64c0acf76c6e9aebfffcb239b894e5002642576b2b59d5ad785b6a19440b5fed

Analysis

max time kernel
120s
max time network
17s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
09/09/2024, 18:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

28a0c413f453d2822314714e935c1f80N.exe
Size

44KB
MD5

28a0c413f453d2822314714e935c1f80
SHA1

cb7d25dcddaf9e58debf093b308e03e78dc222ac
SHA256

64c0acf76c6e9aebfffcb239b894e5002642576b2b59d5ad785b6a19440b5fed
SHA512

25a77855c9ae66467f764a39c5382d58d2c6d43efa266eb081d95c8cb097db38ccff7526443d150b321cde3b597bec9ae3034e33f457462e74ff1e0a1dc574c5
SSDEEP

768:W7BlpppARFbhjbhg42LcfpR42LcfproFNFjqAJLOqAJLr3jxOxw:W7ZppApBULcfpHLcfpyDMxOxw

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (3181) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7.png.tmp	28a0c413f453d2822314714e935c1f80N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.Workflow.Runtime.dll.tmp	28a0c413f453d2822314714e935c1f80N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Blue_Gradient.jpg.tmp	28a0c413f453d2822314714e935c1f80N.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\de-DE\ShvlRes.dll.mui.tmp	28a0c413f453d2822314714e935c1f80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\hprof-16.png.tmp	28a0c413f453d2822314714e935c1f80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.resources_3.9.1.v20140825-1431.jar.tmp	28a0c413f453d2822314714e935c1f80N.exe
File created	C:\Program Files\Java\jre7\lib\deploy\splash.gif.tmp	28a0c413f453d2822314714e935c1f80N.exe
File created	C:\Program Files\SubmitImport.mpg.tmp	28a0c413f453d2822314714e935c1f80N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\title_trans_notes.wmv.tmp	28a0c413f453d2822314714e935c1f80N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_elf.dll.tmp	28a0c413f453d2822314714e935c1f80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\ant-javafx.jar.tmp	28a0c413f453d2822314714e935c1f80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.bindings_0.10.200.v20140424-2042.jar.tmp	28a0c413f453d2822314714e935c1f80N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Santo_Domingo.tmp	28a0c413f453d2822314714e935c1f80N.exe
File created	C:\Program Files\Internet Explorer\en-US\DiagnosticsTap.dll.mui.tmp	28a0c413f453d2822314714e935c1f80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-threaddump.xml.tmp	28a0c413f453d2822314714e935c1f80N.exe
File created	C:\Program Files\Java\jre7\lib\zi\SystemV\AST4ADT.tmp	28a0c413f453d2822314714e935c1f80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Kwajalein.tmp	28a0c413f453d2822314714e935c1f80N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Indiana\Vevay.tmp	28a0c413f453d2822314714e935c1f80N.exe
File created	C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt.tmp	28a0c413f453d2822314714e935c1f80N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\playlist\newgrounds.luac.tmp	28a0c413f453d2822314714e935c1f80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Guatemala.tmp	28a0c413f453d2822314714e935c1f80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Dhaka.tmp	28a0c413f453d2822314714e935c1f80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-masterfs_zh_CN.jar.tmp	28a0c413f453d2822314714e935c1f80N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libadpcm_plugin.dll.tmp	28a0c413f453d2822314714e935c1f80N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libchorus_flanger_plugin.dll.tmp	28a0c413f453d2822314714e935c1f80N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationLeft_SelectionSubpicture.png.tmp	28a0c413f453d2822314714e935c1f80N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Argentina\Mendoza.tmp	28a0c413f453d2822314714e935c1f80N.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\Chkr.dll.tmp	28a0c413f453d2822314714e935c1f80N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Entity.dll.tmp	28a0c413f453d2822314714e935c1f80N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_realrtsp_plugin.dll.tmp	28a0c413f453d2822314714e935c1f80N.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\en-US\chkrzm.exe.mui.tmp	28a0c413f453d2822314714e935c1f80N.exe
File created	C:\Program Files\7-Zip\Lang\lt.txt.tmp	28a0c413f453d2822314714e935c1f80N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrespsh.dat.tmp	28a0c413f453d2822314714e935c1f80N.exe
File created	C:\Program Files\DVD Maker\Shared\Common.fxh.tmp	28a0c413f453d2822314714e935c1f80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe.tmp	28a0c413f453d2822314714e935c1f80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Barbados.tmp	28a0c413f453d2822314714e935c1f80N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Qyzylorda.tmp	28a0c413f453d2822314714e935c1f80N.exe
File created	C:\Program Files\Microsoft Office\Office14\Mso Example Setup File A.txt.tmp	28a0c413f453d2822314714e935c1f80N.exe
File created	C:\Program Files\Microsoft Office\Office14\NPAUTHZ.DLL.tmp	28a0c413f453d2822314714e935c1f80N.exe
File created	C:\Program Files\Mozilla Firefox\installation_telemetry.json.tmp	28a0c413f453d2822314714e935c1f80N.exe
File created	C:\Program Files\7-Zip\Lang\fur.txt.tmp	28a0c413f453d2822314714e935c1f80N.exe
File created	C:\Program Files\Internet Explorer\ielowutil.exe.tmp	28a0c413f453d2822314714e935c1f80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Norfolk.tmp	28a0c413f453d2822314714e935c1f80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-queries_zh_CN.jar.tmp	28a0c413f453d2822314714e935c1f80N.exe
File created	C:\Program Files\Java\jre7\lib\fonts\LucidaBrightDemiItalic.ttf.tmp	28a0c413f453d2822314714e935c1f80N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationLeft_SelectionSubpicture.png.tmp	28a0c413f453d2822314714e935c1f80N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Vancouver.tmp	28a0c413f453d2822314714e935c1f80N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Nauru.tmp	28a0c413f453d2822314714e935c1f80N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Extensions.dll.tmp	28a0c413f453d2822314714e935c1f80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.httpcomponents.httpcore_4.2.5.v201311072007.jar.tmp	28a0c413f453d2822314714e935c1f80N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\System.IdentityModel.Resources.dll.tmp	28a0c413f453d2822314714e935c1f80N.exe
File created	C:\Program Files\7-Zip\Lang\ro.txt.tmp	28a0c413f453d2822314714e935c1f80N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipscht.xml.tmp	28a0c413f453d2822314714e935c1f80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Chagos.tmp	28a0c413f453d2822314714e935c1f80N.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\ja-JP\bckgzm.exe.mui.tmp	28a0c413f453d2822314714e935c1f80N.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\fr-FR\chkrzm.exe.mui.tmp	28a0c413f453d2822314714e935c1f80N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\LogoCanary.png.tmp	28a0c413f453d2822314714e935c1f80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-applemenu.xml.tmp	28a0c413f453d2822314714e935c1f80N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Barbados.tmp	28a0c413f453d2822314714e935c1f80N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\UIAutomationTypes.resources.dll.tmp	28a0c413f453d2822314714e935c1f80N.exe
File created	C:\Program Files\Mozilla Firefox\osclientcerts.dll.tmp	28a0c413f453d2822314714e935c1f80N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\tipresx.dll.mui.tmp	28a0c413f453d2822314714e935c1f80N.exe
File created	C:\Program Files\DVD Maker\Shared\Filters.xml.tmp	28a0c413f453d2822314714e935c1f80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-api-search_ja.jar.tmp	28a0c413f453d2822314714e935c1f80N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	28a0c413f453d2822314714e935c1f80N.exe

C:\Users\Admin\AppData\Local\Temp\28a0c413f453d2822314714e935c1f80N.exe
"C:\Users\Admin\AppData\Local\Temp\28a0c413f453d2822314714e935c1f80N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3551809350-4263495960-1443967649-1000\desktop.ini.tmp

Filesize
44KB

MD5
ea981151774626bc6c43c3aa4b51baab

SHA1
47722baac40ab388aad6855ac68fc82bf83a8cda

SHA256
d7e1f68b2d02a0fc3e076e792b211fc771f1a81fed75266845b34476a5434af5

SHA512
fd44156a419e74fb47f4c34afdad90f8e578c1ed61ee39e9dbf7703abfd94b52611f437efaa17ea7a9f68334887b56efdbad718994f7feb713ed0df63925bc3e

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
53KB

MD5
8c05c6d1bdb4f2b07f1abb1fe48a0940

SHA1
419548547c01a49415d2654cf4f4d9f7b73be8df

SHA256
0b592a7b95810bd437f975d9ab88f5df8ea78aa091b3568b0894da5f60888801

SHA512
97164610c6792790fb5da5b037ce591c66472bb70a0c300ff0cd31f95238d2eeb8e9bc97176dbc5e6e677a9912cf863cc69ec075d0ccd62b977cc8faa3292a38

Download Submit