6a2c1c28770ec0e17db784502f52372752bc8c79f9e9f2b0d3d834d1c46ee07d

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
11/09/2024, 22:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6a2c1c28770ec0e17db784502f52372752bc8c79f9e9f2b0d3d834d1c46ee07d.exe
Size

83KB
MD5

48d5563c9ede3c266d21f7fb8dbb5154
SHA1

020a603de85721c5e40aec5d48ea388b09fb98dd
SHA256

6a2c1c28770ec0e17db784502f52372752bc8c79f9e9f2b0d3d834d1c46ee07d
SHA512

86f47efe397e2c1ee4762d3a04346bd11f3fa8ddc3911977f6d188d83b13e8b5c7dd2fe559e8ddf3cf748ed2e8cc615db2219c2cfc886a7682f101d9de55b2fb
SSDEEP

1536:W7ZhA7dAZ1++PJHJXA/OsIZfzc3/Q8asUsJOLKc/xJtLJtTGW:6e76mQSohsUsUKO

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (3489) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Memo.emf.tmp	6a2c1c28770ec0e17db784502f52372752bc8c79f9e9f2b0d3d834d1c46ee07d.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\snmp.acl.template.tmp	6a2c1c28770ec0e17db784502f52372752bc8c79f9e9f2b0d3d834d1c46ee07d.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Anchorage.tmp	6a2c1c28770ec0e17db784502f52372752bc8c79f9e9f2b0d3d834d1c46ee07d.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\license.html.tmp	6a2c1c28770ec0e17db784502f52372752bc8c79f9e9f2b0d3d834d1c46ee07d.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.core.nl_ja_4.4.0.v20140623020002.jar.tmp	6a2c1c28770ec0e17db784502f52372752bc8c79f9e9f2b0d3d834d1c46ee07d.exe
File created	C:\Program Files\Windows Journal\ja-JP\Journal.exe.mui.tmp	6a2c1c28770ec0e17db784502f52372752bc8c79f9e9f2b0d3d834d1c46ee07d.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.runtime_3.10.0.v20140318-2214.jar.tmp	6a2c1c28770ec0e17db784502f52372752bc8c79f9e9f2b0d3d834d1c46ee07d.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.services_1.1.0.v20140328-1925.jar.tmp	6a2c1c28770ec0e17db784502f52372752bc8c79f9e9f2b0d3d834d1c46ee07d.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.reconciler.dropins.nl_ja_4.4.0.v20140623020002.jar.tmp	6a2c1c28770ec0e17db784502f52372752bc8c79f9e9f2b0d3d834d1c46ee07d.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-queries.xml.tmp	6a2c1c28770ec0e17db784502f52372752bc8c79f9e9f2b0d3d834d1c46ee07d.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_left_hover.png.tmp	6a2c1c28770ec0e17db784502f52372752bc8c79f9e9f2b0d3d834d1c46ee07d.exe
File created	C:\Program Files\Windows Media Player\de-DE\WMPSideShowGadget.exe.mui.tmp	6a2c1c28770ec0e17db784502f52372752bc8c79f9e9f2b0d3d834d1c46ee07d.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\blackbars60.png.tmp	6a2c1c28770ec0e17db784502f52372752bc8c79f9e9f2b0d3d834d1c46ee07d.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\1047x576_91n92.png.tmp	6a2c1c28770ec0e17db784502f52372752bc8c79f9e9f2b0d3d834d1c46ee07d.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\PassportMask_PAL.wmv.tmp	6a2c1c28770ec0e17db784502f52372752bc8c79f9e9f2b0d3d834d1c46ee07d.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\sunec.dll.tmp	6a2c1c28770ec0e17db784502f52372752bc8c79f9e9f2b0d3d834d1c46ee07d.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\gimap.jar.tmp	6a2c1c28770ec0e17db784502f52372752bc8c79f9e9f2b0d3d834d1c46ee07d.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access_output\libaccess_output_udp_plugin.dll.tmp	6a2c1c28770ec0e17db784502f52372752bc8c79f9e9f2b0d3d834d1c46ee07d.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\IPSEventLogMsg.dll.mui.tmp	6a2c1c28770ec0e17db784502f52372752bc8c79f9e9f2b0d3d834d1c46ee07d.exe
File created	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe.tmp	6a2c1c28770ec0e17db784502f52372752bc8c79f9e9f2b0d3d834d1c46ee07d.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.commands.nl_zh_4.4.0.v20140623020002.jar.tmp	6a2c1c28770ec0e17db784502f52372752bc8c79f9e9f2b0d3d834d1c46ee07d.exe
File created	C:\Program Files\Microsoft Office\Office14\MSOHEVI.DLL.tmp	6a2c1c28770ec0e17db784502f52372752bc8c79f9e9f2b0d3d834d1c46ee07d.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\(144DPI)redStateIcon.png.tmp	6a2c1c28770ec0e17db784502f52372752bc8c79f9e9f2b0d3d834d1c46ee07d.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\wsdetect.dll.tmp	6a2c1c28770ec0e17db784502f52372752bc8c79f9e9f2b0d3d834d1c46ee07d.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.operations.nl_zh_4.4.0.v20140623020002.jar.tmp	6a2c1c28770ec0e17db784502f52372752bc8c79f9e9f2b0d3d834d1c46ee07d.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.Luna.dll.tmp	6a2c1c28770ec0e17db784502f52372752bc8c79f9e9f2b0d3d834d1c46ee07d.exe
File created	C:\Program Files\VideoLAN\VLC\locale\en_GB\LC_MESSAGES\vlc.mo.tmp	6a2c1c28770ec0e17db784502f52372752bc8c79f9e9f2b0d3d834d1c46ee07d.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPC.DLL.tmp	6a2c1c28770ec0e17db784502f52372752bc8c79f9e9f2b0d3d834d1c46ee07d.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\whitevignette1047.png.tmp	6a2c1c28770ec0e17db784502f52372752bc8c79f9e9f2b0d3d834d1c46ee07d.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationLeft_SelectionSubpicture.png.tmp	6a2c1c28770ec0e17db784502f52372752bc8c79f9e9f2b0d3d834d1c46ee07d.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-applemenu_ja.jar.tmp	6a2c1c28770ec0e17db784502f52372752bc8c79f9e9f2b0d3d834d1c46ee07d.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-progress-ui.xml.tmp	6a2c1c28770ec0e17db784502f52372752bc8c79f9e9f2b0d3d834d1c46ee07d.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\London.tmp	6a2c1c28770ec0e17db784502f52372752bc8c79f9e9f2b0d3d834d1c46ee07d.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\System.IdentityModel.Resources.dll.tmp	6a2c1c28770ec0e17db784502f52372752bc8c79f9e9f2b0d3d834d1c46ee07d.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libaom_plugin.dll.tmp	6a2c1c28770ec0e17db784502f52372752bc8c79f9e9f2b0d3d834d1c46ee07d.exe
File created	C:\Program Files\Common Files\System\Ole DB\msdatl3.dll.tmp	6a2c1c28770ec0e17db784502f52372752bc8c79f9e9f2b0d3d834d1c46ee07d.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\1047x576black.png.tmp	6a2c1c28770ec0e17db784502f52372752bc8c79f9e9f2b0d3d834d1c46ee07d.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Page_PAL.wmv.tmp	6a2c1c28770ec0e17db784502f52372752bc8c79f9e9f2b0d3d834d1c46ee07d.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Easter.tmp	6a2c1c28770ec0e17db784502f52372752bc8c79f9e9f2b0d3d834d1c46ee07d.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\diagnostic-command-16.png.tmp	6a2c1c28770ec0e17db784502f52372752bc8c79f9e9f2b0d3d834d1c46ee07d.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Indiana\Vincennes.tmp	6a2c1c28770ec0e17db784502f52372752bc8c79f9e9f2b0d3d834d1c46ee07d.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Onix32.dll.tmp	6a2c1c28770ec0e17db784502f52372752bc8c79f9e9f2b0d3d834d1c46ee07d.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_thunderstorm.png.tmp	6a2c1c28770ec0e17db784502f52372752bc8c79f9e9f2b0d3d834d1c46ee07d.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\external_extensions.json.tmp	6a2c1c28770ec0e17db784502f52372752bc8c79f9e9f2b0d3d834d1c46ee07d.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Bogota.tmp	6a2c1c28770ec0e17db784502f52372752bc8c79f9e9f2b0d3d834d1c46ee07d.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winClassicHandle.png.tmp	6a2c1c28770ec0e17db784502f52372752bc8c79f9e9f2b0d3d834d1c46ee07d.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Kaliningrad.tmp	6a2c1c28770ec0e17db784502f52372752bc8c79f9e9f2b0d3d834d1c46ee07d.exe
File created	C:\Program Files\Java\jre7\lib\zi\HST.tmp	6a2c1c28770ec0e17db784502f52372752bc8c79f9e9f2b0d3d834d1c46ee07d.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Data.Entity.Resources.dll.tmp	6a2c1c28770ec0e17db784502f52372752bc8c79f9e9f2b0d3d834d1c46ee07d.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\feature.properties.tmp	6a2c1c28770ec0e17db784502f52372752bc8c79f9e9f2b0d3d834d1c46ee07d.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\SpiderSolitaire.exe.mui.tmp	6a2c1c28770ec0e17db784502f52372752bc8c79f9e9f2b0d3d834d1c46ee07d.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\UIAutomationTypes.resources.dll.tmp	6a2c1c28770ec0e17db784502f52372752bc8c79f9e9f2b0d3d834d1c46ee07d.exe
File created	C:\Program Files\Windows Journal\es-ES\Journal.exe.mui.tmp	6a2c1c28770ec0e17db784502f52372752bc8c79f9e9f2b0d3d834d1c46ee07d.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\curl-hot.png.tmp	6a2c1c28770ec0e17db784502f52372752bc8c79f9e9f2b0d3d834d1c46ee07d.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\main.html.tmp	6a2c1c28770ec0e17db784502f52372752bc8c79f9e9f2b0d3d834d1c46ee07d.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\css\flyout.css.tmp	6a2c1c28770ec0e17db784502f52372752bc8c79f9e9f2b0d3d834d1c46ee07d.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationLeft_SelectionSubpicture.png.tmp	6a2c1c28770ec0e17db784502f52372752bc8c79f9e9f2b0d3d834d1c46ee07d.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\scene_button_style_default_Thumbnail.bmp.tmp	6a2c1c28770ec0e17db784502f52372752bc8c79f9e9f2b0d3d834d1c46ee07d.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata.repository_1.2.100.v20131209-2144.jar.tmp	6a2c1c28770ec0e17db784502f52372752bc8c79f9e9f2b0d3d834d1c46ee07d.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\boot.jar.tmp	6a2c1c28770ec0e17db784502f52372752bc8c79f9e9f2b0d3d834d1c46ee07d.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Ojinaga.tmp	6a2c1c28770ec0e17db784502f52372752bc8c79f9e9f2b0d3d834d1c46ee07d.exe
File created	C:\Program Files\VideoLAN\VLC\lua\extensions\VLSub.luac.tmp	6a2c1c28770ec0e17db784502f52372752bc8c79f9e9f2b0d3d834d1c46ee07d.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked-loading.png.tmp	6a2c1c28770ec0e17db784502f52372752bc8c79f9e9f2b0d3d834d1c46ee07d.exe
File created	C:\Program Files\Mozilla Firefox\nssckbi.dll.tmp	6a2c1c28770ec0e17db784502f52372752bc8c79f9e9f2b0d3d834d1c46ee07d.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6a2c1c28770ec0e17db784502f52372752bc8c79f9e9f2b0d3d834d1c46ee07d.exe

C:\Users\Admin\AppData\Local\Temp\6a2c1c28770ec0e17db784502f52372752bc8c79f9e9f2b0d3d834d1c46ee07d.exe
"C:\Users\Admin\AppData\Local\Temp\6a2c1c28770ec0e17db784502f52372752bc8c79f9e9f2b0d3d834d1c46ee07d.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3551809350-4263495960-1443967649-1000\desktop.ini.tmp

Filesize
83KB

MD5
960d50692341bf6aa50df01a4577df35

SHA1
462e7428bf8f84f60470b86f4606953aad17457c

SHA256
1d946f6d8e8fe3c72d827cce8f0d7d52beb86c3705ffec6b971b237f675cfbc4

SHA512
6973316aed6c329103708045a97d0e485886be2ab90f7073f422f48dbc9bec44167d1c307d96bf3fd209b99f0a30da005f7689b492c48a386e61c6d24b6c004b

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
92KB

MD5
7fda0e85ef775c31e7e678c25f3a0cd5

SHA1
5411533d9b18bd6c1e98a19dbce2c1558ffc7a39

SHA256
ed07df15a2931479ea8042c3e3df69dc174b6457dc8750ae9ca63a8d1f64d42e

SHA512
e8919ed07bbf9184146045ed3bf51ffeb748faea68fcb6fba223eacb93c45d0b7f2ad99674bf0d5c93343ff181b1b1561bc3c13fbfe994a5104428d4e472362b

Download Submit