487b89d7af4e29ea8194ca07b3faba37112eab5470b57b4f47025a21a112b94a

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11/09/2024, 21:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

487b89d7af4e29ea8194ca07b3faba37112eab5470b57b4f47025a21a112b94a.exe
Size

77KB
MD5

081a7f68e03924414fcc342afa2c8366
SHA1

effddc4854d58a03ad31c1ad2f035befb50d2d18
SHA256

487b89d7af4e29ea8194ca07b3faba37112eab5470b57b4f47025a21a112b94a
SHA512

d131db4e73152e48152d86a8344db26f2c6fa72aa0527fa241ead858c1bd7ebb62896da90f954f1c53c5e35246242031716a0bbc05ac3be06cc46719b2d5e59a
SSDEEP

768:W7BlphA7pARFbhvOsTKnKqtb4HBZjlwGpCYnigugqOzM9bdifwMtxEwJjlVk0:W7ZhA7pApvOsOKM4HBhaGwOQ54xEIjlv

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (3460) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-windows_zh_CN.jar.tmp	487b89d7af4e29ea8194ca07b3faba37112eab5470b57b4f47025a21a112b94a.exe
File created	C:\Program Files\Windows NT\Accessories\it-IT\wordpad.exe.mui.tmp	487b89d7af4e29ea8194ca07b3faba37112eab5470b57b4f47025a21a112b94a.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\flower_dot.png.tmp	487b89d7af4e29ea8194ca07b3faba37112eab5470b57b4f47025a21a112b94a.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\icon.png.tmp	487b89d7af4e29ea8194ca07b3faba37112eab5470b57b4f47025a21a112b94a.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Shorthand.emf.tmp	487b89d7af4e29ea8194ca07b3faba37112eab5470b57b4f47025a21a112b94a.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Urumqi.tmp	487b89d7af4e29ea8194ca07b3faba37112eab5470b57b4f47025a21a112b94a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Sitka.tmp	487b89d7af4e29ea8194ca07b3faba37112eab5470b57b4f47025a21a112b94a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-api.xml.tmp	487b89d7af4e29ea8194ca07b3faba37112eab5470b57b4f47025a21a112b94a.exe
File created	C:\Program Files\Microsoft Games\Purble Place\desktop.ini.tmp	487b89d7af4e29ea8194ca07b3faba37112eab5470b57b4f47025a21a112b94a.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libsubstx3g_plugin.dll.tmp	487b89d7af4e29ea8194ca07b3faba37112eab5470b57b4f47025a21a112b94a.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\cpu.html.tmp	487b89d7af4e29ea8194ca07b3faba37112eab5470b57b4f47025a21a112b94a.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-changjei.xml.tmp	487b89d7af4e29ea8194ca07b3faba37112eab5470b57b4f47025a21a112b94a.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\huemainsubpicture2.png.tmp	487b89d7af4e29ea8194ca07b3faba37112eab5470b57b4f47025a21a112b94a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.core.commands_0.10.2.v20140424-2344.jar.tmp	487b89d7af4e29ea8194ca07b3faba37112eab5470b57b4f47025a21a112b94a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-options-api.jar.tmp	487b89d7af4e29ea8194ca07b3faba37112eab5470b57b4f47025a21a112b94a.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\es-ES\bckgzm.exe.mui.tmp	487b89d7af4e29ea8194ca07b3faba37112eab5470b57b4f47025a21a112b94a.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libhds_plugin.dll.tmp	487b89d7af4e29ea8194ca07b3faba37112eab5470b57b4f47025a21a112b94a.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msadcfr.dll.mui.tmp	487b89d7af4e29ea8194ca07b3faba37112eab5470b57b4f47025a21a112b94a.exe
File created	C:\Program Files\Microsoft Games\FreeCell\it-IT\FreeCell.exe.mui.tmp	487b89d7af4e29ea8194ca07b3faba37112eab5470b57b4f47025a21a112b94a.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\divider-horizontal.png.tmp	487b89d7af4e29ea8194ca07b3faba37112eab5470b57b4f47025a21a112b94a.exe
File created	C:\Program Files\Microsoft Games\Chess\it-IT\Chess.exe.mui.tmp	487b89d7af4e29ea8194ca07b3faba37112eab5470b57b4f47025a21a112b94a.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\pushplaysubpicture.png.tmp	487b89d7af4e29ea8194ca07b3faba37112eab5470b57b4f47025a21a112b94a.exe
File created	C:\Program Files\ImportHide.mp4v.tmp	487b89d7af4e29ea8194ca07b3faba37112eab5470b57b4f47025a21a112b94a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.nl_ja_4.4.0.v20140623020002.jar.tmp	487b89d7af4e29ea8194ca07b3faba37112eab5470b57b4f47025a21a112b94a.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\images\vlc-48.png.tmp	487b89d7af4e29ea8194ca07b3faba37112eab5470b57b4f47025a21a112b94a.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bg-desk.png.tmp	487b89d7af4e29ea8194ca07b3faba37112eab5470b57b4f47025a21a112b94a.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\css\localizedSettings.css.tmp	487b89d7af4e29ea8194ca07b3faba37112eab5470b57b4f47025a21a112b94a.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\36.png.tmp	487b89d7af4e29ea8194ca07b3faba37112eab5470b57b4f47025a21a112b94a.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\TipTsf.dll.mui.tmp	487b89d7af4e29ea8194ca07b3faba37112eab5470b57b4f47025a21a112b94a.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waxing-gibbous.png.tmp	487b89d7af4e29ea8194ca07b3faba37112eab5470b57b4f47025a21a112b94a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe.tmp	487b89d7af4e29ea8194ca07b3faba37112eab5470b57b4f47025a21a112b94a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\cacerts.tmp	487b89d7af4e29ea8194ca07b3faba37112eab5470b57b4f47025a21a112b94a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\javaws.policy.tmp	487b89d7af4e29ea8194ca07b3faba37112eab5470b57b4f47025a21a112b94a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Prague.tmp	487b89d7af4e29ea8194ca07b3faba37112eab5470b57b4f47025a21a112b94a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.sat4j.core_2.3.5.v201308161310.jar.tmp	487b89d7af4e29ea8194ca07b3faba37112eab5470b57b4f47025a21a112b94a.exe
File created	C:\Program Files\Java\jre7\lib\images\cursors\win32_CopyNoDrop32x32.gif.tmp	487b89d7af4e29ea8194ca07b3faba37112eab5470b57b4f47025a21a112b94a.exe
File created	C:\Program Files\Mozilla Firefox\install.log.tmp	487b89d7af4e29ea8194ca07b3faba37112eab5470b57b4f47025a21a112b94a.exe
File created	C:\Program Files\DVD Maker\it-IT\OmdProject.dll.mui.tmp	487b89d7af4e29ea8194ca07b3faba37112eab5470b57b4f47025a21a112b94a.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\shuffle_up.png.tmp	487b89d7af4e29ea8194ca07b3faba37112eab5470b57b4f47025a21a112b94a.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\6.png.tmp	487b89d7af4e29ea8194ca07b3faba37112eab5470b57b4f47025a21a112b94a.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libvc1_plugin.dll.tmp	487b89d7af4e29ea8194ca07b3faba37112eab5470b57b4f47025a21a112b94a.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\System.RunTime.Serialization.Resources.dll.tmp	487b89d7af4e29ea8194ca07b3faba37112eab5470b57b4f47025a21a112b94a.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_mpeg4video_plugin.dll.tmp	487b89d7af4e29ea8194ca07b3faba37112eab5470b57b4f47025a21a112b94a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Bougainville.tmp	487b89d7af4e29ea8194ca07b3faba37112eab5470b57b4f47025a21a112b94a.exe
File created	C:\Program Files\Internet Explorer\en-US\F12Resources.dll.mui.tmp	487b89d7af4e29ea8194ca07b3faba37112eab5470b57b4f47025a21a112b94a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\Xusage.txt.tmp	487b89d7af4e29ea8194ca07b3faba37112eab5470b57b4f47025a21a112b94a.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\error_window.html.tmp	487b89d7af4e29ea8194ca07b3faba37112eab5470b57b4f47025a21a112b94a.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\js\picturePuzzle.js.tmp	487b89d7af4e29ea8194ca07b3faba37112eab5470b57b4f47025a21a112b94a.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_thunderstorm.png.tmp	487b89d7af4e29ea8194ca07b3faba37112eab5470b57b4f47025a21a112b94a.exe
File created	C:\Program Files\7-Zip\Lang\lij.txt.tmp	487b89d7af4e29ea8194ca07b3faba37112eab5470b57b4f47025a21a112b94a.exe
File created	C:\Program Files\Common Files\System\Ole DB\en-US\oledb32r.dll.mui.tmp	487b89d7af4e29ea8194ca07b3faba37112eab5470b57b4f47025a21a112b94a.exe
File created	C:\Program Files\Internet Explorer\MemoryAnalyzer.dll.tmp	487b89d7af4e29ea8194ca07b3faba37112eab5470b57b4f47025a21a112b94a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Tijuana.tmp	487b89d7af4e29ea8194ca07b3faba37112eab5470b57b4f47025a21a112b94a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Darwin.tmp	487b89d7af4e29ea8194ca07b3faba37112eab5470b57b4f47025a21a112b94a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-awt.jar.tmp	487b89d7af4e29ea8194ca07b3faba37112eab5470b57b4f47025a21a112b94a.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\dial.png.tmp	487b89d7af4e29ea8194ca07b3faba37112eab5470b57b4f47025a21a112b94a.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-first-quarter_partly-cloudy.png.tmp	487b89d7af4e29ea8194ca07b3faba37112eab5470b57b4f47025a21a112b94a.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE.tmp	487b89d7af4e29ea8194ca07b3faba37112eab5470b57b4f47025a21a112b94a.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_blue_partly-cloudy.png.tmp	487b89d7af4e29ea8194ca07b3faba37112eab5470b57b4f47025a21a112b94a.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\micaut.dll.mui.tmp	487b89d7af4e29ea8194ca07b3faba37112eab5470b57b4f47025a21a112b94a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Almaty.tmp	487b89d7af4e29ea8194ca07b3faba37112eab5470b57b4f47025a21a112b94a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\feature.properties.tmp	487b89d7af4e29ea8194ca07b3faba37112eab5470b57b4f47025a21a112b94a.exe
File created	C:\Program Files\Mozilla Firefox\locale.ini.tmp	487b89d7af4e29ea8194ca07b3faba37112eab5470b57b4f47025a21a112b94a.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\css\clock.css.tmp	487b89d7af4e29ea8194ca07b3faba37112eab5470b57b4f47025a21a112b94a.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	487b89d7af4e29ea8194ca07b3faba37112eab5470b57b4f47025a21a112b94a.exe

C:\Users\Admin\AppData\Local\Temp\487b89d7af4e29ea8194ca07b3faba37112eab5470b57b4f47025a21a112b94a.exe
"C:\Users\Admin\AppData\Local\Temp\487b89d7af4e29ea8194ca07b3faba37112eab5470b57b4f47025a21a112b94a.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3533259084-2542256011-65585152-1000\desktop.ini.tmp

Filesize
77KB

MD5
f3fccf8530744a1717a2af9dc0c5354f

SHA1
683b8ac6a96855c4b4ba28e0495013756e772bcb

SHA256
970d50ad1a31a054f4ac4dfbaec2f0ce92d85a427f9dd14e55732e3a1124f2aa

SHA512
c9dde5927bb9dea198fa8552cdd53960a4b76cf91d3618e89efc337212a0d0bbc3f01b55e320407dbe16417ff5dcddae52003c6fe0b8bb61da73dd5334b7780e

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
86KB

MD5
a0d525f885c113ab768e12388a13f635

SHA1
f9050e13c0b79d320a3c63bad76861e4916f3ba8

SHA256
075566573ebe311cdfe950615d9561fd83290b91057706040cd8595dcf6e23ff

SHA512
565bbbc2910b543d91d9d00c2c82cc2894889bc7459c358af6a7cbac085173d5b0db13e09b30837fe3aef27dcc82a989c9e683eb4c401114e222f30f3d0b5752

Download Submit