d385a05d224abecb2b497b8e0fa40449700237cda89875088e4d8313208ebd22

Analysis

max time kernel
150s
max time network
125s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
15/09/2024, 01:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d385a05d224abecb2b497b8e0fa40449700237cda89875088e4d8313208ebd22.exe
Size

35KB
MD5

6a3a82502379f59bc9c3272cab75832c
SHA1

699e316a0428478dae805456d5d25a4b56c45926
SHA256

d385a05d224abecb2b497b8e0fa40449700237cda89875088e4d8313208ebd22
SHA512

b7d85d9f6b5b0e64ca04924e7e7ae5b4644e577e7bd78c6dac92049f03fec46239f2ad8851de3d0ab1c1291e54d02c1e78a5ef43e68fb58a92fdee23ff7a487e
SSDEEP

192:pACU3DIY0Br5xjL/EAgAQmP1oynLb22vB7m/FJHo7m/FJHhpqW7U7OlI2v2xNJPp:yBs7Br5xjL8AgA71FbhvszwRPZ

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (3792) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Games\Chess\fr-FR\Chess.exe.mui.tmp	d385a05d224abecb2b497b8e0fa40449700237cda89875088e4d8313208ebd22.exe
File created	C:\Program Files\Windows Defender\en-US\MsMpRes.dll.mui.tmp	d385a05d224abecb2b497b8e0fa40449700237cda89875088e4d8313208ebd22.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_blue_windy.png.tmp	d385a05d224abecb2b497b8e0fa40449700237cda89875088e4d8313208ebd22.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\rtscom.dll.mui.tmp	d385a05d224abecb2b497b8e0fa40449700237cda89875088e4d8313208ebd22.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\it-IT\micaut.dll.mui.tmp	d385a05d224abecb2b497b8e0fa40449700237cda89875088e4d8313208ebd22.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\de-DE\msinfo32.exe.mui.tmp	d385a05d224abecb2b497b8e0fa40449700237cda89875088e4d8313208ebd22.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\MANIFEST.MF.tmp	d385a05d224abecb2b497b8e0fa40449700237cda89875088e4d8313208ebd22.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\Microsoft.Build.Engine.resources.dll.tmp	d385a05d224abecb2b497b8e0fa40449700237cda89875088e4d8313208ebd22.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libtheora_plugin.dll.tmp	d385a05d224abecb2b497b8e0fa40449700237cda89875088e4d8313208ebd22.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\tiptsf.dll.tmp	d385a05d224abecb2b497b8e0fa40449700237cda89875088e4d8313208ebd22.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Circle_SelectionSubpictureA.png.tmp	d385a05d224abecb2b497b8e0fa40449700237cda89875088e4d8313208ebd22.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin.equinox_1.0.500.v20131211-1531.jar.tmp	d385a05d224abecb2b497b8e0fa40449700237cda89875088e4d8313208ebd22.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.swt.win32.win32.x86_64_3.103.1.v20140903-1947.jar.tmp	d385a05d224abecb2b497b8e0fa40449700237cda89875088e4d8313208ebd22.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-core-ui.jar.tmp	d385a05d224abecb2b497b8e0fa40449700237cda89875088e4d8313208ebd22.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\PresentationCore.resources.dll.tmp	d385a05d224abecb2b497b8e0fa40449700237cda89875088e4d8313208ebd22.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwritalm.dat.tmp	d385a05d224abecb2b497b8e0fa40449700237cda89875088e4d8313208ebd22.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Mahe.tmp	d385a05d224abecb2b497b8e0fa40449700237cda89875088e4d8313208ebd22.exe
File created	C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL.tmp	d385a05d224abecb2b497b8e0fa40449700237cda89875088e4d8313208ebd22.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\System.Speech.resources.dll.tmp	d385a05d224abecb2b497b8e0fa40449700237cda89875088e4d8313208ebd22.exe
File created	C:\Program Files\VideoLAN\VLC\lua\meta\art\03_lastfm.luac.tmp	d385a05d224abecb2b497b8e0fa40449700237cda89875088e4d8313208ebd22.exe
File created	C:\Program Files\Windows Journal\Templates\Music.jtp.tmp	d385a05d224abecb2b497b8e0fa40449700237cda89875088e4d8313208ebd22.exe
File created	C:\Program Files\Windows Media Player\en-US\wmpnssci.dll.mui.tmp	d385a05d224abecb2b497b8e0fa40449700237cda89875088e4d8313208ebd22.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\TipRes.dll.mui.tmp	d385a05d224abecb2b497b8e0fa40449700237cda89875088e4d8313208ebd22.exe
File created	C:\Program Files\Common Files\System\msadc\de-DE\msaddsr.dll.mui.tmp	d385a05d224abecb2b497b8e0fa40449700237cda89875088e4d8313208ebd22.exe
File created	C:\Program Files\Internet Explorer\sqmapi.dll.tmp	d385a05d224abecb2b497b8e0fa40449700237cda89875088e4d8313208ebd22.exe
File created	C:\Program Files\Java\jre7\lib\cmm\sRGB.pf.tmp	d385a05d224abecb2b497b8e0fa40449700237cda89875088e4d8313208ebd22.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Data.Entity.Resources.dll.tmp	d385a05d224abecb2b497b8e0fa40449700237cda89875088e4d8313208ebd22.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\CGMIMP32.FNT.tmp	d385a05d224abecb2b497b8e0fa40449700237cda89875088e4d8313208ebd22.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\instrument.dll.tmp	d385a05d224abecb2b497b8e0fa40449700237cda89875088e4d8313208ebd22.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\orb.idl.tmp	d385a05d224abecb2b497b8e0fa40449700237cda89875088e4d8313208ebd22.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libscaletempo_pitch_plugin.dll.tmp	d385a05d224abecb2b497b8e0fa40449700237cda89875088e4d8313208ebd22.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\gadget.xml.tmp	d385a05d224abecb2b497b8e0fa40449700237cda89875088e4d8313208ebd22.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\feature.xml.tmp	d385a05d224abecb2b497b8e0fa40449700237cda89875088e4d8313208ebd22.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Athens.tmp	d385a05d224abecb2b497b8e0fa40449700237cda89875088e4d8313208ebd22.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa.fca.tmp	d385a05d224abecb2b497b8e0fa40449700237cda89875088e4d8313208ebd22.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\feature.xml.tmp	d385a05d224abecb2b497b8e0fa40449700237cda89875088e4d8313208ebd22.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-api-annotations-common.jar.tmp	d385a05d224abecb2b497b8e0fa40449700237cda89875088e4d8313208ebd22.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler-ui.xml.tmp	d385a05d224abecb2b497b8e0fa40449700237cda89875088e4d8313208ebd22.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Belize.tmp	d385a05d224abecb2b497b8e0fa40449700237cda89875088e4d8313208ebd22.exe
File created	C:\Program Files\ProtectShow.mpeg2.tmp	d385a05d224abecb2b497b8e0fa40449700237cda89875088e4d8313208ebd22.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.Workflow.Activities.dll.tmp	d385a05d224abecb2b497b8e0fa40449700237cda89875088e4d8313208ebd22.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\tile_drop_shadow.png.tmp	d385a05d224abecb2b497b8e0fa40449700237cda89875088e4d8313208ebd22.exe
File created	C:\Program Files\Java\jre7\lib\zi\Antarctica\Mawson.tmp	d385a05d224abecb2b497b8e0fa40449700237cda89875088e4d8313208ebd22.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Samara.tmp	d385a05d224abecb2b497b8e0fa40449700237cda89875088e4d8313208ebd22.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hu\LC_MESSAGES\vlc.mo.tmp	d385a05d224abecb2b497b8e0fa40449700237cda89875088e4d8313208ebd22.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Search5.api.tmp	d385a05d224abecb2b497b8e0fa40449700237cda89875088e4d8313208ebd22.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\tpcps.dll.tmp	d385a05d224abecb2b497b8e0fa40449700237cda89875088e4d8313208ebd22.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\sk.pak.tmp	d385a05d224abecb2b497b8e0fa40449700237cda89875088e4d8313208ebd22.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.net.win32.x86_64.nl_ja_4.4.0.v20140623020002.jar.tmp	d385a05d224abecb2b497b8e0fa40449700237cda89875088e4d8313208ebd22.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-crt-math-l1-1-0.dll.tmp	d385a05d224abecb2b497b8e0fa40449700237cda89875088e4d8313208ebd22.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_output\libwaveout_plugin.dll.tmp	d385a05d224abecb2b497b8e0fa40449700237cda89875088e4d8313208ebd22.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Help\ITIRCL55.DLL.tmp	d385a05d224abecb2b497b8e0fa40449700237cda89875088e4d8313208ebd22.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ml.pak.tmp	d385a05d224abecb2b497b8e0fa40449700237cda89875088e4d8313208ebd22.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\epl-v10.html.tmp	d385a05d224abecb2b497b8e0fa40449700237cda89875088e4d8313208ebd22.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-editor-mimelookup_ja.jar.tmp	d385a05d224abecb2b497b8e0fa40449700237cda89875088e4d8313208ebd22.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_gloss-wave_35_f6a828_500x100.png.tmp	d385a05d224abecb2b497b8e0fa40449700237cda89875088e4d8313208ebd22.exe
File created	C:\Program Files\Windows NT\TableTextService\en-US\TableTextService.dll.mui.tmp	d385a05d224abecb2b497b8e0fa40449700237cda89875088e4d8313208ebd22.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Accessibility.api.tmp	d385a05d224abecb2b497b8e0fa40449700237cda89875088e4d8313208ebd22.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.HLP.tmp	d385a05d224abecb2b497b8e0fa40449700237cda89875088e4d8313208ebd22.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\TipBand.dll.mui.tmp	d385a05d224abecb2b497b8e0fa40449700237cda89875088e4d8313208ebd22.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Soft Blue.htm.tmp	d385a05d224abecb2b497b8e0fa40449700237cda89875088e4d8313208ebd22.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\feature.xml.tmp	d385a05d224abecb2b497b8e0fa40449700237cda89875088e4d8313208ebd22.exe
File created	C:\Program Files\ProtectClose.au3.tmp	d385a05d224abecb2b497b8e0fa40449700237cda89875088e4d8313208ebd22.exe
File created	C:\Program Files\VideoLAN\VLC\locale\uk\LC_MESSAGES\vlc.mo.tmp	d385a05d224abecb2b497b8e0fa40449700237cda89875088e4d8313208ebd22.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d385a05d224abecb2b497b8e0fa40449700237cda89875088e4d8313208ebd22.exe

C:\Users\Admin\AppData\Local\Temp\d385a05d224abecb2b497b8e0fa40449700237cda89875088e4d8313208ebd22.exe
"C:\Users\Admin\AppData\Local\Temp\d385a05d224abecb2b497b8e0fa40449700237cda89875088e4d8313208ebd22.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3551809350-4263495960-1443967649-1000\desktop.ini.tmp

Filesize
36KB

MD5
3554badbc8d67bf39be9179adcedbbc2

SHA1
febafbd3e5f9dbb5cbf76914b7aa6e74a574ad99

SHA256
88a7f9b23449122227b3644e3adc6ec2c56764d40a71141dc943afe357420fd9

SHA512
c723e8f7c469c4ce7b929bdb81bb81ae277dcf1bed7ac8ed54a2277f333633ea9745c430213456f04bffd6c74bccbcdf290c36c2fd2147791df51f769891b0eb

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
44KB

MD5
5b5abc78a300235cba8cc315a6232f96

SHA1
fcceafc90fb655845641975707404fda597737f4

SHA256
a943209f85ed4f5b9cbecb1bb43026ce5c2d3d29e1e2ac01265fb36b718cf192

SHA512
f97dc82cfaf1259f9a63e08b2511b58c595228845e07600e3170df0a2cd0fe820a15faf922306943e4c85f3c7d36d49b0299f98198d8e9b5f0a5035d59ec49b4

Download Submit
memory/1904-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1904-68-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download