5016f4c57a34fb9264e92e226b54d992769a7375abe7db767194741d65a4f062

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18-09-2024 09:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5016f4c57a34fb9264e92e226b54d992769a7375abe7db767194741d65a4f062N.exe
Size

89KB
MD5

9cf35d637f5e1da1e61082676adbb390
SHA1

6965f6c794ceeea75c445384d3abcfb8b9dc6bcd
SHA256

5016f4c57a34fb9264e92e226b54d992769a7375abe7db767194741d65a4f062
SHA512

b0e4eec6ac348b78930d5d195e4ac389a67751c2d1a1b32fd81ed8548405b1f79748a72ece9764f1400636c11c0da1b41a6f416c5a48554046b6d569d93d6b28
SSDEEP

1536:W7ZhA7pApH9QHwtRF9ESWu0SWujodsodaNovTW+SPL+cycWAF689ilL:6e7WpHIyRF9ESWu0SWujKsKRsP9fVL9C

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (3121) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Copenhagen.tmp	5016f4c57a34fb9264e92e226b54d992769a7375abe7db767194741d65a4f062N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\mojo_core.dll.tmp	5016f4c57a34fb9264e92e226b54d992769a7375abe7db767194741d65a4f062N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\calendars.properties.tmp	5016f4c57a34fb9264e92e226b54d992769a7375abe7db767194741d65a4f062N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\HandPrints.jpg.tmp	5016f4c57a34fb9264e92e226b54d992769a7375abe7db767194741d65a4f062N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\localedata.jar.tmp	5016f4c57a34fb9264e92e226b54d992769a7375abe7db767194741d65a4f062N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Novosibirsk.tmp	5016f4c57a34fb9264e92e226b54d992769a7375abe7db767194741d65a4f062N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-api-annotations-common_zh_CN.jar.tmp	5016f4c57a34fb9264e92e226b54d992769a7375abe7db767194741d65a4f062N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-jmx.jar.tmp	5016f4c57a34fb9264e92e226b54d992769a7375abe7db767194741d65a4f062N.exe
File created	C:\Program Files\Java\jre7\bin\JAWTAccessBridge-64.dll.tmp	5016f4c57a34fb9264e92e226b54d992769a7375abe7db767194741d65a4f062N.exe
File created	C:\Program Files\7-Zip\7zFM.exe.tmp	5016f4c57a34fb9264e92e226b54d992769a7375abe7db767194741d65a4f062N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE.tmp	5016f4c57a34fb9264e92e226b54d992769a7375abe7db767194741d65a4f062N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\vlc.mo.tmp	5016f4c57a34fb9264e92e226b54d992769a7375abe7db767194741d65a4f062N.exe
File created	C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL.tmp	5016f4c57a34fb9264e92e226b54d992769a7375abe7db767194741d65a4f062N.exe
File created	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe.tmp	5016f4c57a34fb9264e92e226b54d992769a7375abe7db767194741d65a4f062N.exe
File created	C:\Program Files\Google\Chrome\Application\chrome.VisualElementsManifest.xml.tmp	5016f4c57a34fb9264e92e226b54d992769a7375abe7db767194741d65a4f062N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Moncton.tmp	5016f4c57a34fb9264e92e226b54d992769a7375abe7db767194741d65a4f062N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\boot_ja.jar.tmp	5016f4c57a34fb9264e92e226b54d992769a7375abe7db767194741d65a4f062N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Rarotonga.tmp	5016f4c57a34fb9264e92e226b54d992769a7375abe7db767194741d65a4f062N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\bear_formatted_matte2.wmv.tmp	5016f4c57a34fb9264e92e226b54d992769a7375abe7db767194741d65a4f062N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_postage_Thumbnail.bmp.tmp	5016f4c57a34fb9264e92e226b54d992769a7375abe7db767194741d65a4f062N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\jmxremote.password.template.tmp	5016f4c57a34fb9264e92e226b54d992769a7375abe7db767194741d65a4f062N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-api-progress_ja.jar.tmp	5016f4c57a34fb9264e92e226b54d992769a7375abe7db767194741d65a4f062N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-cli_zh_CN.jar.tmp	5016f4c57a34fb9264e92e226b54d992769a7375abe7db767194741d65a4f062N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-application-views.jar.tmp	5016f4c57a34fb9264e92e226b54d992769a7375abe7db767194741d65a4f062N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Singapore.tmp	5016f4c57a34fb9264e92e226b54d992769a7375abe7db767194741d65a4f062N.exe
File created	C:\Program Files\7-Zip\Lang\kab.txt.tmp	5016f4c57a34fb9264e92e226b54d992769a7375abe7db767194741d65a4f062N.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msdaremr.dll.mui.tmp	5016f4c57a34fb9264e92e226b54d992769a7375abe7db767194741d65a4f062N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationUp_ButtonGraphic.png.tmp	5016f4c57a34fb9264e92e226b54d992769a7375abe7db767194741d65a4f062N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-shadow.png.tmp	5016f4c57a34fb9264e92e226b54d992769a7375abe7db767194741d65a4f062N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\license.html.tmp	5016f4c57a34fb9264e92e226b54d992769a7375abe7db767194741d65a4f062N.exe
File created	C:\Program Files\Java\jre7\lib\zi\SystemV\PST8.tmp	5016f4c57a34fb9264e92e226b54d992769a7375abe7db767194741d65a4f062N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\tipresx.dll.mui.tmp	5016f4c57a34fb9264e92e226b54d992769a7375abe7db767194741d65a4f062N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\tipresx.dll.mui.tmp	5016f4c57a34fb9264e92e226b54d992769a7375abe7db767194741d65a4f062N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\jvm.hprof.txt.tmp	5016f4c57a34fb9264e92e226b54d992769a7375abe7db767194741d65a4f062N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\artifacts.xml.tmp	5016f4c57a34fb9264e92e226b54d992769a7375abe7db767194741d65a4f062N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\epl-v10.html.tmp	5016f4c57a34fb9264e92e226b54d992769a7375abe7db767194741d65a4f062N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc\visualvm.conf.tmp	5016f4c57a34fb9264e92e226b54d992769a7375abe7db767194741d65a4f062N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-threaddump_zh_CN.jar.tmp	5016f4c57a34fb9264e92e226b54d992769a7375abe7db767194741d65a4f062N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationUp_ButtonGraphic.png.tmp	5016f4c57a34fb9264e92e226b54d992769a7375abe7db767194741d65a4f062N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\btn-next-static.png.tmp	5016f4c57a34fb9264e92e226b54d992769a7375abe7db767194741d65a4f062N.exe
File created	C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll.tmp	5016f4c57a34fb9264e92e226b54d992769a7375abe7db767194741d65a4f062N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\tipresx.dll.mui.tmp	5016f4c57a34fb9264e92e226b54d992769a7375abe7db767194741d65a4f062N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.attach.ja_5.5.0.165303.jar.tmp	5016f4c57a34fb9264e92e226b54d992769a7375abe7db767194741d65a4f062N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.docs.zh_CN_5.5.0.165303.jar.tmp	5016f4c57a34fb9264e92e226b54d992769a7375abe7db767194741d65a4f062N.exe
File created	C:\Program Files\Java\jre7\lib\zi\EST.tmp	5016f4c57a34fb9264e92e226b54d992769a7375abe7db767194741d65a4f062N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Port_Moresby.tmp	5016f4c57a34fb9264e92e226b54d992769a7375abe7db767194741d65a4f062N.exe
File created	C:\Program Files\Microsoft Games\Hearts\fr-FR\Hearts.exe.mui.tmp	5016f4c57a34fb9264e92e226b54d992769a7375abe7db767194741d65a4f062N.exe
File created	C:\Program Files\TestDeny.xml.tmp	5016f4c57a34fb9264e92e226b54d992769a7375abe7db767194741d65a4f062N.exe
File created	C:\Program Files\7-Zip\Lang\cy.txt.tmp	5016f4c57a34fb9264e92e226b54d992769a7375abe7db767194741d65a4f062N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\baseAltGr_rtl.xml.tmp	5016f4c57a34fb9264e92e226b54d992769a7375abe7db767194741d65a4f062N.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msadcor.dll.mui.tmp	5016f4c57a34fb9264e92e226b54d992769a7375abe7db767194741d65a4f062N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Belem.tmp	5016f4c57a34fb9264e92e226b54d992769a7375abe7db767194741d65a4f062N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423861240811.profile.gz.tmp	5016f4c57a34fb9264e92e226b54d992769a7375abe7db767194741d65a4f062N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-sampler.xml.tmp	5016f4c57a34fb9264e92e226b54d992769a7375abe7db767194741d65a4f062N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\playlist\twitch.luac.tmp	5016f4c57a34fb9264e92e226b54d992769a7375abe7db767194741d65a4f062N.exe
File created	C:\Program Files\7-Zip\Lang\ga.txt.tmp	5016f4c57a34fb9264e92e226b54d992769a7375abe7db767194741d65a4f062N.exe
File created	C:\Program Files\7-Zip\Lang\ku-ckb.txt.tmp	5016f4c57a34fb9264e92e226b54d992769a7375abe7db767194741d65a4f062N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\South_Georgia.tmp	5016f4c57a34fb9264e92e226b54d992769a7375abe7db767194741d65a4f062N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\feature.properties.tmp	5016f4c57a34fb9264e92e226b54d992769a7375abe7db767194741d65a4f062N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423861258748.profile.gz.tmp	5016f4c57a34fb9264e92e226b54d992769a7375abe7db767194741d65a4f062N.exe
File created	C:\Program Files\Java\jre7\README.txt.tmp	5016f4c57a34fb9264e92e226b54d992769a7375abe7db767194741d65a4f062N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\km\LC_MESSAGES\vlc.mo.tmp	5016f4c57a34fb9264e92e226b54d992769a7375abe7db767194741d65a4f062N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\my\LC_MESSAGES\vlc.mo.tmp	5016f4c57a34fb9264e92e226b54d992769a7375abe7db767194741d65a4f062N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe.tmp	5016f4c57a34fb9264e92e226b54d992769a7375abe7db767194741d65a4f062N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5016f4c57a34fb9264e92e226b54d992769a7375abe7db767194741d65a4f062N.exe

C:\Users\Admin\AppData\Local\Temp\5016f4c57a34fb9264e92e226b54d992769a7375abe7db767194741d65a4f062N.exe
"C:\Users\Admin\AppData\Local\Temp\5016f4c57a34fb9264e92e226b54d992769a7375abe7db767194741d65a4f062N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3290804112-2823094203-3137964600-1000\desktop.ini.tmp

Filesize
90KB

MD5
e5ac7adfb45849f8dd845e7d621da8b4

SHA1
56fef604f4c305a9796dccddb092a31a7e403c13

SHA256
d2785fce13b30855ffef1d25b52dff23dd03c480fdd10de74ef88601c5e90baf

SHA512
adb38edf4aec7a0165ce196aa403f3c66a3a64b729ed1b3f7409dba2402b2be679301e8cad6ef634ed970f4661ade23ce096c214c9eff29d9d43137c229b4a8b

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
99KB

MD5
1bc97860e0b7054c685621adc90bb3c2

SHA1
e76249e303d35c0b45a5bf5d0369b6255d6d0863

SHA256
708759a231b1ec0690bfb7d0ee680861f46225969184e882ee20fbfa656887db

SHA512
dca056e62ac2467c1c51df3325fdb338ee87fff00ac5daaaee88bea7658d2b10c9de6450cac6285ab79672ff894febb5ade1627ed8f5647fcc5e4faa5eac6d13

Download Submit