effb138198caf4b497d1d1f03607a7d70e924ccd1b5af624edc3e0f64e1f53a8

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/09/2024, 03:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

effb138198caf4b497d1d1f03607a7d70e924ccd1b5af624edc3e0f64e1f53a8.exe
Size

46KB
MD5

7a59f9a3072570d556e65159acc13e99
SHA1

15ef337e01a68aed7881f33d91d4a41b14390185
SHA256

effb138198caf4b497d1d1f03607a7d70e924ccd1b5af624edc3e0f64e1f53a8
SHA512

1ca010570d028023b3dd5501d983ee214808b67c5c01b9ea01b8907951503c09087c91ecbd0895cae1dc1f8511772f060af9431d1d22ed50879836b1606c530c
SSDEEP

384:GBt7Br5xjL9AgA71FbhvuNBN10wpAp/lvolGClvolGwTCus7sczBtRrhBn8xzP+z:W7BlpppARFbhbt7Y7wTCnBbrBTrB1

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4062) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\cursors.properties.tmp	effb138198caf4b497d1d1f03607a7d70e924ccd1b5af624edc3e0f64e1f53a8.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libmotiondetect_plugin.dll.tmp	effb138198caf4b497d1d1f03607a7d70e924ccd1b5af624edc3e0f64e1f53a8.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\css\calendar.css.tmp	effb138198caf4b497d1d1f03607a7d70e924ccd1b5af624edc3e0f64e1f53a8.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\gadget.xml.tmp	effb138198caf4b497d1d1f03607a7d70e924ccd1b5af624edc3e0f64e1f53a8.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOLoader.dll.tmp	effb138198caf4b497d1d1f03607a7d70e924ccd1b5af624edc3e0f64e1f53a8.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\library.js.tmp	effb138198caf4b497d1d1f03607a7d70e924ccd1b5af624edc3e0f64e1f53a8.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_windy.png.tmp	effb138198caf4b497d1d1f03607a7d70e924ccd1b5af624edc3e0f64e1f53a8.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\pkeyconfig.companion.dll.tmp	effb138198caf4b497d1d1f03607a7d70e924ccd1b5af624edc3e0f64e1f53a8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\license.html.tmp	effb138198caf4b497d1d1f03607a7d70e924ccd1b5af624edc3e0f64e1f53a8.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipsjpn.xml.tmp	effb138198caf4b497d1d1f03607a7d70e924ccd1b5af624edc3e0f64e1f53a8.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationRight_ButtonGraphic.png.tmp	effb138198caf4b497d1d1f03607a7d70e924ccd1b5af624edc3e0f64e1f53a8.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\NextMenuButtonIcon.png.tmp	effb138198caf4b497d1d1f03607a7d70e924ccd1b5af624edc3e0f64e1f53a8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Dili.tmp	effb138198caf4b497d1d1f03607a7d70e924ccd1b5af624edc3e0f64e1f53a8.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\images\vlc16x16.png.tmp	effb138198caf4b497d1d1f03607a7d70e924ccd1b5af624edc3e0f64e1f53a8.exe
File created	C:\Program Files\VideoLAN\VLC\lua\sd\jamendo.luac.tmp	effb138198caf4b497d1d1f03607a7d70e924ccd1b5af624edc3e0f64e1f53a8.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.jpg.tmp	effb138198caf4b497d1d1f03607a7d70e924ccd1b5af624edc3e0f64e1f53a8.exe
File created	C:\Program Files\Java\jre7\bin\servertool.exe.tmp	effb138198caf4b497d1d1f03607a7d70e924ccd1b5af624edc3e0f64e1f53a8.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_top.png.tmp	effb138198caf4b497d1d1f03607a7d70e924ccd1b5af624edc3e0f64e1f53a8.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\FDFFile_8.ico.tmp	effb138198caf4b497d1d1f03607a7d70e924ccd1b5af624edc3e0f64e1f53a8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Edmonton.tmp	effb138198caf4b497d1d1f03607a7d70e924ccd1b5af624edc3e0f64e1f53a8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-editor-mimelookup-impl.jar.tmp	effb138198caf4b497d1d1f03607a7d70e924ccd1b5af624edc3e0f64e1f53a8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.ini.tmp	effb138198caf4b497d1d1f03607a7d70e924ccd1b5af624edc3e0f64e1f53a8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe.tmp	effb138198caf4b497d1d1f03607a7d70e924ccd1b5af624edc3e0f64e1f53a8.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access_output\libaccess_output_http_plugin.dll.tmp	effb138198caf4b497d1d1f03607a7d70e924ccd1b5af624edc3e0f64e1f53a8.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\js\init.js.tmp	effb138198caf4b497d1d1f03607a7d70e924ccd1b5af624edc3e0f64e1f53a8.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_browser.gif.tmp	effb138198caf4b497d1d1f03607a7d70e924ccd1b5af624edc3e0f64e1f53a8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.base.nl_zh_4.4.0.v20140623020002.jar.tmp	effb138198caf4b497d1d1f03607a7d70e924ccd1b5af624edc3e0f64e1f53a8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-annotations-common.xml.tmp	effb138198caf4b497d1d1f03607a7d70e924ccd1b5af624edc3e0f64e1f53a8.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libadjust_plugin.dll.tmp	effb138198caf4b497d1d1f03607a7d70e924ccd1b5af624edc3e0f64e1f53a8.exe
File created	C:\Program Files\Windows Photo Viewer\es-ES\ImagingDevices.exe.mui.tmp	effb138198caf4b497d1d1f03607a7d70e924ccd1b5af624edc3e0f64e1f53a8.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STUDIO\PREVIEW.GIF.tmp	effb138198caf4b497d1d1f03607a7d70e924ccd1b5af624edc3e0f64e1f53a8.exe
File created	C:\Program Files\Java\jre7\lib\fonts\LucidaSansRegular.ttf.tmp	effb138198caf4b497d1d1f03607a7d70e924ccd1b5af624edc3e0f64e1f53a8.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Stockholm.tmp	effb138198caf4b497d1d1f03607a7d70e924ccd1b5af624edc3e0f64e1f53a8.exe
File created	C:\Program Files\Java\jre7\lib\zi\Indian\Mauritius.tmp	effb138198caf4b497d1d1f03607a7d70e924ccd1b5af624edc3e0f64e1f53a8.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\delete_over.png.tmp	effb138198caf4b497d1d1f03607a7d70e924ccd1b5af624edc3e0f64e1f53a8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.swt.nl_ja_4.4.0.v20140623020002.jar.tmp	effb138198caf4b497d1d1f03607a7d70e924ccd1b5af624edc3e0f64e1f53a8.exe
File created	C:\Program Files\Microsoft Games\Mahjong\ja-JP\Mahjong.exe.mui.tmp	effb138198caf4b497d1d1f03607a7d70e924ccd1b5af624edc3e0f64e1f53a8.exe
File created	C:\Program Files\Mozilla Firefox\libEGL.dll.tmp	effb138198caf4b497d1d1f03607a7d70e924ccd1b5af624edc3e0f64e1f53a8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Halifax.tmp	effb138198caf4b497d1d1f03607a7d70e924ccd1b5af624edc3e0f64e1f53a8.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libsamplerate_plugin.dll.tmp	effb138198caf4b497d1d1f03607a7d70e924ccd1b5af624edc3e0f64e1f53a8.exe
File created	C:\Program Files\Windows Journal\fr-FR\Journal.exe.mui.tmp	effb138198caf4b497d1d1f03607a7d70e924ccd1b5af624edc3e0f64e1f53a8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata.nl_zh_4.4.0.v20140623020002.jar.tmp	effb138198caf4b497d1d1f03607a7d70e924ccd1b5af624edc3e0f64e1f53a8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-multitabs_zh_CN.jar.tmp	effb138198caf4b497d1d1f03607a7d70e924ccd1b5af624edc3e0f64e1f53a8.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\5.png.tmp	effb138198caf4b497d1d1f03607a7d70e924ccd1b5af624edc3e0f64e1f53a8.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSSOAP30.DLL.tmp	effb138198caf4b497d1d1f03607a7d70e924ccd1b5af624edc3e0f64e1f53a8.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationRight_SelectionSubpicture.png.tmp	effb138198caf4b497d1d1f03607a7d70e924ccd1b5af624edc3e0f64e1f53a8.exe
File created	C:\Program Files\RedoCopy.aif.tmp	effb138198caf4b497d1d1f03607a7d70e924ccd1b5af624edc3e0f64e1f53a8.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\System.Speech.resources.dll.tmp	effb138198caf4b497d1d1f03607a7d70e924ccd1b5af624edc3e0f64e1f53a8.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\16_9-frame-background.png.tmp	effb138198caf4b497d1d1f03607a7d70e924ccd1b5af624edc3e0f64e1f53a8.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\activity16v.png.tmp	effb138198caf4b497d1d1f03607a7d70e924ccd1b5af624edc3e0f64e1f53a8.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\requests\vlm_cmd.xml.tmp	effb138198caf4b497d1d1f03607a7d70e924ccd1b5af624edc3e0f64e1f53a8.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proofing.en-us\SETUP.XML.tmp	effb138198caf4b497d1d1f03607a7d70e924ccd1b5af624edc3e0f64e1f53a8.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LEVEL\PREVIEW.GIF.tmp	effb138198caf4b497d1d1f03607a7d70e924ccd1b5af624edc3e0f64e1f53a8.exe
File created	C:\Program Files\Java\jre7\bin\jabswitch.exe.tmp	effb138198caf4b497d1d1f03607a7d70e924ccd1b5af624edc3e0f64e1f53a8.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\js\cpu.js.tmp	effb138198caf4b497d1d1f03607a7d70e924ccd1b5af624edc3e0f64e1f53a8.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.sig.tmp	effb138198caf4b497d1d1f03607a7d70e924ccd1b5af624edc3e0f64e1f53a8.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\br.gif.tmp	effb138198caf4b497d1d1f03607a7d70e924ccd1b5af624edc3e0f64e1f53a8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Atikokan.tmp	effb138198caf4b497d1d1f03607a7d70e924ccd1b5af624edc3e0f64e1f53a8.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SUMIPNTG\PREVIEW.GIF.tmp	effb138198caf4b497d1d1f03607a7d70e924ccd1b5af624edc3e0f64e1f53a8.exe
File created	C:\Program Files\Java\jre7\bin\jsdt.dll.tmp	effb138198caf4b497d1d1f03607a7d70e924ccd1b5af624edc3e0f64e1f53a8.exe
File created	C:\Program Files\7-Zip\Lang\sr-spc.txt.tmp	effb138198caf4b497d1d1f03607a7d70e924ccd1b5af624edc3e0f64e1f53a8.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\1047x576_91n92.png.tmp	effb138198caf4b497d1d1f03607a7d70e924ccd1b5af624edc3e0f64e1f53a8.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Lima.tmp	effb138198caf4b497d1d1f03607a7d70e924ccd1b5af624edc3e0f64e1f53a8.exe
File created	C:\Program Files\Windows Media Player\de-DE\setup_wm.exe.mui.tmp	effb138198caf4b497d1d1f03607a7d70e924ccd1b5af624edc3e0f64e1f53a8.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	effb138198caf4b497d1d1f03607a7d70e924ccd1b5af624edc3e0f64e1f53a8.exe

C:\Users\Admin\AppData\Local\Temp\effb138198caf4b497d1d1f03607a7d70e924ccd1b5af624edc3e0f64e1f53a8.exe
"C:\Users\Admin\AppData\Local\Temp\effb138198caf4b497d1d1f03607a7d70e924ccd1b5af624edc3e0f64e1f53a8.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1488793075-819845221-1497111674-1000\desktop.ini.tmp

Filesize
46KB

MD5
965a21499973fed7e9520f52346a8bc7

SHA1
6801ced31d886feec4f5fb30a6b57076b04d2e76

SHA256
e3a75ad2d8ecc47a8447bd40cbf9324a4160455ac3f692fac14b0ca58d22f47e

SHA512
51cac53b3090192abbc62814250d228f00079d22242ec76920cb300b90cdc912bde458f9b324b58345c6e71016a78546fbdb3c170a194010f7eb63815586fe67

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
55KB

MD5
6f9f567821a92ddf8d3fa57f74157d29

SHA1
0a29a0666fdbbee31430f4b7ba2b5304d3361908

SHA256
ae24f3535779af67e105b2944c38c9c942a553955dc7b9c52c00baba7fa5949d

SHA512
e7fe59ae234313fcb38952ea22c9fadd076c3ef60335b41941f5f9861b48df9bf0b3db23849259287c224415c848e68310d3b1c3e7f993928592b9582a9729fd

Download Submit