98add37e825658e3cc2185b85cbfba9be46d63b47b0b850063ae93c03e2f6979

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/09/2024, 03:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

98add37e825658e3cc2185b85cbfba9be46d63b47b0b850063ae93c03e2f6979N.exe
Size

36KB
MD5

54435baf6a71490816c4a440750ad070
SHA1

868ae9edd65ef75347a0009616fd46d7d3d46b86
SHA256

98add37e825658e3cc2185b85cbfba9be46d63b47b0b850063ae93c03e2f6979
SHA512

1f0aac5b9caa0b6a20ab83866a05ee8caf4ce1a1b3d0062869740043b3fbe29ddf0596b937de77bf42ce1c82485a6f2a9aed847a8e78918a38398600b76a72f5
SSDEEP

768:W7BlpppARFbhjbhg42LcfpR42LcfpKJ2pqpW:W7ZppApBULcfpHLcfpKewW

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (3737) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\14.png.tmp	98add37e825658e3cc2185b85cbfba9be46d63b47b0b850063ae93c03e2f6979N.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\setup.ini.tmp	98add37e825658e3cc2185b85cbfba9be46d63b47b0b850063ae93c03e2f6979N.exe
File created	C:\Program Files\7-Zip\descript.ion.tmp	98add37e825658e3cc2185b85cbfba9be46d63b47b0b850063ae93c03e2f6979N.exe
File created	C:\Program Files\7-Zip\Lang\lij.txt.tmp	98add37e825658e3cc2185b85cbfba9be46d63b47b0b850063ae93c03e2f6979N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.text.nl_zh_4.4.0.v20140623020002.jar.tmp	98add37e825658e3cc2185b85cbfba9be46d63b47b0b850063ae93c03e2f6979N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libddummy_plugin.dll.tmp	98add37e825658e3cc2185b85cbfba9be46d63b47b0b850063ae93c03e2f6979N.exe
File created	C:\Program Files\Windows Journal\jnwdui.dll.tmp	98add37e825658e3cc2185b85cbfba9be46d63b47b0b850063ae93c03e2f6979N.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\gadget.xml.tmp	98add37e825658e3cc2185b85cbfba9be46d63b47b0b850063ae93c03e2f6979N.exe
File created	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\digest.s.tmp	98add37e825658e3cc2185b85cbfba9be46d63b47b0b850063ae93c03e2f6979N.exe
File created	C:\Program Files\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui.tmp	98add37e825658e3cc2185b85cbfba9be46d63b47b0b850063ae93c03e2f6979N.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\timer_up.png.tmp	98add37e825658e3cc2185b85cbfba9be46d63b47b0b850063ae93c03e2f6979N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrdeulm.dat.tmp	98add37e825658e3cc2185b85cbfba9be46d63b47b0b850063ae93c03e2f6979N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationLeft_SelectionSubpicture.png.tmp	98add37e825658e3cc2185b85cbfba9be46d63b47b0b850063ae93c03e2f6979N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Resolute.tmp	98add37e825658e3cc2185b85cbfba9be46d63b47b0b850063ae93c03e2f6979N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\about.html.tmp	98add37e825658e3cc2185b85cbfba9be46d63b47b0b850063ae93c03e2f6979N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libdvbsub_plugin.dll.tmp	98add37e825658e3cc2185b85cbfba9be46d63b47b0b850063ae93c03e2f6979N.exe
File created	C:\Program Files\Windows Journal\de-DE\NBMapTIP.dll.mui.tmp	98add37e825658e3cc2185b85cbfba9be46d63b47b0b850063ae93c03e2f6979N.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\settings.html.tmp	98add37e825658e3cc2185b85cbfba9be46d63b47b0b850063ae93c03e2f6979N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\webbase.xml.tmp	98add37e825658e3cc2185b85cbfba9be46d63b47b0b850063ae93c03e2f6979N.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\BHOINTL.DLL.tmp	98add37e825658e3cc2185b85cbfba9be46d63b47b0b850063ae93c03e2f6979N.exe
File created	C:\Program Files\Mozilla Firefox\browser\VisualElements\PrivateBrowsing_150.png.tmp	98add37e825658e3cc2185b85cbfba9be46d63b47b0b850063ae93c03e2f6979N.exe
File created	C:\Program Files\Mozilla Firefox\postSigningData.tmp	98add37e825658e3cc2185b85cbfba9be46d63b47b0b850063ae93c03e2f6979N.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\BIBUtils.dll.tmp	98add37e825658e3cc2185b85cbfba9be46d63b47b0b850063ae93c03e2f6979N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbytools.jar.tmp	98add37e825658e3cc2185b85cbfba9be46d63b47b0b850063ae93c03e2f6979N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\MANIFEST.MF.tmp	98add37e825658e3cc2185b85cbfba9be46d63b47b0b850063ae93c03e2f6979N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\requests\vlm_cmd.xml.tmp	98add37e825658e3cc2185b85cbfba9be46d63b47b0b850063ae93c03e2f6979N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libedummy_plugin.dll.tmp	98add37e825658e3cc2185b85cbfba9be46d63b47b0b850063ae93c03e2f6979N.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\highDpiImageSwap.js.tmp	98add37e825658e3cc2185b85cbfba9be46d63b47b0b850063ae93c03e2f6979N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Port-au-Prince.tmp	98add37e825658e3cc2185b85cbfba9be46d63b47b0b850063ae93c03e2f6979N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+6.tmp	98add37e825658e3cc2185b85cbfba9be46d63b47b0b850063ae93c03e2f6979N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\jfluid-server.jar.tmp	98add37e825658e3cc2185b85cbfba9be46d63b47b0b850063ae93c03e2f6979N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler_zh_CN.jar.tmp	98add37e825658e3cc2185b85cbfba9be46d63b47b0b850063ae93c03e2f6979N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_imem_plugin.dll.tmp	98add37e825658e3cc2185b85cbfba9be46d63b47b0b850063ae93c03e2f6979N.exe
File created	C:\Program Files\Windows Media Player\de-DE\WMPSideShowGadget.exe.mui.tmp	98add37e825658e3cc2185b85cbfba9be46d63b47b0b850063ae93c03e2f6979N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Bahia.tmp	98add37e825658e3cc2185b85cbfba9be46d63b47b0b850063ae93c03e2f6979N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-keyring-fallback.xml.tmp	98add37e825658e3cc2185b85cbfba9be46d63b47b0b850063ae93c03e2f6979N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-attach.xml.tmp	98add37e825658e3cc2185b85cbfba9be46d63b47b0b850063ae93c03e2f6979N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libmkv_plugin.dll.tmp	98add37e825658e3cc2185b85cbfba9be46d63b47b0b850063ae93c03e2f6979N.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\gadget.xml.tmp	98add37e825658e3cc2185b85cbfba9be46d63b47b0b850063ae93c03e2f6979N.exe
File created	C:\Program Files\Windows Journal\ja-JP\NBMapTIP.dll.mui.tmp	98add37e825658e3cc2185b85cbfba9be46d63b47b0b850063ae93c03e2f6979N.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\js\cpu.js.tmp	98add37e825658e3cc2185b85cbfba9be46d63b47b0b850063ae93c03e2f6979N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe.tmp	98add37e825658e3cc2185b85cbfba9be46d63b47b0b850063ae93c03e2f6979N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javafx-iio.dll.tmp	98add37e825658e3cc2185b85cbfba9be46d63b47b0b850063ae93c03e2f6979N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-uihandler.jar.tmp	98add37e825658e3cc2185b85cbfba9be46d63b47b0b850063ae93c03e2f6979N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-spi-actions.xml.tmp	98add37e825658e3cc2185b85cbfba9be46d63b47b0b850063ae93c03e2f6979N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Oslo.tmp	98add37e825658e3cc2185b85cbfba9be46d63b47b0b850063ae93c03e2f6979N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\liblpcm_plugin.dll.tmp	98add37e825658e3cc2185b85cbfba9be46d63b47b0b850063ae93c03e2f6979N.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInAcrobat.gif.tmp	98add37e825658e3cc2185b85cbfba9be46d63b47b0b850063ae93c03e2f6979N.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe.tmp	98add37e825658e3cc2185b85cbfba9be46d63b47b0b850063ae93c03e2f6979N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\InkWatson.exe.mui.tmp	98add37e825658e3cc2185b85cbfba9be46d63b47b0b850063ae93c03e2f6979N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Indian\Maldives.tmp	98add37e825658e3cc2185b85cbfba9be46d63b47b0b850063ae93c03e2f6979N.exe
File created	C:\Program Files\Windows Photo Viewer\PhotoBase.dll.tmp	98add37e825658e3cc2185b85cbfba9be46d63b47b0b850063ae93c03e2f6979N.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bPrev-hot.png.tmp	98add37e825658e3cc2185b85cbfba9be46d63b47b0b850063ae93c03e2f6979N.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_super.gif.tmp	98add37e825658e3cc2185b85cbfba9be46d63b47b0b850063ae93c03e2f6979N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred.xml.tmp	98add37e825658e3cc2185b85cbfba9be46d63b47b0b850063ae93c03e2f6979N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\SmallLogoBeta.png.tmp	98add37e825658e3cc2185b85cbfba9be46d63b47b0b850063ae93c03e2f6979N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbynet.jar.tmp	98add37e825658e3cc2185b85cbfba9be46d63b47b0b850063ae93c03e2f6979N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_rtp_plugin.dll.tmp	98add37e825658e3cc2185b85cbfba9be46d63b47b0b850063ae93c03e2f6979N.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\pause_hov.png.tmp	98add37e825658e3cc2185b85cbfba9be46d63b47b0b850063ae93c03e2f6979N.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_search_down_BIDI.png.tmp	98add37e825658e3cc2185b85cbfba9be46d63b47b0b850063ae93c03e2f6979N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libanaglyph_plugin.dll.tmp	98add37e825658e3cc2185b85cbfba9be46d63b47b0b850063ae93c03e2f6979N.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\css\calendar.css.tmp	98add37e825658e3cc2185b85cbfba9be46d63b47b0b850063ae93c03e2f6979N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jfxwebkit.dll.tmp	98add37e825658e3cc2185b85cbfba9be46d63b47b0b850063ae93c03e2f6979N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\COPYRIGHT.tmp	98add37e825658e3cc2185b85cbfba9be46d63b47b0b850063ae93c03e2f6979N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	98add37e825658e3cc2185b85cbfba9be46d63b47b0b850063ae93c03e2f6979N.exe

C:\Users\Admin\AppData\Local\Temp\98add37e825658e3cc2185b85cbfba9be46d63b47b0b850063ae93c03e2f6979N.exe
"C:\Users\Admin\AppData\Local\Temp\98add37e825658e3cc2185b85cbfba9be46d63b47b0b850063ae93c03e2f6979N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1846800975-3917212583-2893086201-1000\desktop.ini.tmp

Filesize
37KB

MD5
240b47b2c77be4f888b030e74290e930

SHA1
22162ad6d667ab20939b9b604c7a05edbb5c553b

SHA256
9564996a6b0d7984c223663a2a0c8ed0b2d9f00f8e99d4ae4a8cfe9ed3e25f76

SHA512
b1392a807c0cc22e7006687b5ef51afc0406df170e75a51a2d5e7312eca6f6cd5932e435823655c57eb994a94b7f510f156719bcc7caa3195cf363caf21623d2

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
45KB

MD5
0b7c1bb8fccf2fefac26f86f31aa30a3

SHA1
f52fede10a0bcc941abb8bac8ca9de9ca0243f53

SHA256
fb9d4eac6483696ddcd4c50c8fc2bf1c6bbbe20b9679e0beaca3c389630532be

SHA512
8e93527856e828f3ef2418bb1c0b4076d7390148b68f6cfcdbe08e5f21db084444afaf6aa4333a1359ba897859e227a95793d0b35657c9991f2bd89a021fc8c4

Download Submit