363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18b

Analysis

max time kernel
120s
max time network
117s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-09-2024 06:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
Size

111KB
MD5

9c60ff6882b0263603d507d9b144e6d0
SHA1

2159f48c3c654e82f6ff38bb846af7ff21a082ad
SHA256

363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18b
SHA512

3a2cf04fc897528f2a331cb5c73719bf701276af8516a1302227000aff43a9ea41f16fe4e31fa88076c15b6caf71227204becebd44ab828c240edfaf9fd51451
SSDEEP

1536:W7ZDpApYbWjIlE77ufL2e+efZwZQ/8S/80PqPIUpCUpiPIgaYgaQ:6DWpwE7oL2e+efZwZ08i8R9Y9Q

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (2850) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Cape_Verde.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler.xml.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\Java\jre7\bin\jdwp.dll.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-crt-math-l1-1-0.dll.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome.exe.sig.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.repository_2.3.0.v20131211-1531.jar.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\Java\jre7\lib\fontconfig.bfc.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\MST.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\Common Files\System\msadc\msadds.dll.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\vignettemask25.png.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\JdbcOdbc.dll.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_150.png.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwritash.dat.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Pohnpei.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Fiji.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\id.pak.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\SmallLogoDev.png.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\Java\jre7\lib\zi\Atlantic\Stanley.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\London.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Management.Instrumentation.Resources.dll.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\tipskins.dll.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\lt.pak.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\MANIFEST.MF.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-application.xml.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipskor.xml.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Mendoza.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\Java\jre7\lib\classlist.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad.xml.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrenclm.dat.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\Mozilla Firefox\private_browsing.exe.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Graph.emf.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\release.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Jakarta.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\VideoLAN\VLC\axvlc.dll.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-utilities.xml.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Magadan.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\Java\jre7\bin\t2k.dll.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\7-Zip\Lang\ps.txt.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Athens.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.bindings.nl_zh_4.4.0.v20140623020002.jar.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.views.nl_ja_4.4.0.v20140623020002.jar.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.views_3.7.0.v20140408-0703.jar.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\Java\jre7\bin\jsoundds.dll.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\Java\jre7\lib\zi\Antarctica\DumontDUrville.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\sv.pak.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\it-IT\bckgRes.dll.mui.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\[email protected]	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\Internet Explorer\perf_nt.dll.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-core-multiview.jar.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.el_2.2.0.v201303151357.jar.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\epl-v10.html.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\7-Zip\readme.txt.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\Internet Explorer\jsdebuggeride.dll.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Riyadh.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-sampler.xml.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\7-Zip\Lang\mr.txt.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationRight_SelectionSubpicture.png.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Nassau.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\micaut.dll.mui.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-progress-ui.jar.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\fil.pak.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Azores.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe

C:\Users\Admin\AppData\Local\Temp\363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
"C:\Users\Admin\AppData\Local\Temp\363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3533259084-2542256011-65585152-1000\desktop.ini.tmp

Filesize
112KB

MD5
b063310c52036123dcb5556bb1b60802

SHA1
b5076f8b5388ea6ffb04e5153717cb9490b44f0f

SHA256
7c1601927ab7ac2f24b9f0d6a6da66eb92a98ccfac9271ff451087c5b1ad4e84

SHA512
70b8d8eca81a8f4c2c6b4d123a2121d81cbfc0dde3300d64f8b39b95cf9173d958c868c981c281c76f8540d5752a87eed15b2336c29c83884d5d13869a3675c0

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
120KB

MD5
362028022442a92d83c37e4c3bea2950

SHA1
eb958ba96432c5fcd8e520110511821bc2a63bf2

SHA256
51cea4d8615d177351f1178c569d687ae67644ff8320cbc5b4f30b56311991b7

SHA512
793fffa22b82e2ef2dd031b007c35a7b8087b3e7f6b56af5dfa9dfb5283ddbcc7a583ea13e8d5fe0c81b7a003a0116e21265f0b6247f207e8e93ea5446d64118

Download Submit