169e3e1461f58408044b5f7bc91bcb0ead42921af088f5525f2e252e16875984

Analysis

max time kernel
150s
max time network
125s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21/09/2024, 22:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

169e3e1461f58408044b5f7bc91bcb0ead42921af088f5525f2e252e16875984N.exe
Size

44KB
MD5

d0a18230b15a41e71312ae2e2cce74e0
SHA1

c70305d70a54f44da14ee5b95e5617c1155d0bad
SHA256

169e3e1461f58408044b5f7bc91bcb0ead42921af088f5525f2e252e16875984
SHA512

0943bed59f8f58c6dbb49bf9044824e140a599858cc3e2f768c59a57b0987f4fee1539486fb4f4950577794efce002e96bf7eed28c4cfc73d5d7b762c347a788
SSDEEP

384:yBs7Br5xjL8AgA71Fbhv/F1Ue8FnpfaKaxGnpfaKaxNmP9Pb:/7BlpQpARFbhzUe8HaKa4aKaKP9Pb

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (3771) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\feature.properties.tmp	169e3e1461f58408044b5f7bc91bcb0ead42921af088f5525f2e252e16875984N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libgme_plugin.dll.tmp	169e3e1461f58408044b5f7bc91bcb0ead42921af088f5525f2e252e16875984N.exe
File created	C:\Program Files\Windows NT\TableTextService\TableTextServiceArray.txt.tmp	169e3e1461f58408044b5f7bc91bcb0ead42921af088f5525f2e252e16875984N.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\icon.png.tmp	169e3e1461f58408044b5f7bc91bcb0ead42921af088f5525f2e252e16875984N.exe
File created	C:\Program Files\7-Zip\Lang\ro.txt.tmp	169e3e1461f58408044b5f7bc91bcb0ead42921af088f5525f2e252e16875984N.exe
File created	C:\Program Files\Internet Explorer\en-US\iedvtool.dll.mui.tmp	169e3e1461f58408044b5f7bc91bcb0ead42921af088f5525f2e252e16875984N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\about.html.tmp	169e3e1461f58408044b5f7bc91bcb0ead42921af088f5525f2e252e16875984N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-windows.jar.tmp	169e3e1461f58408044b5f7bc91bcb0ead42921af088f5525f2e252e16875984N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\librawvideo_plugin.dll.tmp	169e3e1461f58408044b5f7bc91bcb0ead42921af088f5525f2e252e16875984N.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\back.png.tmp	169e3e1461f58408044b5f7bc91bcb0ead42921af088f5525f2e252e16875984N.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waning-crescent.png.tmp	169e3e1461f58408044b5f7bc91bcb0ead42921af088f5525f2e252e16875984N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\travel.png.tmp	169e3e1461f58408044b5f7bc91bcb0ead42921af088f5525f2e252e16875984N.exe
File created	C:\Program Files\7-Zip\License.txt.tmp	169e3e1461f58408044b5f7bc91bcb0ead42921af088f5525f2e252e16875984N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers.xml.tmp	169e3e1461f58408044b5f7bc91bcb0ead42921af088f5525f2e252e16875984N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipsen.xml.tmp	169e3e1461f58408044b5f7bc91bcb0ead42921af088f5525f2e252e16875984N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\tipresx.dll.mui.tmp	169e3e1461f58408044b5f7bc91bcb0ead42921af088f5525f2e252e16875984N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe.tmp	169e3e1461f58408044b5f7bc91bcb0ead42921af088f5525f2e252e16875984N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa.tmp	169e3e1461f58408044b5f7bc91bcb0ead42921af088f5525f2e252e16875984N.exe
File created	C:\Program Files\Java\jre7\lib\deploy\messages_ko.properties.tmp	169e3e1461f58408044b5f7bc91bcb0ead42921af088f5525f2e252e16875984N.exe
File created	C:\Program Files\7-Zip\Lang\uz.txt.tmp	169e3e1461f58408044b5f7bc91bcb0ead42921af088f5525f2e252e16875984N.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\[email protected]	169e3e1461f58408044b5f7bc91bcb0ead42921af088f5525f2e252e16875984N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libgaussianblur_plugin.dll.tmp	169e3e1461f58408044b5f7bc91bcb0ead42921af088f5525f2e252e16875984N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Lima.tmp	169e3e1461f58408044b5f7bc91bcb0ead42921af088f5525f2e252e16875984N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.batik.css_1.7.0.v201011041433.jar.tmp	169e3e1461f58408044b5f7bc91bcb0ead42921af088f5525f2e252e16875984N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libtwolame_plugin.dll.tmp	169e3e1461f58408044b5f7bc91bcb0ead42921af088f5525f2e252e16875984N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libhds_plugin.dll.tmp	169e3e1461f58408044b5f7bc91bcb0ead42921af088f5525f2e252e16875984N.exe
File created	C:\Program Files\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui.tmp	169e3e1461f58408044b5f7bc91bcb0ead42921af088f5525f2e252e16875984N.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\library.js.tmp	169e3e1461f58408044b5f7bc91bcb0ead42921af088f5525f2e252e16875984N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\LICENSE.tmp	169e3e1461f58408044b5f7bc91bcb0ead42921af088f5525f2e252e16875984N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Aqtobe.tmp	169e3e1461f58408044b5f7bc91bcb0ead42921af088f5525f2e252e16875984N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_it.jar.tmp	169e3e1461f58408044b5f7bc91bcb0ead42921af088f5525f2e252e16875984N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Pangnirtung.tmp	169e3e1461f58408044b5f7bc91bcb0ead42921af088f5525f2e252e16875984N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-sa_ja.jar.tmp	169e3e1461f58408044b5f7bc91bcb0ead42921af088f5525f2e252e16875984N.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\combo-hover-middle.png.tmp	169e3e1461f58408044b5f7bc91bcb0ead42921af088f5525f2e252e16875984N.exe
File created	C:\Program Files\Common Files\System\msadc\msdaprst.dll.tmp	169e3e1461f58408044b5f7bc91bcb0ead42921af088f5525f2e252e16875984N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\about.html.tmp	169e3e1461f58408044b5f7bc91bcb0ead42921af088f5525f2e252e16875984N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.docs.zh_CN_5.5.0.165303.jar.tmp	169e3e1461f58408044b5f7bc91bcb0ead42921af088f5525f2e252e16875984N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-actions.xml.tmp	169e3e1461f58408044b5f7bc91bcb0ead42921af088f5525f2e252e16875984N.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\next_down.png.tmp	169e3e1461f58408044b5f7bc91bcb0ead42921af088f5525f2e252e16875984N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\babypink.png.tmp	169e3e1461f58408044b5f7bc91bcb0ead42921af088f5525f2e252e16875984N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-coredump.jar.tmp	169e3e1461f58408044b5f7bc91bcb0ead42921af088f5525f2e252e16875984N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\misc\libaddonsfsstorage_plugin.dll.tmp	169e3e1461f58408044b5f7bc91bcb0ead42921af088f5525f2e252e16875984N.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1258.TXT.tmp	169e3e1461f58408044b5f7bc91bcb0ead42921af088f5525f2e252e16875984N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_de_DE.jar.tmp	169e3e1461f58408044b5f7bc91bcb0ead42921af088f5525f2e252e16875984N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\stopNetworkServer.tmp	169e3e1461f58408044b5f7bc91bcb0ead42921af088f5525f2e252e16875984N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Choibalsan.tmp	169e3e1461f58408044b5f7bc91bcb0ead42921af088f5525f2e252e16875984N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.security_1.2.0.v20130424-1801.jar.tmp	169e3e1461f58408044b5f7bc91bcb0ead42921af088f5525f2e252e16875984N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core.xml.tmp	169e3e1461f58408044b5f7bc91bcb0ead42921af088f5525f2e252e16875984N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Indiana\Vincennes.tmp	169e3e1461f58408044b5f7bc91bcb0ead42921af088f5525f2e252e16875984N.exe
File created	C:\Program Files\Windows Media Player\it-IT\wmpnssui.dll.mui.tmp	169e3e1461f58408044b5f7bc91bcb0ead42921af088f5525f2e252e16875984N.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\library.js.tmp	169e3e1461f58408044b5f7bc91bcb0ead42921af088f5525f2e252e16875984N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\specialmainsubpicture.png.tmp	169e3e1461f58408044b5f7bc91bcb0ead42921af088f5525f2e252e16875984N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\ECLIPSE_.SF.tmp	169e3e1461f58408044b5f7bc91bcb0ead42921af088f5525f2e252e16875984N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\tools.jar.tmp	169e3e1461f58408044b5f7bc91bcb0ead42921af088f5525f2e252e16875984N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\org-netbeans-core_visualvm.jar.tmp	169e3e1461f58408044b5f7bc91bcb0ead42921af088f5525f2e252e16875984N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Danmarkshavn.tmp	169e3e1461f58408044b5f7bc91bcb0ead42921af088f5525f2e252e16875984N.exe
File created	C:\Program Files\Windows Media Player\fr-FR\setup_wm.exe.mui.tmp	169e3e1461f58408044b5f7bc91bcb0ead42921af088f5525f2e252e16875984N.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\Words.pdf.tmp	169e3e1461f58408044b5f7bc91bcb0ead42921af088f5525f2e252e16875984N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\feature.xml.tmp	169e3e1461f58408044b5f7bc91bcb0ead42921af088f5525f2e252e16875984N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ms.pak.tmp	169e3e1461f58408044b5f7bc91bcb0ead42921af088f5525f2e252e16875984N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-javahelp_ja.jar.tmp	169e3e1461f58408044b5f7bc91bcb0ead42921af088f5525f2e252e16875984N.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\js\settings.js.tmp	169e3e1461f58408044b5f7bc91bcb0ead42921af088f5525f2e252e16875984N.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\RSSFeeds.html.tmp	169e3e1461f58408044b5f7bc91bcb0ead42921af088f5525f2e252e16875984N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml.tmp	169e3e1461f58408044b5f7bc91bcb0ead42921af088f5525f2e252e16875984N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	169e3e1461f58408044b5f7bc91bcb0ead42921af088f5525f2e252e16875984N.exe

C:\Users\Admin\AppData\Local\Temp\169e3e1461f58408044b5f7bc91bcb0ead42921af088f5525f2e252e16875984N.exe
"C:\Users\Admin\AppData\Local\Temp\169e3e1461f58408044b5f7bc91bcb0ead42921af088f5525f2e252e16875984N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1846800975-3917212583-2893086201-1000\desktop.ini.tmp

Filesize
45KB

MD5
a48c15c4b6de51dc61cd11926cd627e6

SHA1
d13154dee4a3cdb2f2530a8978da47ba2c3c0708

SHA256
91c0cd3cb69b7f9fa4a6a7ee6aa16b587842140942e4000c5572af5f1b0458be

SHA512
0cf2a5bd3f69bceab8422c319bad2ac7887bb35f47236bbb3243dc74f40ab5bb6f433a0af7f60dfa04f2bbdd4d9794ef166acfc7af5b0ec95593ee2135f27d1e

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
54KB

MD5
3a1827508dc14212e4538c5edd4edb35

SHA1
380d92c9a1b57fdf83587e598b13f377c829c37c

SHA256
6a9825799a3b77be38a1651152f723715ac1e3dd18ba998b573b6be3f2420051

SHA512
5330bc2517a3c5d400076dc9dce6fc0d7461ed7001b4bfa98c1187f754255e54fe4afcc4eccec5ee88c51febd5bc0247ce0ade327d4ef93a694807af5430f1ed

Download Submit
memory/2180-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2180-74-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download