a61447199a6f49f33fb24ab2534bba0c299ae5b625476b277543d27e554772f9

Analysis

max time kernel
119s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21/09/2024, 15:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a61447199a6f49f33fb24ab2534bba0c299ae5b625476b277543d27e554772f9N.exe
Size

49KB
MD5

dcbd6a4b43e3e8b9be7055b413e91550
SHA1

9734857178585d23385ecc0f54b095eea61c11b0
SHA256

a61447199a6f49f33fb24ab2534bba0c299ae5b625476b277543d27e554772f9
SHA512

efd1affaff89b0553cdcfb3cafd134a7a670fc21663b5932d23c962fa2bdd377e4ccfee2fe48ef7e13320e30a8591251e17a1bdbb22340b0d80b62f900a8fb7a
SSDEEP

768:W7BlpppARFbhjbhg42LcfpR42LcfproFNFjqAJLOqAJLBbfCDTbfCDNXM:W7ZppApBULcfpHLcfpyDkbfGTbfGNXM

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (3255) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipscht.xml.tmp	a61447199a6f49f33fb24ab2534bba0c299ae5b625476b277543d27e554772f9N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\feature.xml.tmp	a61447199a6f49f33fb24ab2534bba0c299ae5b625476b277543d27e554772f9N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.ds_1.4.200.v20131126-2331.jar.tmp	a61447199a6f49f33fb24ab2534bba0c299ae5b625476b277543d27e554772f9N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-javahelp.xml.tmp	a61447199a6f49f33fb24ab2534bba0c299ae5b625476b277543d27e554772f9N.exe
File created	C:\Program Files\Microsoft Office\Office14\MAPISHELL.DLL.tmp	a61447199a6f49f33fb24ab2534bba0c299ae5b625476b277543d27e554772f9N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrcatsh.dat.tmp	a61447199a6f49f33fb24ab2534bba0c299ae5b625476b277543d27e554772f9N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kcms.dll.tmp	a61447199a6f49f33fb24ab2534bba0c299ae5b625476b277543d27e554772f9N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\license.html.tmp	a61447199a6f49f33fb24ab2534bba0c299ae5b625476b277543d27e554772f9N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator_1.1.0.v20131217-1203.jar.tmp	a61447199a6f49f33fb24ab2534bba0c299ae5b625476b277543d27e554772f9N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\gtkTSFrame.png.tmp	a61447199a6f49f33fb24ab2534bba0c299ae5b625476b277543d27e554772f9N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hu\LC_MESSAGES\vlc.mo.tmp	a61447199a6f49f33fb24ab2534bba0c299ae5b625476b277543d27e554772f9N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\tipresx.dll.mui.tmp	a61447199a6f49f33fb24ab2534bba0c299ae5b625476b277543d27e554772f9N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host_ja.jar.tmp	a61447199a6f49f33fb24ab2534bba0c299ae5b625476b277543d27e554772f9N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-modules-appui_ja.jar.tmp	a61447199a6f49f33fb24ab2534bba0c299ae5b625476b277543d27e554772f9N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\Microsoft.Build.Utilities.v3.5.resources.dll.tmp	a61447199a6f49f33fb24ab2534bba0c299ae5b625476b277543d27e554772f9N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationUp_ButtonGraphic.png.tmp	a61447199a6f49f33fb24ab2534bba0c299ae5b625476b277543d27e554772f9N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\sysinfo.bat.tmp	a61447199a6f49f33fb24ab2534bba0c299ae5b625476b277543d27e554772f9N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.databinding.nl_zh_4.4.0.v20140623020002.jar.tmp	a61447199a6f49f33fb24ab2534bba0c299ae5b625476b277543d27e554772f9N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Africa\Algiers.tmp	a61447199a6f49f33fb24ab2534bba0c299ae5b625476b277543d27e554772f9N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\oskpredbase.xml.tmp	a61447199a6f49f33fb24ab2534bba0c299ae5b625476b277543d27e554772f9N.exe
File created	C:\Program Files\Internet Explorer\ie9props.propdesc.tmp	a61447199a6f49f33fb24ab2534bba0c299ae5b625476b277543d27e554772f9N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.core.nl_zh_4.4.0.v20140623020002.jar.tmp	a61447199a6f49f33fb24ab2534bba0c299ae5b625476b277543d27e554772f9N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-sampler.xml.tmp	a61447199a6f49f33fb24ab2534bba0c299ae5b625476b277543d27e554772f9N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Data.Linq.Resources.dll.tmp	a61447199a6f49f33fb24ab2534bba0c299ae5b625476b277543d27e554772f9N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\PreviousMenuButtonIcon.png.tmp	a61447199a6f49f33fb24ab2534bba0c299ae5b625476b277543d27e554772f9N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc\visualvm.conf.tmp	a61447199a6f49f33fb24ab2534bba0c299ae5b625476b277543d27e554772f9N.exe
File created	C:\Program Files\Java\jre7\bin\kinit.exe.tmp	a61447199a6f49f33fb24ab2534bba0c299ae5b625476b277543d27e554772f9N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Australia\Darwin.tmp	a61447199a6f49f33fb24ab2534bba0c299ae5b625476b277543d27e554772f9N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Hermosillo.tmp	a61447199a6f49f33fb24ab2534bba0c299ae5b625476b277543d27e554772f9N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Reunion.tmp	a61447199a6f49f33fb24ab2534bba0c299ae5b625476b277543d27e554772f9N.exe
File created	C:\Program Files\Java\jre7\lib\deploy\messages_zh_CN.properties.tmp	a61447199a6f49f33fb24ab2534bba0c299ae5b625476b277543d27e554772f9N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\vlc.mo.tmp	a61447199a6f49f33fb24ab2534bba0c299ae5b625476b277543d27e554772f9N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\meta\reader\filename.luac.tmp	a61447199a6f49f33fb24ab2534bba0c299ae5b625476b277543d27e554772f9N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libdca_plugin.dll.tmp	a61447199a6f49f33fb24ab2534bba0c299ae5b625476b277543d27e554772f9N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\dnsns.jar.tmp	a61447199a6f49f33fb24ab2534bba0c299ae5b625476b277543d27e554772f9N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification.ja_5.5.0.165303.jar.tmp	a61447199a6f49f33fb24ab2534bba0c299ae5b625476b277543d27e554772f9N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.emf.ecore_2.10.1.v20140901-1043.jar.tmp	a61447199a6f49f33fb24ab2534bba0c299ae5b625476b277543d27e554772f9N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-text.xml.tmp	a61447199a6f49f33fb24ab2534bba0c299ae5b625476b277543d27e554772f9N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Entity.Design.dll.tmp	a61447199a6f49f33fb24ab2534bba0c299ae5b625476b277543d27e554772f9N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\menu_style_default_Thumbnail.png.tmp	a61447199a6f49f33fb24ab2534bba0c299ae5b625476b277543d27e554772f9N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jfxwebkit.dll.tmp	a61447199a6f49f33fb24ab2534bba0c299ae5b625476b277543d27e554772f9N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-api-caching_zh_CN.jar.tmp	a61447199a6f49f33fb24ab2534bba0c299ae5b625476b277543d27e554772f9N.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-crt-environment-l1-1-0.dll.tmp	a61447199a6f49f33fb24ab2534bba0c299ae5b625476b277543d27e554772f9N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Los_Angeles.tmp	a61447199a6f49f33fb24ab2534bba0c299ae5b625476b277543d27e554772f9N.exe
File created	C:\Program Files\Java\jre7\bin\java.dll.tmp	a61447199a6f49f33fb24ab2534bba0c299ae5b625476b277543d27e554772f9N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\Microsoft.Build.Engine.resources.dll.tmp	a61447199a6f49f33fb24ab2534bba0c299ae5b625476b277543d27e554772f9N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.ComponentModel.DataAnnotations.dll.tmp	a61447199a6f49f33fb24ab2534bba0c299ae5b625476b277543d27e554772f9N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Extensions.Design.dll.tmp	a61447199a6f49f33fb24ab2534bba0c299ae5b625476b277543d27e554772f9N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\libdshow_plugin.dll.tmp	a61447199a6f49f33fb24ab2534bba0c299ae5b625476b277543d27e554772f9N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Rio_Branco.tmp	a61447199a6f49f33fb24ab2534bba0c299ae5b625476b277543d27e554772f9N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.manipulator.nl_ja_4.4.0.v20140623020002.jar.tmp	a61447199a6f49f33fb24ab2534bba0c299ae5b625476b277543d27e554772f9N.exe
File created	C:\Program Files\Java\jre7\lib\zi\EET.tmp	a61447199a6f49f33fb24ab2534bba0c299ae5b625476b277543d27e554772f9N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Data.Services.Design.resources.dll.tmp	a61447199a6f49f33fb24ab2534bba0c299ae5b625476b277543d27e554772f9N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Antarctica\Davis.tmp	a61447199a6f49f33fb24ab2534bba0c299ae5b625476b277543d27e554772f9N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Chatham.tmp	a61447199a6f49f33fb24ab2534bba0c299ae5b625476b277543d27e554772f9N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\InkObj.dll.mui.tmp	a61447199a6f49f33fb24ab2534bba0c299ae5b625476b277543d27e554772f9N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\FlickAnimation.avi.tmp	a61447199a6f49f33fb24ab2534bba0c299ae5b625476b277543d27e554772f9N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Nairobi.tmp	a61447199a6f49f33fb24ab2534bba0c299ae5b625476b277543d27e554772f9N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.batik.util.gui_1.7.0.v200903091627.jar.tmp	a61447199a6f49f33fb24ab2534bba0c299ae5b625476b277543d27e554772f9N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.security.win32.x86_64_1.0.100.v20130327-1442.jar.tmp	a61447199a6f49f33fb24ab2534bba0c299ae5b625476b277543d27e554772f9N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\System.Printing.resources.dll.tmp	a61447199a6f49f33fb24ab2534bba0c299ae5b625476b277543d27e554772f9N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Net.Resources.dll.tmp	a61447199a6f49f33fb24ab2534bba0c299ae5b625476b277543d27e554772f9N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\whitevignette1047.png.tmp	a61447199a6f49f33fb24ab2534bba0c299ae5b625476b277543d27e554772f9N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_es.properties.tmp	a61447199a6f49f33fb24ab2534bba0c299ae5b625476b277543d27e554772f9N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a61447199a6f49f33fb24ab2534bba0c299ae5b625476b277543d27e554772f9N.exe

C:\Users\Admin\AppData\Local\Temp\a61447199a6f49f33fb24ab2534bba0c299ae5b625476b277543d27e554772f9N.exe
"C:\Users\Admin\AppData\Local\Temp\a61447199a6f49f33fb24ab2534bba0c299ae5b625476b277543d27e554772f9N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-312935884-697965778-3955649944-1000\desktop.ini.tmp

Filesize
49KB

MD5
2996b8a66e8db6f95610c93c0150d429

SHA1
76451370336b36a0f01c62643263445b2f060016

SHA256
387490058f1f98271ba67055deb309744bba0daff1417874e593ff0de6992c14

SHA512
b545de3161fe4ba9f28293eed2ad9882a524cdbdb9104d4641c2b0968acdf48e5158da5d2c5acdc9afe53b510e80d8b93bee1bc3be542944959b4d410fd848a2

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
58KB

MD5
1c19a54d7ad6db6903e13e4596d6f655

SHA1
9dac3a2c3eb192fc6d2dbc924d5587d8f4615ad1

SHA256
c10a6cd465815f5d6358b4f76f84a645a5fca130c614795ca036c69ac3f8dbd4

SHA512
51a3d73ab019f000f046d58196379733de74b6fa3c3a828848f736c406d6991dc918f56ea8cb545a02f6a7d759e22766fcfad964b731174b924e1a247562c060

Download Submit