809880aa6edd40be77a8ae611909ccff2863b87150a4cdaecc090b8d458151f4

Analysis

max time kernel
120s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-09-2024 18:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

809880aa6edd40be77a8ae611909ccff2863b87150a4cdaecc090b8d458151f4N.exe
Size

41KB
MD5

016db14147446d1af9af987b91a47aa0
SHA1

528fed616d381c4d5ebe3168a384501d1932a14b
SHA256

809880aa6edd40be77a8ae611909ccff2863b87150a4cdaecc090b8d458151f4
SHA512

ec0be84865eb1cddf3e97665f822cbd6dfb3f7a9a3b0f3893090e4c3a4f4a9ee00d5539c547bfcc50091a1801a9d9e1a8d9c23224ce07cb40c845c1ba7cfa092
SSDEEP

384:GBt7Br5xjL7lAgA71Fbhvt3avjZjTc7QUlac7QUl92ns:W7Blp9pARFbhSjs2ns

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (3149) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\AST4.tmp	809880aa6edd40be77a8ae611909ccff2863b87150a4cdaecc090b8d458151f4N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7TSFrame.png.tmp	809880aa6edd40be77a8ae611909ccff2863b87150a4cdaecc090b8d458151f4N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Indiana\Tell_City.tmp	809880aa6edd40be77a8ae611909ccff2863b87150a4cdaecc090b8d458151f4N.exe
File created	C:\Program Files\7-Zip\Lang\be.txt.tmp	809880aa6edd40be77a8ae611909ccff2863b87150a4cdaecc090b8d458151f4N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\tipresx.dll.mui.tmp	809880aa6edd40be77a8ae611909ccff2863b87150a4cdaecc090b8d458151f4N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOMessageProvider.dll.tmp	809880aa6edd40be77a8ae611909ccff2863b87150a4cdaecc090b8d458151f4N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-ui_ja.jar.tmp	809880aa6edd40be77a8ae611909ccff2863b87150a4cdaecc090b8d458151f4N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Pitcairn.tmp	809880aa6edd40be77a8ae611909ccff2863b87150a4cdaecc090b8d458151f4N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench_1.2.1.v20140901-1244.jar.tmp	809880aa6edd40be77a8ae611909ccff2863b87150a4cdaecc090b8d458151f4N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.engine.nl_ja_4.4.0.v20140623020002.jar.tmp	809880aa6edd40be77a8ae611909ccff2863b87150a4cdaecc090b8d458151f4N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ml.pak.tmp	809880aa6edd40be77a8ae611909ccff2863b87150a4cdaecc090b8d458151f4N.exe
File created	C:\Program Files\Microsoft Games\Purble Place\es-ES\PurblePlace.exe.mui.tmp	809880aa6edd40be77a8ae611909ccff2863b87150a4cdaecc090b8d458151f4N.exe
File created	C:\Program Files\Mozilla Firefox\postSigningData.tmp	809880aa6edd40be77a8ae611909ccff2863b87150a4cdaecc090b8d458151f4N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\feature.xml.tmp	809880aa6edd40be77a8ae611909ccff2863b87150a4cdaecc090b8d458151f4N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\license.html.tmp	809880aa6edd40be77a8ae611909ccff2863b87150a4cdaecc090b8d458151f4N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.emf.ecore.xmi_2.10.1.v20140901-1043.jar.tmp	809880aa6edd40be77a8ae611909ccff2863b87150a4cdaecc090b8d458151f4N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\modules\common.luac.tmp	809880aa6edd40be77a8ae611909ccff2863b87150a4cdaecc090b8d458151f4N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\micaut.dll.mui.tmp	809880aa6edd40be77a8ae611909ccff2863b87150a4cdaecc090b8d458151f4N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\IPSEventLogMsg.dll.mui.tmp	809880aa6edd40be77a8ae611909ccff2863b87150a4cdaecc090b8d458151f4N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\photoedge_videoinset.png.tmp	809880aa6edd40be77a8ae611909ccff2863b87150a4cdaecc090b8d458151f4N.exe
File created	C:\Program Files\Microsoft Office\Office14\IEAWSDC.DLL.tmp	809880aa6edd40be77a8ae611909ccff2863b87150a4cdaecc090b8d458151f4N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\micaut.dll.mui.tmp	809880aa6edd40be77a8ae611909ccff2863b87150a4cdaecc090b8d458151f4N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe.tmp	809880aa6edd40be77a8ae611909ccff2863b87150a4cdaecc090b8d458151f4N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macGrey.png.tmp	809880aa6edd40be77a8ae611909ccff2863b87150a4cdaecc090b8d458151f4N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\core_ja.jar.tmp	809880aa6edd40be77a8ae611909ccff2863b87150a4cdaecc090b8d458151f4N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-windows_ja.jar.tmp	809880aa6edd40be77a8ae611909ccff2863b87150a4cdaecc090b8d458151f4N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-tools.xml.tmp	809880aa6edd40be77a8ae611909ccff2863b87150a4cdaecc090b8d458151f4N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Australia\Brisbane.tmp	809880aa6edd40be77a8ae611909ccff2863b87150a4cdaecc090b8d458151f4N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler_zh_CN.jar.tmp	809880aa6edd40be77a8ae611909ccff2863b87150a4cdaecc090b8d458151f4N.exe
File created	C:\Program Files\Java\jre7\bin\javafx-font.dll.tmp	809880aa6edd40be77a8ae611909ccff2863b87150a4cdaecc090b8d458151f4N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Apia.tmp	809880aa6edd40be77a8ae611909ccff2863b87150a4cdaecc090b8d458151f4N.exe
File created	C:\Program Files\Internet Explorer\JSProfilerCore.dll.tmp	809880aa6edd40be77a8ae611909ccff2863b87150a4cdaecc090b8d458151f4N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\New_Salem.tmp	809880aa6edd40be77a8ae611909ccff2863b87150a4cdaecc090b8d458151f4N.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-crt-runtime-l1-1-0.dll.tmp	809880aa6edd40be77a8ae611909ccff2863b87150a4cdaecc090b8d458151f4N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Colombo.tmp	809880aa6edd40be77a8ae611909ccff2863b87150a4cdaecc090b8d458151f4N.exe
File created	C:\Program Files\Microsoft Games\FreeCell\desktop.ini.tmp	809880aa6edd40be77a8ae611909ccff2863b87150a4cdaecc090b8d458151f4N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\oskmenubase.xml.tmp	809880aa6edd40be77a8ae611909ccff2863b87150a4cdaecc090b8d458151f4N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-spi-actions.xml.tmp	809880aa6edd40be77a8ae611909ccff2863b87150a4cdaecc090b8d458151f4N.exe
File created	C:\Program Files\Java\jre7\bin\j2pcsc.dll.tmp	809880aa6edd40be77a8ae611909ccff2863b87150a4cdaecc090b8d458151f4N.exe
File created	C:\Program Files\Mozilla Firefox\fonts\TwemojiMozilla.ttf.tmp	809880aa6edd40be77a8ae611909ccff2863b87150a4cdaecc090b8d458151f4N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\epl-v10.html.tmp	809880aa6edd40be77a8ae611909ccff2863b87150a4cdaecc090b8d458151f4N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\plugin.properties.tmp	809880aa6edd40be77a8ae611909ccff2863b87150a4cdaecc090b8d458151f4N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-execution.xml.tmp	809880aa6edd40be77a8ae611909ccff2863b87150a4cdaecc090b8d458151f4N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Amsterdam.tmp	809880aa6edd40be77a8ae611909ccff2863b87150a4cdaecc090b8d458151f4N.exe
File created	C:\Program Files\Mozilla Firefox\defaults\pref\autoconfig.js.tmp	809880aa6edd40be77a8ae611909ccff2863b87150a4cdaecc090b8d458151f4N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\en_GB\LC_MESSAGES\vlc.mo.tmp	809880aa6edd40be77a8ae611909ccff2863b87150a4cdaecc090b8d458151f4N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\zh_CN\LC_MESSAGES\vlc.mo.tmp	809880aa6edd40be77a8ae611909ccff2863b87150a4cdaecc090b8d458151f4N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipskor.xml.tmp	809880aa6edd40be77a8ae611909ccff2863b87150a4cdaecc090b8d458151f4N.exe
File created	C:\Program Files\Internet Explorer\sqmapi.dll.tmp	809880aa6edd40be77a8ae611909ccff2863b87150a4cdaecc090b8d458151f4N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT.tmp	809880aa6edd40be77a8ae611909ccff2863b87150a4cdaecc090b8d458151f4N.exe
File created	C:\Program Files\Common Files\System\msadc\msadcor.dll.tmp	809880aa6edd40be77a8ae611909ccff2863b87150a4cdaecc090b8d458151f4N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe.tmp	809880aa6edd40be77a8ae611909ccff2863b87150a4cdaecc090b8d458151f4N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\plugin.xml.tmp	809880aa6edd40be77a8ae611909ccff2863b87150a4cdaecc090b8d458151f4N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\.lastModified.tmp	809880aa6edd40be77a8ae611909ccff2863b87150a4cdaecc090b8d458151f4N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-lib-uihandler.xml.tmp	809880aa6edd40be77a8ae611909ccff2863b87150a4cdaecc090b8d458151f4N.exe
File created	C:\Program Files\Java\jre7\lib\jfr.jar.tmp	809880aa6edd40be77a8ae611909ccff2863b87150a4cdaecc090b8d458151f4N.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaireMCE.png.tmp	809880aa6edd40be77a8ae611909ccff2863b87150a4cdaecc090b8d458151f4N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\VSTOLoaderUI.dll.tmp	809880aa6edd40be77a8ae611909ccff2863b87150a4cdaecc090b8d458151f4N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationRight_SelectionSubpicture.png.tmp	809880aa6edd40be77a8ae611909ccff2863b87150a4cdaecc090b8d458151f4N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationLeft_ButtonGraphic.png.tmp	809880aa6edd40be77a8ae611909ccff2863b87150a4cdaecc090b8d458151f4N.exe
File created	C:\Program Files\Mozilla Firefox\mozavcodec.dll.tmp	809880aa6edd40be77a8ae611909ccff2863b87150a4cdaecc090b8d458151f4N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\FrameworkList.xml.tmp	809880aa6edd40be77a8ae611909ccff2863b87150a4cdaecc090b8d458151f4N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\Center.tmp	809880aa6edd40be77a8ae611909ccff2863b87150a4cdaecc090b8d458151f4N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\mobile.html.tmp	809880aa6edd40be77a8ae611909ccff2863b87150a4cdaecc090b8d458151f4N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	809880aa6edd40be77a8ae611909ccff2863b87150a4cdaecc090b8d458151f4N.exe

C:\Users\Admin\AppData\Local\Temp\809880aa6edd40be77a8ae611909ccff2863b87150a4cdaecc090b8d458151f4N.exe
"C:\Users\Admin\AppData\Local\Temp\809880aa6edd40be77a8ae611909ccff2863b87150a4cdaecc090b8d458151f4N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-312935884-697965778-3955649944-1000\desktop.ini.tmp

Filesize
41KB

MD5
c69ebb7693b2a5e18f7719de87c0f000

SHA1
04d5cfec804dbcc9de6b6e00b9e263019b60e080

SHA256
6e1de33584dfa434fe7386fc75596fa67ecf269e87452ea1d9dc16f2a7fe4007

SHA512
301f8618faac5eeae2962d7029e2f538289ed988b6629e1760a601e6fbdcced9f3f85959679f5dc26c9a7c847069e1044e292b34820c09cc3c3652244ef163a9

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
50KB

MD5
a4aeaa400f16a4c96e5a2416e6508088

SHA1
3cece39c5b794b9f06ad00e5b245819af86eace5

SHA256
c736a9ca202c0d9e0a20c3f899ad3158a967f44ed75f5d7e3366c6425e43b0d7

SHA512
3def088976d341c9536443f85d933c3b0f7ec7b6c2960f84bde783801869e66f86baef47c6d5c34999663adcc308f9829b271969cb985778154e26c0bf218c88

Download Submit