79e004808609579c0c0143f3f614fec37dcaf71a6c8ad41dcfa73c5047b77976

Analysis

max time kernel
120s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02-10-2024 13:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

79e004808609579c0c0143f3f614fec37dcaf71a6c8ad41dcfa73c5047b77976N.exe
Size

39KB
MD5

9f3e06180fd6ae1fb88a17b6d3be6a30
SHA1

c3250317a7a3c5d0dd40f5bf3029cb205b9b84a8
SHA256

79e004808609579c0c0143f3f614fec37dcaf71a6c8ad41dcfa73c5047b77976
SHA512

33d8dbe2dccd23f46a44bb008bf5332af56f9c672819309b97719685dfc93c87323610e4bdbe704fd0e13114cc339503500b48065a03b4c7e81a3f9ae0a8ec24
SSDEEP

192:pACU3DIY0Br5xjL/EAgAQmP1oynLb22vB7m/FJHo7m/FJHA9jxjc8P8dzNNlNN+3:yBs7Br5xjL8AgA71Fbhv/F1UXNHNWV

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (3393) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\Lang\ko.txt.tmp	79e004808609579c0c0143f3f614fec37dcaf71a6c8ad41dcfa73c5047b77976N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\fa.pak.tmp	79e004808609579c0c0143f3f614fec37dcaf71a6c8ad41dcfa73c5047b77976N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423861258748.profile.gz.tmp	79e004808609579c0c0143f3f614fec37dcaf71a6c8ad41dcfa73c5047b77976N.exe
File created	C:\Program Files\Java\jre7\bin\javacpl.exe.tmp	79e004808609579c0c0143f3f614fec37dcaf71a6c8ad41dcfa73c5047b77976N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\tipresx.dll.mui.tmp	79e004808609579c0c0143f3f614fec37dcaf71a6c8ad41dcfa73c5047b77976N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin.equinox.nl_zh_4.4.0.v20140623020002.jar.tmp	79e004808609579c0c0143f3f614fec37dcaf71a6c8ad41dcfa73c5047b77976N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-swing-outline.jar.tmp	79e004808609579c0c0143f3f614fec37dcaf71a6c8ad41dcfa73c5047b77976N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyScenesBackground_PAL.wmv.tmp	79e004808609579c0c0143f3f614fec37dcaf71a6c8ad41dcfa73c5047b77976N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\Bear_Formatted_MATTE2_PAL.wmv.tmp	79e004808609579c0c0143f3f614fec37dcaf71a6c8ad41dcfa73c5047b77976N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\whitevignette1047.png.tmp	79e004808609579c0c0143f3f614fec37dcaf71a6c8ad41dcfa73c5047b77976N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\button-bullet.png.tmp	79e004808609579c0c0143f3f614fec37dcaf71a6c8ad41dcfa73c5047b77976N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jaas_nt.dll.tmp	79e004808609579c0c0143f3f614fec37dcaf71a6c8ad41dcfa73c5047b77976N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Faroe.tmp	79e004808609579c0c0143f3f614fec37dcaf71a6c8ad41dcfa73c5047b77976N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-modules-print.xml_hidden.tmp	79e004808609579c0c0143f3f614fec37dcaf71a6c8ad41dcfa73c5047b77976N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Tanspecks.jpg.tmp	79e004808609579c0c0143f3f614fec37dcaf71a6c8ad41dcfa73c5047b77976N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Edmonton.tmp	79e004808609579c0c0143f3f614fec37dcaf71a6c8ad41dcfa73c5047b77976N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Mahe.tmp	79e004808609579c0c0143f3f614fec37dcaf71a6c8ad41dcfa73c5047b77976N.exe
File created	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\clearkey.dll.tmp	79e004808609579c0c0143f3f614fec37dcaf71a6c8ad41dcfa73c5047b77976N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Eucla.tmp	79e004808609579c0c0143f3f614fec37dcaf71a6c8ad41dcfa73c5047b77976N.exe
File created	C:\Program Files\Java\jre7\bin\jdwp.dll.tmp	79e004808609579c0c0143f3f614fec37dcaf71a6c8ad41dcfa73c5047b77976N.exe
File created	C:\Program Files\Java\jre7\lib\zi\SystemV\YST9.tmp	79e004808609579c0c0143f3f614fec37dcaf71a6c8ad41dcfa73c5047b77976N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Adak.tmp	79e004808609579c0c0143f3f614fec37dcaf71a6c8ad41dcfa73c5047b77976N.exe
File created	C:\Program Files\Java\jre7\COPYRIGHT.tmp	79e004808609579c0c0143f3f614fec37dcaf71a6c8ad41dcfa73c5047b77976N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\mux\libmux_dummy_plugin.dll.tmp	79e004808609579c0c0143f3f614fec37dcaf71a6c8ad41dcfa73c5047b77976N.exe
File created	C:\Program Files\AddLock.shtml.tmp	79e004808609579c0c0143f3f614fec37dcaf71a6c8ad41dcfa73c5047b77976N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\btn-previous-static.png.tmp	79e004808609579c0c0143f3f614fec37dcaf71a6c8ad41dcfa73c5047b77976N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe.tmp	79e004808609579c0c0143f3f614fec37dcaf71a6c8ad41dcfa73c5047b77976N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\feature.properties.tmp	79e004808609579c0c0143f3f614fec37dcaf71a6c8ad41dcfa73c5047b77976N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jetty.security_8.1.14.v20131031.jar.tmp	79e004808609579c0c0143f3f614fec37dcaf71a6c8ad41dcfa73c5047b77976N.exe
File created	C:\Program Files\Mozilla Firefox\mozavcodec.dll.tmp	79e004808609579c0c0143f3f614fec37dcaf71a6c8ad41dcfa73c5047b77976N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Data.Services.resources.dll.tmp	79e004808609579c0c0143f3f614fec37dcaf71a6c8ad41dcfa73c5047b77976N.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msadcor.dll.mui.tmp	79e004808609579c0c0143f3f614fec37dcaf71a6c8ad41dcfa73c5047b77976N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-api_ja.jar.tmp	79e004808609579c0c0143f3f614fec37dcaf71a6c8ad41dcfa73c5047b77976N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-uisupport_zh_CN.jar.tmp	79e004808609579c0c0143f3f614fec37dcaf71a6c8ad41dcfa73c5047b77976N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Data.DataSetExtensions.Resources.dll.tmp	79e004808609579c0c0143f3f614fec37dcaf71a6c8ad41dcfa73c5047b77976N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libball_plugin.dll.tmp	79e004808609579c0c0143f3f614fec37dcaf71a6c8ad41dcfa73c5047b77976N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Orange Circles.htm.tmp	79e004808609579c0c0143f3f614fec37dcaf71a6c8ad41dcfa73c5047b77976N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-heapwalker_ja.jar.tmp	79e004808609579c0c0143f3f614fec37dcaf71a6c8ad41dcfa73c5047b77976N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-threaddump_zh_CN.jar.tmp	79e004808609579c0c0143f3f614fec37dcaf71a6c8ad41dcfa73c5047b77976N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VSTO\vstoee.dll.tmp	79e004808609579c0c0143f3f614fec37dcaf71a6c8ad41dcfa73c5047b77976N.exe
File created	C:\Program Files\Common Files\System\ado\msador15.dll.tmp	79e004808609579c0c0143f3f614fec37dcaf71a6c8ad41dcfa73c5047b77976N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Tirane.tmp	79e004808609579c0c0143f3f614fec37dcaf71a6c8ad41dcfa73c5047b77976N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.service.exsd.tmp	79e004808609579c0c0143f3f614fec37dcaf71a6c8ad41dcfa73c5047b77976N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Tarawa.tmp	79e004808609579c0c0143f3f614fec37dcaf71a6c8ad41dcfa73c5047b77976N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jdwp.dll.tmp	79e004808609579c0c0143f3f614fec37dcaf71a6c8ad41dcfa73c5047b77976N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\prodicon.gif.tmp	79e004808609579c0c0143f3f614fec37dcaf71a6c8ad41dcfa73c5047b77976N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.filesystem_1.4.100.v20140514-1614.jar.tmp	79e004808609579c0c0143f3f614fec37dcaf71a6c8ad41dcfa73c5047b77976N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_trans_matte.wmv.tmp	79e004808609579c0c0143f3f614fec37dcaf71a6c8ad41dcfa73c5047b77976N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench_1.2.1.v20140901-1244.jar.tmp	79e004808609579c0c0143f3f614fec37dcaf71a6c8ad41dcfa73c5047b77976N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.app_1.0.300.v20140228-1829.jar.tmp	79e004808609579c0c0143f3f614fec37dcaf71a6c8ad41dcfa73c5047b77976N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-awt_zh_CN.jar.tmp	79e004808609579c0c0143f3f614fec37dcaf71a6c8ad41dcfa73c5047b77976N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Net.Resources.dll.tmp	79e004808609579c0c0143f3f614fec37dcaf71a6c8ad41dcfa73c5047b77976N.exe
File created	C:\Program Files\7-Zip\Lang\tk.txt.tmp	79e004808609579c0c0143f3f614fec37dcaf71a6c8ad41dcfa73c5047b77976N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Graph.emf.tmp	79e004808609579c0c0143f3f614fec37dcaf71a6c8ad41dcfa73c5047b77976N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_it.jar.tmp	79e004808609579c0c0143f3f614fec37dcaf71a6c8ad41dcfa73c5047b77976N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\FrameworkList.xml.tmp	79e004808609579c0c0143f3f614fec37dcaf71a6c8ad41dcfa73c5047b77976N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata.repository.nl_ja_4.4.0.v20140623020002.jar.tmp	79e004808609579c0c0143f3f614fec37dcaf71a6c8ad41dcfa73c5047b77976N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-masterfs-nio2.xml.tmp	79e004808609579c0c0143f3f614fec37dcaf71a6c8ad41dcfa73c5047b77976N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Maceio.tmp	79e004808609579c0c0143f3f614fec37dcaf71a6c8ad41dcfa73c5047b77976N.exe
File created	C:\Program Files\Common Files\System\msadc\fr-FR\msadcfr.dll.mui.tmp	79e004808609579c0c0143f3f614fec37dcaf71a6c8ad41dcfa73c5047b77976N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.swt.win32.win32.x86_64_3.103.1.v20140903-1947.jar.tmp	79e004808609579c0c0143f3f614fec37dcaf71a6c8ad41dcfa73c5047b77976N.exe
File created	C:\Program Files\Java\jre7\bin\glib-lite.dll.tmp	79e004808609579c0c0143f3f614fec37dcaf71a6c8ad41dcfa73c5047b77976N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Rainy_River.tmp	79e004808609579c0c0143f3f614fec37dcaf71a6c8ad41dcfa73c5047b77976N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Data.DataSetExtensions.Resources.dll.tmp	79e004808609579c0c0143f3f614fec37dcaf71a6c8ad41dcfa73c5047b77976N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	79e004808609579c0c0143f3f614fec37dcaf71a6c8ad41dcfa73c5047b77976N.exe

C:\Users\Admin\AppData\Local\Temp\79e004808609579c0c0143f3f614fec37dcaf71a6c8ad41dcfa73c5047b77976N.exe
"C:\Users\Admin\AppData\Local\Temp\79e004808609579c0c0143f3f614fec37dcaf71a6c8ad41dcfa73c5047b77976N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-312935884-697965778-3955649944-1000\desktop.ini.tmp

Filesize
39KB

MD5
662275d803d33e5d06e788c5da7c82de

SHA1
0fbc0ac3c4bca9996f5afbc4b417471e4f06038a

SHA256
f2b937a35d473bebff4f28decace56769b479733e6e72ce848d7bef65ecfe6c4

SHA512
1c7c36aa0ec671452cbd0dd7515974e79a488fe2daa86541022e69f5389a691c994f8b40131592884f5018e4fc501b0cc6e26bb4e20f545e8bbbb086ee051619

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
48KB

MD5
6c50a13d84adb09cbc4c48c6f9e17c92

SHA1
7b48c1a6759c2e5b188b4d8c360ca5c32c89443b

SHA256
12cb094c709bec7dadae9732a92979202d94b999fb689b9239004ae32f5ddbb9

SHA512
f0315f2f584f1d94e05043a37b105dc2f216ec848a1c54c5821f64537c81e2046b29101c4ea9312a71403d932c06c26ea5bffeb7111c337beaf791c71525e066

Download Submit
memory/2404-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2404-72-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download