517f1b950793a81dfafc8d61107809c4227e9e6fb3e25ccde4925be1ff545908

Analysis

max time kernel
120s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09/10/2024, 21:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

517f1b950793a81dfafc8d61107809c4227e9e6fb3e25ccde4925be1ff545908N.exe
Size

66KB
MD5

8feaf9341313bc1808ab32f7e111e910
SHA1

3fcb28bc538a3ab1b773285ffbf15efac76561a4
SHA256

517f1b950793a81dfafc8d61107809c4227e9e6fb3e25ccde4925be1ff545908
SHA512

0b8dd3847364812c1951e69e641c42d7aaa6564c6e5ce6afcc4a0112e6abee1aa2ce72dab00ac5195cbc99b71cffefb7b60e7826b365f6786404a73f9827ff2f
SSDEEP

768:/7BlpQpARFbhvEXBwzEXBwLtAc7Fc7u595QUhUB:/7ZQpApHou595QUhUB

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (3205) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\ink\dicjp.dll.tmp	517f1b950793a81dfafc8d61107809c4227e9e6fb3e25ccde4925be1ff545908N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Cambridge_Bay.tmp	517f1b950793a81dfafc8d61107809c4227e9e6fb3e25ccde4925be1ff545908N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Nassau.tmp	517f1b950793a81dfafc8d61107809c4227e9e6fb3e25ccde4925be1ff545908N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.core_5.5.0.165303.jar.tmp	517f1b950793a81dfafc8d61107809c4227e9e6fb3e25ccde4925be1ff545908N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\triggerEvaluators.exsd.tmp	517f1b950793a81dfafc8d61107809c4227e9e6fb3e25ccde4925be1ff545908N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-snaptracer_ja.jar.tmp	517f1b950793a81dfafc8d61107809c4227e9e6fb3e25ccde4925be1ff545908N.exe
File created	C:\Program Files\Java\jre7\lib\currency.data.tmp	517f1b950793a81dfafc8d61107809c4227e9e6fb3e25ccde4925be1ff545908N.exe
File created	C:\Program Files\Microsoft Games\Hearts\Hearts.exe.tmp	517f1b950793a81dfafc8d61107809c4227e9e6fb3e25ccde4925be1ff545908N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\MST.tmp	517f1b950793a81dfafc8d61107809c4227e9e6fb3e25ccde4925be1ff545908N.exe
File created	C:\Program Files\VideoLAN\VLC\NEWS.txt.tmp	517f1b950793a81dfafc8d61107809c4227e9e6fb3e25ccde4925be1ff545908N.exe
File created	C:\Program Files\Common Files\System\Ole DB\en-US\oledb32r.dll.mui.tmp	517f1b950793a81dfafc8d61107809c4227e9e6fb3e25ccde4925be1ff545908N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Gambier.tmp	517f1b950793a81dfafc8d61107809c4227e9e6fb3e25ccde4925be1ff545908N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Guadalcanal.tmp	517f1b950793a81dfafc8d61107809c4227e9e6fb3e25ccde4925be1ff545908N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Costa_Rica.tmp	517f1b950793a81dfafc8d61107809c4227e9e6fb3e25ccde4925be1ff545908N.exe
File created	C:\Program Files\Microsoft Games\Hearts\de-DE\Hearts.exe.mui.tmp	517f1b950793a81dfafc8d61107809c4227e9e6fb3e25ccde4925be1ff545908N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jsound.dll.tmp	517f1b950793a81dfafc8d61107809c4227e9e6fb3e25ccde4925be1ff545908N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Scoresbysund.tmp	517f1b950793a81dfafc8d61107809c4227e9e6fb3e25ccde4925be1ff545908N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Kuching.tmp	517f1b950793a81dfafc8d61107809c4227e9e6fb3e25ccde4925be1ff545908N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core.xml.tmp	517f1b950793a81dfafc8d61107809c4227e9e6fb3e25ccde4925be1ff545908N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jvm_ja.jar.tmp	517f1b950793a81dfafc8d61107809c4227e9e6fb3e25ccde4925be1ff545908N.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\bckg.dll.tmp	517f1b950793a81dfafc8d61107809c4227e9e6fb3e25ccde4925be1ff545908N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\cy\LC_MESSAGES\vlc.mo.tmp	517f1b950793a81dfafc8d61107809c4227e9e6fb3e25ccde4925be1ff545908N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libfluidsynth_plugin.dll.tmp	517f1b950793a81dfafc8d61107809c4227e9e6fb3e25ccde4925be1ff545908N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\UIAutomationTypes.resources.dll.tmp	517f1b950793a81dfafc8d61107809c4227e9e6fb3e25ccde4925be1ff545908N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\playlist\dailymotion.luac.tmp	517f1b950793a81dfafc8d61107809c4227e9e6fb3e25ccde4925be1ff545908N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipsen.xml.tmp	517f1b950793a81dfafc8d61107809c4227e9e6fb3e25ccde4925be1ff545908N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-uisupport_zh_CN.jar.tmp	517f1b950793a81dfafc8d61107809c4227e9e6fb3e25ccde4925be1ff545908N.exe
File created	C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll.tmp	517f1b950793a81dfafc8d61107809c4227e9e6fb3e25ccde4925be1ff545908N.exe
File created	C:\Program Files\Mozilla Firefox\install.log.tmp	517f1b950793a81dfafc8d61107809c4227e9e6fb3e25ccde4925be1ff545908N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ef8c08_256x240.png.tmp	517f1b950793a81dfafc8d61107809c4227e9e6fb3e25ccde4925be1ff545908N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\liblibbluray_plugin.dll.tmp	517f1b950793a81dfafc8d61107809c4227e9e6fb3e25ccde4925be1ff545908N.exe
File created	C:\Program Files\DVD Maker\OmdProject.dll.tmp	517f1b950793a81dfafc8d61107809c4227e9e6fb3e25ccde4925be1ff545908N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Mazatlan.tmp	517f1b950793a81dfafc8d61107809c4227e9e6fb3e25ccde4925be1ff545908N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\ZoneInfoMappings.tmp	517f1b950793a81dfafc8d61107809c4227e9e6fb3e25ccde4925be1ff545908N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\FlickLearningWizard.exe.mui.tmp	517f1b950793a81dfafc8d61107809c4227e9e6fb3e25ccde4925be1ff545908N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-profiler.xml.tmp	517f1b950793a81dfafc8d61107809c4227e9e6fb3e25ccde4925be1ff545908N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Anadyr.tmp	517f1b950793a81dfafc8d61107809c4227e9e6fb3e25ccde4925be1ff545908N.exe
File created	C:\Program Files\7-Zip\Lang\mr.txt.tmp	517f1b950793a81dfafc8d61107809c4227e9e6fb3e25ccde4925be1ff545908N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\InkObj.dll.tmp	517f1b950793a81dfafc8d61107809c4227e9e6fb3e25ccde4925be1ff545908N.exe
File created	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe.tmp	517f1b950793a81dfafc8d61107809c4227e9e6fb3e25ccde4925be1ff545908N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-7.tmp	517f1b950793a81dfafc8d61107809c4227e9e6fb3e25ccde4925be1ff545908N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\InkDiv.dll.tmp	517f1b950793a81dfafc8d61107809c4227e9e6fb3e25ccde4925be1ff545908N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libcrystalhd_plugin.dll.tmp	517f1b950793a81dfafc8d61107809c4227e9e6fb3e25ccde4925be1ff545908N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Australia\Sydney.tmp	517f1b950793a81dfafc8d61107809c4227e9e6fb3e25ccde4925be1ff545908N.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\[email protected]	517f1b950793a81dfafc8d61107809c4227e9e6fb3e25ccde4925be1ff545908N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\TipRes.dll.mui.tmp	517f1b950793a81dfafc8d61107809c4227e9e6fb3e25ccde4925be1ff545908N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\index.gif.tmp	517f1b950793a81dfafc8d61107809c4227e9e6fb3e25ccde4925be1ff545908N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-editor-mimelookup-impl.jar.tmp	517f1b950793a81dfafc8d61107809c4227e9e6fb3e25ccde4925be1ff545908N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\Microsoft.Build.Conversion.v3.5.resources.dll.tmp	517f1b950793a81dfafc8d61107809c4227e9e6fb3e25ccde4925be1ff545908N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libaudio_format_plugin.dll.tmp	517f1b950793a81dfafc8d61107809c4227e9e6fb3e25ccde4925be1ff545908N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\InputPersonalization.exe.mui.tmp	517f1b950793a81dfafc8d61107809c4227e9e6fb3e25ccde4925be1ff545908N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\setNetworkClientCP.bat.tmp	517f1b950793a81dfafc8d61107809c4227e9e6fb3e25ccde4925be1ff545908N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-oql_zh_CN.jar.tmp	517f1b950793a81dfafc8d61107809c4227e9e6fb3e25ccde4925be1ff545908N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jmx.xml.tmp	517f1b950793a81dfafc8d61107809c4227e9e6fb3e25ccde4925be1ff545908N.exe
File created	C:\Program Files\Microsoft Games\Purble Place\PurblePlace.dll.tmp	517f1b950793a81dfafc8d61107809c4227e9e6fb3e25ccde4925be1ff545908N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Wake.tmp	517f1b950793a81dfafc8d61107809c4227e9e6fb3e25ccde4925be1ff545908N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.contenttype_3.4.200.v20140207-1251.jar.tmp	517f1b950793a81dfafc8d61107809c4227e9e6fb3e25ccde4925be1ff545908N.exe
File created	C:\Program Files\7-Zip\Lang\el.txt.tmp	517f1b950793a81dfafc8d61107809c4227e9e6fb3e25ccde4925be1ff545908N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-progress-ui.xml.tmp	517f1b950793a81dfafc8d61107809c4227e9e6fb3e25ccde4925be1ff545908N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-options_ja.jar.tmp	517f1b950793a81dfafc8d61107809c4227e9e6fb3e25ccde4925be1ff545908N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrespsh.dat.tmp	517f1b950793a81dfafc8d61107809c4227e9e6fb3e25ccde4925be1ff545908N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationUp_SelectionSubpicture.png.tmp	517f1b950793a81dfafc8d61107809c4227e9e6fb3e25ccde4925be1ff545908N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\huemainsubpicture2.png.tmp	517f1b950793a81dfafc8d61107809c4227e9e6fb3e25ccde4925be1ff545908N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_ja_JP.jar.tmp	517f1b950793a81dfafc8d61107809c4227e9e6fb3e25ccde4925be1ff545908N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	517f1b950793a81dfafc8d61107809c4227e9e6fb3e25ccde4925be1ff545908N.exe

C:\Users\Admin\AppData\Local\Temp\517f1b950793a81dfafc8d61107809c4227e9e6fb3e25ccde4925be1ff545908N.exe
"C:\Users\Admin\AppData\Local\Temp\517f1b950793a81dfafc8d61107809c4227e9e6fb3e25ccde4925be1ff545908N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1846800975-3917212583-2893086201-1000\desktop.ini.tmp

Filesize
67KB

MD5
d745c818891b134e07c1b656b6fa7bd5

SHA1
80f55e8793bfbab4275a73f8025243efa2087b20

SHA256
7760076042bd276427ee66751c9a65bdb001eb59186a893ea3e6d4d5eb265928

SHA512
b21f2cebe23e83615515bfd30d4fe80b87f742d48aef3df0107e4c08aacd233a38df3d2c07753dcaf074c7d107d3adc9086c2d12343ae31b2c30cd619459befd

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
75KB

MD5
c85d48c5de7725636d6c9b0739049b25

SHA1
60d2160785b3494bdf663c00ddb4f27b1f42ebae

SHA256
2e5c82d93fbb028c8d7c81d776da3a8c671a0488a07f0070c034c3b39d6ea0fc

SHA512
5abce5af6f59b70fb3971cf11e94873c795219b298c79c8151f7146d12b6e6ea64f48445049797eea1ed6590e980779dd1909e0d52a6d993837b6922e8791f58

Download Submit
memory/2400-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2400-70-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download