70cfc84dd493a1af9e726dbe1e0a5c7c7d36434a7305e3fc85f717314dba99ad

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
13/10/2024, 23:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

70cfc84dd493a1af9e726dbe1e0a5c7c7d36434a7305e3fc85f717314dba99ad.exe
Size

88KB
MD5

866c0b874be65b3872974a90aae609ed
SHA1

a39c8505bec3ad8e017f8866085129855288857b
SHA256

70cfc84dd493a1af9e726dbe1e0a5c7c7d36434a7305e3fc85f717314dba99ad
SHA512

1fe25187dd3370ab7b9c2441de19c34b71e54feec1d30add396c1573aa293af01fc86d362fa5537696988718ec0c981936d34d8e35fa28266d01cc40c4777561
SSDEEP

1536:W7ZhA7dAZ1++PJHJXA/OsIZfzc3/Q8asUsJOLKc/xJtLJtTGLtEreRRNRRUQY:6e76mQSohsUsUKDtEreRrR+QY

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (3499) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.core.nl_ja_4.4.0.v20140623020002.jar.tmp	70cfc84dd493a1af9e726dbe1e0a5c7c7d36434a7305e3fc85f717314dba99ad.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-api-visual_zh_CN.jar.tmp	70cfc84dd493a1af9e726dbe1e0a5c7c7d36434a7305e3fc85f717314dba99ad.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-lib-uihandler_ja.jar.tmp	70cfc84dd493a1af9e726dbe1e0a5c7c7d36434a7305e3fc85f717314dba99ad.exe
File created	C:\Program Files\Microsoft Office\Office14\NPAUTHZ.DLL.tmp	70cfc84dd493a1af9e726dbe1e0a5c7c7d36434a7305e3fc85f717314dba99ad.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\UIAutomationTypes.resources.dll.tmp	70cfc84dd493a1af9e726dbe1e0a5c7c7d36434a7305e3fc85f717314dba99ad.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_dts_plugin.dll.tmp	70cfc84dd493a1af9e726dbe1e0a5c7c7d36434a7305e3fc85f717314dba99ad.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msadcfr.dll.mui.tmp	70cfc84dd493a1af9e726dbe1e0a5c7c7d36434a7305e3fc85f717314dba99ad.exe
File created	C:\Program Files\Common Files\System\msadc\fr-FR\msdaremr.dll.mui.tmp	70cfc84dd493a1af9e726dbe1e0a5c7c7d36434a7305e3fc85f717314dba99ad.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_right_disabled.png.tmp	70cfc84dd493a1af9e726dbe1e0a5c7c7d36434a7305e3fc85f717314dba99ad.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\GoldRing.png.tmp	70cfc84dd493a1af9e726dbe1e0a5c7c7d36434a7305e3fc85f717314dba99ad.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Adak.tmp	70cfc84dd493a1af9e726dbe1e0a5c7c7d36434a7305e3fc85f717314dba99ad.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+2.tmp	70cfc84dd493a1af9e726dbe1e0a5c7c7d36434a7305e3fc85f717314dba99ad.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Indiana\Knox.tmp	70cfc84dd493a1af9e726dbe1e0a5c7c7d36434a7305e3fc85f717314dba99ad.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Merida.tmp	70cfc84dd493a1af9e726dbe1e0a5c7c7d36434a7305e3fc85f717314dba99ad.exe
File created	C:\Program Files\Java\jre7\lib\zi\Antarctica\Mawson.tmp	70cfc84dd493a1af9e726dbe1e0a5c7c7d36434a7305e3fc85f717314dba99ad.exe
File created	C:\Program Files\7-Zip\Lang\hu.txt.tmp	70cfc84dd493a1af9e726dbe1e0a5c7c7d36434a7305e3fc85f717314dba99ad.exe
File created	C:\Program Files\7-Zip\Lang\hy.txt.tmp	70cfc84dd493a1af9e726dbe1e0a5c7c7d36434a7305e3fc85f717314dba99ad.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.compatibility.state.nl_ja_4.4.0.v20140623020002.jar.tmp	70cfc84dd493a1af9e726dbe1e0a5c7c7d36434a7305e3fc85f717314dba99ad.exe
File created	C:\Program Files\Java\jre7\lib\zi\Africa\Ndjamena.tmp	70cfc84dd493a1af9e726dbe1e0a5c7c7d36434a7305e3fc85f717314dba99ad.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\drag.png.tmp	70cfc84dd493a1af9e726dbe1e0a5c7c7d36434a7305e3fc85f717314dba99ad.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\pt-PT.pak.tmp	70cfc84dd493a1af9e726dbe1e0a5c7c7d36434a7305e3fc85f717314dba99ad.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe.tmp	70cfc84dd493a1af9e726dbe1e0a5c7c7d36434a7305e3fc85f717314dba99ad.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationRight_SelectionSubpicture.png.tmp	70cfc84dd493a1af9e726dbe1e0a5c7c7d36434a7305e3fc85f717314dba99ad.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Brunei.tmp	70cfc84dd493a1af9e726dbe1e0a5c7c7d36434a7305e3fc85f717314dba99ad.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Gibraltar.tmp	70cfc84dd493a1af9e726dbe1e0a5c7c7d36434a7305e3fc85f717314dba99ad.exe
File created	C:\Program Files\Windows Media Player\de-DE\wmlaunch.exe.mui.tmp	70cfc84dd493a1af9e726dbe1e0a5c7c7d36434a7305e3fc85f717314dba99ad.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\TipTsf.dll.mui.tmp	70cfc84dd493a1af9e726dbe1e0a5c7c7d36434a7305e3fc85f717314dba99ad.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\IpsMigrationPlugin.dll.mui.tmp	70cfc84dd493a1af9e726dbe1e0a5c7c7d36434a7305e3fc85f717314dba99ad.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_it.properties.tmp	70cfc84dd493a1af9e726dbe1e0a5c7c7d36434a7305e3fc85f717314dba99ad.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Khartoum.tmp	70cfc84dd493a1af9e726dbe1e0a5c7c7d36434a7305e3fc85f717314dba99ad.exe
File created	C:\Program Files\Java\jre7\lib\fontconfig.properties.src.tmp	70cfc84dd493a1af9e726dbe1e0a5c7c7d36434a7305e3fc85f717314dba99ad.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fr\LC_MESSAGES\vlc.mo.tmp	70cfc84dd493a1af9e726dbe1e0a5c7c7d36434a7305e3fc85f717314dba99ad.exe
File created	C:\Program Files\Windows NT\TableTextService\de-DE\TableTextService.dll.mui.tmp	70cfc84dd493a1af9e726dbe1e0a5c7c7d36434a7305e3fc85f717314dba99ad.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\currency.html.tmp	70cfc84dd493a1af9e726dbe1e0a5c7c7d36434a7305e3fc85f717314dba99ad.exe
File created	C:\Program Files\7-Zip\Lang\th.txt.tmp	70cfc84dd493a1af9e726dbe1e0a5c7c7d36434a7305e3fc85f717314dba99ad.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\tipresx.dll.mui.tmp	70cfc84dd493a1af9e726dbe1e0a5c7c7d36434a7305e3fc85f717314dba99ad.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\weather.html.tmp	70cfc84dd493a1af9e726dbe1e0a5c7c7d36434a7305e3fc85f717314dba99ad.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin.nl_zh_4.4.0.v20140623020002.jar.tmp	70cfc84dd493a1af9e726dbe1e0a5c7c7d36434a7305e3fc85f717314dba99ad.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_left_pressed.png.tmp	70cfc84dd493a1af9e726dbe1e0a5c7c7d36434a7305e3fc85f717314dba99ad.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\css\settings.css.tmp	70cfc84dd493a1af9e726dbe1e0a5c7c7d36434a7305e3fc85f717314dba99ad.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Circle_VideoInset.png.tmp	70cfc84dd493a1af9e726dbe1e0a5c7c7d36434a7305e3fc85f717314dba99ad.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Ushuaia.tmp	70cfc84dd493a1af9e726dbe1e0a5c7c7d36434a7305e3fc85f717314dba99ad.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ie\LC_MESSAGES\vlc.mo.tmp	70cfc84dd493a1af9e726dbe1e0a5c7c7d36434a7305e3fc85f717314dba99ad.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\delete_over.png.tmp	70cfc84dd493a1af9e726dbe1e0a5c7c7d36434a7305e3fc85f717314dba99ad.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Sofia.tmp	70cfc84dd493a1af9e726dbe1e0a5c7c7d36434a7305e3fc85f717314dba99ad.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Bucharest.tmp	70cfc84dd493a1af9e726dbe1e0a5c7c7d36434a7305e3fc85f717314dba99ad.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Maceio.tmp	70cfc84dd493a1af9e726dbe1e0a5c7c7d36434a7305e3fc85f717314dba99ad.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Volgograd.tmp	70cfc84dd493a1af9e726dbe1e0a5c7c7d36434a7305e3fc85f717314dba99ad.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets.tmp	70cfc84dd493a1af9e726dbe1e0a5c7c7d36434a7305e3fc85f717314dba99ad.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\js\calendar.js.tmp	70cfc84dd493a1af9e726dbe1e0a5c7c7d36434a7305e3fc85f717314dba99ad.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\high-contrast.css.tmp	70cfc84dd493a1af9e726dbe1e0a5c7c7d36434a7305e3fc85f717314dba99ad.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-sa_ja.jar.tmp	70cfc84dd493a1af9e726dbe1e0a5c7c7d36434a7305e3fc85f717314dba99ad.exe
File created	C:\Program Files\DVD Maker\es-ES\DVDMaker.exe.mui.tmp	70cfc84dd493a1af9e726dbe1e0a5c7c7d36434a7305e3fc85f717314dba99ad.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\msvcr100.dll.tmp	70cfc84dd493a1af9e726dbe1e0a5c7c7d36434a7305e3fc85f717314dba99ad.exe
File created	C:\Program Files\DVD Maker\it-IT\DVDMaker.exe.mui.tmp	70cfc84dd493a1af9e726dbe1e0a5c7c7d36434a7305e3fc85f717314dba99ad.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationUp_SelectionSubpicture.png.tmp	70cfc84dd493a1af9e726dbe1e0a5c7c7d36434a7305e3fc85f717314dba99ad.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\feature.properties.tmp	70cfc84dd493a1af9e726dbe1e0a5c7c7d36434a7305e3fc85f717314dba99ad.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Blanc-Sablon.tmp	70cfc84dd493a1af9e726dbe1e0a5c7c7d36434a7305e3fc85f717314dba99ad.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\System.IdentityModel.Selectors.Resources.dll.tmp	70cfc84dd493a1af9e726dbe1e0a5c7c7d36434a7305e3fc85f717314dba99ad.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libball_plugin.dll.tmp	70cfc84dd493a1af9e726dbe1e0a5c7c7d36434a7305e3fc85f717314dba99ad.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\GreenBubbles.jpg.tmp	70cfc84dd493a1af9e726dbe1e0a5c7c7d36434a7305e3fc85f717314dba99ad.exe
File created	C:\Program Files\Common Files\System\msadc\adcvbs.inc.tmp	70cfc84dd493a1af9e726dbe1e0a5c7c7d36434a7305e3fc85f717314dba99ad.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_corner_bottom_right.png.tmp	70cfc84dd493a1af9e726dbe1e0a5c7c7d36434a7305e3fc85f717314dba99ad.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\button_MCELogo_mouseover.png.tmp	70cfc84dd493a1af9e726dbe1e0a5c7c7d36434a7305e3fc85f717314dba99ad.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	70cfc84dd493a1af9e726dbe1e0a5c7c7d36434a7305e3fc85f717314dba99ad.exe

C:\Users\Admin\AppData\Local\Temp\70cfc84dd493a1af9e726dbe1e0a5c7c7d36434a7305e3fc85f717314dba99ad.exe
"C:\Users\Admin\AppData\Local\Temp\70cfc84dd493a1af9e726dbe1e0a5c7c7d36434a7305e3fc85f717314dba99ad.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3551809350-4263495960-1443967649-1000\desktop.ini.tmp

Filesize
89KB

MD5
e843dcfe955d063257b42fd9577661fe

SHA1
1e806fdeae88afa65a4447116f56cbf6d379a268

SHA256
f0f88d9d3d1bfc1bf1f9b94eff534c4b36ece03554386044d225c2f57130a393

SHA512
dd26966f87ceee89e7c68c27b6455650d83678b576c4fcf2afb9e3f904df84d395bb2584399bad4b533640ef18b75aa502cc89d846f2ef9485926091dd621ff4

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
98KB

MD5
9feddd59788a5c8c7637de3d4145b34b

SHA1
dc1bb52dd49e59b722f799a7a0295e4bbe250625

SHA256
d02f8ef7a5dc4a105ccb4d87d222c13ef4c404f0b19f0c2a87914dc00eaff509

SHA512
b8605ba11eb3322166aaad0f9a052ac6d0d835287ff974bacfb60886cae672baa1a94154375f95c6162b848e656d3eb3c8f7982d715f44d046a0b5443e5f0a7f

Download Submit