Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/06/2024, 04:46
Static task: static1
Behavioral task: behavioral1
  Sample: fafbc6719b6125bd700cbf42b43a25973aa6b62d62c95f07d70dd8f8289a06a6.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: fafbc6719b6125bd700cbf42b43a25973aa6b62d62c95f07d70dd8f8289a06a6.exe
  Resource: win10v2004-20240508-en
General
Target: fafbc6719b6125bd700cbf42b43a25973aa6b62d62c95f07d70dd8f8289a06a6.exe
Size: 81KB
MD5: 218bc73ae39bb68cbc38bbc4dcd7172d
SHA1: 0509bbd0e36541e67e7a8b85ede8be194197fec5
SHA256: fafbc6719b6125bd700cbf42b43a25973aa6b62d62c95f07d70dd8f8289a06a6
SHA512: 450b9e5004ce5da277c34eca428f25f27d141c9918895af82d547618c5d9d74a40c40351e906089b4da810a21876a7cd98a2ec5ff9be777e7dd73100f75966b0
SSDEEP: 1536:W7ZppApUFpEhLfyBtPf50FWkFpPDze/qFsxEhLfyBtPf50FWkFpPDze/qFsAcEhb:6pWpUFpEhLfyBtPf50FWkFpPDze/qFse
Malware Config
Signatures
Renames multiple (5031) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
Drops file in Program Files directory 64 IoCs
description | ioc | Process
(Process for every entry below: fafbc6719b6125bd700cbf42b43a25973aa6b62d62c95f07d70dd8f8289a06a6.exe)
File created | C:\Program Files\Common Files\System\ado\msadrh15.dll.tmp
File created | C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Retail-pl.xrm-ms.tmp
File created | C:\Program Files\Microsoft Office\root\Office16\msoadfsb.exe.tmp
File created | C:\Program Files\Common Files\microsoft shared\ink\ipscht.xml.tmp
File created | C:\Program Files\Java\jdk-1.8\jre\bin\sunmscapi.dll.tmp
File created | C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_OEM_Perp-ppd.xrm-ms.tmp
File created | C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial4-ul-oob.xrm-ms.tmp
File created | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.PowerBI.Diagnostics.dll.tmp
File created | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL048.XML.tmp
File created | C:\Program Files\Microsoft Office\root\Office16\sdxhelper.exe.manifest.tmp
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ComponentModel.Annotations.dll.tmp
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe.tmp
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\System.Windows.Input.Manipulations.resources.dll.tmp
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProPlusMSDNR_Retail-ul-oob.xrm-ms.tmp
File created | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\DocumentFormat.OpenXml.dll.tmp
File created | C:\Program Files\Microsoft Office\root\Office16\DIFF_MATCH_PATCH_WIN32.DLL.tmp
File created | C:\Program Files\7-Zip\Lang\hi.txt.tmp
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.ServicePoint.dll.tmp
File created | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Frosted Glass.eftx.tmp
File created | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Gill Sans MT.xml.tmp
File created | C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp
File created | C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.scale-100.png.tmp
File created | C:\Program Files\Microsoft Office\root\Office16\TextConversionModule.dll.tmp
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-environment-l1-1-0.dll.tmp
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\UIAutomationClient.resources.dll.tmp
File created | C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_KMS_Client-ul.xrm-ms.tmp
File created | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Models.dll.tmp
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Serialization.Json.dll.tmp
File created | C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest2-ppd.xrm-ms.tmp
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp-pl.xrm-ms.tmp
File created | C:\Program Files\Microsoft Office\root\Office16\1033\Client2019_eula.txt.tmp
File created | C:\Program Files\Microsoft Office\root\Office16\1033\TellMeWord.nrr.tmp
File created | C:\Program Files\Microsoft Office\root\Office16\NL7MODELS0009.dll.tmp
File created | C:\Program Files\Microsoft Office\root\Integration\C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml.tmp
File created | C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Grace-ppd.xrm-ms.tmp
File created | C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Trial-ppd.xrm-ms.tmp
File created | C:\Program Files\Microsoft Office\root\Office16\Bibliography\Author2String.XSL.tmp
File created | C:\Program Files\Microsoft Office\root\Office16\PROOF\MSHY7FR.DLL.tmp
File created | C:\Program Files\Common Files\microsoft shared\ink\fr-FR\tabskb.dll.mui.tmp
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\ReachFramework.resources.dll.tmp
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_KMS_Client_AE-ul.xrm-ms.tmp
File created | C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-filesystem-l1-1-0.dll.tmp
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\DirectWriteForwarder.dll.tmp
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Resources.Extensions.dll.tmp
File created | C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-xstate-l2-1-0.dll.tmp
File created | C:\Program Files\7-Zip\7z.sfx.tmp
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.FileSystem.dll.tmp
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\mscordbi.dll.tmp
File created | C:\Program Files\Google\Chrome\Application\110.0.5481.104\vulkan-1.dll.tmp
File created | C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe.tmp
File created | C:\Program Files\Java\jdk-1.8\jre\bin\vcruntime140_1.dll.tmp
File created | C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaTypewriterRegular.ttf.tmp
File created | C:\Program Files\Microsoft Office\root\Office16\Configuration\card_expiration_terms_dict.txt.tmp
File created | C:\Program Files\Common Files\microsoft shared\ink\tr-TR\tipresx.dll.mui.tmp
File created | C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\OpenSSL64.DllA\openssl64.dlla.manifest.tmp
File created | C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.scale-80.png.tmp
File created | C:\Program Files\Java\jdk-1.8\jre\legal\javafx\webkit.md.tmp
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_MAKC2R-pl.xrm-ms.tmp
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\UIAutomationClientSideProviders.resources.dll.tmp
File created | C:\Program Files\Java\jre-1.8\bin\java-rmi.exe.tmp
File created | C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001B-0409-1000-0000000FF1CE.xml.tmp
File created | C:\Program Files\Microsoft Office\root\Licenses16\MondoR_OEM_Perp-ul-phn.xrm-ms.tmp
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp5-ppd.xrm-ms.tmp
File created | C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_Subscription-ul-oob.xrm-ms.tmp
Processes
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 81KB
MD5: a5d5bfdccd0e70191b01bc594f6ca59f
SHA1: 8b29bf2568e1ed1121056f8acc0bf212ccfa60b0
SHA256: 58b6279e1d3681990ff80334e433b684f0311e88b0ea34a1d84d3d5c35cd0faf
SHA512: 2565da34993de7d2b40daa32a96ed8101fbe1b964828eb68494b379ad8d7f6737734088a4657fad67e36d0a3f8ac0e5fa4215302b7359e5a01da4beb5347fc30

Filesize: 180KB
MD5: bc595b1cc123e0eb3a3328bdb8504cbc
SHA1: dd08c565feab68ca479acc53e52c8782b8bbd957
SHA256: 934b122f398b21c74086b5667cc4bd59d292eb2581711f8113f854fbf6cb5c7a
SHA512: 04dcdeb2d110702e3125dc4a5fffc50b03a425ef5e83028158947e2dfba482a67d9acbad3362bcfb7a0f3e66a71c1c11d200378b40338c5f3288fbb90de6b73e