fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
26/07/2024, 05:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
Size

44KB
MD5

5cb3628e47e8707d160bde7bb7c3ccc2
SHA1

13b92365cc9d84af14436a6714ffce3c925a8425
SHA256

fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa
SHA512

c58d6d614fef133590b27b80a2d1413116b6e15fbcf9ae9b9a9e84cd1209a1394490886d3938fce5187f8aaacdaab4a05f90985d4aa632bf5c57457f57ca0be4
SSDEEP

384:yBs7Br5xjL8AgA71Fbhv/FzzwzoRYZMP1z9iw:/7BlpQpARFbhNI8tP1z9iw

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (3705) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libstereo_widen_plugin.dll.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libvc1_plugin.dll.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR.dll.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\DVD Maker\DVDMaker.exe.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\sv.pak.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\jvm.dll.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\MANIFEST.MF.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\NewDebug.zip.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libantiflicker_plugin.dll.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\Windows Media Player\es-ES\WMPDMC.exe.mui.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_corner_top_right.png.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\Common Files\System\msadc\msdaprst.dll.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\1047x576black.png.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\Internet Explorer\jsprofilerui.dll.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-masterfs-nio2_ja.jar.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-modules-favorites.xml_hidden.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-H.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\TipTsf.dll.mui.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\DVD Maker\directshowtap.ax.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Argentina\Buenos_Aires.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\Microsoft Games\Mahjong\de-DE\Mahjong.exe.mui.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\jvmticmlr.h.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Noumea.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\es-ES\chkrzm.exe.mui.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\mip.exe.mui.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Stucco.gif.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\1047x576black.png.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationRight_SelectionSubpicture.png.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\af.pak.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\Windows Journal\fr-FR\PDIALOG.exe.mui.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\Windows Photo Viewer\PhotoBase.dll.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-autoupdate-ui.xml.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\libsftp_plugin.dll.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\12.png.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\redStateIcon.png.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.sat4j.core_2.3.5.v201308161310.jar.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-swing-outline_zh_CN.jar.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-sampler.jar.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libflacsys_plugin.dll.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\css\localizedSettings.css.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\META-INF\MANIFEST.MF.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaireMCE.png.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\Windows Journal\it-IT\MSPVWCTL.DLL.mui.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\tiptsf.dll.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\full.png.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\es.pak.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\Logo.png.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\Google\Chrome\Application\master_preferences.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\settings.html.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AGMGPUOptIn.ini.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\sysinfo.bat.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\JdbcOdbc.dll.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\epl-v10.html.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.app_1.0.300.v20140228-1829.jar.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\Windows Sidebar\de-DE\sbdrop.dll.mui.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-snaptracer.xml.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-first-quarter_partly-cloudy.png.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Port_Moresby.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\.lastModified.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\Windows Media Player\wmpnetwk.exe.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe

C:\Users\Admin\AppData\Local\Temp\fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
"C:\Users\Admin\AppData\Local\Temp\fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3434294380-2554721341-1919518612-1000\desktop.ini.tmp

Filesize
44KB

MD5
87d677bf9b2dd551277857f64a93b1a2

SHA1
0d426886091180f1fd6c84dc92d9ee7ae8f7f5e1

SHA256
7f5b6329bf8e4e09c0540ddd2a6460d80820b02c0542fe61e927d2ce21b69d8e

SHA512
1b2b277b0106e14afeed5d82df1631168cf4c091b88cddd2a905b3262d6000ade97360aaf24f20e306277758f5e71feb5facf093c3d721551c3e2e956ae6d6da

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
53KB

MD5
008268dc63d6410f7a4df9f83fd1a81c

SHA1
61d0543f0a7ba49ad6a902e0b2043ef31bef10a9

SHA256
4092f2a13d2934510675b8750aaf6955dcaae1f9bc1b16bc1891260e91d0a82a

SHA512
de2e23def8222352b94a2f9d36c63bdd8125d53f6930ebbb919574481cedd2cd7dff859d14a90de26bf7470f7a7ce6374fea1278f6a6e94c9e0df7b8c066715d

Download Submit
memory/2812-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download