fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
26/07/2024, 05:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
Size

44KB
MD5

5cb3628e47e8707d160bde7bb7c3ccc2
SHA1

13b92365cc9d84af14436a6714ffce3c925a8425
SHA256

fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa
SHA512

c58d6d614fef133590b27b80a2d1413116b6e15fbcf9ae9b9a9e84cd1209a1394490886d3938fce5187f8aaacdaab4a05f90985d4aa632bf5c57457f57ca0be4
SSDEEP

384:yBs7Br5xjL8AgA71Fbhv/FzzwzoRYZMP1z9iw:/7BlpQpARFbhNI8tP1z9iw

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5195) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\System.Xaml.resources.dll.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\charsets.jar.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\asm.md.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Grace-ul-oob.xrm-ms.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\Common Files\System\ado\msadox.dll.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\WindowsFormsIntegration.dll.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\System.Windows.Forms.Design.resources.dll.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription-pl.xrm-ms.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_heb.xml.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\WindowsBase.resources.dll.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-conio-l1-1-0.dll.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\Java\jre-1.8\bin\eula.dll.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_EnterpriseSub_Bypass30-ppd.xrm-ms.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\Microsoft Office\root\Office16\SkypeSrv\MSO20SKYPEWIN32.DLL.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\PresentationCore.resources.dll.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Emit.dll.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaTypewriterBold.ttf.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTest-ul-oob.xrm-ms.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.DataStreamer.Excel.dll.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSQRY32.EXE.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN107.XML.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Principal.Windows.dll.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\DirectWriteForwarder.dll.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\WindowsBase.resources.dll.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\Microsoft Office\root\Integration\SPPRedist.msi.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_MAK-ul-oob.xrm-ms.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.Office.Tools.Excel.dll.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.ReportingServices.RsClient.dll.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\CloseInitialize.wmf.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\fontconfig.properties.src.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_OEM_Perp-ul-oob.xrm-ms.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremDemoR_BypassTrial365-ppd.xrm-ms.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription3-pl.xrm-ms.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Retail-ppd.xrm-ms.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.XLS.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART2.BDR.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\UIAutomationProvider.resources.dll.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_Subscription-pl.xrm-ms.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\cpprestsdk.dll.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\System.Windows.Forms.Design.resources.dll.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OsfTaskengine.dll.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\PresentationUI.resources.dll.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\System.Windows.Forms.Design.resources.dll.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\javaws.policy.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.common.16.xml.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Retail-ppd.xrm-ms.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Retail-ul-oob.xrm-ms.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub_eula.txt.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.Office.Tools.dll.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Globalization.dll.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\Microsoft Office\root\Office16\EntityPicker.dll.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\clretwrc.dll.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\accessibility.properties.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\cacerts.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-environment-l1-1-0.dll.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail-ul-oob.xrm-ms.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EXPTOOWS.DLL.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL026.XML.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\7-Zip\7zFM.exe.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework-SystemXmlLinq.dll.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\UIAutomationClientSideProviders.resources.dll.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\ReachFramework.resources.dll.tmp	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe

C:\Users\Admin\AppData\Local\Temp\fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe
"C:\Users\Admin\AppData\Local\Temp\fae4294fa841dc14ff20a529fb24300397e33ceed76e98610d8b637f4c5579aa.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3419463127-3903270268-2580331543-1000\desktop.ini.tmp

Filesize
44KB

MD5
d688233c7953222f44f7b9dbc0d6a06e

SHA1
c76af1a66d11adf443ab1d3d41257f449848a909

SHA256
09942fd0f654f156656fc5fc1c495601942e5758da75dce78e0cc57f7a8fd9ac

SHA512
ee55d7fcdda2136d71c2bad7d60a7f2f871b889e7ba9a27db4718272be14e00f75855cb8c272fc8acc81610af0c9c19c2bedf5bdacfa279467ab8d95bed6f0a5

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
143KB

MD5
94a6231a80a22fde494b6164387fefb3

SHA1
2f56ead9f97ef17be7023aab4b2e21a6d8a4dc94

SHA256
df95ed29f6de0b40f9000e110da50a46c01ee3f5c768a758147ba7ef6b42c351

SHA512
b688ab746dec229296fd782ed5e2613abcfd809335b1c1486e4f96f533ca4e1207b98088b5a44d6bc85261971949f0761bc12a0a59191668fd5503a6708ad31f

Download Submit
memory/1204-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1204-1862-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download