fa1772954c6f62281a283f3d45b5f9e8f14c28a990a55daaf179a3a1c076f3ad

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
02-08-2024 07:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fa1772954c6f62281a283f3d45b5f9e8f14c28a990a55daaf179a3a1c076f3ad.exe
Size

40KB
MD5

ad7939404a524eecacc1ef0281fb7780
SHA1

af51001a4e0c26bc403cfdb5e722c8efaccebb5f
SHA256

fa1772954c6f62281a283f3d45b5f9e8f14c28a990a55daaf179a3a1c076f3ad
SHA512

dd7cd7e18a20874e5122f444a06663dc41502d086ab10fe57d799b15aab86d044bf646e0723e6b720de0e79ae862772bc3bf98609cbb85c42264206cf2429c47
SSDEEP

768:W7BlpppARFbhjbhg42LcfpR42LcfproFNFdHFNFVKU:W7ZppApBULcfpHLcfpyDbD/

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5355) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Retail-pl.xrm-ms.tmp	fa1772954c6f62281a283f3d45b5f9e8f14c28a990a55daaf179a3a1c076f3ad.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	fa1772954c6f62281a283f3d45b5f9e8f14c28a990a55daaf179a3a1c076f3ad.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\ALRTINTL.DLL.tmp	fa1772954c6f62281a283f3d45b5f9e8f14c28a990a55daaf179a3a1c076f3ad.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe.tmp	fa1772954c6f62281a283f3d45b5f9e8f14c28a990a55daaf179a3a1c076f3ad.exe
File created	C:\Program Files\Java\jre-1.8\bin\wsdetect.dll.tmp	fa1772954c6f62281a283f3d45b5f9e8f14c28a990a55daaf179a3a1c076f3ad.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial-ul-oob.xrm-ms.tmp	fa1772954c6f62281a283f3d45b5f9e8f14c28a990a55daaf179a3a1c076f3ad.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\zlib.md.tmp	fa1772954c6f62281a283f3d45b5f9e8f14c28a990a55daaf179a3a1c076f3ad.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcDemoR_BypassTrial365-ul-oob.xrm-ms.tmp	fa1772954c6f62281a283f3d45b5f9e8f14c28a990a55daaf179a3a1c076f3ad.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RHeartbeatConfig.xml.tmp	fa1772954c6f62281a283f3d45b5f9e8f14c28a990a55daaf179a3a1c076f3ad.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\UIAutomationTypes.resources.dll.tmp	fa1772954c6f62281a283f3d45b5f9e8f14c28a990a55daaf179a3a1c076f3ad.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\VisualElements\SmallLogoCanary.png.tmp	fa1772954c6f62281a283f3d45b5f9e8f14c28a990a55daaf179a3a1c076f3ad.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Drawing.Common.dll.tmp	fa1772954c6f62281a283f3d45b5f9e8f14c28a990a55daaf179a3a1c076f3ad.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\icu_web.md.tmp	fa1772954c6f62281a283f3d45b5f9e8f14c28a990a55daaf179a3a1c076f3ad.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RInt.16.msi.tmp	fa1772954c6f62281a283f3d45b5f9e8f14c28a990a55daaf179a3a1c076f3ad.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Retail-ppd.xrm-ms.tmp	fa1772954c6f62281a283f3d45b5f9e8f14c28a990a55daaf179a3a1c076f3ad.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_SubTrial-ppd.xrm-ms.tmp	fa1772954c6f62281a283f3d45b5f9e8f14c28a990a55daaf179a3a1c076f3ad.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.fi-fi.dll.tmp	fa1772954c6f62281a283f3d45b5f9e8f14c28a990a55daaf179a3a1c076f3ad.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Http.Json.dll.tmp	fa1772954c6f62281a283f3d45b5f9e8f14c28a990a55daaf179a3a1c076f3ad.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Private.DataContractSerialization.dll.tmp	fa1772954c6f62281a283f3d45b5f9e8f14c28a990a55daaf179a3a1c076f3ad.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Retail-ppd.xrm-ms.tmp	fa1772954c6f62281a283f3d45b5f9e8f14c28a990a55daaf179a3a1c076f3ad.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_Subscription-ul-oob.xrm-ms.tmp	fa1772954c6f62281a283f3d45b5f9e8f14c28a990a55daaf179a3a1c076f3ad.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-black_scale-80.png.tmp	fa1772954c6f62281a283f3d45b5f9e8f14c28a990a55daaf179a3a1c076f3ad.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail-pl.xrm-ms.tmp	fa1772954c6f62281a283f3d45b5f9e8f14c28a990a55daaf179a3a1c076f3ad.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Unlock.White.png.tmp	fa1772954c6f62281a283f3d45b5f9e8f14c28a990a55daaf179a3a1c076f3ad.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.et-ee.dll.tmp	fa1772954c6f62281a283f3d45b5f9e8f14c28a990a55daaf179a3a1c076f3ad.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\TabTip.exe.mui.tmp	fa1772954c6f62281a283f3d45b5f9e8f14c28a990a55daaf179a3a1c076f3ad.exe
File created	C:\Program Files\Common Files\System\Ole DB\en-US\sqlxmlx.rll.mui.tmp	fa1772954c6f62281a283f3d45b5f9e8f14c28a990a55daaf179a3a1c076f3ad.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\coreclr.dll.tmp	fa1772954c6f62281a283f3d45b5f9e8f14c28a990a55daaf179a3a1c076f3ad.exe
File created	C:\Program Files\Java\jdk-1.8\bin\msvcp140.dll.tmp	fa1772954c6f62281a283f3d45b5f9e8f14c28a990a55daaf179a3a1c076f3ad.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Compression.Native.dll.tmp	fa1772954c6f62281a283f3d45b5f9e8f14c28a990a55daaf179a3a1c076f3ad.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Resources\1033\PowerPivotExcelClientAddIn.rll.tmp	fa1772954c6f62281a283f3d45b5f9e8f14c28a990a55daaf179a3a1c076f3ad.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\WindowsBase.resources.dll.tmp	fa1772954c6f62281a283f3d45b5f9e8f14c28a990a55daaf179a3a1c076f3ad.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\UIAutomationClientSideProviders.resources.dll.tmp	fa1772954c6f62281a283f3d45b5f9e8f14c28a990a55daaf179a3a1c076f3ad.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_es.properties.tmp	fa1772954c6f62281a283f3d45b5f9e8f14c28a990a55daaf179a3a1c076f3ad.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\TYPE.WAV.tmp	fa1772954c6f62281a283f3d45b5f9e8f14c28a990a55daaf179a3a1c076f3ad.exe
File created	C:\Program Files\Common Files\System\msadc\adcjavas.inc.tmp	fa1772954c6f62281a283f3d45b5f9e8f14c28a990a55daaf179a3a1c076f3ad.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Tasks.Dataflow.dll.tmp	fa1772954c6f62281a283f3d45b5f9e8f14c28a990a55daaf179a3a1c076f3ad.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Text.Encodings.Web.dll.tmp	fa1772954c6f62281a283f3d45b5f9e8f14c28a990a55daaf179a3a1c076f3ad.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\WindowsAccessBridge-64.dll.tmp	fa1772954c6f62281a283f3d45b5f9e8f14c28a990a55daaf179a3a1c076f3ad.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial2-ul-oob.xrm-ms.tmp	fa1772954c6f62281a283f3d45b5f9e8f14c28a990a55daaf179a3a1c076f3ad.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC_COL.HXT.tmp	fa1772954c6f62281a283f3d45b5f9e8f14c28a990a55daaf179a3a1c076f3ad.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Retail-pl.xrm-ms.tmp	fa1772954c6f62281a283f3d45b5f9e8f14c28a990a55daaf179a3a1c076f3ad.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Trial-ppd.xrm-ms.tmp	fa1772954c6f62281a283f3d45b5f9e8f14c28a990a55daaf179a3a1c076f3ad.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_MAKC2R-ul-phn.xrm-ms.tmp	fa1772954c6f62281a283f3d45b5f9e8f14c28a990a55daaf179a3a1c076f3ad.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PSRCHKEY.DAT.tmp	fa1772954c6f62281a283f3d45b5f9e8f14c28a990a55daaf179a3a1c076f3ad.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\eu\msipc.dll.mui.tmp	fa1772954c6f62281a283f3d45b5f9e8f14c28a990a55daaf179a3a1c076f3ad.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationNative_cor3.dll.tmp	fa1772954c6f62281a283f3d45b5f9e8f14c28a990a55daaf179a3a1c076f3ad.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\Microsoft.VisualBasic.Forms.resources.dll.tmp	fa1772954c6f62281a283f3d45b5f9e8f14c28a990a55daaf179a3a1c076f3ad.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\xmlresolver.md.tmp	fa1772954c6f62281a283f3d45b5f9e8f14c28a990a55daaf179a3a1c076f3ad.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OneNote\prnms006.inf.tmp	fa1772954c6f62281a283f3d45b5f9e8f14c28a990a55daaf179a3a1c076f3ad.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial3-pl.xrm-ms.tmp	fa1772954c6f62281a283f3d45b5f9e8f14c28a990a55daaf179a3a1c076f3ad.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-crt-conio-l1-1-0.dll.tmp	fa1772954c6f62281a283f3d45b5f9e8f14c28a990a55daaf179a3a1c076f3ad.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Pipes.AccessControl.dll.tmp	fa1772954c6f62281a283f3d45b5f9e8f14c28a990a55daaf179a3a1c076f3ad.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Extensions.dll.tmp	fa1772954c6f62281a283f3d45b5f9e8f14c28a990a55daaf179a3a1c076f3ad.exe
File created	C:\Program Files\Internet Explorer\ieinstal.exe.tmp	fa1772954c6f62281a283f3d45b5f9e8f14c28a990a55daaf179a3a1c076f3ad.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EntityPickerIntl.dll.tmp	fa1772954c6f62281a283f3d45b5f9e8f14c28a990a55daaf179a3a1c076f3ad.exe
File created	C:\Program Files\Microsoft Office\root\Office16\NL7MODELS0009.dll.tmp	fa1772954c6f62281a283f3d45b5f9e8f14c28a990a55daaf179a3a1c076f3ad.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\UIAutomationTypes.resources.dll.tmp	fa1772954c6f62281a283f3d45b5f9e8f14c28a990a55daaf179a3a1c076f3ad.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Locales\fr.pak.tmp	fa1772954c6f62281a283f3d45b5f9e8f14c28a990a55daaf179a3a1c076f3ad.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Retail-ppd.xrm-ms.tmp	fa1772954c6f62281a283f3d45b5f9e8f14c28a990a55daaf179a3a1c076f3ad.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PREVIEWTEMPLATE2.POTX.tmp	fa1772954c6f62281a283f3d45b5f9e8f14c28a990a55daaf179a3a1c076f3ad.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\System.ValueTuple.dll.tmp	fa1772954c6f62281a283f3d45b5f9e8f14c28a990a55daaf179a3a1c076f3ad.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\OFFICE.DLL.tmp	fa1772954c6f62281a283f3d45b5f9e8f14c28a990a55daaf179a3a1c076f3ad.exe
File created	C:\Program Files\Java\jre-1.8\bin\sunmscapi.dll.tmp	fa1772954c6f62281a283f3d45b5f9e8f14c28a990a55daaf179a3a1c076f3ad.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fa1772954c6f62281a283f3d45b5f9e8f14c28a990a55daaf179a3a1c076f3ad.exe

C:\Users\Admin\AppData\Local\Temp\fa1772954c6f62281a283f3d45b5f9e8f14c28a990a55daaf179a3a1c076f3ad.exe
"C:\Users\Admin\AppData\Local\Temp\fa1772954c6f62281a283f3d45b5f9e8f14c28a990a55daaf179a3a1c076f3ad.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3881032017-2947584075-2120384563-1000\desktop.ini.tmp

Filesize
41KB

MD5
a3d5497846f311265e5a2a67e5c40442

SHA1
23547f1eafd1297cc8fc4830539e1346b551cbc0

SHA256
1068687f630100b446c35b2c3287531be9cca17573cc2336c23b58604066427a

SHA512
ff0a090728ac8a336b71d544d7e85e6e5ecc4077d1b50266d9f2419e60b12e0aafa009fae9c486f44e98b44bd92b0a9a6739ea1800797f0ffcf617fdc20b775e

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
139KB

MD5
cd5c4aa164be9c2fe127130b3aed117d

SHA1
8edb6c0cef7ccdfa5170c68f0835ba2cb978167a

SHA256
6e56bbd59c48713e5f5ae55684059f7fd2c43c1137f19c70b4fe9b4d74e955b6

SHA512
da1957df136e7b56061f4dddbf980f138f297282cebdd810e942da0f652dee5d3627749d6132e696ee8d17f1d1dbf808a22980d2b49ce6f7ba462c3ffd87b001

Download Submit