16faad7aa3947b98cb937830d93a2873fa05daaec0689b8f68e62dc43be7e2df

Analysis

max time kernel
150s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/08/2024, 19:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

16faad7aa3947b98cb937830d93a2873fa05daaec0689b8f68e62dc43be7e2df.exe
Size

50KB
MD5

685b8cbadea0b02578c4ca01186b854e
SHA1

082340bb6fac0641fb38e3627be186c2f86563ef
SHA256

16faad7aa3947b98cb937830d93a2873fa05daaec0689b8f68e62dc43be7e2df
SHA512

f668b0a86ea03422afa443b53c081e5a60c6d1f1eeacf8d1498792417cc45dc8efc50f917eeca2e7dda162d48f0010a1c365bbd8bb3b0881f0335a3f9d27b2ce
SSDEEP

768:/7BlpQpARFbhn54fmiy+3BVr54fmiy+3BV6nkSI:/7ZQpApmi6nkSI

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5049) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\PresentationUI.resources.dll.tmp	16faad7aa3947b98cb937830d93a2873fa05daaec0689b8f68e62dc43be7e2df.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\UIAutomationTypes.resources.dll.tmp	16faad7aa3947b98cb937830d93a2873fa05daaec0689b8f68e62dc43be7e2df.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\colorimaging.md.tmp	16faad7aa3947b98cb937830d93a2873fa05daaec0689b8f68e62dc43be7e2df.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue Green.xml.tmp	16faad7aa3947b98cb937830d93a2873fa05daaec0689b8f68e62dc43be7e2df.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTrial-ul-oob.xrm-ms.tmp	16faad7aa3947b98cb937830d93a2873fa05daaec0689b8f68e62dc43be7e2df.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.ReportingServices.AdHoc.Excel.Client.Entry.Interfaces.dll.tmp	16faad7aa3947b98cb937830d93a2873fa05daaec0689b8f68e62dc43be7e2df.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL020.XML.tmp	16faad7aa3947b98cb937830d93a2873fa05daaec0689b8f68e62dc43be7e2df.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-math-l1-1-0.dll.tmp	16faad7aa3947b98cb937830d93a2873fa05daaec0689b8f68e62dc43be7e2df.exe
File created	C:\Program Files\Common Files\System\Ole DB\oledbvbs.inc.tmp	16faad7aa3947b98cb937830d93a2873fa05daaec0689b8f68e62dc43be7e2df.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-file-l2-1-0.dll.tmp	16faad7aa3947b98cb937830d93a2873fa05daaec0689b8f68e62dc43be7e2df.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\jpeg_fx.md.tmp	16faad7aa3947b98cb937830d93a2873fa05daaec0689b8f68e62dc43be7e2df.exe
File created	C:\Program Files\Java\jre-1.8\bin\unpack.dll.tmp	16faad7aa3947b98cb937830d93a2873fa05daaec0689b8f68e62dc43be7e2df.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_ConsumerSub_Bypass30-ppd.xrm-ms.tmp	16faad7aa3947b98cb937830d93a2873fa05daaec0689b8f68e62dc43be7e2df.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Retail-ul-oob.xrm-ms.tmp	16faad7aa3947b98cb937830d93a2873fa05daaec0689b8f68e62dc43be7e2df.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\TPN.txt.tmp	16faad7aa3947b98cb937830d93a2873fa05daaec0689b8f68e62dc43be7e2df.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\System.Windows.Controls.Ribbon.resources.dll.tmp	16faad7aa3947b98cb937830d93a2873fa05daaec0689b8f68e62dc43be7e2df.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Retail-pl.xrm-ms.tmp	16faad7aa3947b98cb937830d93a2873fa05daaec0689b8f68e62dc43be7e2df.exe
File created	C:\Program Files\Microsoft Office\root\Office16\VVIEWDWG.DLL.tmp	16faad7aa3947b98cb937830d93a2873fa05daaec0689b8f68e62dc43be7e2df.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework.Aero2.dll.tmp	16faad7aa3947b98cb937830d93a2873fa05daaec0689b8f68e62dc43be7e2df.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\UIAutomationClient.resources.dll.tmp	16faad7aa3947b98cb937830d93a2873fa05daaec0689b8f68e62dc43be7e2df.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-private-l1-1-0.dll.tmp	16faad7aa3947b98cb937830d93a2873fa05daaec0689b8f68e62dc43be7e2df.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_de.properties.tmp	16faad7aa3947b98cb937830d93a2873fa05daaec0689b8f68e62dc43be7e2df.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Retail-ul-oob.xrm-ms.tmp	16faad7aa3947b98cb937830d93a2873fa05daaec0689b8f68e62dc43be7e2df.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD_F_COL.HXK.tmp	16faad7aa3947b98cb937830d93a2873fa05daaec0689b8f68e62dc43be7e2df.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\PGOMESSAGES.XML.tmp	16faad7aa3947b98cb937830d93a2873fa05daaec0689b8f68e62dc43be7e2df.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\UIAutomationTypes.resources.dll.tmp	16faad7aa3947b98cb937830d93a2873fa05daaec0689b8f68e62dc43be7e2df.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\System.Windows.Forms.resources.dll.tmp	16faad7aa3947b98cb937830d93a2873fa05daaec0689b8f68e62dc43be7e2df.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\UIAutomationClient.resources.dll.tmp	16faad7aa3947b98cb937830d93a2873fa05daaec0689b8f68e62dc43be7e2df.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe.tmp	16faad7aa3947b98cb937830d93a2873fa05daaec0689b8f68e62dc43be7e2df.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Grace-ul-oob.xrm-ms.tmp	16faad7aa3947b98cb937830d93a2873fa05daaec0689b8f68e62dc43be7e2df.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp4-pl.xrm-ms.tmp	16faad7aa3947b98cb937830d93a2873fa05daaec0689b8f68e62dc43be7e2df.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-conio-l1-1-0.dll.tmp	16faad7aa3947b98cb937830d93a2873fa05daaec0689b8f68e62dc43be7e2df.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART9.BDR.tmp	16faad7aa3947b98cb937830d93a2873fa05daaec0689b8f68e62dc43be7e2df.exe
File created	C:\Program Files\7-Zip\Lang\sl.txt.tmp	16faad7aa3947b98cb937830d93a2873fa05daaec0689b8f68e62dc43be7e2df.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.id-id.dll.tmp	16faad7aa3947b98cb937830d93a2873fa05daaec0689b8f68e62dc43be7e2df.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Linq.Parallel.dll.tmp	16faad7aa3947b98cb937830d93a2873fa05daaec0689b8f68e62dc43be7e2df.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Trial-ppd.xrm-ms.tmp	16faad7aa3947b98cb937830d93a2873fa05daaec0689b8f68e62dc43be7e2df.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\as80.xsl.tmp	16faad7aa3947b98cb937830d93a2873fa05daaec0689b8f68e62dc43be7e2df.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Serialization.Xml.dll.tmp	16faad7aa3947b98cb937830d93a2873fa05daaec0689b8f68e62dc43be7e2df.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Drawing.dll.tmp	16faad7aa3947b98cb937830d93a2873fa05daaec0689b8f68e62dc43be7e2df.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-libraryloader-l1-1-0.dll.tmp	16faad7aa3947b98cb937830d93a2873fa05daaec0689b8f68e62dc43be7e2df.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\management\jmxremote.password.template.tmp	16faad7aa3947b98cb937830d93a2873fa05daaec0689b8f68e62dc43be7e2df.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\cacerts.tmp	16faad7aa3947b98cb937830d93a2873fa05daaec0689b8f68e62dc43be7e2df.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Retail-pl.xrm-ms.tmp	16faad7aa3947b98cb937830d93a2873fa05daaec0689b8f68e62dc43be7e2df.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Delete.png.tmp	16faad7aa3947b98cb937830d93a2873fa05daaec0689b8f68e62dc43be7e2df.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\en-GB.pak.tmp	16faad7aa3947b98cb937830d93a2873fa05daaec0689b8f68e62dc43be7e2df.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\jcup.md.tmp	16faad7aa3947b98cb937830d93a2873fa05daaec0689b8f68e62dc43be7e2df.exe
File created	C:\Program Files\Java\jre-1.8\bin\w2k_lsa_auth.dll.tmp	16faad7aa3947b98cb937830d93a2873fa05daaec0689b8f68e62dc43be7e2df.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Trial-pl.xrm-ms.tmp	16faad7aa3947b98cb937830d93a2873fa05daaec0689b8f68e62dc43be7e2df.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Grace-ppd.xrm-ms.tmp	16faad7aa3947b98cb937830d93a2873fa05daaec0689b8f68e62dc43be7e2df.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_Grace-ul-oob.xrm-ms.tmp	16faad7aa3947b98cb937830d93a2873fa05daaec0689b8f68e62dc43be7e2df.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_OEM_Perp-ppd.xrm-ms.tmp	16faad7aa3947b98cb937830d93a2873fa05daaec0689b8f68e62dc43be7e2df.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_KMS_Client-ul-oob.xrm-ms.tmp	16faad7aa3947b98cb937830d93a2873fa05daaec0689b8f68e62dc43be7e2df.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\OpenSSL64.DllA\libeay32.dll.tmp	16faad7aa3947b98cb937830d93a2873fa05daaec0689b8f68e62dc43be7e2df.exe
File created	C:\Program Files\7-Zip\Lang\nn.txt.tmp	16faad7aa3947b98cb937830d93a2873fa05daaec0689b8f68e62dc43be7e2df.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\InputPersonalization.exe.mui.tmp	16faad7aa3947b98cb937830d93a2873fa05daaec0689b8f68e62dc43be7e2df.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Transactions.dll.tmp	16faad7aa3947b98cb937830d93a2873fa05daaec0689b8f68e62dc43be7e2df.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe.tmp	16faad7aa3947b98cb937830d93a2873fa05daaec0689b8f68e62dc43be7e2df.exe
File created	C:\Program Files\Java\jre-1.8\lib\javaws.jar.tmp	16faad7aa3947b98cb937830d93a2873fa05daaec0689b8f68e62dc43be7e2df.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Retail-pl.xrm-ms.tmp	16faad7aa3947b98cb937830d93a2873fa05daaec0689b8f68e62dc43be7e2df.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Trial-ppd.xrm-ms.tmp	16faad7aa3947b98cb937830d93a2873fa05daaec0689b8f68e62dc43be7e2df.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial3-pl.xrm-ms.tmp	16faad7aa3947b98cb937830d93a2873fa05daaec0689b8f68e62dc43be7e2df.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_OEM_Perp-ul-oob.xrm-ms.tmp	16faad7aa3947b98cb937830d93a2873fa05daaec0689b8f68e62dc43be7e2df.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	16faad7aa3947b98cb937830d93a2873fa05daaec0689b8f68e62dc43be7e2df.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	16faad7aa3947b98cb937830d93a2873fa05daaec0689b8f68e62dc43be7e2df.exe

C:\Users\Admin\AppData\Local\Temp\16faad7aa3947b98cb937830d93a2873fa05daaec0689b8f68e62dc43be7e2df.exe
"C:\Users\Admin\AppData\Local\Temp\16faad7aa3947b98cb937830d93a2873fa05daaec0689b8f68e62dc43be7e2df.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2718105630-359604950-2820636825-1000\desktop.ini.tmp

Filesize
50KB

MD5
e57bb0a662110254cf76b664127074d5

SHA1
37b87c82a4874762eabf1a3edc50240864505173

SHA256
af29f1219822ea87a87c488f8850e60440d653fd7cefbce443cddc0aac54ebaa

SHA512
b15191da80051f1514154717118aa94b2fa06a539272430ba1684718d3846761f4e1650d7c60d34b9f522dc7b11e5b7e3ba612fade19e63305f919eb74b2a053

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
149KB

MD5
954183b1366ea2d7e6d1683598329d13

SHA1
2f308352fa7e3ed6659a94924215ba4c8bed80aa

SHA256
d4daaf3ddadf297da3b97022229278d7ac31db3d76db74a32c46fa51b7ceca92

SHA512
e660277706ebe56389864d400f8d727cf7575688027f8c10a515d0cfab3e1cf6471ace297eac506329f7a5b8a46dbad73d8cb7bf65b4795617913c9a9bc5b766

Download Submit
memory/3192-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3192-1842-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download