3e7ac9bcdfa03e34692d5dd390d2a2ffb9b032b21b1359622c21abc72a93683a

Analysis

max time kernel
120s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
19/08/2024, 01:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fbae888d18e683872a091e6006306450N.exe
Size

73KB
MD5

fbae888d18e683872a091e6006306450
SHA1

0f7d842238012a1b5590c6986c6526785a5ca7e7
SHA256

3e7ac9bcdfa03e34692d5dd390d2a2ffb9b032b21b1359622c21abc72a93683a
SHA512

143145352ad05ac2b1f900d0980f34b52b3f7919e554e00cb23f26b56aa62dfb0fe88a0ff723612b774caa3756400ff72c481d46b6eeda15a52b36fc4e39a6ac
SSDEEP

768:W7Blp2sspARFbhJpupZ5pZ4+fTgTvlK1lK6RZR+8/8gClurYClurUpOpLqfqY:W7Z2sspApkZrZ4+fU7lK1lKT8/82CY

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (331) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\tipresx.dll.mui.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\IpsMigrationPlugin.dll.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\InputPersonalization.exe.mui.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\Common Files\System\Ole DB\es-ES\sqlxmlx.rll.mui.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\16_9-frame-background.png.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\btn-back-static.png.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\fa.pak.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.jpg.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\Common Files\System\ado\ja-JP\msader15.dll.mui.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\Common Files\System\ado\msader15.dll.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\Common Files\System\ado\msado25.tlb.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msaddsr.dll.mui.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\Common Files\System\msadc\msadce.dll.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\pagecurl.png.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationUp_SelectionSubpicture.png.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\btn-back-static.png.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\7-Zip\Lang\uz-cyrl.txt.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipsdan.xml.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Stucco.gif.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationLeft_ButtonGraphic.png.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToScenesBackground.wmv.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\7-Zip\Lang\pa-in.txt.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\TipBand.dll.mui.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPOBJS.DLL.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Notes_LOOP_BG_PAL.wmv.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\DVD Maker\Shared\Common.fxh.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\cloud_Thumbnail.bmp.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\1047x576black.png.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\sv.pak.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\Common Files\System\Ole DB\ja-JP\sqloledb.rll.mui.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationRight_SelectionSubpicture.png.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\tipresx.dll.mui.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ja-jp.xml.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\journal.dll.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\Common Files\System\wab32.dll.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationRight_ButtonGraphic.png.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ml.pak.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\7-Zip\Lang\ku-ckb.txt.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\rtscom.dll.mui.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\Common Files\System\Ole DB\ja-JP\sqlxmlx.rll.mui.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\bear_formatted_rgb6.wmv.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\Common Files\System\msadc\fr-FR\msdaremr.dll.mui.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\Common Files\System\Ole DB\it-IT\sqloledb.rll.mui.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\DVD Maker\en-US\OmdProject.dll.mui.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\InkObj.dll.mui.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Psychedelic.jpg.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\Common Files\System\Ole DB\it-IT\oledb32r.dll.mui.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationUp_SelectionSubpicture.png.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\7-Zip\Lang\ast.txt.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\7-Zip\Lang\sw.txt.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\DVD Maker\fieldswitch.ax.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\1047x576black.png.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\ja-jp-sym.xml.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\Common Files\System\ado\adojavas.inc.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\Common Files\System\ado\adovbs.inc.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\background.png.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\7-Zip\readme.txt.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\correct.avi.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrfralm.dat.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\tipresx.dll.mui.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Title_Page_Ref_PAL.wmv.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\v8_context_snapshot.bin.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipscsy.xml.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\msinfo32.exe.mui.tmp	fbae888d18e683872a091e6006306450N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fbae888d18e683872a091e6006306450N.exe

C:\Users\Admin\AppData\Local\Temp\fbae888d18e683872a091e6006306450N.exe
"C:\Users\Admin\AppData\Local\Temp\fbae888d18e683872a091e6006306450N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2212144002-1172735686-1556890956-1000\desktop.ini.tmp

Filesize
73KB

MD5
548ad92d22f23ef80de4b3c0acd31e81

SHA1
4a5034df0e3ff0680bd93bfcba8d6d7d8f7db81a

SHA256
e3531ffd75a89296354727805b5459b46b5f0de2b45f27f3149aa0a1160cfe93

SHA512
3e24ebb6ff7e0939e02f8a6c3ec1a3ba7e375f2e6b3f014d6ebcee09d59304fa84acd25cb1ade2b29ad7c80ad4e585df422dfa8b0580b991285a3d3276d85625

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
82KB

MD5
0ecdf6882e251135c6a775d825e4a5cb

SHA1
1420bbe7c82ce5754db35605b806eeecec88fcc4

SHA256
9a30121b193e4eb6b5a6102484b532258fc06e35fd0ccf8e317a3c273f0f3890

SHA512
b202651d703a9a3cc8896c484fcc25def11e1b3ce4ec93c90babd2fd2863fb07c35c10e4410e3a13536b73675163137a295537c60c2020b7c90a5c3ec002c0b8

Download Submit