3e7ac9bcdfa03e34692d5dd390d2a2ffb9b032b21b1359622c21abc72a93683a

Analysis

max time kernel
119s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/08/2024, 01:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fbae888d18e683872a091e6006306450N.exe
Size

73KB
MD5

fbae888d18e683872a091e6006306450
SHA1

0f7d842238012a1b5590c6986c6526785a5ca7e7
SHA256

3e7ac9bcdfa03e34692d5dd390d2a2ffb9b032b21b1359622c21abc72a93683a
SHA512

143145352ad05ac2b1f900d0980f34b52b3f7919e554e00cb23f26b56aa62dfb0fe88a0ff723612b774caa3756400ff72c481d46b6eeda15a52b36fc4e39a6ac
SSDEEP

768:W7Blp2sspARFbhJpupZ5pZ4+fTgTvlK1lK6RZR+8/8gClurYClurUpOpLqfqY:W7Z2sspApkZrZ4+fU7lK1lKT8/82CY

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4640) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00A1-0000-1000-0000000FF1CE.xml.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\Google\Chrome\Application\initial_preferences.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Emit.dll.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_MoveDrop32x32.gif.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\libxslt.md.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\sunmscapi.jar.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Windows.dll.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\coreclr.dll.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial1-pl.xrm-ms.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\Crashpad\settings.dat.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_MAK-ul-oob.xrm-ms.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail-pl.xrm-ms.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Document.XmlSerializers.dll.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Sockets.dll.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\Microsoft Office\root\Client\msvcp140.dll.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Ion.thmx.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_OEM_Perp-pl.xrm-ms.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Trial-ppd.xrm-ms.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalDemoR_BypassTrial180-ul-oob.xrm-ms.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_KMS_Client-ppd.xrm-ms.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-file-l1-1-0.dll.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\Internet Explorer\fr-FR\ieinstal.exe.mui.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription3-pl.xrm-ms.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Excel.BackEnd.XmlSerializers.dll.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOSPECTRE.DLL.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\WindowsFormsIntegration.resources.dll.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Collections.dll.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\UIAutomationTypes.resources.dll.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\UIAutomationClientSideProviders.resources.dll.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_KMS_ClientC2R-ul-oob.xrm-ms.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\AccessRuntime2019_eula.txt.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\vcruntime140.dll.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.NETCore.App.deps.json.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome.dll.sig.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\Java\jre-1.8\lib\charsets.jar.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_Grace-ppd.xrm-ms.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Grace-ppd.xrm-ms.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\de\msipc.dll.mui.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-convert-l1-1-0.dll.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail2-ul-oob.xrm-ms.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-utility-l1-1-0.dll.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Serialization.Json.dll.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\WindowsFormsIntegration.resources.dll.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\UIAutomationProvider.resources.dll.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ca.pak.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_Subscription-ul-oob.xrm-ms.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_KMS_Client-ul-oob.xrm-ms.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\Common Files\System\Ole DB\msdatl3.dll.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.onenotemui.msi.16.en-us.xml.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\Java\jre-1.8\lib\javaws.jar.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\tipresx.dll.mui.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\rtscom.dll.mui.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_CopyDrop32x32.gif.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD.HXS.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.EventSource.dll.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l1-2-0.dll.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.DiaSymReader.Native.amd64.dll.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.Serialization.dll.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.dll.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Data.dll.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\WindowsBase.resources.dll.tmp	fbae888d18e683872a091e6006306450N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\UIAutomationProvider.resources.dll.tmp	fbae888d18e683872a091e6006306450N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fbae888d18e683872a091e6006306450N.exe

C:\Users\Admin\AppData\Local\Temp\fbae888d18e683872a091e6006306450N.exe
"C:\Users\Admin\AppData\Local\Temp\fbae888d18e683872a091e6006306450N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-945322488-2060912225-3527527000-1000\desktop.ini.tmp

Filesize
73KB

MD5
0ce6bef54dcc737573d9701a7c8d9379

SHA1
ca6fff1bdb32eb398b9da79b09b7a7128bfcb6c2

SHA256
27d4b812fbccb95ccb7f882d3fa0abbdb812f69410bf14134b30703e7721fe11

SHA512
5bb0952473b2a7a505816ac2fcb0e2c3a8ad56461f2ff37f566b92e9dedcacf0abe424489f65ee71cbd67475280d31d49e14af1bdf3901811b1994193108050c

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
172KB

MD5
31cace51b9a7260b01cd1447f490f9f1

SHA1
c1032cb0e199efe6306a3a4bea486d6572f0ae01

SHA256
6d6b8f5d8d8abf8866fb966477cef723b3a8fd5e4d4469bffe90b8adfdc53233

SHA512
139de87d9e14375ff5a277aa0696923493efbca83c9886d243e4946ee1863f84a12f4f576b2a98ff3996a0800413770b8c7154f829858205b8cae51f23cd58c8

Download Submit