fa6a7239e6809a3ea9fc70fad6fe5605ff746055e037c4842aea0345c84bee89

Analysis

max time kernel
120s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 19:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fa6a7239e6809a3ea9fc70fad6fe5605ff746055e037c4842aea0345c84bee89N.exe
Size

84KB
MD5

df3ae392edf9e47efa901de0ea2dcd70
SHA1

8a09f575de35034397cd4779d7f9666ae6dbddef
SHA256

fa6a7239e6809a3ea9fc70fad6fe5605ff746055e037c4842aea0345c84bee89
SHA512

f018330fed82402b304920fa323f4ffd992ad5d8cd4b25cf1a04b5fbcafe3cfde1e48126ab9b698277643a91c9e47b275cf843acd46f6cb885b47fa4afa402fc
SSDEEP

768:W7BlpDpARFbhYQkQjjLaMaRRpi1xnRpi1xOYJIJDYJIJMFhWFhCmDpBIjsZORReu:W7ZDpApYbWj2WTWJe+e/qXhgq

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4540) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jre-1.8\Welcome.html.tmp	fa6a7239e6809a3ea9fc70fad6fe5605ff746055e037c4842aea0345c84bee89N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Retail-pl.xrm-ms.tmp	fa6a7239e6809a3ea9fc70fad6fe5605ff746055e037c4842aea0345c84bee89N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Exchange.WebServices.dll.tmp	fa6a7239e6809a3ea9fc70fad6fe5605ff746055e037c4842aea0345c84bee89N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\EXCELPLUGINSHELL.DLL.tmp	fa6a7239e6809a3ea9fc70fad6fe5605ff746055e037c4842aea0345c84bee89N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Data.Recommendation.Client.Picasso.dll.tmp	fa6a7239e6809a3ea9fc70fad6fe5605ff746055e037c4842aea0345c84bee89N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-util-l1-1-0.dll.tmp	fa6a7239e6809a3ea9fc70fad6fe5605ff746055e037c4842aea0345c84bee89N.exe
File created	C:\Program Files\Java\jre-1.8\bin\dcpr.dll.tmp	fa6a7239e6809a3ea9fc70fad6fe5605ff746055e037c4842aea0345c84bee89N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\nl.pak.tmp	fa6a7239e6809a3ea9fc70fad6fe5605ff746055e037c4842aea0345c84bee89N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription3-pl.xrm-ms.tmp	fa6a7239e6809a3ea9fc70fad6fe5605ff746055e037c4842aea0345c84bee89N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.Office.Tools.Excel.dll.tmp	fa6a7239e6809a3ea9fc70fad6fe5605ff746055e037c4842aea0345c84bee89N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\ReachFramework.resources.dll.tmp	fa6a7239e6809a3ea9fc70fad6fe5605ff746055e037c4842aea0345c84bee89N.exe
File created	C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_MoveDrop32x32.gif.tmp	fa6a7239e6809a3ea9fc70fad6fe5605ff746055e037c4842aea0345c84bee89N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\UIAutomationProvider.resources.dll.tmp	fa6a7239e6809a3ea9fc70fad6fe5605ff746055e037c4842aea0345c84bee89N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\GFX.DLL.tmp	fa6a7239e6809a3ea9fc70fad6fe5605ff746055e037c4842aea0345c84bee89N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.Algorithms.dll.tmp	fa6a7239e6809a3ea9fc70fad6fe5605ff746055e037c4842aea0345c84bee89N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.dll.tmp	fa6a7239e6809a3ea9fc70fad6fe5605ff746055e037c4842aea0345c84bee89N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\System.Windows.Forms.Primitives.resources.dll.tmp	fa6a7239e6809a3ea9fc70fad6fe5605ff746055e037c4842aea0345c84bee89N.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\zipfs.jar.tmp	fa6a7239e6809a3ea9fc70fad6fe5605ff746055e037c4842aea0345c84bee89N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_OEM_Perp-ul-oob.xrm-ms.tmp	fa6a7239e6809a3ea9fc70fad6fe5605ff746055e037c4842aea0345c84bee89N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp-ul-phn.xrm-ms.tmp	fa6a7239e6809a3ea9fc70fad6fe5605ff746055e037c4842aea0345c84bee89N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial2-ppd.xrm-ms.tmp	fa6a7239e6809a3ea9fc70fad6fe5605ff746055e037c4842aea0345c84bee89N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\TellMeWord.nrr.tmp	fa6a7239e6809a3ea9fc70fad6fe5605ff746055e037c4842aea0345c84bee89N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\ReachFramework.resources.dll.tmp	fa6a7239e6809a3ea9fc70fad6fe5605ff746055e037c4842aea0345c84bee89N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\PresentationFramework.resources.dll.tmp	fa6a7239e6809a3ea9fc70fad6fe5605ff746055e037c4842aea0345c84bee89N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_MAK-ul-phn.xrm-ms.tmp	fa6a7239e6809a3ea9fc70fad6fe5605ff746055e037c4842aea0345c84bee89N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\PresentationUI.resources.dll.tmp	fa6a7239e6809a3ea9fc70fad6fe5605ff746055e037c4842aea0345c84bee89N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\libpng.md.tmp	fa6a7239e6809a3ea9fc70fad6fe5605ff746055e037c4842aea0345c84bee89N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_PrepidBypass-ul-oob.xrm-ms.tmp	fa6a7239e6809a3ea9fc70fad6fe5605ff746055e037c4842aea0345c84bee89N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\PresentationCore.resources.dll.tmp	fa6a7239e6809a3ea9fc70fad6fe5605ff746055e037c4842aea0345c84bee89N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Retail-ul-oob.xrm-ms.tmp	fa6a7239e6809a3ea9fc70fad6fe5605ff746055e037c4842aea0345c84bee89N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\System.Windows.Input.Manipulations.resources.dll.tmp	fa6a7239e6809a3ea9fc70fad6fe5605ff746055e037c4842aea0345c84bee89N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ur.pak.tmp	fa6a7239e6809a3ea9fc70fad6fe5605ff746055e037c4842aea0345c84bee89N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\TYPE.WAV.tmp	fa6a7239e6809a3ea9fc70fad6fe5605ff746055e037c4842aea0345c84bee89N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	fa6a7239e6809a3ea9fc70fad6fe5605ff746055e037c4842aea0345c84bee89N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_KMS_ClientC2R-ul-oob.xrm-ms.tmp	fa6a7239e6809a3ea9fc70fad6fe5605ff746055e037c4842aea0345c84bee89N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-white_scale-80.png.tmp	fa6a7239e6809a3ea9fc70fad6fe5605ff746055e037c4842aea0345c84bee89N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Private.Xml.Linq.dll.tmp	fa6a7239e6809a3ea9fc70fad6fe5605ff746055e037c4842aea0345c84bee89N.exe
File created	C:\Program Files\Java\jdk-1.8\javafx-src.zip.tmp	fa6a7239e6809a3ea9fc70fad6fe5605ff746055e037c4842aea0345c84bee89N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTrial-ppd.xrm-ms.tmp	fa6a7239e6809a3ea9fc70fad6fe5605ff746055e037c4842aea0345c84bee89N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Console.dll.tmp	fa6a7239e6809a3ea9fc70fad6fe5605ff746055e037c4842aea0345c84bee89N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\System.Xaml.resources.dll.tmp	fa6a7239e6809a3ea9fc70fad6fe5605ff746055e037c4842aea0345c84bee89N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\giflib.md.tmp	fa6a7239e6809a3ea9fc70fad6fe5605ff746055e037c4842aea0345c84bee89N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E1-0409-1000-0000000FF1CE.xml.tmp	fa6a7239e6809a3ea9fc70fad6fe5605ff746055e037c4842aea0345c84bee89N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Grace-ul-oob.xrm-ms.tmp	fa6a7239e6809a3ea9fc70fad6fe5605ff746055e037c4842aea0345c84bee89N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-ul-oob.xrm-ms.tmp	fa6a7239e6809a3ea9fc70fad6fe5605ff746055e037c4842aea0345c84bee89N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Trial-pl.xrm-ms.tmp	fa6a7239e6809a3ea9fc70fad6fe5605ff746055e037c4842aea0345c84bee89N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Retail-ul-phn.xrm-ms.tmp	fa6a7239e6809a3ea9fc70fad6fe5605ff746055e037c4842aea0345c84bee89N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pt-pt.dll.tmp	fa6a7239e6809a3ea9fc70fad6fe5605ff746055e037c4842aea0345c84bee89N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\README.txt.tmp	fa6a7239e6809a3ea9fc70fad6fe5605ff746055e037c4842aea0345c84bee89N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PPT_WHATSNEW.XML.tmp	fa6a7239e6809a3ea9fc70fad6fe5605ff746055e037c4842aea0345c84bee89N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.Csp.dll.tmp	fa6a7239e6809a3ea9fc70fad6fe5605ff746055e037c4842aea0345c84bee89N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ComponentModel.DataAnnotations.dll.tmp	fa6a7239e6809a3ea9fc70fad6fe5605ff746055e037c4842aea0345c84bee89N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentDemoR_BypassTrial180-ppd.xrm-ms.tmp	fa6a7239e6809a3ea9fc70fad6fe5605ff746055e037c4842aea0345c84bee89N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-white_scale-180.png.tmp	fa6a7239e6809a3ea9fc70fad6fe5605ff746055e037c4842aea0345c84bee89N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\tabskb.dll.mui.tmp	fa6a7239e6809a3ea9fc70fad6fe5605ff746055e037c4842aea0345c84bee89N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Emit.dll.tmp	fa6a7239e6809a3ea9fc70fad6fe5605ff746055e037c4842aea0345c84bee89N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_MAK-ul-oob.xrm-ms.tmp	fa6a7239e6809a3ea9fc70fad6fe5605ff746055e037c4842aea0345c84bee89N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART12.BDR.tmp	fa6a7239e6809a3ea9fc70fad6fe5605ff746055e037c4842aea0345c84bee89N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-convert-l1-1-0.dll.tmp	fa6a7239e6809a3ea9fc70fad6fe5605ff746055e037c4842aea0345c84bee89N.exe
File created	C:\Program Files\Java\jre-1.8\lib\psfont.properties.ja.tmp	fa6a7239e6809a3ea9fc70fad6fe5605ff746055e037c4842aea0345c84bee89N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\sunmscapi.dll.tmp	fa6a7239e6809a3ea9fc70fad6fe5605ff746055e037c4842aea0345c84bee89N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\joni.md.tmp	fa6a7239e6809a3ea9fc70fad6fe5605ff746055e037c4842aea0345c84bee89N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Trial-ul-oob.xrm-ms.tmp	fa6a7239e6809a3ea9fc70fad6fe5605ff746055e037c4842aea0345c84bee89N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_KMS_ClientC2R-ppd.xrm-ms.tmp	fa6a7239e6809a3ea9fc70fad6fe5605ff746055e037c4842aea0345c84bee89N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fa6a7239e6809a3ea9fc70fad6fe5605ff746055e037c4842aea0345c84bee89N.exe

C:\Users\Admin\AppData\Local\Temp\fa6a7239e6809a3ea9fc70fad6fe5605ff746055e037c4842aea0345c84bee89N.exe
"C:\Users\Admin\AppData\Local\Temp\fa6a7239e6809a3ea9fc70fad6fe5605ff746055e037c4842aea0345c84bee89N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-355097885-2402257403-2971294179-1000\desktop.ini.tmp

Filesize
84KB

MD5
5990c5e208f7196bfe5cf9195c178a43

SHA1
d57a854796ae51ceca7ec339761f0b9b6873f5b4

SHA256
c21e44d9102cdaef1857e138e0c0bb4bdefff9490c35da0d2e64547553c25cde

SHA512
66903eabf6c117dd3f6000e64e07da8be5af18246d3de1eda2841613ed303d8053837dfdd523137d421be4a0cbf045520d42d398679a7a239bcc6304fb77cccb

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
183KB

MD5
6dacb9933abd2c72a7132bb0790f3738

SHA1
f45a2ed29c493b63684c0269db8d6c8eb82890b7

SHA256
36c0f11bea26aa329faa2d2ce388ab8a09236376832a38b07341bbd8d18d4ca6

SHA512
6e287e43d12b200777d5ef3faecc1812dc008c7061ad6d4d0928f256d2a7e44eac340488a14e4828b918779a35383bcb8aa4dd95bc01fff8ad47f5d68c7baf34

Download Submit