Analysis

  • max time kernel: 120s
  • max time network: 119s
  • platform: windows7_x64
  • resource: win7-20240708-en
  • resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted: 11-01-2025 22:27

General

  • Target: 4cd28bce599f29d5dd195092e647a5675a838d5aa38bbbe3639f508a33e5144b.exe
  • Size: 364KB
  • MD5: f2be745b64c74bee4f77624c418d2c03
  • SHA1: 854e2a37f2071dbd4b10664c9d4e7c3e7c89886f
  • SHA256: 4cd28bce599f29d5dd195092e647a5675a838d5aa38bbbe3639f508a33e5144b
  • SHA512: 86add2f9b8d03efca9d49c972402e79bee80040a6a054b98cd886a17c20b87b1eede63406c5cc322978c189952645ea4164523babb11486a55f6cc4b442182e5
  • SSDEEP: 6144:fEyyj2yAIJbIjNDv0bNXkbvLiPqEyyj2yAIJbIjNDv0bNXkbvLiPs:PyAUbIZGNXkbvL7yAUbIZGNXkbvL3

Malware Config

Signatures

  • Renames multiple (1855) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • UPX packed file (4 IoCs)

    Detects executables packed with the UPX or modified UPX open-source packer.

  • Drops file in Program Files directory (64 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 1 IoC)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

Processes

  • C:\Users\Admin\AppData\Local\Temp\4cd28bce599f29d5dd195092e647a5675a838d5aa38bbbe3639f508a33e5144b.exe (PID 3044)
    Command line: "C:\Users\Admin\AppData\Local\Temp\4cd28bce599f29d5dd195092e647a5675a838d5aa38bbbe3639f508a33e5144b.exe"
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\$Recycle.Bin\S-1-5-21-3551809350-4263495960-1443967649-1000\desktop.ini.tmp
    Filesize: 364KB
    MD5: a29e05eac4cff8611c248851c2545077
    SHA1: d49c7fdaa4eea39375c9e5a1180e2b5ffd6b2169
    SHA256: 13e89b1fa289208e2dc8e427eb6dee8ccfd2f37450a6a767699f382095ef0730
    SHA512: 89260c80be128fc879f8e4a268ef8fdb7dc4e4ea35ad7bc7ca41546b10a8d1063b839d860ef28ea5122bb9d176476ad9c61e17116bacabac993142379f723a27

  • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp
    Filesize: 373KB
    MD5: e183a37eff37b3f1ce4eb6290182f0b2
    SHA1: 150e81da9b5a93c497a11501166ccb50668a37dc
    SHA256: cfa6639f7846cb4438b7b25dbdf6bef3fdced4a91f240ab80a62d2388b994c3a
    SHA512: fb72a7ea0b190d71d8c48c0228c51cd280b1fe4fe861d64093e90b6edf56b5b66f7f369a5b0be0ab1ebfb433ded581d36f8b0c5479dfd6704ee42f47d3bdb177

  • memory/3044-0-0x0000000000400000-0x000000000040A000-memory.dmp
    Filesize: 40KB

  • memory/3044-69-0x0000000000400000-0x000000000040A000-memory.dmp
    Filesize: 40KB