8b0f9d248e67199bb7f1a778a03e4caee7d267e61d8a7d70fa1c1f6d7944e96a

Resubmissions

28/03/2025, 16:52

250328-vdc6kazry9 9

24/03/2025, 22:22

250324-2aphra1jx7 10

Analysis

max time kernel
424s
max time network
435s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
24/03/2025, 22:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4561647.exe
Size

7KB
MD5

ebbc82f619471384f392efd5c4d05883
SHA1

17d91b45c8615d0f09d1100d2be396cbcba21fde
SHA256

e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c
SHA512

3e33bd22c440e9ab4a065d216467c1220780aa2a39a38ea4aec81d050d3e6048e87244341fbeac2cdefebae9fe987b713e0d4fcf34adf1390b5ccda6dd448241
SSDEEP

96:uP/EuJO5ER8KDGrru1M2mIspl5SgOj9/xVKzAQTH1osaxnkK:unE5ORTD91M2mIGyxhp2AQRONkK

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (1679) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	4561647.exe

Deletes itself 1 IoCs

pid	Process
4956	WScript.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	4561647.exe
File opened (read-only)	\??\Y:	4561647.exe
File opened (read-only)	\??\I:	4561647.exe
File opened (read-only)	\??\M:	4561647.exe
File opened (read-only)	\??\P:	4561647.exe
File opened (read-only)	\??\W:	4561647.exe
File opened (read-only)	\??\G:	4561647.exe
File opened (read-only)	\??\Q:	4561647.exe
File opened (read-only)	\??\R:	4561647.exe
File opened (read-only)	\??\U:	4561647.exe
File opened (read-only)	\??\V:	4561647.exe
File opened (read-only)	\??\J:	4561647.exe
File opened (read-only)	\??\N:	4561647.exe
File opened (read-only)	\??\S:	4561647.exe
File opened (read-only)	\??\X:	4561647.exe
File opened (read-only)	\??\Z:	4561647.exe
File opened (read-only)	\??\E:	4561647.exe
File opened (read-only)	\??\H:	4561647.exe
File opened (read-only)	\??\K:	4561647.exe
File opened (read-only)	\??\L:	4561647.exe
File opened (read-only)	\??\O:	4561647.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\nb-no\!_READ_ME_!.txt	4561647.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\!_READ_ME_!.txt	4561647.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\fr-fr\ui-strings.js._CRYPT	4561647.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ca-es\ui-strings.js._CRYPT	4561647.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\Locales\fil.pak._CRYPT	4561647.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\es-es\!_READ_ME_!.txt	4561647.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\!_READ_ME_!.txt	4561647.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\sv-se\ui-strings.js._CRYPT	4561647.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ko-kr\ui-strings.js._CRYPT	4561647.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\cs-cz\ui-strings.js._CRYPT	4561647.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\eu-es\ui-strings.js._CRYPT	4561647.exe
File created	C:\Program Files (x86)\Windows Media Player\Media Renderer\RenderingControl_DMP.xml._CRYPT	4561647.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ca-es\!_READ_ME_!.txt	4561647.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Locales\en-US.pak._CRYPT	4561647.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\mi.pak._CRYPT	4561647.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\cs-cz\!_READ_ME_!.txt	4561647.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\root\!_READ_ME_!.txt	4561647.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\es-es\!_READ_ME_!.txt	4561647.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\es-es\!_READ_ME_!.txt	4561647.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\!_READ_ME_!.txt	4561647.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\affDescription.txt._CRYPT	4561647.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Locales\kn.pak._CRYPT	4561647.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\Locales\vi.pak._CRYPT	4561647.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\it-it\ui-strings.js._CRYPT	4561647.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ro-ro\ui-strings.js._CRYPT	4561647.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\pt-br\ui-strings.js._CRYPT	4561647.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\hu-hu\ui-strings.js._CRYPT	4561647.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\!_READ_ME_!.txt	4561647.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\es-es\ui-strings.js._CRYPT	4561647.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\zh-cn\ui-strings.js._CRYPT	4561647.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\en-ae\!_READ_ME_!.txt	4561647.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\sk-sk\ui-strings.js._CRYPT	4561647.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\is.pak._CRYPT	4561647.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\it-it\!_READ_ME_!.txt	4561647.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\eu-es\!_READ_ME_!.txt	4561647.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\CP1250.TXT._CRYPT	4561647.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\nb-no\!_READ_ME_!.txt	4561647.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\cs-cz\!_READ_ME_!.txt	4561647.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ko-kr\!_READ_ME_!.txt	4561647.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\nl-nl\!_READ_ME_!.txt	4561647.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\zh-cn\!_READ_ME_!.txt	4561647.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\fr-ma\!_READ_ME_!.txt	4561647.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\zh-tw\ui-strings.js._CRYPT	4561647.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\hu-hu\ui-strings.js._CRYPT	4561647.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\nb-no\!_READ_ME_!.txt	4561647.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\en-gb\!_READ_ME_!.txt	4561647.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\fr-fr\!_READ_ME_!.txt	4561647.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\az.pak._CRYPT	4561647.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\ur.pak._CRYPT	4561647.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-il\ui-strings.js._CRYPT	4561647.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\es-es\ui-strings.js._CRYPT	4561647.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\fr-ma\ui-strings.js._CRYPT	4561647.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\Locales\fi.pak._CRYPT	4561647.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-ma\ui-strings.js._CRYPT	4561647.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\root\!_READ_ME_!.txt	4561647.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ca-es\ui-strings.js._CRYPT	4561647.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\pt-br\ui-strings.js._CRYPT	4561647.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\en-il\ui-strings.js._CRYPT	4561647.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\!_READ_ME_!.txt	4561647.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ui-strings.js._CRYPT	4561647.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\sl-sl\!_READ_ME_!.txt	4561647.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-fr\!_READ_ME_!.txt	4561647.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\hr-hr\ui-strings.js._CRYPT	4561647.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\da-dk\ui-strings.js._CRYPT	4561647.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4561647.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	4561647.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 4956	1960	4561647.exe	98
PID 1960 wrote to memory of 4956	1960	4561647.exe	98
PID 1960 wrote to memory of 4956	1960	4561647.exe	98

C:\Users\Admin\AppData\Local\Temp\4561647.exe
"C:\Users\Admin\AppData\Local\Temp\4561647.exe"
1⤵
- Checks computer location settings
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4561647.vbs"
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:4956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\!_READ_ME_!.txt

Filesize
502B

MD5
b0952e65955eaeca0064f1a368acb216

SHA1
5b5074c950a480fcb920b8f3ff108cfcdeaec639

SHA256
e1263206f1524bac3c87a1ad532780dc326415cfd01ee03e9775ff433e57ad4f

SHA512
7610fa182d0ddf8879ae3178dc099be53cf5648ad3eb7f8acaef178ea1ccfa5f74bd8afe9a8a6b9066737f9faff2230d4e402017a197fcf7e51151cf6c64b3a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\4561647.vbs

Filesize
373B

MD5
9266e359efa382b829dd86da49d0e7e8

SHA1
bb8556218ea57ed70329f6dbda2c1888c9721a09

SHA256
33c495267c6443a04590300b55a1eb1499999fecc7e0f511218dfa7b08ea7979

SHA512
7c9de391a3800a169b024c863cdd01f71f9deb4b5edecf849408882c5fe5c3141b856ed3d30117d2b3ac202e012e689c15514a9e24b09a5f6f1c3429bc20239a

Download Submit
memory/1960-352-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/1960-2875-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads