Analysis

  • max time kernel
    150s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250502-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15/05/2025, 07:20

General

  • Target

    0cb01ae197e4e593a7943d4d2d847dd399efef8040410174d7bfb2e24083be17.exe

  • Size

    322KB

  • MD5

    863f055577979e13e1aef6d08c580755

  • SHA1

    eb1384e49aca875511cafdd596c6ca5b75386a1b

  • SHA256

    0cb01ae197e4e593a7943d4d2d847dd399efef8040410174d7bfb2e24083be17

  • SHA512

    ac4f09de6305fcbe7b112fe76ffbf43d43c620a839020172a9a8cbd041d16db8f1455c6b1c35a5df27b0e8c5a34703c260adbfbb78e41a6f558e2d207d189796

  • SSDEEP

    3072:tqM3k5q6GZmhnVUI1rn/3ulU01fidg5eS8vAlpTmLb14wKYHHuos/fGC/SEXmrNL:S3rYMv0pilFvAfTtYHHu8C/TXmrIL2

Score
9/10

Malware Config

Signatures

  • Renames multiple (4361) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Drops file in Program Files directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

Processes

  • C:\Users\Admin\AppData\Local\Temp\0cb01ae197e4e593a7943d4d2d847dd399efef8040410174d7bfb2e24083be17.exe
    "C:\Users\Admin\AppData\Local\Temp\0cb01ae197e4e593a7943d4d2d847dd399efef8040410174d7bfb2e24083be17.exe"
    1⤵
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    PID:368

Network

        MITRE ATT&CK Enterprise v16


        Downloads

        • C:\$Recycle.Bin\S-1-5-21-3920234085-916416549-2700794571-1000\desktop.ini.tmp

          Filesize

          322KB

          MD5

          b17f9109e46476345763a74ecdaf5af7

          SHA1

          df8ba1cb666bd8de368caae65396aa6756ead223

          SHA256

          96fde5b2022c0902e791ead04ba652c8518ba79f0a8df498c8b2694705570b71

          SHA512

          81678941f9e2d7d38793af70490188dcd49241523b223ce8d9972e409aaa5786c6b36daa0359476e370afe19df22b557009d96b5569c6f69568b77d2f6bdcb21

        • C:\6eaadd5e1536cd09900c16de307910\2010_x86.log.html.tmp

          Filesize

          403KB

          MD5

          4ba9981e792c4299b405aa4744903b63

          SHA1

          662186ef2b0609e58854776f13ae782310fdcd7c

          SHA256

          7c66c029d3f2b7ea5fc3a6113621cab2e440b6355094df58c2e17ace3ee77080

          SHA512

          20877a06423450302f6438477119b87f47b3a965ff0f31d6f80c06c18579f3c5c442b54bc43903a72ef2a5cb74df8b30ea1c30742057ba0a858fbc1a45f33c41

        • memory/368-655-0x0000000000400000-0x0000000000407000-memory.dmp

          Filesize

          28KB