Analysis

  • max time kernel
    150s
  • max time network
    105s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250502-en
  • resource tags

    arch:x64, arch:x86, image:win11-20250502-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    15/05/2025, 07:20

General

  • Target

    0cb01ae197e4e593a7943d4d2d847dd399efef8040410174d7bfb2e24083be17.exe

  • Size

    322KB

  • MD5

    863f055577979e13e1aef6d08c580755

  • SHA1

    eb1384e49aca875511cafdd596c6ca5b75386a1b

  • SHA256

    0cb01ae197e4e593a7943d4d2d847dd399efef8040410174d7bfb2e24083be17

  • SHA512

    ac4f09de6305fcbe7b112fe76ffbf43d43c620a839020172a9a8cbd041d16db8f1455c6b1c35a5df27b0e8c5a34703c260adbfbb78e41a6f558e2d207d189796

  • SSDEEP

    3072:tqM3k5q6GZmhnVUI1rn/3ulU01fidg5eS8vAlpTmLb14wKYHHuos/fGC/SEXmrNL:S3rYMv0pilFvAfTtYHHu8C/TXmrIL2

Score
9/10

Malware Config

Signatures

  • Renames multiple (4490) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Drops file in Program Files directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

Processes

  • C:\Users\Admin\AppData\Local\Temp\0cb01ae197e4e593a7943d4d2d847dd399efef8040410174d7bfb2e24083be17.exe
    "C:\Users\Admin\AppData\Local\Temp\0cb01ae197e4e593a7943d4d2d847dd399efef8040410174d7bfb2e24083be17.exe"
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    PID:628

Network

        MITRE ATT&CK Enterprise v16

        Downloads

        • C:\$Recycle.Bin\S-1-5-21-2329104403-2882594830-3136665766-1000\desktop.ini.tmp

          Filesize

          322KB

          MD5

          fae38edbac93a44e7f6e978fd64f74ac

          SHA1

          300f0a024a577b932d06d15fe6d2de52f13d4102

          SHA256

          4389993a987ce3624c504979e5b59b9d176163764023a7984cfaf15255f19c39

          SHA512

          d601e678bbbe4d8d620da6e88c9219386023608deec268c208ccf303ee6ed12e0569ccbc6fa5480282f4d20787b641ebd8a1f091f6991116eee03a89458fccfa

        • C:\bf6fffe43a1488106117f05273896fef\2010_x86.log.html.tmp

          Filesize

          403KB

          MD5

          6964365cb078ad6ba3a9cc34a2b236ed

          SHA1

          075a15977a959079986ff599cdddd3d2d104df19

          SHA256

          2d7c4f4b79dec8d7df40163f079ada2eb49cc56f1181d943fbe3f394ca74c87a

          SHA512

          f8b7b8896577a202ed2ec677b7924bb8bf72764d94b8c184ae62a61af4b3cbdd42e71b1170a806f7f5cf61a1f7646017a65b710b248ab0947591f09db20a12df

        • memory/628-763-0x0000000000400000-0x0000000000407000-memory.dmp

          Filesize

          28KB