Analysis

  • max time kernel: 149s
  • max time network: 146s
  • platform: windows10-2004_x64
  • resource: win10v2004-20250502-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 15/05/2025, 07:24

General

  • Target: 0cb01ae197e4e593a7943d4d2d847dd399efef8040410174d7bfb2e24083be17.exe
  • Size: 322KB
  • MD5: 863f055577979e13e1aef6d08c580755
  • SHA1: eb1384e49aca875511cafdd596c6ca5b75386a1b
  • SHA256: 0cb01ae197e4e593a7943d4d2d847dd399efef8040410174d7bfb2e24083be17
  • SHA512: ac4f09de6305fcbe7b112fe76ffbf43d43c620a839020172a9a8cbd041d16db8f1455c6b1c35a5df27b0e8c5a34703c260adbfbb78e41a6f558e2d207d189796
  • SSDEEP: 3072:tqM3k5q6GZmhnVUI1rn/3ulU01fidg5eS8vAlpTmLb14wKYHHuos/fGC/SEXmrNL:S3rYMv0pilFvAfTtYHHu8C/TXmrIL2

Score
9/10

Malware Config

Signatures

  • Renames multiple (4317) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Drops file in Program Files directory (64 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 1 IoC)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

Processes

  • C:\Users\Admin\AppData\Local\Temp\0cb01ae197e4e593a7943d4d2d847dd399efef8040410174d7bfb2e24083be17.exe
    "C:\Users\Admin\AppData\Local\Temp\0cb01ae197e4e593a7943d4d2d847dd399efef8040410174d7bfb2e24083be17.exe"
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    PID:1072

Network

        MITRE ATT&CK Enterprise v16


        Downloads

        • C:\$Recycle.Bin\S-1-5-21-1153236273-2212388449-1493869963-1000\desktop.ini.tmp
          Filesize: 322KB
          MD5: bea11225b17b811521822386240422a9
          SHA1: cac8bc626399be2ae618b03b20a247d8b32180b5
          SHA256: d283b2d4b8528ed4c45327e3fc15047429e3d27ff677ef05ab1ecc756d536aec
          SHA512: ab8e96c38102df5ee18e72d9d9a2a4ec90f5e01f01f8eac686738cbef76e717d57458dca2b6967755eb7e1afbee405896272b371e1f2989faa82d88d8c3d2a77

        • C:\f518c2ae32873fab6fcffcc19027\2010_x64.log.html.tmp
          Filesize: 408KB
          MD5: 31ed3725513859b40d565df01c3461f3
          SHA1: a69d0189734694a6112d7e1cc798c1ffc6bd2c71
          SHA256: 438f5787a2dd8389e3f6aed2db5fc7a66499fbb5dccd92e94113ccded4240987
          SHA512: 2f5f4c58076e0db26f71a626b7983b39d09a3499d9b28e1be53c8a9ad7fc47ad147bd2fc2aa69282b3a3ed5ece3fb3e0fcbf83def34e975859f87ff948651529

        • memory/1072-657-0x0000000000400000-0x0000000000407000-memory.dmp
          Filesize: 28KB