Analysis

  • max time kernel
    149s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250502-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250502-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15/05/2025, 06:45

General

  • Target

    84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe

  • Size

    2.3MB

  • MD5

    7ffcd536703e1b316251cbf1047ef5f6

  • SHA1

    c9e00a62948da23bf1711dcd92be5923b46e8f06

  • SHA256

    84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e

  • SHA512

    1afe7092c6bca24a18243567d1c3a375db460eedfd793c4c98eb0b3cffc330cc04ba8fb51f781a903b19a40dbc267a7438bf55e9957a1a24b4deed2b4ffba033

  • SSDEEP

    24576:O2J4athJA6I+Prz+nGXIG1lPzHnhk59yjEGdi04J2ksswOapyCP5WecI:O2qa3ZI+Pv+GXjD25EnewO5CBW

Malware Config

Signatures

  • Renames multiple (22655) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Drops file in Drivers directory 64 IoCs
  • Boot or Logon Autostart Execution: Print Processors 1 TTPs 1 IoCs

    Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation.

  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

  • Drops startup file 2 IoCs
  • Indicator Removal: Clear Windows Event Logs 1 TTPs 64 IoCs

    Clear Windows Event Logs to hide the activity of an intrusion.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 64 IoCs
  • Drops autorun.inf file 1 TTPs 1 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

Processes

  • C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe
    "C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe"
    1⤵
    • Drops file in Drivers directory
    • Boot or Logon Autostart Execution: Print Processors
    • Drops startup file
    • Indicator Removal: Clear Windows Event Logs
    • Drops desktop.ini file(s)
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    PID:2784

Network

        MITRE ATT&CK Enterprise v16

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\$Recycle.Bin\S-1-5-21-3299287909-2279959458-198972791-1000\desktop.ini

          Filesize

          383B

          MD5

          e8cb0adf38a2b8c8a20227ac3b5879b1

          SHA1

          000c0937dc913adc9b1ee593fc0fbc035b420b29

          SHA256

          91605fe1ae56c359d6afce862de8f2a09a0dbc0834f63f44655a8e625b7e740a

          SHA512

          fd86c734a9bfd0d67a3f5f541643c341f9561009ab8147396f0fa39e901be031d86a3e549b70b0201147240b1e5dc90e2d0079e5563552235d7fa6c193e6b469

        • C:\8e056885788215100b95f8050bba49\READTHISNOW.txt

          Filesize

          979B

          MD5

          8ab863dd5654b1d2fc00b0ee491c1193

          SHA1

          5f9795c4d306ed1852ab75e3f1f8fed825033a70

          SHA256

          4c37cea4272a4638452f3d74ef337f6f5eb33ec065284fe40352d8a95e5a7ccc

          SHA512

          ec91450d3ff76fdc9648ae88c8817d486aee21783cece971862344e07348ded30e22e11c196829cd8e96c7e341c84e81216769a6792794031990f91909591142