Analysis
- max time kernel: 102s
- max time network: 125s
- platform: windows10-2004_x64
- resource: win10v2004-20250502-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15/05/2025, 08:16

Static task: static1

Behavioral task: behavioral1
- Sample: a26f0a2da63a838161a7d335aaa5e4b314a232acc15dcabdb6f6dbec63cda642.exe
- Resource: win10v2004-20250502-en

Behavioral task: behavioral2
- Sample: a26f0a2da63a838161a7d335aaa5e4b314a232acc15dcabdb6f6dbec63cda642.exe
- Resource: win11-20250502-en

General
- Target: a26f0a2da63a838161a7d335aaa5e4b314a232acc15dcabdb6f6dbec63cda642.exe
- Size: 1.9MB
- MD5: f7f679420671b7e18677831d4d276277
- SHA1: 1cb6a93e6d2d86d3479a1ea59f7d5b258f1c5c53
- SHA256: a26f0a2da63a838161a7d335aaa5e4b314a232acc15dcabdb6f6dbec63cda642
- SHA512: d1254926a171a7ad0588a16cfbd30a039b92aa082b1b32f38b028f745cbf34143ffa0738a97f22946a78fe16baf5b1ac2eb2205093e873438f30a6a0731d9ba7
- SSDEEP: 49152:NW9uVTc0/UrZUAT+x0L9/T9YDlXljktz4Q7NNJaaArzLGWBDF/y5QeK:Xc1rZD+mtTOxXlzF/y5zK
Malware Config
Extracted
- Path: C:\Program Files\7-Zip\!__README__!.txt
- URL: http://ebhmkoohccl45qesdbvrjqtyro2hmhkmh6vkyfyjjzfllm3ix72aqaid.onion/support/step.php
Signatures
- Renames multiple (7421) files with added filename extension
  This suggests ransomware activity: files across the system are being encrypted and renamed with an appended extension.
- Drops file in Program Files directory (64 IoCs)
  Columns are description, IoC and process. All 64 entries are attributed to a26f0a2da63a838161a7d335aaa5e4b314a232acc15dcabdb6f6dbec63cda642.exe (PID 4072). Encrypted files carry the appended .interlock extension; the note !__README__!.txt is created in the same directories.
  - File opened for modification: C:\Program Files\Java\jre-1.8\legal\jdk\asm.md.interlock
  - File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Retail-pl.xrm-ms.interlock
  - File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp3-pl.xrm-ms.interlock
  - File opened for modification: C:\Program Files\Microsoft Office\root\rsod\wordmui.msi.16.en-us.tree.dat.interlock
  - File opened for modification: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\PICTIM32.FLT.interlock
  - File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Retail-ul-oob.xrm-ms.interlock
  - File opened for modification: C:\Program Files\Microsoft Office\root\Office16\XLCALL32.DLL.interlock
  - File opened for modification: C:\Program Files\Microsoft Office\root\vfs\Fonts\private\LHANDW.TTF.interlock
  - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\delete.svg.interlock
  - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons_ie8.gif.interlock
  - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\themes\dark\sat_logo_2x.png.interlock
  - File created: C:\Program Files (x86)\Internet Explorer\en-US\!__README__!.txt
  - File opened for modification: C:\Program Files\Java\jdk-1.8\jre\lib\rt.jar.interlock
  - File created: C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\ResiliencyLinks\Extensions\!__README__!.txt
  - File opened for modification: C:\Program Files\Internet Explorer\uk-UA\iexplore.exe.mui.interlock
  - File opened for modification: C:\Program Files\Microsoft Office\root\vfs\Fonts\private\DUBAI-BOLD.TTF.interlock
  - File opened for modification: C:\Program Files\Microsoft Office\root\Integration\C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml.interlock
  - File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_MAKC2R-ul-oob.xrm-ms.interlock
  - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\cs-cz\ui-strings.js.interlock
  - File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\da-dk\!__README__!.txt
  - File opened for modification: C:\Program Files\Google\Chrome\Application\133.0.6943.60\Locales\he.pak.interlock
  - File opened for modification: C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Orange Red.xml.interlock
  - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\cross.png.interlock
  - File created: C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\WidevineCdm\_platform_specific\win_x64\!__README__!.txt
  - File created: C:\Program Files\VideoLAN\VLC\plugins\lua\!__README__!.txt
  - File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\!__README__!.txt
  - File opened for modification: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\ResiliencyLinks\AdSelectionAttestationsPreloaded\manifest.json.DATA.interlock
  - File opened for modification: C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]
  - File created: C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\!__README__!.txt
  - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\sv-se\ui-strings.js.interlock
  - File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\es-es\!__README__!.txt
  - File opened for modification: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\ResiliencyLinks\VisualElements\SmallLogo.png.DATA.interlock
  - File opened for modification: C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt.interlock
  - File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\cs-cz\!__README__!.txt
  - File created: C:\Program Files (x86)\Common Files\Oracle\Java\!__README__!.txt
  - File created: C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\AdSelectionAttestationsPreloaded\!__README__!.txt
  - File opened for modification: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\Trust Protection Lists\Sigma\Content.interlock
  - File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial5-pl.xrm-ms.interlock
  - File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_KMS_Client-ul-oob.xrm-ms.interlock
  - File opened for modification: C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.scale-100.png.interlock
  - File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\hu-hu\!__README__!.txt
  - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\bg_pattern_RHP.png.interlock
  - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\fi-fi\ui-strings.js.interlock
  - File opened for modification: C:\Program Files\chrome_installer.log.interlock
  - File created: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Source Engine\!__README__!.txt
  - File opened for modification: C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\en_CA.dic.interlock
  - File created: C:\Program Files\dotnet\host\fxr\7.0.16\!__README__!.txt
  - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\nb-no\ui-strings.js.interlock
  - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\ja-jp\ui-strings.js.interlock
  - File created: C:\Program Files (x86)\Common Files\System\Ole DB\en-US\!__README__!.txt
  - File opened for modification: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\WXPNSE.DLL.interlock
  - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\sl-si\ui-strings.js.interlock
  - File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ru-ru\!__README__!.txt
  - File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\nb-no\!__README__!.txt
  - File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\fi-fi\!__README__!.txt
  - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\hr-hr\ui-strings.js.interlock
  - File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial-ppd.xrm-ms.interlock
  - File opened for modification: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\SpreadsheetCompare_col.hxt.interlock
  - File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\css\!__README__!.txt
  - File opened for modification: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\Locales\sv.pak.interlock
  - File opened for modification: C:\Program Files\Common Files\microsoft shared\ClickToRun\FrequentOfficeUpdateSchedule.xml.interlock
  - File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_KMS_Client-ul-oob.xrm-ms.interlock
  - File opened for modification: C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000049\catalog.json.interlock
  - File opened for modification: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\ENES\MSB1ENES.ITS.interlock
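The rename signature and the "Drops file in Program Files directory" list above come down to one heuristic: many modified files sharing a single appended extension, plus one note filename created across many directories. The script below is an added example, not Triage's signature code and not logic from the sample; it runs that heuristic over constructed file-event lines shaped like the report's IoC rows. The thresholds are assumptions sized for the toy input (the report's own signature fired at 7421 renames), and the benign `.xml` modification and the lone `build.log` creation are included as controls.

```python
"""Mass-rename and ransom-note heuristic over sandbox file events.

Added example, not Triage's signature code: it reproduces the idea behind
"Renames multiple (N) files with added filename extension" on constructed
event lines shaped like the report's "Drops file" rows.
"""
import re
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

# Constructed sample events modelled on the report's rows (not a verbatim copy).
SAMPLE_EVENTS = r"""
File opened for modification C:\Program Files\Java\jre-1.8\legal\jdk\asm.md.interlock
File opened for modification C:\Program Files\Microsoft Office\root\Office16\XLCALL32.DLL.interlock
File opened for modification C:\Program Files\chrome_installer.log.interlock
File opened for modification C:\Program Files\Google\Chrome\Application\133.0.6943.60\Locales\he.pak.interlock
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\FrequentOfficeUpdateSchedule.xml
File created C:\Program Files (x86)\Internet Explorer\en-US\!__README__!.txt
File created C:\Program Files\VideoLAN\VLC\plugins\lua\!__README__!.txt
File created C:\Program Files\dotnet\host\fxr\7.0.16\!__README__!.txt
File created C:\Users\Admin\AppData\Local\Temp\build.log
"""

EVENT_RE = re.compile(
    r"^File (?P<action>created|opened for modification) (?P<path>[A-Za-z]:\\.+)$"
)


def parse_events(text):
    """Return (action, PureWindowsPath) tuples; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append((m.group("action"), PureWindowsPath(m.group("path"))))
    return events


def appended_extension_counts(events):
    """Count the trailing extension of modified files that carry two or more
    suffixes ('rt.jar.interlock' -> '.interlock'). One extension dominating
    this counter is the mass-rename pattern the signature keys on."""
    counts = Counter()
    for action, path in events:
        if action == "opened for modification" and len(path.suffixes) >= 2:
            counts[path.suffix.lower()] += 1
    return counts


def ransom_note_candidates(events):
    """Map each created filename to the number of distinct directories it was
    written to; a note dropped into every encrypted folder is one name with a
    high directory count."""
    dirs = defaultdict(set)
    for action, path in events:
        if action == "created":
            dirs[path.name].add(str(path.parent).lower())
    return {name: len(d) for name, d in dirs.items()}


def assess(events, rename_threshold=3, note_threshold=3):
    """Combine both heuristics. Thresholds are assumptions sized for the toy
    input; the report's own signature fired at 7421 renames."""
    total_modified = sum(1 for action, _ in events if action == "opened for modification")
    ext_counts = appended_extension_counts(events)
    ext, renamed = (ext_counts.most_common(1) or [(None, 0)])[0]
    notes = ransom_note_candidates(events)
    note_name, note_dirs = max(notes.items(), key=lambda kv: kv[1], default=(None, 0))
    mass_rename = renamed >= rename_threshold
    note_spray = note_dirs >= note_threshold
    return {
        "extension": ext,
        "renamed": renamed,
        # share of all modifications carrying the appended extension; a high
        # count with a low share points at a busy installer, not encryption
        "share": round(renamed / total_modified, 2) if total_modified else 0.0,
        "note_name": note_name,
        "note_dirs": note_dirs,
        "verdict": "ransomware-like" if (mass_rename and note_spray) else "inconclusive",
    }


if __name__ == "__main__":
    print(assess(parse_events(SAMPLE_EVENTS)))
```

On real data, feed the sandbox's full file-event export rather than the 64-row excerpt, and read the `share` field alongside the raw count: a legitimate installer rewriting thousands of `.tar.gz` files would trip the count alone, but not the combination of a dominant appended extension and one note name sprayed into the same directories.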
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  - PID 4072: a26f0a2da63a838161a7d335aaa5e4b314a232acc15dcabdb6f6dbec63cda642.exe
  - PID 4072: a26f0a2da63a838161a7d335aaa5e4b314a232acc15dcabdb6f6dbec63cda642.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\a26f0a2da63a838161a7d335aaa5e4b314a232acc15dcabdb6f6dbec63cda642.exe (PID 4072)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a26f0a2da63a838161a7d335aaa5e4b314a232acc15dcabdb6f6dbec63cda642.exe"
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 2KB
- MD5: 7037527ffd3ebe496f9df5278f1004f8
- SHA1: fd37a41c913acde1fc3e3d75a1f776f5a113dff1
- SHA256: 08b14c7d4be16cae6d08885e174cbc8485d81cfccdaca332418859267f528420
- SHA512: 1f9a43c24e1d07b420b0f85c587c52dfac5af705cc7f082681d958035b95e6bc6e3f6edc0faac80ab40c96f7337223aefcc0499951b88133bbf5754fe106d4fb