Analysis
-
max time kernel
103s
-
max time network
105s
-
platform
windows11-21h2_x64
-
resource
win11-20250502-en
-
resource tags
arch:x64 arch:x86 image:win11-20250502-en locale:en-us os:windows11-21h2-x64 system
-
submitted
15/05/2025, 08:16
Static task
static1
Behavioral task
behavioral1
Sample
a26f0a2da63a838161a7d335aaa5e4b314a232acc15dcabdb6f6dbec63cda642.exe
Resource
win10v2004-20250502-en
Behavioral task
behavioral2
Sample
a26f0a2da63a838161a7d335aaa5e4b314a232acc15dcabdb6f6dbec63cda642.exe
Resource
win11-20250502-en
General
-
Target
a26f0a2da63a838161a7d335aaa5e4b314a232acc15dcabdb6f6dbec63cda642.exe
-
Size
1.9MB
-
MD5
f7f679420671b7e18677831d4d276277
-
SHA1
1cb6a93e6d2d86d3479a1ea59f7d5b258f1c5c53
-
SHA256
a26f0a2da63a838161a7d335aaa5e4b314a232acc15dcabdb6f6dbec63cda642
-
SHA512
d1254926a171a7ad0588a16cfbd30a039b92aa082b1b32f38b028f745cbf34143ffa0738a97f22946a78fe16baf5b1ac2eb2205093e873438f30a6a0731d9ba7
-
SSDEEP
49152:NW9uVTc0/UrZUAT+x0L9/T9YDlXljktz4Q7NNJaaArzLGWBDF/y5QeK:Xc1rZD+mtTOxXlzF/y5zK
Malware Config
Extracted
C:\Program Files\7-Zip\!__README__!.txt
http://ebhmkoohccl45qesdbvrjqtyro2hmhkmh6vkyfyjjzfllm3ix72aqaid.onion/support/step.php
Signatures
-
Renames multiple (7429) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Drops file in Program Files directory 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process
4032 a26f0a2da63a838161a7d335aaa5e4b314a232acc15dcabdb6f6dbec63cda642.exe
4032 a26f0a2da63a838161a7d335aaa5e4b314a232acc15dcabdb6f6dbec63cda642.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\a26f0a2da63a838161a7d335aaa5e4b314a232acc15dcabdb6f6dbec63cda642.exe
"C:\Users\Admin\AppData\Local\Temp\a26f0a2da63a838161a7d335aaa5e4b314a232acc15dcabdb6f6dbec63cda642.exe"
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:4032
Network
MITRE ATT&CK Matrix
Downloads
-
Filesize
2KB
-
MD5
7037527ffd3ebe496f9df5278f1004f8
-
SHA1
fd37a41c913acde1fc3e3d75a1f776f5a113dff1
-
SHA256
08b14c7d4be16cae6d08885e174cbc8485d81cfccdaca332418859267f528420
-
SHA512
1f9a43c24e1d07b420b0f85c587c52dfac5af705cc7f082681d958035b95e6bc6e3f6edc0faac80ab40c96f7337223aefcc0499951b88133bbf5754fe106d4fb