Analysis

  • max time kernel
    150s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250502-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18/05/2025, 11:54

General

  • Target

    849f71ce804616187c30f66bc1a37df7a2f66e0ab1c24eec3b9d16b40bb17d50.exe

  • Size

    17KB

  • MD5

    037aa02e443a62f5c5f084ebe33db79a

  • SHA1

    c0c1411baa5212931f514fdcf257caa4775b6474

  • SHA256

    849f71ce804616187c30f66bc1a37df7a2f66e0ab1c24eec3b9d16b40bb17d50

  • SHA512

    217336f94abb6e6ef2b3f4907b743aafbe3d65816066cad0f49aa66299c7b536433b34e6b011df0ee767e7bbb5755765d597ce73c9fb53a0f53f57e68462c7ad

  • SSDEEP

    384:hAg+5OCZ4W6/KWLsqmFae+rOAqmFae+rOAL2LK:uZ4FLz8ae+rOn8ae+rOM

Score
9/10

Malware Config

Signatures

  • Renames multiple (5244) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Drops file in Program Files directory (64 IoCs)
  • System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

Processes

  • C:\Users\Admin\AppData\Local\Temp\849f71ce804616187c30f66bc1a37df7a2f66e0ab1c24eec3b9d16b40bb17d50.exe
    "C:\Users\Admin\AppData\Local\Temp\849f71ce804616187c30f66bc1a37df7a2f66e0ab1c24eec3b9d16b40bb17d50.exe"
    1⤵
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    PID:3076

Network

        MITRE ATT&CK Enterprise v16

        Downloads

        • C:\$Recycle.Bin\S-1-5-21-186956858-2143653872-2609589082-1000\desktop.ini.tmp

          Filesize

          17KB

          MD5

          938e619a486bca8a0fc417401c83d3c0

          SHA1

          45ad42c126765b1b60552b92ebfcb2154bf39661

          SHA256

          cc8f68026a275c6e96e18f563e8485e0aedc039f4d618799f7e8153931e81ddd

          SHA512

          48ac4f4a06895eae65e14f157330c3d79dbf3e867e7e1a2d8a86a4d3463a2fc184c3035dfd606506f0573132f142ddabcb6993d0a7fc114c1c7fd0d9ce1945a4

        • C:\d962f70874f5d4bfc1c6\2010_x64.log.html.tmp

          Filesize

          102KB

          MD5

          7869b31629de9027ceb24a22ad93cc89

          SHA1

          75da97c249ead436fb586752f0060334e5ca01b9

          SHA256

          f1de0e6322382dedbb69722ad96dacee8a3945d6fb059b94bffe9c9d12b86e93

          SHA512

          b617074528972638dafdf54368f7d983d8c0a5fc2d619cfa3ee88ab5b5675feadc57c31284901d02de1fbcddd74e71c890af162712ead08e1395c19a021a6606

        • memory/3076-819-0x0000000000400000-0x0000000000407000-memory.dmp

          Filesize

          28KB