Analysis

  • max time kernel
    150s
  • max time network
    103s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250502-en
  • resource tags

    arch:x64, arch:x86, image:win11-20250502-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    18/05/2025, 11:58

General

  • Target

    849f71ce804616187c30f66bc1a37df7a2f66e0ab1c24eec3b9d16b40bb17d50.exe

  • Size

    17KB

  • MD5

    037aa02e443a62f5c5f084ebe33db79a

  • SHA1

    c0c1411baa5212931f514fdcf257caa4775b6474

  • SHA256

    849f71ce804616187c30f66bc1a37df7a2f66e0ab1c24eec3b9d16b40bb17d50

  • SHA512

    217336f94abb6e6ef2b3f4907b743aafbe3d65816066cad0f49aa66299c7b536433b34e6b011df0ee767e7bbb5755765d597ce73c9fb53a0f53f57e68462c7ad

  • SSDEEP

    384:hAg+5OCZ4W6/KWLsqmFae+rOAqmFae+rOAL2LK:uZ4FLz8ae+rOn8ae+rOM

Score
9/10

Malware Config

Signatures

  • Renames multiple (5360) files with added filename extension

    This is the pattern of ransomware encrypting the files on the system: each file is rewritten and renamed with an extra extension appended to its original name (here .tmp, as seen in the dropped-file list below).

  • Drops file in Program Files directory (64 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 1 IoC)

    Attempts to gather information about the victim's system language in order to infer the geographical location of that host.
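
The mass-rename signature above is a heuristic that is easy to reproduce outside the sandbox: one process renaming many distinct files so that the new name is the old name plus an appended extension. The following is an added example, not part of the Triage report or the sample; it assumes rename events (pid, old path, new path) are available from file-system telemetry, which the report does not show, and the event list is constructed inline (the two real renamed paths from the dropped-file list plus synthetic bulk).

```python
import re
from typing import Dict, Iterable, List, NamedTuple, Optional, Set, Tuple


class RenameEvent(NamedTuple):
    """One file rename as a telemetry source would report it (assumed format)."""
    pid: int
    old_path: str
    new_path: str


# An appended extension: a dot plus a short alphanumeric token and nothing else.
_EXT_RE = re.compile(r"^\.[A-Za-z0-9_-]{1,16}$")


def added_extension(old_path: str, new_path: str) -> Optional[str]:
    """Return the extension appended to old_path to form new_path, or None
    if the rename is not a pure 'old name + .ext' (e.g. report.docx -> report_v2.docx)."""
    if not new_path.lower().startswith(old_path.lower()):
        return None
    suffix = new_path[len(old_path):]
    if not _EXT_RE.match(suffix):
        return None
    return suffix.lower()


def detect_mass_rename(events: Iterable[RenameEvent], threshold: int = 50) -> List[Tuple[int, str, int]]:
    """Alert when a single pid appends the same extension to >= threshold
    distinct files. Distinct paths are counted so repeated events for one
    file do not inflate the score. Returns sorted (pid, ext, count) tuples."""
    per_pid: Dict[int, Dict[str, Set[str]]] = {}
    for ev in events:
        ext = added_extension(ev.old_path, ev.new_path)
        if ext is None:
            continue
        per_pid.setdefault(ev.pid, {}).setdefault(ext, set()).add(ev.old_path.lower())
    alerts = []
    for pid, exts in per_pid.items():
        for ext, files in exts.items():
            if len(files) >= threshold:
                alerts.append((pid, ext, len(files)))
    return sorted(alerts)


def build_sample_events() -> List[RenameEvent]:
    """Constructed sample: the two renamed paths from the report, 60 synthetic
    Program Files renames by the same pid, one duplicate, and benign renames
    from an unrelated process."""
    events = [
        RenameEvent(1812, r"C:\$Recycle.Bin\S-1-5-21-330179853-1108322181-418488014-1000\desktop.ini",
                    r"C:\$Recycle.Bin\S-1-5-21-330179853-1108322181-418488014-1000\desktop.ini.tmp"),
        RenameEvent(1812, r"C:\b5678467481f56688dc2ce816954\2010_x86.log.html",
                    r"C:\b5678467481f56688dc2ce816954\2010_x86.log.html.tmp"),
    ]
    for i in range(60):
        old = rf"C:\Program Files\Example\doc{i}.txt"
        events.append(RenameEvent(1812, old, old + ".tmp"))
    events.append(events[2])  # duplicate event for the same file, must not double-count
    events.append(RenameEvent(4000, r"C:\Users\Admin\report.docx", r"C:\Users\Admin\report_v2.docx"))
    events.append(RenameEvent(4000, r"C:\Users\Admin\notes.txt", r"C:\Users\Admin\notes.txt.bak"))
    return events


if __name__ == "__main__":
    for pid, ext, n in detect_mass_rename(build_sample_events()):
        print(f"ALERT pid={pid} appended {ext!r} to {n} distinct files")
```

The threshold is deliberately per process and per extension: a user saving a handful of .bak copies never trips it, while a process that has touched dozens of files with one new suffix (the report counts 5360) does. Tune the threshold to the telemetry window you evaluate over.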

Processes

  • C:\Users\Admin\AppData\Local\Temp\849f71ce804616187c30f66bc1a37df7a2f66e0ab1c24eec3b9d16b40bb17d50.exe
    "C:\Users\Admin\AppData\Local\Temp\849f71ce804616187c30f66bc1a37df7a2f66e0ab1c24eec3b9d16b40bb17d50.exe"
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    PID:1812

Network

        MITRE ATT&CK Enterprise v16

        Downloads

        • C:\$Recycle.Bin\S-1-5-21-330179853-1108322181-418488014-1000\desktop.ini.tmp

          Filesize

          17KB

          MD5

          235399ae37407a4bed7849886c7b8d1f

          SHA1

          f5f2eee96e886328f3e25dd8a6eabd84421a8b07

          SHA256

          ba38e48131f43fec26eb01d2597b902d0b8d175ee6005e3e7ff6ee9d8d82b67d

          SHA512

          5976b26ca3469ba78e6fe4df29c7348bb3f53059768a946aca01a07fe24ba8d90832a166f67159b68dd89a78fa8bcac6e79e4af6f3ce622a3ac9173e13484ec8

        • C:\b5678467481f56688dc2ce816954\2010_x86.log.html.tmp

          Filesize

          98KB

          MD5

          878f0eb040c736b15682e2ce2d2704c1

          SHA1

          a4f62ebe9c0645c0ee41e3d67c57f169dad2dbf0

          SHA256

          5c9dfd4d9b084878a4a75d26a59ff30281254b8c7c7adca8e75aab2d1ed57f33

          SHA512

          49189c9c21b4340001d326cb5ad562e9d2db54392591ec210d590ee3718a73506bf9e526f16d9e74b0c88ab900253b45c5a7a01b4b9195a13e6e21e8d257e791

        • memory/1812-1227-0x0000000000400000-0x0000000000407000-memory.dmp

          Filesize

          28KB