Analysis

  • max time kernel
    150s
  • max time network
    133s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250502-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18/05/2025, 11:57

General

  • Target

    4f8fff1eade9ef26fef0881e27fae158da5a8fc2bc6ce0128ba10d6e34780cf8.exe

  • Size

    17KB

  • MD5

    229d7d6c64dffbdf649b205df66ed1fd

  • SHA1

    53f7936d7dc02c59c08136bf29f60dc46e766d92

  • SHA256

    4f8fff1eade9ef26fef0881e27fae158da5a8fc2bc6ce0128ba10d6e34780cf8

  • SHA512

    fb04bb96a7918419fe0f47a5a93d825abbcbc4a597f3b7a302dcb169d5593343713429d75b356cc75bd80bc8ba91d63ffb1a5f180d9029acd4462bc799839f58

  • SSDEEP

    384:hAg+5OCZ4W6/KWLsqmFae+rOAqmFae+rOAL2Lp:uZ4FLz8ae+rOn8ae+rOL

Score
9/10

Malware Config

Signatures

  • Renames multiple (5335) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Drops file in Program Files directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

Processes

  • C:\Users\Admin\AppData\Local\Temp\4f8fff1eade9ef26fef0881e27fae158da5a8fc2bc6ce0128ba10d6e34780cf8.exe
    "C:\Users\Admin\AppData\Local\Temp\4f8fff1eade9ef26fef0881e27fae158da5a8fc2bc6ce0128ba10d6e34780cf8.exe"
    1⤵
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    PID:5400

Network

        MITRE ATT&CK Enterprise v16

        Downloads

        • C:\$Recycle.Bin\S-1-5-21-2930597513-779029253-718817275-1000\desktop.ini.tmp

          Filesize

          17KB

          MD5

          d1e2b49ca859f5dbcfdd2221f4db5a65

          SHA1

          cc134218086bc52c99d2b6cb37ae0c850532e0d3

          SHA256

          63abbdce5577d26cd9a8a21bbf8a4b708f878eb7e1d99a8024ed01bd88c7f330

          SHA512

          7306a6eaa437d5b8db255c6c1704509ae2a0982888a09e519521c742f0723e90c5024e6164ebd09ba4393b99370f09cd6672d92b3d66677ee5738b1ee1ad1545

        • C:\6479eedf55783993fe56765264\2010_x86.log.html.tmp

          Filesize

          98KB

          MD5

          588a4c40fd36475be90312839286604c

          SHA1

          deb87556dc7dbd6bcb2fd00f4c314e77c037d94c

          SHA256

          eff702347b3adc4c47cf9ba91dfd4251cd0c850de1ee8cc85e91cc85efee528a

          SHA512

          f36a30986ad3bb3d11305e8c01db132b8cb0a153499dca5869e0839e4a8725f3f4d6497a94f68ecbd0f399ed94eb6b21f8522d4d764391f2e35d6d72ee215f50

        • memory/5400-817-0x0000000000400000-0x0000000000407000-memory.dmp

          Filesize

          28KB