Analysis

  • max time kernel
    150s
  • max time network
    134s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250502-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20250502-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    19/05/2025, 13:45

General

  • Target

    f7a52c3bd352215920092d31ffaaf1c1a8d0e125ecf599ed4a1428f4d258d6b3.exe

  • Size

    18KB

  • MD5

    af78857e264f8a0ce3d310842571a5ec

  • SHA1

    d2d2598d8ee9c9db64d74f4beb0354105d397bf6

  • SHA256

    f7a52c3bd352215920092d31ffaaf1c1a8d0e125ecf599ed4a1428f4d258d6b3

  • SHA512

    da244dda421b2084d4bf23061584663b9fd69d631e6f6fe2f008a2c9428826158c3ecedc1a86d035982a0039b4ee86ffc9087404664124767ef8037853f07ce1

  • SSDEEP

    384:hAg+5OCZ4W6/KWLsqmFae+rOAqmFae+rOdzzgyt69Q6Czzgyt69Q6C:uZ4FLz8ae+rOn8ae+rOdzEytU5CzEyt/

Score
9/10

Malware Config

Signatures

  • Renames multiple (5294) files with added filename extension

    This suggests ransomware activity: files across the system are being encrypted and renamed with a new extension.

  • Drops file in Program Files directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location (commonly used by ransomware to skip hosts in certain locales).
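The two behavioural signatures above (mass rename with an appended extension, and system language discovery) re-implemented as detection logic, as an added example that is not part of the sandbox report or its signature engine. It runs over a constructed event stream in a simple `kind|pid|detail` format; that format, the `.locked` extension, the SID, the PID 1234 and the rename threshold are assumptions made for the example.

```python
"""Added example: re-implement two sandbox signatures over a constructed event log."""
from collections import Counter, defaultdict

# Constructed sample events (not sandbox output): "kind|pid|detail".
# Rename details are "old -> new". The ".locked" extension and the SID are placeholders.
SAMPLE_EVENTS = r"""
file_rename|4380|C:\Users\Admin\Documents\budget.xlsx -> C:\Users\Admin\Documents\budget.xlsx.locked
file_rename|4380|C:\Users\Admin\Documents\notes.txt -> C:\Users\Admin\Documents\notes.txt.locked
file_rename|4380|C:\Users\Admin\Pictures\cat.jpg -> C:\Users\Admin\Pictures\cat.jpg.locked
file_rename|4380|C:\$Recycle.Bin\S-1-5-21-0-0-0-1000\desktop.ini -> C:\$Recycle.Bin\S-1-5-21-0-0-0-1000\desktop.ini.locked
file_rename|4380|C:\Program Files\App\readme.html -> C:\Program Files\App\readme.html.locked
file_rename|4380|C:\Program Files\App\config.xml -> C:\Program Files\App\config.xml.locked
file_rename|4380|C:\Users\Admin\Downloads\setup.exe.tmp -> C:\Users\Admin\Downloads\setup.exe
file_rename|1234|C:\Users\Admin\Desktop\new.txt -> C:\Users\Admin\Desktop\renamed.txt
api_call|4380|GetSystemDefaultLangID
api_call|4380|GetLocaleInfoW
api_call|1234|CreateFileW
"""

# Win32 APIs that reveal the host's language or locale (T1614.001).
LANGUAGE_DISCOVERY_APIS = {
    "GetSystemDefaultLangID", "GetUserDefaultLangID", "GetSystemDefaultLCID",
    "GetUserDefaultLCID", "GetUserDefaultUILanguage", "GetLocaleInfoW",
    "GetLocaleInfoA", "GetKeyboardLayoutList",
}


def parse_events(text):
    """Parse the constructed 'kind|pid|detail' lines into (kind, pid, detail) tuples."""
    events = []
    for line in text.strip().splitlines():
        kind, pid, detail = line.split("|", 2)
        events.append((kind, int(pid), detail))
    return events


def appended_extension(old, new):
    """Return the extension a rename appended to the full old path (e.g. '.locked'),
    or None when the new name is not simply old + '.<ext>'."""
    if not new.startswith(old):
        return None
    suffix = new[len(old):]
    if suffix.startswith(".") and len(suffix) > 1 and "\\" not in suffix and "/" not in suffix:
        return suffix
    return None


def detect_mass_rename(events, threshold=5):
    """Flag processes that appended the same extension to at least `threshold` files.
    The sandbox counted 5294 such renames; the threshold here is an assumption."""
    per_pid = defaultdict(Counter)
    for kind, pid, detail in events:
        if kind != "file_rename":
            continue
        old, sep, new = detail.partition(" -> ")
        if not sep:
            continue
        ext = appended_extension(old, new)
        if ext:
            per_pid[pid][ext] += 1
    hits = []
    for pid, counter in sorted(per_pid.items()):
        for ext, n in counter.items():
            if n >= threshold:
                hits.append({"pid": pid, "extension": ext, "count": n})
    return hits


def detect_language_discovery(events):
    """Return sorted (pid, api) pairs for calls to language/locale discovery APIs."""
    return sorted({(pid, detail) for kind, pid, detail in events
                   if kind == "api_call" and detail in LANGUAGE_DISCOVERY_APIS})


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print(detect_mass_rename(evs))
    print(detect_language_discovery(evs))
```

Note that a rename that strips a `.tmp` suffix (the `setup.exe.tmp -> setup.exe` line) or changes the base name is deliberately not counted, so ordinary installer behaviour does not trip the rename signature; only a consistent appended extension across many files does.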

Processes

  • C:\Users\Admin\AppData\Local\Temp\f7a52c3bd352215920092d31ffaaf1c1a8d0e125ecf599ed4a1428f4d258d6b3.exe
    "C:\Users\Admin\AppData\Local\Temp\f7a52c3bd352215920092d31ffaaf1c1a8d0e125ecf599ed4a1428f4d258d6b3.exe"
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    PID:4380

Network

        MITRE ATT&CK Enterprise v16

        Downloads

        • C:\$Recycle.Bin\S-1-5-21-2930597513-779029253-718817275-1000\desktop.ini.tmp

          Filesize

          18KB

          MD5

          71bbf202ac42e95c6bd9473cefa7d307

          SHA1

          8202da80030a2571b02f7554d642057727fa25eb

          SHA256

          62e650807b2ff1bb61337daef38475c0bdde2bcc51304b808f750d32bf0df99b

          SHA512

          bbf549606db3a0656c628f0c185ca5b4566bb8c177a28bef4028227ce4d675e5583fcd1dd59e71de8f01e231653aa347ba5b674f9eac2b9ee3d4a144f03c6ff8

        • C:\6479eedf55783993fe56765264\2010_x86.log.html.tmp

          Filesize

          99KB

          MD5

          6f5b629a7a20e838e5072d1f94faa10c

          SHA1

          d6da6d25843e054abc8ee50420d98f7b215259be

          SHA256

          875db476c1143abd130521e65e58544bfaf95999c24d324c5ff67bb8e5e42213

          SHA512

          00ee2b1706d97310b7baa26135679ca1425a8bc7277a283e319c07f74c53e07b405378835c50d0f1863cb753630844da223667d112701c2ca076d19b000eb5f9

        • memory/4380-813-0x0000000000400000-0x0000000000407000-memory.dmp

          Filesize

          28KB