File name:

RansomwareFileDecryptor 1.0.1668 MUI.exe

Full analysis: https://app.any.run/tasks/76a5d218-015b-4cfa-ba82-065791e33aed
Verdict: Malicious activity
Analysis date: June 18, 2024, 07:09:50
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5:

5A64A4425AEAD92B9D9E1891BE7572E3

SHA1:

ACAEF2A172E76055AC9DF34982C10F793E53CA81

SHA256:

DB8C550E5D92D913EA84CA29B59342EEBA001D9C2BEB8C2320F791346C1BC3CC

SSDEEP:

196608:7BfXl3jhAuRArXmsQcUP7wiGTxM1hZBVNF/F1VuwytCUBKdQINxgXo7d6Tz:7BjtEQDP7wiVZBN/FfuwICUBKdnNOMdO

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • RansomwareFileDecryptor 1.0.1668 MUI.exe (PID: 3952)

  • SUSPICIOUS

    • The process drops C-runtime libraries

      • RansomwareFileDecryptor 1.0.1668 MUI.exe (PID: 3952)

    • Process drops legitimate windows executable

      • RansomwareFileDecryptor 1.0.1668 MUI.exe (PID: 3952)

    • Executable content was dropped or overwritten

      • RansomwareFileDecryptor 1.0.1668 MUI.exe (PID: 3952)

  • INFO

    • Checks supported languages

      • RansomwareFileDecryptor 1.0.1668 MUI.exe (PID: 3952)
      • TMRDT.exe (PID: 3988)

    • Create files in a temporary directory

      • RansomwareFileDecryptor 1.0.1668 MUI.exe (PID: 3952)
      • TMRDT.exe (PID: 3988)

    • Reads the machine GUID from the registry

      • TMRDT.exe (PID: 3988)

    • Reads the computer name

      • TMRDT.exe (PID: 3988)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (30.7)
.exe | UPX compressed Win32 Executable (30.1)
.exe | Win32 EXE Yoda's Crypter (29.5)
.exe | Win32 Executable (generic) (5)
.exe | Generic Win/DOS Executable (2.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2017:11:09 09:00:13+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 11
CodeSize: 1462272
InitializedDataSize: 184320
UninitializedDataSize: 2633728
EntryPoint: 0x3e8500
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.1668
ProductVersionNumber: 1.0.0.1668
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Trend Micro Inc.
CoverageBuild: NO
CompileOption: Release
BuildType: int
SpecialBuild: 1668
PrivateBuild: Build 1668 - 11/9/2017
LegalTrademarks: Copyright (C) Trend Micro Inc.
FileDescription: Trend Micro Ransomware File Decryptor
FileVersion: 1.0.0.1668
InternalName: RansomwareFileDecryptor.exe
LegalCopyright: Copyright (C) 2017 Trend Micro Incorporated. All rights reserved.
OriginalFileName: RansomwareFileDecryptor.exe
ProductName: RansomwareFileDecryptor
ProductVersion: 1
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
33
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start ransomwarefiledecryptor 1.0.1668 mui.exe tmrdt.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3952"C:\Users\admin\AppData\Local\Temp\RansomwareFileDecryptor 1.0.1668 MUI.exe" C:\Users\admin\AppData\Local\Temp\RansomwareFileDecryptor 1.0.1668 MUI.exe
explorer.exe
User:
admin
Company:
Trend Micro Inc.
Integrity Level:
MEDIUM
Description:
Trend Micro Ransomware File Decryptor
Version:
1.0.0.1668
Modules
Images
c:\users\admin\appdata\local\temp\ransomwarefiledecryptor 1.0.1668 mui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imm32.dll
3988"C:\Users\admin\AppData\Local\Temp\TMRDTSelfExtract\TMRDT.exe" C:\Users\admin\AppData\Local\Temp\TMRDTSelfExtract\TMRDT.exeRansomwareFileDecryptor 1.0.1668 MUI.exe
User:
admin
Company:
Trend Micro Inc.
Integrity Level:
MEDIUM
Description:
Trend Micro Ransomware File Decryptor
Version:
1.0.0.1668
Modules
Images
c:\users\admin\appdata\local\temp\tmrdtselfextract\tmrdt.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\webio.dll
c:\users\admin\appdata\local\temp\tmrdtselfextract\htmlayout.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
Total events
302
Read events
302
Write events
0
Delete events
0

Modification events

No data
Executable files
6
Suspicious files
24
Text files
42
Unknown types
0

Dropped files

PID
Process
Filename
Type
3952RansomwareFileDecryptor 1.0.1668 MUI.exeC:\Users\admin\AppData\Local\Temp\TMRDTSelfExtract\HLUI\skin\common\img\icon_folder.pngimage
MD5:E743AB1FC49197352C6A6F55FAD873E2
SHA256:9389EA7F2351A1537B1BD6AAF2D0FB25C37EF0167C30BAC9C7535E877B3EA598
3952RansomwareFileDecryptor 1.0.1668 MUI.exeC:\Users\admin\AppData\Local\Temp\TMRDTSelfExtract\HLUI\IDEmailPage\common\img_info_jp.jpgimage
MD5:D584BAA31F164948EEBB3A22B1FA7B7C
SHA256:5266096E18EBED39B3CA0A1C671134A41C090AE74C5FD1DD96C1F3E32B39D13D
3952RansomwareFileDecryptor 1.0.1668 MUI.exeC:\Users\admin\AppData\Local\Temp\TMRDTSelfExtract\HLUI\skin\common\img\bg_loading.pngimage
MD5:96967391225AA8B811DF27B461AC2BA7
SHA256:74BB92CF109A900684F22093742B567F7D1AC60D277B7566D85237634DA5B56D
3952RansomwareFileDecryptor 1.0.1668 MUI.exeC:\Users\admin\AppData\Local\Temp\TMRDTSelfExtract\HLUI\skin\common\img\button_long.pngimage
MD5:7D790CBC2AD1E0D3F8EA8F11525DD8E0
SHA256:6A8D68FA7B7555AA9293866466129431187F755E5A684C7C92274B91B8CA3159
3952RansomwareFileDecryptor 1.0.1668 MUI.exeC:\Users\admin\AppData\Local\Temp\TMRDTSelfExtract\HLUI\skin\common\img\close_btn_pressed.pngimage
MD5:96C1CA6E8BEF0A0706F96BC305C5546A
SHA256:C35EE64FC3211FD04F8DADAF54EE5BF2D79E856D2099624D0D34566357A31FBD
3952RansomwareFileDecryptor 1.0.1668 MUI.exeC:\Users\admin\AppData\Local\Temp\TMRDTSelfExtract\HLUI\IDEmailPage\common\img_info.jpgimage
MD5:CEBCC737A53676757F8916AB85E17869
SHA256:A8A14F06526E12F9FC4730DF606B197AC01404607C202907029C776A1FBB882F
3952RansomwareFileDecryptor 1.0.1668 MUI.exeC:\Users\admin\AppData\Local\Temp\TMRDTSelfExtract\HLUI\skin\common\img\close_btn_hover.pngimage
MD5:7F43B03425078F8AEA06134615E77DE0
SHA256:0BDB190146F6F92088521EA736858AC5C602CFC33A3FBC26A2D8B6A906540B32
3952RansomwareFileDecryptor 1.0.1668 MUI.exeC:\Users\admin\AppData\Local\Temp\TMRDTSelfExtract\HLUI\skin\common\img\icon_feedback.pngimage
MD5:EEAD4CB067A94EF5DA71C6409CF470D9
SHA256:466A9FFC8CF906E07DF94364593B96FF66E96527430BFBEDCF714D8B7C7ED72F
3952RansomwareFileDecryptor 1.0.1668 MUI.exeC:\Users\admin\AppData\Local\Temp\TMRDTSelfExtract\HLUI\skin\common\img\icon_about.pngimage
MD5:3248EF377F98D485EF4F95FA391EFF36
SHA256:2E7033A88612C7991CD1DD79655B6C783FB2FC9FF074C26A840D4D529A3B608D
3952RansomwareFileDecryptor 1.0.1668 MUI.exeC:\Users\admin\AppData\Local\Temp\TMRDTSelfExtract\HLUI\skin\common\img\icon_Info.pngimage
MD5:1791BE8D9E37251ADEC1797CF5C5134F
SHA256:C66FA37FC5B04C3813075432D62D5681E5BE4CB568EDB142ABD11BF44A0EC23E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
4
System
192.168.100.255:137
whitelisted
224.0.0.252:5355
unknown
1088
svchost.exe
224.0.0.252:5355
unknown

DNS requests

No data

Threats

No threats detected
Process
Message
RansomwareFileDecryptor 1.0.1668 MUI.exe
C:\Users\admin\AppData\Local\Temp\RansomwareFileDecryptor 1.0.1668 MUI.exe
RansomwareFileDecryptor 1.0.1668 MUI.exe
C:\Users\admin\AppData\Local\Temp
RansomwareFileDecryptor 1.0.1668 MUI.exe
start extract
RansomwareFileDecryptor 1.0.1668 MUI.exe
ModulePath:C:\Users\admin\AppData\Local\Temp\RansomwareFileDecryptor 1.0.1668 MUI.exe, SelfExtractDir:C:\Users\admin\AppData\Local\Temp\TMRDTSelfExtract, szOffSet:1644002
RansomwareFileDecryptor 1.0.1668 MUI.exe
Command line:"C:\Users\admin\AppData\Local\Temp\TMRDTSelfExtract\TMRDT.exe"
RansomwareFileDecryptor 1.0.1668 MUI.exe
Extract Success !!
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
RansomwareFileDecryptor 1.0.1668 MUI.exe