File name: RansomwareFileDecryptor 1.0.1668 MUI.exe

Full analysis: https://app.any.run/tasks/76a5d218-015b-4cfa-ba82-065791e33aed
Verdict: Malicious activity
Analysis date: June 18, 2024, 07:09:50
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5: 5A64A4425AEAD92B9D9E1891BE7572E3
SHA1: ACAEF2A172E76055AC9DF34982C10F793E53CA81
SHA256: DB8C550E5D92D913EA84CA29B59342EEBA001D9C2BEB8C2320F791346C1BC3CC
SSDEEP: 196608:7BfXl3jhAuRArXmsQcUP7wiGTxM1hZBVNF/F1VuwytCUBKdQINxgXo7d6Tz:7BjtEQDP7wiVZBN/FfuwICUBKdnNOMdO

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops the executable file immediately after the start
      • RansomwareFileDecryptor 1.0.1668 MUI.exe (PID: 3952)
  • SUSPICIOUS
    • Process drops legitimate windows executable
      • RansomwareFileDecryptor 1.0.1668 MUI.exe (PID: 3952)
    • Executable content was dropped or overwritten
      • RansomwareFileDecryptor 1.0.1668 MUI.exe (PID: 3952)
    • The process drops C-runtime libraries
      • RansomwareFileDecryptor 1.0.1668 MUI.exe (PID: 3952)
  • INFO
    • Checks supported languages
      • RansomwareFileDecryptor 1.0.1668 MUI.exe (PID: 3952)
      • TMRDT.exe (PID: 3988)
    • Create files in a temporary directory
      • RansomwareFileDecryptor 1.0.1668 MUI.exe (PID: 3952)
      • TMRDT.exe (PID: 3988)
    • Reads the computer name
      • TMRDT.exe (PID: 3988)
    • Reads the machine GUID from the registry
      • TMRDT.exe (PID: 3988)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (30.7)
.exe | UPX compressed Win32 Executable (30.1)
.exe | Win32 EXE Yoda's Crypter (29.5)
.exe | Win32 Executable (generic) (5)
.exe | Generic Win/DOS Executable (2.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2017:11:09 09:00:13+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 11
CodeSize: 1462272
InitializedDataSize: 184320
UninitializedDataSize: 2633728
EntryPoint: 0x3e8500
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.1668
ProductVersionNumber: 1.0.0.1668
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Trend Micro Inc.
CoverageBuild: NO
CompileOption: Release
BuildType: int
SpecialBuild: 1668
PrivateBuild: Build 1668 - 11/9/2017
LegalTrademarks: Copyright (C) Trend Micro Inc.
FileDescription: Trend Micro Ransomware File Decryptor
FileVersion: 1.0.0.1668
InternalName: RansomwareFileDecryptor.exe
LegalCopyright: Copyright (C) 2017 Trend Micro Incorporated. All rights reserved.
OriginalFileName: RansomwareFileDecryptor.exe
ProductName: RansomwareFileDecryptor
ProductVersion: 1
No data.
All screenshots are available in the full report
Total processes: 33
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start -> RansomwareFileDecryptor 1.0.1668 MUI.exe -> TMRDT.exe (no specs)

Process information

PID | CMD | Path | Parent process
3952 | "C:\Users\admin\AppData\Local\Temp\RansomwareFileDecryptor 1.0.1668 MUI.exe" | C:\Users\admin\AppData\Local\Temp\RansomwareFileDecryptor 1.0.1668 MUI.exe | explorer.exe
User: admin
Company: Trend Micro Inc.
Integrity Level: MEDIUM
Description: Trend Micro Ransomware File Decryptor
Version: 1.0.0.1668
Modules (Images):
c:\users\admin\appdata\local\temp\ransomwarefiledecryptor 1.0.1668 mui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imm32.dll

3988 | "C:\Users\admin\AppData\Local\Temp\TMRDTSelfExtract\TMRDT.exe" | C:\Users\admin\AppData\Local\Temp\TMRDTSelfExtract\TMRDT.exe | RansomwareFileDecryptor 1.0.1668 MUI.exe
User: admin
Company: Trend Micro Inc.
Integrity Level: MEDIUM
Description: Trend Micro Ransomware File Decryptor
Version: 1.0.0.1668
Modules (Images):
c:\users\admin\appdata\local\temp\tmrdtselfextract\tmrdt.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\webio.dll
c:\users\admin\appdata\local\temp\tmrdtselfextract\htmlayout.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
Total events: 302
Read events: 302
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 6
Suspicious files: 24
Text files: 42
Unknown types: 0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
3952 | RansomwareFileDecryptor 1.0.1668 MUI.exe | C:\Users\admin\AppData\Local\Temp\TMRDTSelfExtract\HLUI\skin\common\img\button_long.png | image | 7D790CBC2AD1E0D3F8EA8F11525DD8E0 | 6A8D68FA7B7555AA9293866466129431187F755E5A684C7C92274B91B8CA3159
3952 | RansomwareFileDecryptor 1.0.1668 MUI.exe | C:\Users\admin\AppData\Local\Temp\TMRDTSelfExtract\HLUI\skin\common\img\play.gif | image | 33881101530B3873BF76494FEEF65B27 | 3671AAEE37F4FFE5E3FE7B88CB14615C8E4F32326F8D3D958E6F8978FB763A50
3952 | RansomwareFileDecryptor 1.0.1668 MUI.exe | C:\Users\admin\AppData\Local\Temp\TMRDTSelfExtract\HLUI\skin\common\img\icon_about.png | image | 3248EF377F98D485EF4F95FA391EFF36 | 2E7033A88612C7991CD1DD79655B6C783FB2FC9FF074C26A840D4D529A3B608D
3952 | RansomwareFileDecryptor 1.0.1668 MUI.exe | C:\Users\admin\AppData\Local\Temp\TMRDTSelfExtract\HLUI\IDEmailPage\common\img_info.jpg | image | CEBCC737A53676757F8916AB85E17869 | A8A14F06526E12F9FC4730DF606B197AC01404607C202907029C776A1FBB882F
3952 | RansomwareFileDecryptor 1.0.1668 MUI.exe | C:\Users\admin\AppData\Local\Temp\TMRDTSelfExtract\HLUI\skin\common\img\close_btn.png | image | 7894EAB03D760E7E67F5E1561277B0BF | C5F32AE6486C563596FE21E4CBD17C41486C64FA58CD24CFD8D3C15837391687
3952 | RansomwareFileDecryptor 1.0.1668 MUI.exe | C:\Users\admin\AppData\Local\Temp\TMRDTSelfExtract\HLUI\IDEmailPage\common\img_info_jp.jpg | image | D584BAA31F164948EEBB3A22B1FA7B7C | 5266096E18EBED39B3CA0A1C671134A41C090AE74C5FD1DD96C1F3E32B39D13D
3952 | RansomwareFileDecryptor 1.0.1668 MUI.exe | C:\Users\admin\AppData\Local\Temp\TMRDTSelfExtract\HLUI\skin\common\img\button_long_hover.png | image | ECDDDEE6D3910C05D8B1FEAA48D9666E | 3024AC3E3C2880667D821D7153B7B9D843E7EF17135523A3E3B637B8E727508F
3952 | RansomwareFileDecryptor 1.0.1668 MUI.exe | C:\Users\admin\AppData\Local\Temp\TMRDTSelfExtract\HLUI\skin\common\img\close_btn_hover.png | image | 7F43B03425078F8AEA06134615E77DE0 | 0BDB190146F6F92088521EA736858AC5C602CFC33A3FBC26A2D8B6A906540B32
3952 | RansomwareFileDecryptor 1.0.1668 MUI.exe | C:\Users\admin\AppData\Local\Temp\TMRDTSelfExtract\HLUI\skin\common\img\icon_feedback.png | image | EEAD4CB067A94EF5DA71C6409CF470D9 | 466A9FFC8CF906E07DF94364593B96FF66E96527430BFBEDCF714D8B7C7ED72F
3952 | RansomwareFileDecryptor 1.0.1668 MUI.exe | C:\Users\admin\AppData\Local\Temp\TMRDTSelfExtract\HLUI\skin\common\img\icon_key.png | image | 51851C7CA87350D7D2110975CCEA30A7 | EDC36A149F3E1B6E484189B3DB5B31E20E4D5E71E2BB8496EDC00FE83E0442F3
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Reputation
4 | System | 192.168.100.255:138 | whitelisted
4 | System | 192.168.100.255:137 | whitelisted
 |  | 224.0.0.252:5355 | unknown
1088 | svchost.exe | 224.0.0.252:5355 | unknown

DNS requests

No data

Threats

No threats detected
Process | Message
RansomwareFileDecryptor 1.0.1668 MUI.exe | C:\Users\admin\AppData\Local\Temp\RansomwareFileDecryptor 1.0.1668 MUI.exe
RansomwareFileDecryptor 1.0.1668 MUI.exe | C:\Users\admin\AppData\Local\Temp
RansomwareFileDecryptor 1.0.1668 MUI.exe | start extract
RansomwareFileDecryptor 1.0.1668 MUI.exe | ModulePath:C:\Users\admin\AppData\Local\Temp\RansomwareFileDecryptor 1.0.1668 MUI.exe, SelfExtractDir:C:\Users\admin\AppData\Local\Temp\TMRDTSelfExtract, szOffSet:1644002
RansomwareFileDecryptor 1.0.1668 MUI.exe | Command line:"C:\Users\admin\AppData\Local\Temp\TMRDTSelfExtract\TMRDT.exe"
RansomwareFileDecryptor 1.0.1668 MUI.exe | Extract Success !!