149898073b601778d3705edc74f9f52d7bea6cb9e7b3c0e1af73dde7269ca65b

Analysis

max time kernel
163s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
14/05/2024, 18:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

149898073b601778d3705edc74f9f52d7bea6cb9e7b3c0e1af73dde7269ca65b.exe
Size

276KB
MD5

23b96f2b67d6bdd189ecb6831553880b
SHA1

8f83e81e547d74eb78f768e47b9d895754f983f8
SHA256

149898073b601778d3705edc74f9f52d7bea6cb9e7b3c0e1af73dde7269ca65b
SHA512

11ddb6430c183d6a05412f407fbb2defb4cbaf83678b71b00313e3fe29ec51e3e8b454e216f2de888c056335c25ca0fdd7e07e7adb9b490a71106898abdcee82
SSDEEP

3072:9QWp0w9mHpKZNGCLOwstyhZFChcssc56FUrgxvbSD4UQrO2ZTxW:LZ9UpK7ShcHUaZA

Score

9^/10

ransomware

Malware Config

Signatures

Renames multiple (551) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 2 IoCs

pid	Process
1428	Zombie.exe
1892	_cinst.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Zombie.exe	149898073b601778d3705edc74f9f52d7bea6cb9e7b3c0e1af73dde7269ca65b.exe
File opened for modification	C:\Windows\SysWOW64\Zombie.exe	149898073b601778d3705edc74f9f52d7bea6cb9e7b3c0e1af73dde7269ca65b.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\Lang\th.txt.tmp	Zombie.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.cs-cz.dll.tmp	Zombie.exe
File created	C:\Program Files\7-Zip\Lang\af.txt.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Net.Sockets.dll.tmp	Zombie.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-CA\tipresx.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsptb.xml.tmp	Zombie.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\mshwgst.dll.tmp	Zombie.exe
File created	C:\Program Files\7-Zip\Lang\sk.txt.tmp	Zombie.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\i640.hash.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\api-ms-win-core-handle-l1-1-0.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\api-ms-win-crt-filesystem-l1-1-0.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.ComponentModel.EventBasedAsync.dll.tmp	Zombie.exe
File created	C:\Program Files\7-Zip\Lang\ca.txt.tmp	Zombie.exe
File created	C:\Program Files\7-Zip\Lang\va.txt.tmp	Zombie.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fi-FI\tipresx.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\oskmenubase.xml.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Data.Common.dll.tmp	Zombie.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msaddsr.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.dll.tmp	Zombie.exe
File created	C:\Program Files\7-Zip\Lang\nb.txt.tmp	Zombie.exe
File created	C:\Program Files\7-Zip\Lang\ne.txt.tmp	Zombie.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsnld.xml.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Transactions.dll.tmp	Zombie.exe
File created	C:\Program Files\7-Zip\Lang\sw.txt.tmp	Zombie.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hwrcommonlm.dat.tmp	Zombie.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msaddsr.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\api-ms-win-core-synch-l1-1-0.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Threading.Overlapped.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.ComponentModel.Annotations.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.IO.Compression.FileSystem.dll.tmp	Zombie.exe
File created	C:\Program Files\7-Zip\Lang\mng2.txt.tmp	Zombie.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\msdaremr.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Threading.dll.tmp	Zombie.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ThirdPartyNotices.MSHWLatin.txt.tmp	Zombie.exe
File created	C:\Program Files\Common Files\System\ado\msado60.tlb.tmp	Zombie.exe
File created	C:\Program Files\Common Files\System\Ole DB\oledbjvs.inc.tmp	Zombie.exe
File created	C:\Program Files\7-Zip\Lang\be.txt.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\dbgshim.dll.tmp	Zombie.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\TipRes.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_heb.xml.tmp	Zombie.exe
File created	C:\Program Files\Common Files\System\ado\msado28.tlb.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\Microsoft.NETCore.App.deps.json.tmp	Zombie.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-conio-l1-1-0.dll.tmp	Zombie.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\TipTsf.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Common Files\System\ado\adovbs.inc.tmp	Zombie.exe
File created	C:\Program Files\Common Files\System\ado\msadomd.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\api-ms-win-crt-convert-l1-1-0.dll.tmp	Zombie.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipssrb.xml.tmp	Zombie.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ro-RO\tipresx.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Common Files\System\ado\fr-FR\msader15.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Private.Uri.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Text.RegularExpressions.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Reflection.Emit.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Runtime.Loader.dll.tmp	Zombie.exe
File created	C:\Program Files\7-Zip\7z.sfx.tmp	Zombie.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\InkObj.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\pt-PT\tipresx.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Runtime.CompilerServices.Unsafe.dll.tmp	Zombie.exe
File created	C:\Program Files\7-Zip\Lang\ar.txt.tmp	Zombie.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\TipRes.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Dynamic.Runtime.dll.tmp	Zombie.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\TipRes.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\vstoee100.tlb.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Security.SecureString.dll.tmp	Zombie.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 3896 wrote to memory of 1428	3896	149898073b601778d3705edc74f9f52d7bea6cb9e7b3c0e1af73dde7269ca65b.exe	91
PID 3896 wrote to memory of 1428	3896	149898073b601778d3705edc74f9f52d7bea6cb9e7b3c0e1af73dde7269ca65b.exe	91
PID 3896 wrote to memory of 1428	3896	149898073b601778d3705edc74f9f52d7bea6cb9e7b3c0e1af73dde7269ca65b.exe	91
PID 3896 wrote to memory of 1892	3896	149898073b601778d3705edc74f9f52d7bea6cb9e7b3c0e1af73dde7269ca65b.exe	90
PID 3896 wrote to memory of 1892	3896	149898073b601778d3705edc74f9f52d7bea6cb9e7b3c0e1af73dde7269ca65b.exe	90

C:\Users\Admin\AppData\Local\Temp\149898073b601778d3705edc74f9f52d7bea6cb9e7b3c0e1af73dde7269ca65b.exe
"C:\Users\Admin\AppData\Local\Temp\149898073b601778d3705edc74f9f52d7bea6cb9e7b3c0e1af73dde7269ca65b.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3896
- C:\Users\Admin\AppData\Local\Temp\_cinst.exe
  "_cinst.exe"
  2⤵
  - Executes dropped EXE
  PID:1892
- C:\Windows\SysWOW64\Zombie.exe
  "C:\Windows\system32\Zombie.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:1428

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4036 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:8
1⤵
PID:1328

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3808065738-1666277613-1125846146-1000\desktop.ini.tmp

Filesize
133KB

MD5
7bcc6aca2f0cbe9e7cb033e10939656b

SHA1
57329f1099ef6b70ca9e099ebce29913cb059cd8

SHA256
ff62f035931f331620e8f53eb40ac2103eadef63142b7dfd7cf10bdf639490d4

SHA512
6c41078829c608d37e0c7bfc988402a72a13173e55d58f60aa264ef5eb50d7f1a79baa46bfb3d06659c450dbc2e971ebbdd68439d3f62dcaa58492244d06d134

Download Submit
C:\Users\Admin\AppData\Local\Temp\_cinst.exe

Filesize
143KB

MD5
2fdb371d45181dff59577110ba1064e2

SHA1
42a5833cb0ac90e38d734d1327bb3f7c7a6aa453

SHA256
80d7ec8ce3913d81ea5d4f304b8609e56f0e49778c52af9279e742ea54f4a155

SHA512
52982041ba9ca552b90b79b251501ec6c33c5251d09ca9969a1b179af2ec17aca6eb81db6e588e12751bcea04208e1da8d5a754a979dd98ceb3f50780aadea20

Download Submit
C:\Windows\SysWOW64\Zombie.exe

Filesize
133KB

MD5
cc684f17c746d59b516934aa3ebba9ba

SHA1
4f0eaefcffbcf0fc346ee3b91fb18fe619ea43b2

SHA256
b6483b57347f6f3d4640d028c7a0e0e599d5cab0fc643c95cc8709635470f88f

SHA512
c565818f131c54769e948ef13964ee74456cf2148a0723dea14494f57d9fbd17edd5cf5b3167450e31af089f4ffdd4ea4e42d88d8f1ac7ed9daffec871ed74c4

Download Submit
memory/1428-10-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1892-15-0x00007FFA36593000-0x00007FFA36595000-memory.dmp

Filesize
8KB

Download
memory/1892-16-0x0000000000520000-0x0000000000548000-memory.dmp

Filesize
160KB

Download
memory/3896-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads