Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
28-05-2024 18:07
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
020d9d037cad355e5c8bece6ab4da432b6f0858d6b0f0a347834fc563520bc58.exe
Resource
win7-20240419-en
windows7-x64
2 signatures
150 seconds
Behavioral task
behavioral2
Sample
020d9d037cad355e5c8bece6ab4da432b6f0858d6b0f0a347834fc563520bc58.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
5 signatures
150 seconds
General
-
Target
020d9d037cad355e5c8bece6ab4da432b6f0858d6b0f0a347834fc563520bc58.exe
-
Size
155KB
-
MD5
34cb7c2c7ca70ac53bd13b7ffd73c282
-
SHA1
514f3ba37e73eeceaf9e4216d48f8319a1b76105
-
SHA256
020d9d037cad355e5c8bece6ab4da432b6f0858d6b0f0a347834fc563520bc58
-
SHA512
8e110964223ef192791649afc34834bc0f30d1ead95c1c3f381faa7b0bc5941a698982dd3658ae1c3c8a6bb449ec1173b3810bc49ea84f8f3ed5fd96f0370ae8
-
SSDEEP
3072:6NLWpCZxVP2ZQfq6Tl7j66sfmTk3WdK1q:u6EVWQVm6S3WYq
Score
9/10
Malware Config
Signatures
-
Renames multiple (5141) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Executes dropped EXE 1 IoCs
pid Process 4976 Zombie.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\SysWOW64\Zombie.exe 020d9d037cad355e5c8bece6ab4da432b6f0858d6b0f0a347834fc563520bc58.exe File opened for modification C:\Windows\SysWOW64\Zombie.exe 020d9d037cad355e5c8bece6ab4da432b6f0858d6b0f0a347834fc563520bc58.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Loader.dll.tmp Zombie.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\UIAutomationClient.resources.dll.tmp Zombie.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\Microsoft.VisualBasic.Forms.resources.dll.tmp Zombie.exe File created C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-file-l1-1-0.dll.tmp Zombie.exe File created C:\Program Files\Microsoft Office\root\Office16\PROOF\msth8EN.DLL.tmp Zombie.exe File created C:\Program Files\Common Files\microsoft shared\ink\uk-UA\tipresx.dll.mui.tmp Zombie.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\WindowsBase.resources.dll.tmp Zombie.exe File created C:\Program Files\Google\Chrome\Application\110.0.5481.104\nacl_irt_x86_64.nexe.tmp Zombie.exe File created C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-process-l1-1-0.dll.tmp Zombie.exe File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019MSDNR_Retail-ul-phn.xrm-ms.tmp Zombie.exe File created C:\Program Files\Microsoft Office\root\Office16\OFFSYMSB.TTF.tmp Zombie.exe File created C:\Program Files\Common Files\microsoft shared\ink\de-DE\mshwLatin.dll.mui.tmp Zombie.exe File created C:\Program Files\Common Files\System\Ole DB\sqloledb.dll.tmp Zombie.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-console-l1-2-0.dll.tmp Zombie.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\UIAutomationClientSideProviders.resources.dll.tmp Zombie.exe File created C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_OEM_Perp-ppd.xrm-ms.tmp Zombie.exe File created C:\Program Files\7-Zip\Lang\kaa.txt.tmp Zombie.exe File created C:\Program Files\7-Zip\Lang\ps.txt.tmp Zombie.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationCore.dll.tmp Zombie.exe File created C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-runtime-l1-1-0.dll.tmp Zombie.exe File created C:\Program Files\Microsoft Office\root\Office16\AugLoop\third-party-notices.txt.tmp Zombie.exe File created C:\Program Files\Microsoft Office\root\Templates\1033\StudentReport.dotx.tmp Zombie.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Principal.Windows.dll.tmp Zombie.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\UIAutomationProvider.resources.dll.tmp Zombie.exe File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Practices.Unity.dll.tmp Zombie.exe File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-black_scale-180.png.tmp Zombie.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Forms.Design.dll.tmp Zombie.exe File created C:\Program Files\Google\Chrome\Application\110.0.5481.104\resources.pak.tmp Zombie.exe File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.VisualStudio.OLE.Interop.dll.tmp Zombie.exe File created C:\Program Files\Microsoft Office\root\Office16\Interceptor.tlb.tmp Zombie.exe File created C:\Program Files\Microsoft Office\root\Office16\MSOHEVI.DLL.tmp Zombie.exe File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.el-gr.dll.tmp Zombie.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Private.Uri.dll.tmp Zombie.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.Win32.Primitives.dll.tmp Zombie.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationNative_cor3.dll.tmp Zombie.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\UIAutomationClientSideProviders.resources.dll.tmp Zombie.exe File created C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_MAK_AE-ul-phn.xrm-ms.tmp Zombie.exe File created C:\Program Files\Microsoft Office\root\Office16\OSFROAMINGPROXY.DLL.tmp Zombie.exe File created C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL092.XML.tmp Zombie.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.dll.tmp Zombie.exe File created C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Word.Word.x-none.msi.16.x-none.xml.tmp Zombie.exe File created C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial3-ul-oob.xrm-ms.tmp Zombie.exe File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTest-ul-oob.xrm-ms.tmp Zombie.exe File created C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Grace-ppd.xrm-ms.tmp Zombie.exe File created C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub_eula.txt.tmp Zombie.exe File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Edit.White.png.tmp Zombie.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.Json.dll.tmp Zombie.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\PresentationUI.resources.dll.tmp Zombie.exe File created C:\Program Files\Internet Explorer\uk-UA\ieinstal.exe.mui.tmp Zombie.exe File created C:\Program Files\Java\jdk-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt.tmp Zombie.exe File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_Grace-ppd.xrm-ms.tmp Zombie.exe File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_MAK-ppd.xrm-ms.tmp Zombie.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Sockets.dll.tmp Zombie.exe File created C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-stdio-l1-1-0.dll.tmp Zombie.exe File created C:\Program Files\Java\jre-1.8\lib\fontconfig.properties.src.tmp Zombie.exe File created C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O17EnterpriseVL_Bypass30-ul-oob.xrm-ms.tmp Zombie.exe File created C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription1-ppd.xrm-ms.tmp Zombie.exe File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] Zombie.exe File created C:\Program Files\7-Zip\Lang\de.txt.tmp Zombie.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PenImc_cor3.dll.tmp Zombie.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework-SystemXmlLinq.dll.tmp Zombie.exe File created C:\Program Files\Java\jre-1.8\lib\fonts\LucidaBrightDemiBold.ttf.tmp Zombie.exe File created C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Retail-ppd.xrm-ms.tmp Zombie.exe File created C:\Program Files\Microsoft Office\root\Office16\FilterModule.dll.tmp Zombie.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2556 wrote to memory of 4976 2556 020d9d037cad355e5c8bece6ab4da432b6f0858d6b0f0a347834fc563520bc58.exe 83 PID 2556 wrote to memory of 4976 2556 020d9d037cad355e5c8bece6ab4da432b6f0858d6b0f0a347834fc563520bc58.exe 83 PID 2556 wrote to memory of 4976 2556 020d9d037cad355e5c8bece6ab4da432b6f0858d6b0f0a347834fc563520bc58.exe 83
Processes
-
C:\Users\Admin\AppData\Local\Temp\020d9d037cad355e5c8bece6ab4da432b6f0858d6b0f0a347834fc563520bc58.exe"C:\Users\Admin\AppData\Local\Temp\020d9d037cad355e5c8bece6ab4da432b6f0858d6b0f0a347834fc563520bc58.exe"1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Windows\SysWOW64\Zombie.exe"C:\Windows\system32\Zombie.exe"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4976
-
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
49KB
MD59f8334ede95f80864636386f993e926d
SHA1077ad6f63784d076dcbbd06a494733aa76292b67
SHA256e65107bf2408812f9f928fa98d40ef5c328f47116af3c3b14feaa36ea04deab2
SHA5128c8fc3361720f42025b8eaaa26a239c92a335e5562553f9f16bf366b5b95002bf94ec389b492c3547dbb627b64d06934706f83c33e0049c61eb492127a54fd84
-
Filesize
49KB
MD57920759bcda2498fa037298f98f3e65a
SHA12c47a46837107bf94ad4432825c32a70f557a81b
SHA256e4dcf735a07ede46a4ca2a84b4d44119a4a1484f3263e2923d141428e0507676
SHA512c3ee88a3eeba82c759b0d57245736b96b9d3284f493c0a632f51d8a87516fdfdbfe813dea81c14ca317e7baacda4fb976f5e05219ffda0949d1fe1ce49005a3c