1ddefb5f2cdce54fba949efb9939eec6ad304ebc4dbcd0e05efb85ed060b05a8

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28-05-2024 19:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ddefb5f2cdce54fba949efb9939eec6ad304ebc4dbcd0e05efb85ed060b05a8.exe
Size

217KB
MD5

94f870bfab204a26f1d57f2c1d88799e
SHA1

d7742b38f4987734323da4956483d4e26c6c63a1
SHA256

1ddefb5f2cdce54fba949efb9939eec6ad304ebc4dbcd0e05efb85ed060b05a8
SHA512

3ef346302d0848f88475b8d0f621ca6d1fb3f524603ca2df5a6cb91fe1f7a785334f95ac56e69f8e90c67b97e0bed699c9db75f6749f0057fb4b772c2cd39d2b
SSDEEP

3072:+nyiQSoiS791HpKIqGCLOwstyhZFChcssc56FUrgxvbSD4UQrO23x8:JiQSoiO9xpKbShcHUaa

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (5038) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX dump on OEP (original entry point) 4 IoCs

resource	yara_rule
behavioral2/memory/3320-0-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
behavioral2/files/0x000d00000002342e-8.dat	UPX
behavioral2/files/0x000700000002343b-12.dat	UPX
behavioral2/memory/3320-25-0x0000000000400000-0x000000000040B000-memory.dmp	UPX

Executes dropped EXE 2 IoCs

pid	Process
2296	_cuninst.exe
448	Zombie.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3320-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x000d00000002342e-8.dat	upx
behavioral2/files/0x000700000002343b-12.dat	upx
behavioral2/memory/3320-25-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Zombie.exe	1ddefb5f2cdce54fba949efb9939eec6ad304ebc4dbcd0e05efb85ed060b05a8.exe
File opened for modification	C:\Windows\SysWOW64\Zombie.exe	1ddefb5f2cdce54fba949efb9939eec6ad304ebc4dbcd0e05efb85ed060b05a8.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\Ole DB\de-DE\sqloledb.rll.mui.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\PresentationFramework.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\WindowsFormsIntegration.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\libcurl64.dlla.manifest.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ONBttnOL.dll.tmp	Zombie.exe
File created	C:\Program Files\Common Files\System\ado\adojavas.inc.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_OEM_Perp-ppd.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\MSHY7ES.DLL.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-util-l1-1-0.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework.Luna.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Glow Edge.eftx.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\wxpr.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOSVG.DLL.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PG_INDEX.XML.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\WindowsBase.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-utility-l1-1-0.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\xmlresolver.md.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Practices.Unity.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.PowerBI.AdomdClient.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-black_scale-80.png.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ONRES.DLL.tmp	Zombie.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-profile-l1-1-0.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL089.XML.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Collections.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jli.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Trial-ul-oob.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office15\pidgenx.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Private.Xml.Linq.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jre-1.8\lib\cmm\CIEXYZ.pf.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-white_scale-180.png.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\xerces.md.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\UIAutomationClientSideProviders.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Globalization.Extensions.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\mesa3d.md.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp-ppd.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL110.XML.tmp	Zombie.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsid.xml.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\System.Windows.Controls.Ribbon.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\msotelemetryintl.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\XLMACRO.CHM.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\sbicuuc58_64.dll.tmp	Zombie.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\InputPersonalization.exe.mui.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTest-ppd.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\sbicuuc53_64.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Calibri.xml.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.XPath.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\linessimple.dotx.tmp	Zombie.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_rtl.xml.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Extensions.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jre-1.8\bin\net.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0018-0000-1000-0000000FF1CE.xml.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_OEM_Perp-ul-oob.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-white_scale-100.png.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Channels.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial1-ul-oob.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_sv.properties.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Models.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN065.XML.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Trial-ul-oob.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\WindowsBase.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Security.Cryptography.Pkcs.dll.tmp	Zombie.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 3320 wrote to memory of 2296	3320	1ddefb5f2cdce54fba949efb9939eec6ad304ebc4dbcd0e05efb85ed060b05a8.exe	83
PID 3320 wrote to memory of 2296	3320	1ddefb5f2cdce54fba949efb9939eec6ad304ebc4dbcd0e05efb85ed060b05a8.exe	83
PID 3320 wrote to memory of 448	3320	1ddefb5f2cdce54fba949efb9939eec6ad304ebc4dbcd0e05efb85ed060b05a8.exe	84
PID 3320 wrote to memory of 448	3320	1ddefb5f2cdce54fba949efb9939eec6ad304ebc4dbcd0e05efb85ed060b05a8.exe	84
PID 3320 wrote to memory of 448	3320	1ddefb5f2cdce54fba949efb9939eec6ad304ebc4dbcd0e05efb85ed060b05a8.exe	84

C:\Users\Admin\AppData\Local\Temp\1ddefb5f2cdce54fba949efb9939eec6ad304ebc4dbcd0e05efb85ed060b05a8.exe
"C:\Users\Admin\AppData\Local\Temp\1ddefb5f2cdce54fba949efb9939eec6ad304ebc4dbcd0e05efb85ed060b05a8.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3320
- C:\Users\Admin\AppData\Local\Temp\_cuninst.exe
  "_cuninst.exe"
  2⤵
  - Executes dropped EXE
  PID:2296
- C:\Windows\SysWOW64\Zombie.exe
  "C:\Windows\system32\Zombie.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:448

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1337824034-2731376981-3755436523-1000\desktop.ini.exe

Filesize
74KB

MD5
56d6045c444f29898776c9d31d1ccdac

SHA1
a736661f3e35e9c258ab2a9fccec84bba7ae3ab4

SHA256
721e1508700cd69f71b507696c63629ebbb5e8452027ea6183e6bcf8ae77d2a9

SHA512
96ece8943dd099227d4502c2fa60be4414080339fa529abeef6d4eaf268d7cb1296f1802ff756525ea3b9d56e3f5ab72e565295c9b8d049a2dcf8e17370482e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_cuninst.exe

Filesize
143KB

MD5
7f9f981d970cbccece6ff126ab309045

SHA1
950a14dc6b636237c2f158cce02076b1a1b371e0

SHA256
82596d7d86d685087965457c297973c2aa1fbff0f6a0a3b8d8760f1cc65105cf

SHA512
ac59a2c6bc3b6fad47bac83d84336387b03b45d186c5d021f3c57c7fb160491e8344923d4978e50fb37f6c37e45bbb9c0f9b7cd4b93506ff571c82b795c6fb47

Download Submit
C:\Windows\SysWOW64\Zombie.exe

Filesize
74KB

MD5
80b586f26c916bf7423101894aa8a75f

SHA1
a5891f03633f57ef2352d128528aac7e4d45e143

SHA256
7af32c6513486e060001822d1a05ff9c8621e3bfa27ef9fad421276265542a5f

SHA512
a89c803d555c1b33cbb7bd2a192dd1501d5c3db556d3e017844eb98d327964bfcdc71fbad6c7ac4b34482149a1582115053661915cf6bd0867c0ecfbf4ab0443

Download Submit
memory/2296-21-0x00007FFB552B3000-0x00007FFB552B5000-memory.dmp

Filesize
8KB

Download
memory/2296-20-0x0000000000990000-0x00000000009B8000-memory.dmp

Filesize
160KB

Download
memory/3320-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3320-25-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download