Analysis

  • max time kernel
    146s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    08/06/2024, 01:40

General

  • Target

    1ad991195f58f58ffd11c3c22058a4f0.exe

  • Size

    174KB

  • MD5

    1ad991195f58f58ffd11c3c22058a4f0

  • SHA1

    6b15646dc4dd0c269709cb0898c0ecbbc3e9a24f

  • SHA256

    1f69c53d51fc865280ceafb04faa303e77b8173333311f783724d46e971a7910

  • SHA512

    eea4e6004748b456010963197eb7ae5f3094b460cdfcfbcb890507eabd15232b30952ff9d40eefc92e2ee52264e9664b43d8fba443d2c03e738dc531eafd2f37

  • SSDEEP

    3072:6pWpgD98HpKI6GCLOwstyhZFChcssc56FUrgxvbSD4UQrO2Lxm:Pm9GpKbShcHUac

Score
9/10

Malware Config

Signatures

  • Renames multiple (3837) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1ad991195f58f58ffd11c3c22058a4f0.exe
    "C:\Users\Admin\AppData\Local\Temp\1ad991195f58f58ffd11c3c22058a4f0.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:1912
    • C:\Windows\SysWOW64\Zombie.exe
      "C:\Windows\system32\Zombie.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      PID:2648
    • C:\Users\Admin\AppData\Local\Temp\_choco.exe
      "_choco.exe"
      2⤵
      • Executes dropped EXE
      PID:2456

Network

        MITRE ATT&CK Matrix


        Downloads

        • C:\$Recycle.Bin\S-1-5-21-2297530677-1229052932-2803917579-1000\desktop.ini.tmp

          Filesize

          32KB

          MD5

          ad2d85bbfb84791b60393b7d6f44ff9a

          SHA1

          83f165f4b5cc6b932e1db9925c3290826b5aee2e

          SHA256

          6d9609af833c33a981c81700d9e4b18e29a1fc51887f615fa9b601662f23db51

          SHA512

          72eb7081a3b53cc8aa36cc1f1d386cf3e976af065b03112e04dc1a5848956df828698841a0746f70ca59a775f3287268290606078e1877e1839eb1be7b412042

        • \Users\Admin\AppData\Local\Temp\_choco.exe

          Filesize

          142KB

          MD5

          81a7c181639679983efb07c2dea2ebd0

          SHA1

          93370e8e5cb0d89bf6786445f94dd02dbb84b574

          SHA256

          8320c7f90f65b48e4031b680506a9579751789ded4d90fa2fbfc2fb7db7e3ec8

          SHA512

          599cca13e527c92cdf88df06ed8a01eee1bc602c565ab69e251f7414e19833ce42f0453771bfdf27d16f9f70112835b599d26a6ed92901fdf86bbdf8adf4d2f7

        • \Windows\SysWOW64\Zombie.exe

          Filesize

          32KB

          MD5

          b64ca93f2326a0b98eb9780532ad0ab2

          SHA1

          39b09561546903d686762ed54b139f000e199a51

          SHA256

          84085bfca161be4362c667c4352d92220d1f41f7c4bb35eb0431a0b53a8389d1

          SHA512

          5afadbaf061826a8e14b1636e979d780b2fe6ee616f2e2a627d2a338dbcc018dd3e8e2436f6cd5dec139ce795fae9f4e42e6735684849cd46f8297b2f4bdc82d

        • memory/2456-19-0x000007FEF5B03000-0x000007FEF5B04000-memory.dmp

          Filesize

          4KB

        • memory/2456-20-0x0000000000F30000-0x0000000000F58000-memory.dmp

          Filesize

          160KB