Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08/06/2024, 01:40

General

  • Target

    1ad991195f58f58ffd11c3c22058a4f0.exe

  • Size

    174KB

  • MD5

    1ad991195f58f58ffd11c3c22058a4f0

  • SHA1

    6b15646dc4dd0c269709cb0898c0ecbbc3e9a24f

  • SHA256

    1f69c53d51fc865280ceafb04faa303e77b8173333311f783724d46e971a7910

  • SHA512

    eea4e6004748b456010963197eb7ae5f3094b460cdfcfbcb890507eabd15232b30952ff9d40eefc92e2ee52264e9664b43d8fba443d2c03e738dc531eafd2f37

  • SSDEEP

    3072:6pWpgD98HpKI6GCLOwstyhZFChcssc56FUrgxvbSD4UQrO2Lxm:Pm9GpKbShcHUac

Score
9/10

Malware Config

Signatures

  • Renames multiple (5268) files with added filename extension

    Thousands of files keeping their names but gaining an extra extension is the file-system footprint of ransomware encrypting files across the system.

  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1ad991195f58f58ffd11c3c22058a4f0.exe
    "C:\Users\Admin\AppData\Local\Temp\1ad991195f58f58ffd11c3c22058a4f0.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:4184
    • C:\Users\Admin\AppData\Local\Temp\_choco.exe
      "_choco.exe"
      2⤵
      • Executes dropped EXE
      PID:2684
    • C:\Windows\SysWOW64\Zombie.exe
      "C:\Windows\system32\Zombie.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      PID:4380
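The two signatures that carry the verdict above ("Renames multiple files with added filename extension" and "Drops file in System32 / Program Files directory") are simple to reproduce against a file-event log. The Python below is an added example, not part of the sandbox report or the sample's own code: it runs both checks over a constructed log in a hypothetical `<pid> <op> <path>` format, matches SHA-256 values copied from the dropped-file list above, and applies WoW64 file-system redirection when canonicalizing paths, because the report's arch:x86 tag together with a command line of C:\Windows\system32\Zombie.exe landing at C:\Windows\SysWOW64\Zombie.exe is exactly what that redirection looks like. The log format, the sample events and the threshold of 3 are assumptions made for the example.

```python
"""Added example (not part of the sandbox report): replay the report's two
key signatures over a constructed file-event log.

 - "Renames multiple files with added filename extension": count renames
   where the new name is the old name plus one extra extension.
 - "Drops file in System32 / Program Files directory": flag CreateFile
   events under those trees, applying WoW64 file-system redirection so a
   32-bit writer's "system32" path is matched against "SysWOW64".

The log line format below is an assumption made for this example."""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample log (hypothetical format, not the sandbox's export):
#   <pid> CreateFile <path>
#   <pid> Rename <old path> -> <new path>
SAMPLE_LOG = r"""
4184 CreateFile C:\Users\Admin\AppData\Local\Temp\_choco.exe
4184 CreateFile C:\Windows\system32\Zombie.exe
4380 Rename C:\Users\Admin\Documents\report.docx -> C:\Users\Admin\Documents\report.docx.exe
4380 Rename C:\Users\Admin\Pictures\holiday.jpg -> C:\Users\Admin\Pictures\holiday.jpg.exe
4380 Rename C:\Program Files\Vendor\app.dll -> C:\Program Files\Vendor\app.dll.exe
4380 Rename C:\$Recycle.Bin\S-1-5-21-1-2-3-1000\desktop.ini -> C:\$Recycle.Bin\S-1-5-21-1-2-3-1000\desktop.ini.exe
4380 CreateFile C:\Program Files\Vendor\app.dll.exe
2684 Rename C:\Users\Admin\draft.txt -> C:\Users\Admin\final.txt
"""

# SHA-256 values copied from the report's dropped-file list, for hunting.
REPORT_SHA256: Dict[str, str] = {
    "1f69c53d51fc865280ceafb04faa303e77b8173333311f783724d46e971a7910": "1ad991195f58f58ffd11c3c22058a4f0.exe (submitted sample)",
    "8320c7f90f65b48e4031b680506a9579751789ded4d90fa2fbfc2fb7db7e3ec8": "_choco.exe (dropped)",
    "84085bfca161be4362c667c4352d92220d1f41f7c4bb35eb0431a0b53a8389d1": "Zombie.exe (dropped)",
    "1df22e6f2317526bf56c6fd8d9cefc0954e0591e6dc3f50d2291916192dc9448": "desktop.ini.exe (dropped)",
}

SENSITIVE_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)
# One extra extension: a dot followed by a short alphanumeric tail, nothing after it.
ADDED_EXT = re.compile(r"\.[A-Za-z0-9_-]{1,10}")


def parse_events(log: str) -> List[Dict[str, str]]:
    """Parse the hypothetical log format into dicts: pid, op, src, dst ('' for CreateFile)."""
    events = []
    for line in log.strip().splitlines():
        pid, op, rest = line.split(" ", 2)
        src, dst = rest.split(" -> ", 1) if op == "Rename" else (rest, "")
        events.append({"pid": pid, "op": op, "src": src, "dst": dst})
    return events


def added_extension_renames(events) -> List[Tuple[str, str, str]]:
    """Renames where dst == src + '.<ext>': the file keeps its name and gains an extension."""
    hits = []
    for e in events:
        if e["op"] != "Rename":
            continue
        src, dst = e["src"], e["dst"]
        tail = dst[len(src):]
        if dst.lower().startswith(src.lower()) and ADDED_EXT.fullmatch(tail):
            hits.append((src, dst, tail.lower()))
    return hits


def mass_rename_verdict(events, threshold: int) -> Dict[str, object]:
    """Count added-extension renames and flag when the count reaches the threshold.
    The sandbox saw 5268 such renames; a production threshold sits far above the
    handful in the sample log."""
    hits = added_extension_renames(events)
    return {
        "count": len(hits),
        "extensions": dict(Counter(ext for _, _, ext in hits)),
        "flagged": len(hits) >= threshold,
    }


def canonical_path(path: str, writer_is_32bit: bool) -> str:
    """Lower-case the path and apply WoW64 file-system redirection: a 32-bit
    process writing under \\Windows\\System32 actually lands in \\Windows\\SysWOW64,
    which is why the report lists Zombie.exe under SysWOW64 while its command
    line says system32."""
    p = path.lower()
    if writer_is_32bit:
        p = p.replace("\\windows\\system32\\", "\\windows\\syswow64\\", 1)
    return p


def dropped_in_sensitive_dirs(events, writer_is_32bit: bool = True) -> List[str]:
    """CreateFile events under System32/SysWOW64 or Program Files, canonicalized.
    The default of a 32-bit writer follows the report's arch:x86 tag."""
    paths = (canonical_path(e["src"], writer_is_32bit) for e in events if e["op"] == "CreateFile")
    return [p for p in paths if p.startswith(SENSITIVE_PREFIXES)]


def match_iocs(observed: Dict[str, str], iocs: Dict[str, str] = REPORT_SHA256) -> List[Tuple[str, str]]:
    """observed maps canonical path -> SHA-256 hex; return (path, label) for every IOC hit."""
    return [(p, iocs[h.lower()]) for p, h in observed.items() if h.lower() in iocs]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print(mass_rename_verdict(evs, threshold=3))
    print(dropped_in_sensitive_dirs(evs))
```

On a real host, feed `match_iocs` a map of canonical paths to SHA-256 digests computed from disk; the canonicalization matters because an EDR that records the path the 32-bit process asked for (system32) and one that records where the write landed (SysWOW64) must both hit the same IOC.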

Network

        MITRE ATT&CK Matrix

        Downloads

        • C:\$Recycle.Bin\S-1-5-21-3558294865-3673844354-2255444939-1000\desktop.ini.exe

          Filesize

          32KB

          MD5

          04b7377a0a07e2d27cb2c170c04a7585

          SHA1

          46f69cfe270e00ff5d91e685f14bf936fd38ff70

          SHA256

          1df22e6f2317526bf56c6fd8d9cefc0954e0591e6dc3f50d2291916192dc9448

          SHA512

          df65d47335e62bcfce901d1c13ac5240f99b0102efd22229d33508058c6376787a0b5f02e878ea157bc06e2b49821c1d65184d7ecda3317f028b7f7d25a39d87

        • C:\Users\Admin\AppData\Local\Temp\_choco.exe

          Filesize

          142KB

          MD5

          81a7c181639679983efb07c2dea2ebd0

          SHA1

          93370e8e5cb0d89bf6786445f94dd02dbb84b574

          SHA256

          8320c7f90f65b48e4031b680506a9579751789ded4d90fa2fbfc2fb7db7e3ec8

          SHA512

          599cca13e527c92cdf88df06ed8a01eee1bc602c565ab69e251f7414e19833ce42f0453771bfdf27d16f9f70112835b599d26a6ed92901fdf86bbdf8adf4d2f7

        • C:\Windows\SysWOW64\Zombie.exe

          Filesize

          32KB

          MD5

          b64ca93f2326a0b98eb9780532ad0ab2

          SHA1

          39b09561546903d686762ed54b139f000e199a51

          SHA256

          84085bfca161be4362c667c4352d92220d1f41f7c4bb35eb0431a0b53a8389d1

          SHA512

          5afadbaf061826a8e14b1636e979d780b2fe6ee616f2e2a627d2a338dbcc018dd3e8e2436f6cd5dec139ce795fae9f4e42e6735684849cd46f8297b2f4bdc82d

        • memory/2684-20-0x00007FFD08D83000-0x00007FFD08D85000-memory.dmp

          Filesize

          8KB

        • memory/2684-19-0x0000000000890000-0x00000000008B8000-memory.dmp

          Filesize

          160KB