Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08/06/2024, 01:40
Static task: static1
Behavioral task: behavioral1
  Sample: 1ad991195f58f58ffd11c3c22058a4f0.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 1ad991195f58f58ffd11c3c22058a4f0.exe
  Resource: win10v2004-20240508-en
General
- Target: 1ad991195f58f58ffd11c3c22058a4f0.exe
- Size: 174KB
- MD5: 1ad991195f58f58ffd11c3c22058a4f0
- SHA1: 6b15646dc4dd0c269709cb0898c0ecbbc3e9a24f
- SHA256: 1f69c53d51fc865280ceafb04faa303e77b8173333311f783724d46e971a7910
- SHA512: eea4e6004748b456010963197eb7ae5f3094b460cdfcfbcb890507eabd15232b30952ff9d40eefc92e2ee52264e9664b43d8fba443d2c03e738dc531eafd2f37
- SSDEEP: 3072:6pWpgD98HpKI6GCLOwstyhZFChcssc56FUrgxvbSD4UQrO2Lxm:Pm9GpKbShcHUac
Malware Config
Signatures
- Renames multiple (5268) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Executes dropped EXE (2 IoCs)
  pid   Process
  4380  Zombie.exe
  2684  _choco.exe
- Drops file in System32 directory (2 IoCs)
  description                   ioc                             Process
  File created                  C:\Windows\SysWOW64\Zombie.exe  1ad991195f58f58ffd11c3c22058a4f0.exe
  File opened for modification  C:\Windows\SysWOW64\Zombie.exe  1ad991195f58f58ffd11c3c22058a4f0.exe
- Drops file in Program Files directory (64 IoCs)
  description   ioc                                                                                                         Process
  File created  C:\Program Files\Microsoft Office\root\Office16\1033\PSRCHLTS.DAT.tmp  Zombie.exe
  File created  C:\Program Files\Java\jre-1.8\bin\msvcp140_1.dll.tmp  Zombie.exe
  File created  C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Retail-ppd.xrm-ms.tmp  Zombie.exe
  File created  C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Retail-ppd.xrm-ms.tmp  Zombie.exe
  File created  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.Cng.dll.tmp  Zombie.exe
  File created  C:\Program Files\Google\Chrome\Application\110.0.5481.104\VisualElements\LogoDev.png.tmp  Zombie.exe
  File created  C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTrial-pl.xrm-ms.tmp  Zombie.exe
  File created  C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp5-ul-phn.xrm-ms.tmp  Zombie.exe
  File created  C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]  Zombie.exe
  File created  C:\Program Files\Common Files\System\Ole DB\fr-FR\msdasqlr.dll.mui.tmp  Zombie.exe
  File created  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-console-l1-1-0.dll.tmp  Zombie.exe
  File created  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-processthreads-l1-1-0.dll.tmp  Zombie.exe
  File created  C:\Program Files\Microsoft Office\root\Office16\MSIPC\ja\msipc.dll.mui.tmp  Zombie.exe
  File created  C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.scale-80.png.tmp  Zombie.exe
  File created  C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL086.XML.tmp  Zombie.exe
  File created  C:\Program Files\Common Files\System\Ole DB\en-US\sqlxmlx.rll.mui.tmp  Zombie.exe
  File created  C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Windows.Forms.Primitives.resources.dll.tmp  Zombie.exe
  File created  C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription5-pl.xrm-ms.tmp  Zombie.exe
  File created  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.CompilerServices.Unsafe.dll.tmp  Zombie.exe
  File created  C:\Program Files\Java\jdk-1.8\jre\bin\java_crw_demo.dll.tmp  Zombie.exe
  File created  C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_OEM_Perp-ul-oob.xrm-ms.tmp  Zombie.exe
  File created  C:\Program Files\Microsoft Office\root\Office16\MSIPC\ar\msipc.dll.mui.tmp  Zombie.exe
  File created  C:\Program Files\Common Files\microsoft shared\ink\en-US\tipresx.dll.mui.tmp  Zombie.exe
  File created  C:\Program Files\Common Files\microsoft shared\ink\es-ES\tipresx.dll.mui.tmp  Zombie.exe
  File created  C:\Program Files\Common Files\microsoft shared\ink\ipsfra.xml.tmp  Zombie.exe
  File created  C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Retail-ul-phn.xrm-ms.tmp  Zombie.exe
  File created  C:\Program Files\Microsoft Office\root\Office16\ONBttnIE.dll.tmp  Zombie.exe
  File created  C:\Program Files\7-Zip\Lang\cy.txt.tmp  Zombie.exe
  File created  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Channels.dll.tmp  Zombie.exe
  File created  C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\System.Windows.Forms.Primitives.resources.dll.tmp  Zombie.exe
  File created  C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Grace-ul-oob.xrm-ms.tmp  Zombie.exe
  File created  C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_PrepidBypass-ppd.xrm-ms.tmp  Zombie.exe
  File created  C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Retail-ul-oob.xrm-ms.tmp  Zombie.exe
  File created  C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_MAK-pl.xrm-ms.tmp  Zombie.exe
  File created  C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.scale-140.png.tmp  Zombie.exe
  File created  C:\Program Files\7-Zip\Lang\tg.txt.tmp  Zombie.exe
  File created  C:\Program Files\7-Zip\Lang\yo.txt.tmp  Zombie.exe
  File created  C:\Program Files\Java\jdk-1.8\bin\jli.dll.tmp  Zombie.exe
  File created  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Tasks.Parallel.dll.tmp  Zombie.exe
  File created  C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\fi.pak.tmp  Zombie.exe
  File created  C:\Program Files\Java\jdk-1.8\jre\lib\management-agent.jar.tmp  Zombie.exe
  File created  C:\Program Files\Microsoft Office\root\Licenses16\AccessR_OEM_Perp-ppd.xrm-ms.tmp  Zombie.exe
  File created  C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Grace-ppd.xrm-ms.tmp  Zombie.exe
  File created  C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-filesystem-l1-1-0.dll.tmp  Zombie.exe
  File created  C:\Program Files\Common Files\microsoft shared\ink\InkObj.dll.tmp  Zombie.exe
  File created  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\clretwrc.dll.tmp  Zombie.exe
  File created  C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000050\FA000000050.tmp  Zombie.exe
  File created  C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_KMS_Client_AE-ppd.xrm-ms.tmp  Zombie.exe
  File created  C:\Program Files\Microsoft Office\root\Office16\1033\PSRCHKEY.DAT.tmp  Zombie.exe
  File created  C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\linessimple.dotx.tmp  Zombie.exe
  File created  C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp3-pl.xrm-ms.tmp  Zombie.exe
  File created  C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Trial-ul-oob.xrm-ms.tmp  Zombie.exe
  File created  C:\Program Files\Microsoft Office\root\Office16\1033\msotdintl.dll.tmp  Zombie.exe
  File created  C:\Program Files\Microsoft Office\root\Office16\JitV.dll.tmp  Zombie.exe
  File created  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\mfc140u.dll.tmp  Zombie.exe
  File created  C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe.tmp  Zombie.exe
  File created  C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-time-l1-1-0.dll.tmp  Zombie.exe
  File created  C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_MAK_AE-ul-phn.xrm-ms.tmp  Zombie.exe
  File created  C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-interlocked-l1-1-0.dll.tmp  Zombie.exe
  File created  C:\Program Files\Java\jdk-1.8\legal\javafx\libxml2.md.tmp  Zombie.exe
  File created  C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Retail-ppd.xrm-ms.tmp  Zombie.exe
  File created  C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\WindowsFormsIntegration.resources.dll.tmp  Zombie.exe
  File created  C:\Program Files\Microsoft Office\root\Licenses16\ProjectProDemoR_BypassTrial180-ppd.xrm-ms.tmp  Zombie.exe
  File created  C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp4-ul-phn.xrm-ms.tmp  Zombie.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  description                        pid   Process                               procid_target
  PID 4184 wrote to memory of 4380  4184  1ad991195f58f58ffd11c3c22058a4f0.exe  82
  PID 4184 wrote to memory of 4380  4184  1ad991195f58f58ffd11c3c22058a4f0.exe  82
  PID 4184 wrote to memory of 4380  4184  1ad991195f58f58ffd11c3c22058a4f0.exe  82
  PID 4184 wrote to memory of 2684  4184  1ad991195f58f58ffd11c3c22058a4f0.exe  81
  PID 4184 wrote to memory of 2684  4184  1ad991195f58f58ffd11c3c22058a4f0.exe  81
Processes
- C:\Users\Admin\AppData\Local\Temp\1ad991195f58f58ffd11c3c22058a4f0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1ad991195f58f58ffd11c3c22058a4f0.exe"
  PID: 4184
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\_choco.exe
    Command line: "_choco.exe"
    PID: 2684
    - Executes dropped EXE
  - C:\Windows\SysWOW64\Zombie.exe
    Command line: "C:\Windows\system32\Zombie.exe"
    PID: 4380
    - Executes dropped EXE
    - Drops file in Program Files directory
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 32KB
  MD5: 04b7377a0a07e2d27cb2c170c04a7585
  SHA1: 46f69cfe270e00ff5d91e685f14bf936fd38ff70
  SHA256: 1df22e6f2317526bf56c6fd8d9cefc0954e0591e6dc3f50d2291916192dc9448
  SHA512: df65d47335e62bcfce901d1c13ac5240f99b0102efd22229d33508058c6376787a0b5f02e878ea157bc06e2b49821c1d65184d7ecda3317f028b7f7d25a39d87
- Filesize: 142KB
  MD5: 81a7c181639679983efb07c2dea2ebd0
  SHA1: 93370e8e5cb0d89bf6786445f94dd02dbb84b574
  SHA256: 8320c7f90f65b48e4031b680506a9579751789ded4d90fa2fbfc2fb7db7e3ec8
  SHA512: 599cca13e527c92cdf88df06ed8a01eee1bc602c565ab69e251f7414e19833ce42f0453771bfdf27d16f9f70112835b599d26a6ed92901fdf86bbdf8adf4d2f7
- Filesize: 32KB
  MD5: b64ca93f2326a0b98eb9780532ad0ab2
  SHA1: 39b09561546903d686762ed54b139f000e199a51
  SHA256: 84085bfca161be4362c667c4352d92220d1f41f7c4bb35eb0431a0b53a8389d1
  SHA512: 5afadbaf061826a8e14b1636e979d780b2fe6ee616f2e2a627d2a338dbcc018dd3e8e2436f6cd5dec139ce795fae9f4e42e6735684849cd46f8297b2f4bdc82d