Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10-06-2024 23:07
Behavioral task: behavioral1
- Sample: 6ad1912cbc7b771b829dc433db04aa8934b3c8ab429fc8891b344338dd01479f.exe
- Resource: win7-20240221-en

Behavioral task: behavioral2
- Sample: 6ad1912cbc7b771b829dc433db04aa8934b3c8ab429fc8891b344338dd01479f.exe
- Resource: win10v2004-20240226-en
General
- Target: 6ad1912cbc7b771b829dc433db04aa8934b3c8ab429fc8891b344338dd01479f.exe
- Size: 239KB
- MD5: 79f16bd2267886c88ca402c815ff44da
- SHA1: 55a9a4f672f3514f3e5dada2bdd01381384b7f1a
- SHA256: 6ad1912cbc7b771b829dc433db04aa8934b3c8ab429fc8891b344338dd01479f
- SHA512: bc9ee10a21b6e55eefacca0a8d5335c4369c93013fcebe27974bd71ddf341b21b26cbd8c36539483453efa9bf47be15fb268d384b380956aac70f5f8decf8938
- SSDEEP: 3072:enaym3AIuZAIuyxJrQulAw9mHpKZNGCLOwstyhZFChcssc56FUrgxvbSD4UQrO2S:wHm3AIuZAIuyxJrZ9UpK7ShcHUaZk
Malware Config
Signatures
- Renames multiple (1627) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- UPX dump on OEP (original entry point), 4 IoCs
  resource | yara_rule
  behavioral2/memory/3604-0-0x0000000000400000-0x000000000040B000-memory.dmp | UPX
  behavioral2/files/0x0008000000023247-6.dat | UPX
  behavioral2/files/0x000700000002324b-12.dat | UPX
  behavioral2/memory/3604-23-0x0000000000400000-0x000000000040B000-memory.dmp | UPX
- Executes dropped EXE, 2 IoCs
  pid | Process
  3100 | Zombie.exe
  4688 | _cinst.exe
- yara_rule upx, 4 IoCs
  resource | yara_rule
  behavioral2/memory/3604-0-0x0000000000400000-0x000000000040B000-memory.dmp | upx
  behavioral2/files/0x0008000000023247-6.dat | upx
  behavioral2/files/0x000700000002324b-12.dat | upx
  behavioral2/memory/3604-23-0x0000000000400000-0x000000000040B000-memory.dmp | upx
- Drops file in System32 directory, 2 IoCs
  description | ioc | Process
  File created | C:\Windows\SysWOW64\Zombie.exe | 6ad1912cbc7b771b829dc433db04aa8934b3c8ab429fc8891b344338dd01479f.exe
  File opened for modification | C:\Windows\SysWOW64\Zombie.exe | 6ad1912cbc7b771b829dc433db04aa8934b3c8ab429fc8891b344338dd01479f.exe
- Drops file in Program Files directory, 64 IoCs
  description | ioc | Process
  File created | C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-string-l1-1-0.dll.tmp | Zombie.exe
  File created | C:\Program Files\Java\jdk-1.8\jre\bin\bci.dll.tmp | Zombie.exe
  File created | C:\Program Files\Common Files\System\Ole DB\it-IT\msdasqlr.dll.mui.tmp | Zombie.exe
  File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Threading.Tasks.Extensions.dll.tmp | Zombie.exe
  File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ko\WindowsFormsIntegration.resources.dll.tmp | Zombie.exe
  File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\Microsoft.WindowsDesktop.App.deps.json.tmp | Zombie.exe
  File created | C:\Program Files\Internet Explorer\iexplore.exe.tmp | Zombie.exe
  File created | C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-process-l1-1-0.dll.tmp | Zombie.exe
  File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\ServiceWatcherSchedule.xml.tmp | Zombie.exe
  File created | C:\Program Files\Common Files\System\Ole DB\de-DE\msdasqlr.dll.mui.tmp | Zombie.exe
  File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\api-ms-win-core-console-l1-1-0.dll.tmp | Zombie.exe
  File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\api-ms-win-core-file-l1-2-0.dll.tmp | Zombie.exe
  File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\UIAutomationProvider.dll.tmp | Zombie.exe
  File created | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\am.pak.tmp | Zombie.exe
  File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\zh-Hans\System.Xaml.resources.dll.tmp | Zombie.exe
  File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Transactions.Local.dll.tmp | Zombie.exe
  File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\clrjit.dll.tmp | Zombie.exe
  File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\System.Design.dll.tmp | Zombie.exe
  File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\zh-Hans\WindowsBase.resources.dll.tmp | Zombie.exe
  File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\zh-Hans\WindowsFormsIntegration.resources.dll.tmp | Zombie.exe
  File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\zh-Hans\System.Windows.Forms.Primitives.resources.dll.tmp | Zombie.exe
  File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sv-se.dll.tmp | Zombie.exe
  File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.IO.FileSystem.dll.tmp | Zombie.exe
  File created | C:\Program Files\Common Files\microsoft shared\ink\ipsnld.xml.tmp | Zombie.exe
  File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\zh-Hant\UIAutomationClient.resources.dll.tmp | Zombie.exe
  File created | C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-math-l1-1-0.dll.tmp | Zombie.exe
  File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\api-ms-win-core-memory-l1-1-0.dll.tmp | Zombie.exe
  File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Diagnostics.Process.dll.tmp | Zombie.exe
  File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Private.DataContractSerialization.dll.tmp | Zombie.exe
  File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ru\Microsoft.VisualBasic.Forms.resources.dll.tmp | Zombie.exe
  File created | C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgePackages.h.tmp | Zombie.exe
  File created | C:\Program Files\Common Files\System\Ole DB\fr-FR\sqloledb.rll.mui.tmp | Zombie.exe
  File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ko\UIAutomationClientSideProviders.resources.dll.tmp | Zombie.exe
  File created | C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-memory-l1-1-0.dll.tmp | Zombie.exe
  File created | C:\Program Files\Java\jdk-1.8\jre\bin\sawindbg.dll.tmp | Zombie.exe
  File created | C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe.tmp | Zombie.exe
  File created | C:\Program Files\Common Files\System\Ole DB\msdaosp.dll.tmp | Zombie.exe
  File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.ComponentModel.DataAnnotations.dll.tmp | Zombie.exe
  File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Reflection.Emit.Lightweight.dll.tmp | Zombie.exe
  File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Runtime.Handles.dll.tmp | Zombie.exe
  File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Runtime.Serialization.Xml.dll.tmp | Zombie.exe
  File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\de\WindowsFormsIntegration.resources.dll.tmp | Zombie.exe
  File created | C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-processthreads-l1-1-1.dll.tmp | Zombie.exe
  File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\System.Drawing.Common.dll.tmp | Zombie.exe
  File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\es\System.Windows.Controls.Ribbon.resources.dll.tmp | Zombie.exe
  File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\de\UIAutomationClientSideProviders.resources.dll.tmp | Zombie.exe
  File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pl-pl.dll.tmp | Zombie.exe
  File created | C:\Program Files\Common Files\microsoft shared\ink\it-IT\tipresx.dll.mui.tmp | Zombie.exe
  File created | C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\msinfo32.exe.mui.tmp | Zombie.exe
  File created | C:\Program Files\Common Files\System\msadc\msadce.dll.tmp | Zombie.exe
  File created | C:\Program Files\Common Files\System\uk-UA\wab32res.dll.mui.tmp | Zombie.exe
  File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\clretwrc.dll.tmp | Zombie.exe
  File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\it\System.Windows.Forms.resources.dll.tmp | Zombie.exe
  File created | C:\Program Files\Java\jdk-1.8\bin\extcheck.exe.tmp | Zombie.exe
  File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-process-l1-1-0.dll.tmp | Zombie.exe
  File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Diagnostics.FileVersionInfo.dll.tmp | Zombie.exe
  File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\pl\PresentationCore.resources.dll.tmp | Zombie.exe
  File created | C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-file-l2-1-0.dll.tmp | Zombie.exe
  File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\api-ms-win-core-timezone-l1-1-0.dll.tmp | Zombie.exe
  File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\fr\System.Xaml.resources.dll.tmp | Zombie.exe
  File created | C:\Program Files\Common Files\microsoft shared\ink\InkObj.dll.tmp | Zombie.exe
  File created | C:\Program Files\Common Files\Services\verisign.bmp.tmp | Zombie.exe
  File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Runtime.InteropServices.dll.tmp | Zombie.exe
  File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\Microsoft.Win32.SystemEvents.dll.tmp | Zombie.exe
- Suspicious use of WriteProcessMemory, 5 IoCs
  description | pid | Process | procid_target
  PID 3604 wrote to memory of 3100 | 3604 | 6ad1912cbc7b771b829dc433db04aa8934b3c8ab429fc8891b344338dd01479f.exe | 90
  PID 3604 wrote to memory of 3100 | 3604 | 6ad1912cbc7b771b829dc433db04aa8934b3c8ab429fc8891b344338dd01479f.exe | 90
  PID 3604 wrote to memory of 3100 | 3604 | 6ad1912cbc7b771b829dc433db04aa8934b3c8ab429fc8891b344338dd01479f.exe | 90
  PID 3604 wrote to memory of 4688 | 3604 | 6ad1912cbc7b771b829dc433db04aa8934b3c8ab429fc8891b344338dd01479f.exe | 91
  PID 3604 wrote to memory of 4688 | 3604 | 6ad1912cbc7b771b829dc433db04aa8934b3c8ab429fc8891b344338dd01479f.exe | 91
Processes
- C:\Users\Admin\AppData\Local\Temp\6ad1912cbc7b771b829dc433db04aa8934b3c8ab429fc8891b344338dd01479f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6ad1912cbc7b771b829dc433db04aa8934b3c8ab429fc8891b344338dd01479f.exe"
  PID: 3604
  Signatures:
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Windows\SysWOW64\Zombie.exe
    Command line: "C:\Windows\system32\Zombie.exe"
    PID: 3100
    Signatures:
    - Executes dropped EXE
    - Drops file in Program Files directory
  - C:\Users\Admin\AppData\Local\Temp\_cinst.exe
    Command line: "_cinst.exe"
    PID: 4688
    Signatures:
    - Executes dropped EXE
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3896 --field-trial-handle=2304,i,6987730730348465820,3913273227385401271,262144 --variations-seed-version /prefetch:8
  PID: 220
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 96KB
  MD5: 9a0a5eab387fec57180ddabf05f87f6a
  SHA1: a854696db7647cc576c1323fa68f04c50339920a
  SHA256: 78cca3abe2a0fecedb24714b5b6f2507bd21f6a10670b74564284534c5c4d33d
  SHA512: 8a4a93b11ab931ce32868e14e40c05e48b6c4a74423fba4486e552bbb970b5adcb45d04bec8c342f8c4a82b4129a5fa448e20b62bd91e2a0f8f2c04aa56f86d7
- Filesize: 143KB
  MD5: 2fdb371d45181dff59577110ba1064e2
  SHA1: 42a5833cb0ac90e38d734d1327bb3f7c7a6aa453
  SHA256: 80d7ec8ce3913d81ea5d4f304b8609e56f0e49778c52af9279e742ea54f4a155
  SHA512: 52982041ba9ca552b90b79b251501ec6c33c5251d09ca9969a1b179af2ec17aca6eb81db6e588e12751bcea04208e1da8d5a754a979dd98ceb3f50780aadea20
- Filesize: 96KB
  MD5: 5829fa8dc997f814aec5aab48c031cf2
  SHA1: bfcb09138d6f55824c5ccb1f3c3efa7c4b0ec180
  SHA256: 7b61abab5027b6452db8e8405e64b902d9f83aa6f65854a7055f48daad8ef6b2
  SHA512: c61def35c728dadfbbf097cc0c06aa4f5de1663ad17003b0339c6d0d591cb1ef3adcf6eb9cf7555e5de3e0c942e514e55139dc1dee68084b399e7fdc3a782774