Malware Analysis Report

2025-01-03 08:26

Sample ID 240617-c5mvzavcrr
Target d36b4ceb110529e42d2918055d2c2290952d936c5803131f50e3cefd83b4f0c7
SHA256 d36b4ceb110529e42d2918055d2c2290952d936c5803131f50e3cefd83b4f0c7
Tags
discovery ransomware
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

d36b4ceb110529e42d2918055d2c2290952d936c5803131f50e3cefd83b4f0c7

Threat Level: Likely malicious

The file d36b4ceb110529e42d2918055d2c2290952d936c5803131f50e3cefd83b4f0c7 was found to be: Likely malicious.

Malicious Activity Summary

discovery ransomware

Renames multiple (3693) files with added filename extension

Renames multiple (4865) files with added filename extension

Loads dropped DLL

Executes dropped EXE

Checks installed software on the system

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

Suspicious use of WriteProcessMemory
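The summary above lists the sandbox's signature names without showing what they test. The following Python is an added example, not code from the report or from the sandbox that produced it: it re-implements the logic behind two of the signatures ('Renames multiple files with added filename extension' and 'Drops file in System32 directory') over a few constructed events modelled on the rows in the behavioral1 tables. The rename events are built from the report's '.tmp' paths with the appended extension stripped to give the old name; the threshold of 3 is scaled down from the thousands of files the report counts.

```python
"""Added example; not code from the report or from the sandbox that produced it.
It re-implements the logic behind two of the report's signatures over a few
constructed events modelled on the report's rows: 'Renames multiple files with
added filename extension' and 'Drops file in System32 directory'."""
from collections import Counter, defaultdict

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\d36b4ceb110529e42d2918055d2c2290952d936c5803131f50e3cefd83b4f0c7.exe")
ZOMBIE = r"C:\Windows\SysWOW64\Zombie.exe"

# Constructed rename events: (acting process, old name, new name). The new names
# are taken from the report's 'Drops file in Program Files directory' rows; the
# old names are those paths with the appended '.tmp' removed. The last event is
# a benign rename (extension replaced, not appended) for contrast.
RENAMES = [
    (ZOMBIE, r"C:\Program Files\7-Zip\Lang\sk.txt",
             r"C:\Program Files\7-Zip\Lang\sk.txt.tmp"),
    (ZOMBIE, r"C:\Program Files\Java\jdk1.7.0_80\bin\jmc.ini",
             r"C:\Program Files\Java\jdk1.7.0_80\bin\jmc.ini.tmp"),
    (ZOMBIE, r"C:\Program Files\Java\jre7\lib\zi\Pacific\Chatham",
             r"C:\Program Files\Java\jre7\lib\zi\Pacific\Chatham.tmp"),
    (ZOMBIE, r"C:\Program Files\Mozilla Firefox\platform.ini",
             r"C:\Program Files\Mozilla Firefox\platform.ini.tmp"),
    (r"C:\Windows\explorer.exe", r"C:\Users\Admin\Documents\notes.txt",
                                 r"C:\Users\Admin\Documents\notes.bak"),
]

# Constructed create events: (acting process, created path), modelled on the
# report's 'Drops file in System32 directory' rows plus a benign control.
CREATES = [
    (SAMPLE, ZOMBIE),
    (ZOMBIE, r"C:\Program Files\7-Zip\Lang\sk.txt.tmp"),
    (r"C:\Windows\System32\svchost.exe",
     r"C:\Windows\System32\config\systemprofile\AppData\Local\trace.log"),
]


def added_extension(old, new):
    """Return the extension appended to `old` to get `new` (e.g. '.tmp'), or
    None when `new` is not simply `old` plus one extra '.<ext>'."""
    if not new.startswith(old):
        return None
    tail = new[len(old):]
    if len(tail) > 1 and tail[0] == "." and "\\" not in tail and "." not in tail[1:]:
        return tail
    return None


def mass_rename_with_added_extension(renames, threshold=3):
    """Per process, count renames that only append an extension and flag the
    process when `threshold` or more files received the same one. The report's
    real counts are 3693 and 4865; the threshold is scaled down for the sample.
    Returns {process: (extension, count)} for flagged processes."""
    per_process = defaultdict(Counter)
    for proc, old, new in renames:
        ext = added_extension(old, new)
        if ext is not None:
            per_process[proc][ext] += 1
    flagged = {}
    for proc, exts in per_process.items():
        ext, count = exts.most_common(1)[0]
        if count >= threshold:
            flagged[proc] = (ext, count)
    return flagged


SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def drops_in_system_dir(creates):
    """Creates under System32/SysWOW64 by a process whose own image is not under
    C:\\Windows: the report's sample dropping Zombie.exe matches, a Windows
    service writing its own log does not."""
    return [(proc, path) for proc, path in creates
            if path.lower().startswith(SYSTEM_DIRS)
            and not proc.lower().startswith("c:\\windows\\")]


if __name__ == "__main__":
    print(mass_rename_with_added_extension(RENAMES))
    print(drops_in_system_dir(CREATES))
```

The appended-extension check deliberately requires the new name to be the old name plus exactly one extra suffix; a rename that replaces an extension (notes.txt to notes.bak) is ordinary application behaviour and must not count, otherwise backup tools and office suites trip the same signature.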

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-17 02:39

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-17 02:39

Reported

2024-06-17 02:42

Platform

win7-20240508-en

Max time kernel

150s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d36b4ceb110529e42d2918055d2c2290952d936c5803131f50e3cefd83b4f0c7.exe"

Signatures

Renames multiple (3693) files with added filename extension

ransomware

Checks installed software on the system

discovery

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\d36b4ceb110529e42d2918055d2c2290952d936c5803131f50e3cefd83b4f0c7.exe N/A
File opened for modification C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\d36b4ceb110529e42d2918055d2c2290952d936c5803131f50e3cefd83b4f0c7.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationUp_ButtonGraphic.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\jmc.ini.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\feature.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-queries.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Indiana\Petersburg.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Pacific\Chatham.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\26.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\7-Zip\Lang\sk.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\InkWatson.exe.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_PreComp_MATTE_PAL.wmv.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\JAWTAccessBridge-64.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Antarctica\Macquarie.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\access\libdvdnav_plugin.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\control\libdummy_plugin.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\services_discovery\libupnp_plugin.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libskiptags_plugin.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Oblique.otf.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\oledb32.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.scheduler.nl_ja_4.4.0.v20140623020002.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-lib-uihandler.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Indian\Chagos.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\dialdot.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\js\settings.js.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ipsrus.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\Green Bubbles.htm.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-14.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ql_2.0.100.v20131211-1531.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-filesystems.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\text_renderer\libfreetype_plugin.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\calendar.html.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Halifax.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Mozilla Firefox\api-ms-win-crt-process-l1-1-0.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Mozilla Firefox\platform.ini.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Mozilla Firefox\updater.ini.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.Workflow.Runtime.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ku_IQ\LC_MESSAGES\vlc.mo.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\5.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\css\settings.css.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tl.gif.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\16_9-frame-overlay.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-keyring.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\PresentationFramework.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\he.pak.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\icon.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\row_over.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\TipTsf.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-dayi.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\micaut.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Berlin.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Argentina\San_Luis.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Games\Multiplayer\Backgammon\de-DE\bckgzm.exe.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Pacific\Apia.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\misc\libexport_plugin.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\IPSEventLogMsg.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Circle_ButtonGraphic.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Chicago.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre7\bin\jp2launcher.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Asia\Dushanbe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Etc\GMT-3.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Pacific\Majuro.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOLoader.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\System\msadc\msadcfr.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2060 wrote to memory of 2104 (4 calls) N/A C:\Users\Admin\AppData\Local\Temp\d36b4ceb110529e42d2918055d2c2290952d936c5803131f50e3cefd83b4f0c7.exe C:\Windows\SysWOW64\Zombie.exe
PID 2060 wrote to memory of 1280 (7 calls) N/A C:\Users\Admin\AppData\Local\Temp\d36b4ceb110529e42d2918055d2c2290952d936c5803131f50e3cefd83b4f0c7.exe C:\Users\Admin\AppData\Local\Temp\_VC_redist.x64.exe
PID 1280 wrote to memory of 3052 (7 calls) N/A C:\Users\Admin\AppData\Local\Temp\_VC_redist.x64.exe C:\Windows\Temp\{68DADBB1-C343-4370-A2A1-2D0BA8B67F9F}\.cr\_VC_redist.x64.exe

Processes

C:\Users\Admin\AppData\Local\Temp\d36b4ceb110529e42d2918055d2c2290952d936c5803131f50e3cefd83b4f0c7.exe

"C:\Users\Admin\AppData\Local\Temp\d36b4ceb110529e42d2918055d2c2290952d936c5803131f50e3cefd83b4f0c7.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

C:\Users\Admin\AppData\Local\Temp\_VC_redist.x64.exe

"_VC_redist.x64.exe"

C:\Windows\Temp\{68DADBB1-C343-4370-A2A1-2D0BA8B67F9F}\.cr\_VC_redist.x64.exe

"C:\Windows\Temp\{68DADBB1-C343-4370-A2A1-2D0BA8B67F9F}\.cr\_VC_redist.x64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\_VC_redist.x64.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188
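Two things in the process data above are worth reading carefully. First, Zombie.exe's recorded command line is "C:\Windows\system32\Zombie.exe" while its image path is C:\Windows\SysWOW64\Zombie.exe: a 32-bit process on 64-bit Windows has System32 redirected to SysWOW64 by WOW64 file system redirection, so both names refer to the same dropped file. Second, every 'wrote to memory of' row has a parent writing into a process it spawned itself (the sample into Zombie.exe and _VC_redist.x64.exe, the redistributable into its Burn clean-room copy); no pre-existing process is written to. The Python below is an added example, not part of the report: it parses the WriteProcessMemory rows (reproduced with the repeat counts the report shows), collapses the repeats into a per-edge call count, renders the resulting process chain, and reports any target that has more than one writer, which is the pattern that would point at injection into an unrelated process. It assumes the image paths contain no spaces, which holds for these rows.

```python
"""Added example; not part of the report. Rebuilds the process chain from the
'Suspicious use of WriteProcessMemory' rows: each row names the writing PID,
the written PID and both image paths, and repeated rows are separate API calls,
so they are collapsed into a per-edge call count."""
import re
from collections import Counter, defaultdict

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\d36b4ceb110529e42d2918055d2c2290952d936c5803131f50e3cefd83b4f0c7.exe")
ZOMBIE = r"C:\Windows\SysWOW64\Zombie.exe"
REDIST = r"C:\Users\Admin\AppData\Local\Temp\_VC_redist.x64.exe"
CLEANROOM = (r"C:\Windows\Temp\{68DADBB1-C343-4370-A2A1-2D0BA8B67F9F}"
             r"\.cr\_VC_redist.x64.exe")

# The behavioral1 rows, reproduced with the repeat counts the report shows.
ROWS = (
    [f"PID 2060 wrote to memory of 2104 N/A {SAMPLE} {ZOMBIE}"] * 4
    + [f"PID 2060 wrote to memory of 1280 N/A {SAMPLE} {REDIST}"] * 7
    + [f"PID 1280 wrote to memory of 3052 N/A {REDIST} {CLEANROOM}"] * 7
)

# Assumes the image paths contain no spaces, which holds for these rows.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def parse_rows(rows):
    """Return ({(writer_pid, target_pid): call_count}, {pid: image_path})."""
    edges = Counter()
    images = {}
    for row in rows:
        m = ROW_RE.match(row)
        if m is None:
            raise ValueError(f"unrecognised row: {row!r}")
        src, dst, src_img, dst_img = m.groups()
        src, dst = int(src), int(dst)
        edges[(src, dst)] += 1
        images[src] = src_img
        images[dst] = dst_img
    return edges, images


def render_tree(edges, images):
    """Indented tree rooted at PIDs nothing wrote to. Children are listed with
    the number of WriteProcessMemory calls their writer made into them."""
    children = defaultdict(list)
    for (src, dst), n in edges.items():
        children[src].append((dst, n))
    written_to = {dst for _, dst in edges}
    roots = sorted(pid for pid in images if pid not in written_to)
    lines = []

    def walk(pid, depth, note):
        lines.append("  " * depth + f"{pid} {images[pid]}{note}")
        for dst, n in sorted(children[pid]):
            walk(dst, depth + 1, f"  ({n} WriteProcessMemory calls from {pid})")

    for root in roots:
        walk(root, 0, "")
    return "\n".join(lines)


def targets_with_multiple_writers(edges):
    """PIDs written to by more than one process. Empty for this report: every
    target has exactly one writer, its own parent in the chain."""
    writers = defaultdict(set)
    for src, dst in edges:
        writers[dst].add(src)
    return {dst: sorted(ws) for dst, ws in writers.items() if len(ws) > 1}


if __name__ == "__main__":
    e, im = parse_rows(ROWS)
    print(render_tree(e, im))
    print(targets_with_multiple_writers(e))
```

Run stand-alone it prints a four-line tree (2060 at the root, 1280 and 2104 beneath it, 3052 beneath 1280) and an empty dict, matching the three distinct edges in the report.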

Network

N/A

Files

\Windows\SysWOW64\Zombie.exe

MD5 1a20a3c3189e215b326b43855375999b
SHA1 5782f0532579297be4b9cd0e6f5b014b166f370e
SHA256 bd2d009e419178d1c479c627ca7284d714836d6c0849edfd4a685dc509b6e2f2
SHA512 9b211d186501de9a035428dcf4efacf7b43bcb8b8655279df6ad71f367284300fbb38083f41d77e6e02ad30bb911666d2d317a3fd83f97643d02bd4d4ca816e3

C:\$Recycle.Bin\S-1-5-21-3691908287-3775019229-3534252667-1000\desktop.ini.tmp

MD5 1a137ff01dff7235aabad45a79331dc1
SHA1 4efad71def179ddbf99e4e088b72d0c443359718
SHA256 c5d1289de4de65de8a3351a7e4f53e301d2b2e85505f2370436e78d886794bd0
SHA512 dece0d3afd39098c1cd1142e40cbecc7ac9e8c76194ea1d98a2c52bd8f87eff1e1a846dbcbfb1940a8f0a27e65e1e3411c7e3016919142c2ba55045222396b19

\Users\Admin\AppData\Local\Temp\_VC_redist.x64.exe

MD5 7cf46d8dfb686998aaaf81e27b995e8c
SHA1 c5638a049787ce441c9720c92d3cd02aa3b02429
SHA256 120019a0ac9f54224fc9787afba241bd9faaecef489be5a660bb16e85df052e4
SHA512 66cf76324e373d3be6cbef39535b419eda486a8f43c305c38a8c01cfc05f9e4073aeade808db8dea306fd3251955e177e45ab578a57114bac1d2df54b4e95efe

\Windows\Temp\{D94E56E1-1F6E-4C17-88A2-B2E668D248BD}\.ba\wixstdba.dll

MD5 eab9caf4277829abdf6223ec1efa0edd
SHA1 74862ecf349a9bedd32699f2a7a4e00b4727543d
SHA256 a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041
SHA512 45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

C:\Windows\Temp\{D94E56E1-1F6E-4C17-88A2-B2E668D248BD}\.ba\logo.png

MD5 d6bd210f227442b3362493d046cea233
SHA1 ff286ac8370fc655aea0ef35e9cf0bfcb6d698de
SHA256 335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef
SHA512 464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-17 02:39

Reported

2024-06-17 02:42

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d36b4ceb110529e42d2918055d2c2290952d936c5803131f50e3cefd83b4f0c7.exe"

Signatures

Renames multiple (4865) files with added filename extension

ransomware

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\Temp\{2055AEEA-6BF3-4A8C-8725-8FBA34460350}\.cr\_VC_redist.x64.exe N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\d36b4ceb110529e42d2918055d2c2290952d936c5803131f50e3cefd83b4f0c7.exe N/A
File opened for modification C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\d36b4ceb110529e42d2918055d2c2290952d936c5803131f50e3cefd83b4f0c7.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Java\jdk-1.8\jre\bin\server\jvm.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Windows.Forms.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Retail-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\XLINTL32.DLL.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\en-US\micaut.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\UIAutomationClientSideProviders.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\System.Windows.Controls.Ribbon.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Internet Explorer\sqmapi.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_MAKC2R-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-white_scale-80.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\PresentationFramework.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Threading.AccessControl.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\System.Windows.Forms.Primitives.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\JAWTAccessBridge-64.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_KMS_Client-ul.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Retail-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_MAKC2R-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONENGINE.DLL.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Serialization.Primitives.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_KMS_ClientC2R-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Trial-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\WacLangPackEula.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk-1.8\legal\jdk\icu.md.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\System.Windows.Controls.Ribbon.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-libraryloader-l1-1-0.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_MAK_AE-ul-phn.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\System\msadc\it-IT\msaddsr.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk-1.8\LICENSE.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\UIAutomationProvider.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\System.Windows.Forms.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Configuration.ConfigurationManager.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\javafx_iio.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\ClientOSub_eula.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.WebHeaderCollection.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_Subscription-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ExcelCtxUICellModel.bin.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\pt\msipc.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ONMAIN.DLL.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\UIAutomationClient.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\fil.pak.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTrial-pl.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\7-Zip\Lang\ko.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\System.Windows.Forms.Primitives.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\PresentationUI.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework-SystemCore.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp2-ul-phn.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Trial-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_COL.HXT.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MicrosoftDataStreamerforExcel.dll.config.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-datetime-l1-1-0.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\7-Zip\Lang\gu.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l2-1-0.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\DirectWriteForwarder.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\7-Zip\Lang\ast.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\System\de-DE\wab32res.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\System\uk-UA\wab32res.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Grace-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription5-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription2-pl.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_MAK_AE-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_MAK-pl.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-timezone-l1-1-0.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5032 wrote to memory of 1796 (3 calls) N/A C:\Users\Admin\AppData\Local\Temp\d36b4ceb110529e42d2918055d2c2290952d936c5803131f50e3cefd83b4f0c7.exe C:\Windows\SysWOW64\Zombie.exe
PID 5032 wrote to memory of 1624 (3 calls) N/A C:\Users\Admin\AppData\Local\Temp\d36b4ceb110529e42d2918055d2c2290952d936c5803131f50e3cefd83b4f0c7.exe C:\Users\Admin\AppData\Local\Temp\_VC_redist.x64.exe
PID 1624 wrote to memory of 1560 (3 calls) N/A C:\Users\Admin\AppData\Local\Temp\_VC_redist.x64.exe C:\Windows\Temp\{2055AEEA-6BF3-4A8C-8725-8FBA34460350}\.cr\_VC_redist.x64.exe

Processes

C:\Users\Admin\AppData\Local\Temp\d36b4ceb110529e42d2918055d2c2290952d936c5803131f50e3cefd83b4f0c7.exe

"C:\Users\Admin\AppData\Local\Temp\d36b4ceb110529e42d2918055d2c2290952d936c5803131f50e3cefd83b4f0c7.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

C:\Users\Admin\AppData\Local\Temp\_VC_redist.x64.exe

"_VC_redist.x64.exe"

C:\Windows\Temp\{2055AEEA-6BF3-4A8C-8725-8FBA34460350}\.cr\_VC_redist.x64.exe

"C:\Windows\Temp\{2055AEEA-6BF3-4A8C-8725-8FBA34460350}\.cr\_VC_redist.x64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\_VC_redist.x64.exe" -burn.filehandle.attached=532 -burn.filehandle.self=692

Network

Country Destination Domain Proto
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 10.73.50.20.in-addr.arpa udp
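The Network rows above are reverse (PTR) lookups sent to the resolver 8.8.8.8, not connections: each domain is an in-addr.arpa name whose leading octets are an IPv4 address written backwards, and the table records no traffic to the decoded addresses themselves. The table also has no process column, so nothing in the report ties these lookups to the sample rather than to the redistributable installer or the operating system; the decoded addresses are pivots for further checks, not indicators on their own. The Python below is an added example, not part of the report: it decodes the eight rows back into the addresses that were looked up and returns None for a name that is not a well-formed IPv4 reverse name.

```python
"""Added example; not part of the report. Turns the in-addr.arpa names in the
behavioral2 Network table back into the IPv4 addresses that were looked up.
These rows are reverse (PTR) queries sent to the resolver 8.8.8.8; the table
records no connection to the decoded addresses themselves."""
import ipaddress

# The eight rows of the behavioral2 Network table, copied from the report.
NETWORK_ROWS = """\
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 10.73.50.20.in-addr.arpa udp
"""

PTR_SUFFIX = ".in-addr.arpa"


def ptr_name_to_ip(name):
    """'68.32.126.40.in-addr.arpa' -> IPv4Address('40.126.32.68'); None when
    the name is not a well-formed IPv4 reverse name (wrong suffix, wrong octet
    count, or an octet outside 0-255)."""
    if not name.lower().endswith(PTR_SUFFIX):
        return None
    octets = name[:-len(PTR_SUFFIX)].split(".")
    if len(octets) != 4:
        return None
    try:
        return ipaddress.IPv4Address(".".join(reversed(octets)))
    except ipaddress.AddressValueError:
        return None


def decode_network_table(text):
    """Parse 'Country Destination Domain Proto' rows into
    (resolver_ip, resolver_port, proto, looked_up_ip) tuples; a row whose
    domain is not a PTR name is returned with looked_up_ip=None."""
    decoded = []
    for line in text.splitlines():
        if not line.strip():
            continue
        country, dest, domain, proto = line.split()
        resolver, port = dest.rsplit(":", 1)
        ip = ptr_name_to_ip(domain)
        decoded.append((resolver, int(port), proto, str(ip) if ip else None))
    return decoded


if __name__ == "__main__":
    for row in decode_network_table(NETWORK_ROWS):
        print(row)
```

Note that behavioral1 (the Windows 7 run) recorded no network activity at all, so the sample's file encryption did not depend on reaching anything on the network in either run.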

Files

C:\Windows\SysWOW64\Zombie.exe

MD5 1a20a3c3189e215b326b43855375999b
SHA1 5782f0532579297be4b9cd0e6f5b014b166f370e
SHA256 bd2d009e419178d1c479c627ca7284d714836d6c0849edfd4a685dc509b6e2f2
SHA512 9b211d186501de9a035428dcf4efacf7b43bcb8b8655279df6ad71f367284300fbb38083f41d77e6e02ad30bb911666d2d317a3fd83f97643d02bd4d4ca816e3

C:\Users\Admin\AppData\Local\Temp\_VC_redist.x64.exe

MD5 7cf46d8dfb686998aaaf81e27b995e8c
SHA1 c5638a049787ce441c9720c92d3cd02aa3b02429
SHA256 120019a0ac9f54224fc9787afba241bd9faaecef489be5a660bb16e85df052e4
SHA512 66cf76324e373d3be6cbef39535b419eda486a8f43c305c38a8c01cfc05f9e4073aeade808db8dea306fd3251955e177e45ab578a57114bac1d2df54b4e95efe

C:\$Recycle.Bin\S-1-5-21-2447855248-390457009-3660902674-1000\desktop.ini.tmp

MD5 ec6319d12e88b2db131febb53c945f36
SHA1 34f709db530a1788604a4bd717700ee88c7ddd64
SHA256 f9df40037e5bc5ff4d56d97362888892ea026662786eb111940a00ade49732e1
SHA512 b492837655731cc08811c836ff0557027a41fe6a0dec4c91b6aef9ebb63a954ebf7301134dd8df1975754c453c3309f856dfe6c6b45ffcbc7ef7750841d19e8e

C:\Windows\Temp\{5A05D76B-BCE1-43D9-B96D-D59355B52FCA}\.ba\wixstdba.dll

MD5 eab9caf4277829abdf6223ec1efa0edd
SHA1 74862ecf349a9bedd32699f2a7a4e00b4727543d
SHA256 a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041
SHA512 45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

C:\Windows\Temp\{5A05D76B-BCE1-43D9-B96D-D59355B52FCA}\.ba\logo.png

MD5 d6bd210f227442b3362493d046cea233
SHA1 ff286ac8370fc655aea0ef35e9cf0bfcb6d698de
SHA256 335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef
SHA512 464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b
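Not every hash in the two Files sections is an equally good indicator. Zombie.exe has the same SHA256 in both runs and is the dropped payload that performs the renames, so it is the one hash worth matching on. _VC_redist.x64.exe, wixstdba.dll and logo.png are also identical across runs, but the -burn.clean.room switch on the child's command line and the wixstdba.dll name identify a WiX Burn bootstrapper bundle, and those hashes would match an identically packaged Visual C++ redistributable wherever it came from, so check the file's Authenticode signature before treating a match as malicious. The two desktop.ini.tmp files have different hashes in the two runs, which is what encrypted per-victim output looks like; their hashes will not recur elsewhere. The Python below is an added example, not part of the report: it streams files under a directory through SHA256 and matches them against the report's hashes with those confidence labels (the labels are an assumption made here, not a rating the report gives). Because the real binaries are not available, the demo exercises the scanner against a constructed temp directory whose stand-in file is hashed into a fixture table.

```python
"""Added example; not part of the report. Hashes every file under a directory
and matches the digests against the SHA256 values from the report's Files
sections, with a confidence label per indicator."""
import hashlib
import tempfile
from pathlib import Path

# SHA256 values copied from the report's Files sections. Confidence is an
# assumption made here, not a rating the report gives.
REPORT_IOCS = {
    "bd2d009e419178d1c479c627ca7284d714836d6c0849edfd4a685dc509b6e2f2":
        ("Zombie.exe", "high"),
    "120019a0ac9f54224fc9787afba241bd9faaecef489be5a660bb16e85df052e4":
        ("_VC_redist.x64.exe", "context"),
    "a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041":
        ("wixstdba.dll", "context"),
    "335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef":
        ("logo.png", "context"),
    "c5d1289de4de65de8a3351a7e4f53e301d2b2e85505f2370436e78d886794bd0":
        ("desktop.ini.tmp (win7 run)", "low"),
    "f9df40037e5bc5ff4d56d97362888892ea026662786eb111940a00ade49732e1":
        ("desktop.ini.tmp (win10 run)", "low"),
}


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA256 so large files are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def scan(root, iocs=REPORT_IOCS):
    """Return [(path, sha256, indicator_name, confidence)] for every regular
    file under `root` whose digest is in `iocs`, sorted by path."""
    hits = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file():
            h = sha256_file(p)
            if h in iocs:
                name, confidence = iocs[h]
                hits.append((str(p), h, name, confidence))
    return hits


def demo():
    """Constructed fixture: the real binaries are not available here, so the
    scanner is exercised against a temp directory holding a stand-in
    'Zombie.exe' whose own digest is placed in a fixture IOC table."""
    with tempfile.TemporaryDirectory() as d:
        stand_in = Path(d) / "Zombie.exe"
        stand_in.write_bytes(b"constructed stand-in, not the dropped binary")
        (Path(d) / "readme.txt").write_text("benign file for contrast")
        fixture = {sha256_file(stand_in): ("Zombie.exe", "high")}
        return scan(d, fixture)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

To hunt with the report's own hashes call scan() on a real path with the default table; treat a 'context' hit as a prompt to verify the signature and a 'low' hit as noise.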