99368b347d3b694e80673c97cd28ada9a552eb3af8c0d5d3ec64d7da502a28e8

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
30/06/2024, 00:09

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

99368b347d3b694e80673c97cd28ada9a552eb3af8c0d5d3ec64d7da502a28e8.exe
Size

224KB
MD5

b37893cc2798e37665e3d62e4ea527cd
SHA1

2d942e4b5ea3c336829a736201c3ece779c6fcb4
SHA256

99368b347d3b694e80673c97cd28ada9a552eb3af8c0d5d3ec64d7da502a28e8
SHA512

eb5c6851c110037e56e00399b3ec16f705887be30ff91671975a570033e435b03fd6f61a152c7854ec2cdeb5bd8b2184834768865b348823ebd8acef885bc8b9
SSDEEP

3072:6DWp2R9vHpKmEGCLOwstyhZFChcssc56FUrgxvbSD4UQrO2ixMF:d29/pKvShcHUaZ

Score

9^/10

ransomware

Malware Config

Signatures

Renames multiple (4839) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 2 IoCs

pid	Process
2580	_cup.exe
1796	Zombie.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Zombie.exe	99368b347d3b694e80673c97cd28ada9a552eb3af8c0d5d3ec64d7da502a28e8.exe
File opened for modification	C:\Windows\SysWOW64\Zombie.exe	99368b347d3b694e80673c97cd28ada9a552eb3af8c0d5d3ec64d7da502a28e8.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\libEGL.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\currency.data.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Grace-ul-oob.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription1-ppd.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\GRINTL32.DLL.tmp	Zombie.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\fa.pak.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\accessibility.properties.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_OEM_Perp-pl.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\YEAR.XSL.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\System.Windows.Controls.Ribbon.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial2-pl.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Configuration\config.xml.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OSFUI.DLL.tmp	Zombie.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_fr.properties.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_MAKC2R-pl.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.Encoding.Extensions.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-sysinfo-l1-1-0.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\prism_sw.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\xalan.md.tmp	Zombie.exe
File created	C:\Program Files\Java\jre-1.8\bin\w2k_lsa_auth.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\mesa3d.md.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Grace-ppd.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial3-pl.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Grace-ppd.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSO.FRAMEPROTOCOLWIN32.DLL.tmp	Zombie.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\msinfo32.exe.mui.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\PresentationCore.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\TURABIAN.XSL.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OFFSYMB.TTF.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.officemui.msi.16.en-us.xml.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Grace-ppd.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC_F_COL.HXK.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Compression.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jsdt.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RIntLoc.en-us.16.msi.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Retail-ul-phn.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp-pl.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-timezone-l1-1-0.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Grace-ul-oob.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019DemoR_BypassTrial180-ul-oob.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_KMS_Client-ul.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.scale-180.png.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\PGOMESSAGES.XML.tmp	Zombie.exe
File created	C:\Program Files\CompressReset.wav.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk-1.8\include\jvmti.h.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_OEM_Perp-ul-phn.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_MAK_AE-ul-phn.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1036\MSO.ACL.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial3-pl.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial4-ul-oob.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_MAK_AE-pl.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\TYPE.WAV.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBCTRAC.DLL.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Retail-ul-oob.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.scale-140.png.tmp	Zombie.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\TabTip.exe.mui.tmp	Zombie.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\tr.pak.tmp	Zombie.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-sysinfo-l1-1-0.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Retail-pl.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription3-ppd.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Retail-ul-oob.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Retail-ul-oob.xrm-ms.tmp	Zombie.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 3480 wrote to memory of 1796	3480	99368b347d3b694e80673c97cd28ada9a552eb3af8c0d5d3ec64d7da502a28e8.exe	90
PID 3480 wrote to memory of 1796	3480	99368b347d3b694e80673c97cd28ada9a552eb3af8c0d5d3ec64d7da502a28e8.exe	90
PID 3480 wrote to memory of 1796	3480	99368b347d3b694e80673c97cd28ada9a552eb3af8c0d5d3ec64d7da502a28e8.exe	90
PID 3480 wrote to memory of 2580	3480	99368b347d3b694e80673c97cd28ada9a552eb3af8c0d5d3ec64d7da502a28e8.exe	91
PID 3480 wrote to memory of 2580	3480	99368b347d3b694e80673c97cd28ada9a552eb3af8c0d5d3ec64d7da502a28e8.exe	91

C:\Users\Admin\AppData\Local\Temp\99368b347d3b694e80673c97cd28ada9a552eb3af8c0d5d3ec64d7da502a28e8.exe
"C:\Users\Admin\AppData\Local\Temp\99368b347d3b694e80673c97cd28ada9a552eb3af8c0d5d3ec64d7da502a28e8.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3480
- C:\Windows\SysWOW64\Zombie.exe
  "C:\Windows\system32\Zombie.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:1796
- C:\Users\Admin\AppData\Local\Temp\_cup.exe
  "_cup.exe"
  2⤵
  - Executes dropped EXE
  PID:2580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1032,i,4778049104057176787,6631751660692402210,262144 --variations-seed-version --mojo-platform-channel-handle=4188 /prefetch:8
1⤵
PID:572

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3665033694-1447845302-680750983-1000\desktop.ini.exe

Filesize
81KB

MD5
a3b25431ca73fcbf859fa45615a9a819

SHA1
e70113e9aeb126d376515d1c81515afcf8939e2a

SHA256
dd5f1ad44ac7040379ed516c90f4c269c7dfba89e9dc8a1a51712a7e0906de71

SHA512
850a70257de1f6c499618430ef21723a55488623cf3b0694d88d27cafdea97979d88c1a0f5fa040353540ee64c527b7d6b2b93718316f625c3aaba58d7dd2836

Download Submit
C:\Users\Admin\AppData\Local\Temp\_cup.exe

Filesize
143KB

MD5
38f108cddb6619fba80f8382d5227ece

SHA1
12fd277bf756f22cfae3043900e4aff8b9f05ed9

SHA256
8296fe257b8c34398e3f291764454ec3cd9cbe06d60989b632ef4ba6c73ae5dc

SHA512
3db732c23f10122c78cffc6b6a5b11836ade1a23f5c6f9a192f2be2fa99c5bd7afb7a9e29c5d518a888cdd2091f9ac41b244214be226152830e96f5ec2cca424

Download Submit
C:\Windows\SysWOW64\Zombie.exe

Filesize
81KB

MD5
0a87e06d5a935342aab8136026b46979

SHA1
190824424bbe2629e22c84629bfc1c8dba87eecc

SHA256
e66a56fd82ed90aa50a1f38dc33658768e4d97604bac556f7fec7f49a7213669

SHA512
7622ba60fd6c62a35c82429a885ba57e46c76aad0b48ad4053169a5457f6612c78a1bd614cf78d87f10ec5b5d37ff3b096dcbc4c01e72084b5e5f00b5d1fa8e5

Download Submit
memory/2580-24-0x00007FFB91823000-0x00007FFB91825000-memory.dmp

Filesize
8KB

Download
memory/2580-21-0x0000000000930000-0x0000000000958000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads