0be1649f0bde0246c12eacb58518be98ece87a613367b9b43a5df15ac4e50909

Analysis

max time kernel
150s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03/07/2024, 21:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0be1649f0bde0246c12eacb58518be98ece87a613367b9b43a5df15ac4e50909.exe
Size

182KB
MD5

7642d3b428b14859113aace04c65bd00
SHA1

a346ed7311f1f97dee53aab021bf36c23a3e5043
SHA256

0be1649f0bde0246c12eacb58518be98ece87a613367b9b43a5df15ac4e50909
SHA512

b943434f67a6fa5ab202d999ee5cab3d7a23b2fa9ceb491d5fb0ea38c3fb4c82e4860d32d9f1b343e5639fc37600032c3d6bffca0627fa18d08e973099e09ebb
SSDEEP

3072:6pWpBwchcYw9mHpKZNGCLOwstyhZFChcssc56FUrgxvbSD4UQrO2ZTxH:PM9UpK7ShcHUaZZ

Score

9^/10

ransomware

Malware Config

Signatures

Renames multiple (5301) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 2 IoCs

pid	Process
3720	Zombie.exe
3972	_cinst.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Zombie.exe	0be1649f0bde0246c12eacb58518be98ece87a613367b9b43a5df15ac4e50909.exe
File opened for modification	C:\Windows\SysWOW64\Zombie.exe	0be1649f0bde0246c12eacb58518be98ece87a613367b9b43a5df15ac4e50909.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Trial-ppd.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_OEM_Perp-ul-phn.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ThirdPartyNotices.MSHWLatin.txt.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.X509Certificates.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Microsoft.WindowsDesktop.App.runtimeconfig.json.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\LEELAWAD.TTF.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Compression.Native.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\System.Windows.Forms.Design.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription2-pl.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_Grace-ul-oob.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-white_scale-80.png.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OneNote\SendToOneNote-manifest.ini.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\rsod\osmmui.msi.16.en-us.boot.tree.dat.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\PresentationUI.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk-1.8\bin\vcruntime140_1.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-timezone-l1-1-0.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest3-ppd.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\VVIEWRES.DLL.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\TPN.txt.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Collections.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework-SystemDrawing.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jpeg.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTest-pl.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\MSSRINTL.DLL.tmp	Zombie.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ko-KR\tipresx.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\PresentationCore.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\verify.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_Subscription-ppd.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019MSDNR_Retail-ppd.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\AccessRuntime2019_eula.txt.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msotdaddin.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.ThreadPool.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\UIAutomationProvider.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Trial-ppd.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription3-pl.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_rtl.xml.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\System.Windows.Forms.Primitives.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.Windows.Forms.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_MAK-pl.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\MSSP7ES.dub.tmp	Zombie.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\TipRes.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Common Files\System\ado\msadrh15.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\UIAutomationProvider.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\System.Xaml.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Trial-pl.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Trial-ul-oob.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-black_scale-180.png.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN105.XML.tmp	Zombie.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\TabTip.exe.mui.tmp	Zombie.exe
File created	C:\Program Files\Common Files\System\ado\msado60.tlb.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN108.XML.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\PresentationFramework.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_MAKC2R-ul-oob.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.fr-fr.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-convert-l1-1-0.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Collections.Specialized.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Excel.Common.FrontEnd.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_MAK-ppd.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Trial-ul-oob.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OFFSYMT.TTF.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\PresentationCore.resources.dll.tmp	Zombie.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2464 wrote to memory of 3720	2464	0be1649f0bde0246c12eacb58518be98ece87a613367b9b43a5df15ac4e50909.exe	88
PID 2464 wrote to memory of 3720	2464	0be1649f0bde0246c12eacb58518be98ece87a613367b9b43a5df15ac4e50909.exe	88
PID 2464 wrote to memory of 3720	2464	0be1649f0bde0246c12eacb58518be98ece87a613367b9b43a5df15ac4e50909.exe	88
PID 2464 wrote to memory of 3972	2464	0be1649f0bde0246c12eacb58518be98ece87a613367b9b43a5df15ac4e50909.exe	89
PID 2464 wrote to memory of 3972	2464	0be1649f0bde0246c12eacb58518be98ece87a613367b9b43a5df15ac4e50909.exe	89

C:\Users\Admin\AppData\Local\Temp\0be1649f0bde0246c12eacb58518be98ece87a613367b9b43a5df15ac4e50909.exe
"C:\Users\Admin\AppData\Local\Temp\0be1649f0bde0246c12eacb58518be98ece87a613367b9b43a5df15ac4e50909.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2464
- C:\Windows\SysWOW64\Zombie.exe
  "C:\Windows\system32\Zombie.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:3720
- C:\Users\Admin\AppData\Local\Temp\_cinst.exe
  "_cinst.exe"
  2⤵
  - Executes dropped EXE
  PID:3972

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3744,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=1020 /prefetch:8
1⤵
PID:5036

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1181767204-2009306918-3718769404-1000\desktop.ini.exe

Filesize
39KB

MD5
350cc5fac08973d308ccb7f733f10c48

SHA1
0ff39b28f7b2f0bbb5f43a67a318955b14d87833

SHA256
868741eec47c0804feb335ac386516686154a1892faccf94c0b64d65716395e4

SHA512
e813383c1b0cef6c19d5d103f328721afa41959745e2eefe7bb619cda24051ffa1569b45cc004e9d56b61b61be0213854f118408efeac71c628362e4aa727fff

Download Submit
C:\Users\Admin\AppData\Local\Temp\_cinst.exe

Filesize
143KB

MD5
2fdb371d45181dff59577110ba1064e2

SHA1
42a5833cb0ac90e38d734d1327bb3f7c7a6aa453

SHA256
80d7ec8ce3913d81ea5d4f304b8609e56f0e49778c52af9279e742ea54f4a155

SHA512
52982041ba9ca552b90b79b251501ec6c33c5251d09ca9969a1b179af2ec17aca6eb81db6e588e12751bcea04208e1da8d5a754a979dd98ceb3f50780aadea20

Download Submit
C:\Windows\SysWOW64\Zombie.exe

Filesize
39KB

MD5
52c4ca6c94fa29e1791d7f68f054bc1a

SHA1
79e3ac6e34a5b336bbd58e12f257eace7b2a4454

SHA256
57b9654597732d7caf9f9c285b25d8cbdf686025ff1c1f07c964e4cac45d9fdd

SHA512
61f9954dbf05d528bbfc26aa4ab289368eff62a734a5dd424abb6a22899926a860915ad73c639cb46d55a67f88ffb383edbc65a47ab22274af4c667b1dc2ca37

Download Submit
memory/3972-21-0x0000000000CD0000-0x0000000000CF8000-memory.dmp

Filesize
160KB

Download
memory/3972-22-0x00007FFF759E3000-0x00007FFF759E5000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads