Analysis
  max time kernel: 144s
  max time network: 61s
  platform: windows10-2004_x64
  resource: win10v2004-20240508-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 05-07-2024 01:31
Static task: static1
Behavioral task: behavioral1
  Sample: ac6e3d73ba05c9b31aeff8ad1ab28d4ce22cd9664f282af3b7684e5bcdfc0ae3.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: ac6e3d73ba05c9b31aeff8ad1ab28d4ce22cd9664f282af3b7684e5bcdfc0ae3.exe
  Resource: win10v2004-20240508-en
General
  Target: ac6e3d73ba05c9b31aeff8ad1ab28d4ce22cd9664f282af3b7684e5bcdfc0ae3.exe
  Size: 467KB
  MD5: 8cf20207163b6c4ac6cf6dddf4ec0335
  SHA1: ed9d1422fc9ec20d54a16ec4cac55af7bac225bc
  SHA256: ac6e3d73ba05c9b31aeff8ad1ab28d4ce22cd9664f282af3b7684e5bcdfc0ae3
  SHA512: b3337078bcf3d27ba67d4f4c9498afa672a2424fe65ad70ae64657515ba918fcdf9de4ec5053d57fd489e703dd5b88b7c29faabe140fc596ba78df651fc2869b
  SSDEEP: 12288:iFF2uqNUhiHOR4LucvSFSrux88ndNtJXzLFziB:iFF2PUhiHOeE8rin3thLa
Malware Config
Signatures
Renames multiple (4855) files with added filename extension
  This is the pattern of ransomware encrypting files across the system: each of the 4855 files keeps its original name and gains an extra extension. The report does not state which extension is appended.
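The signature above is a count of append-extension renames. The following detector, added here as an example and not part of the sandbox report or the sample, applies the same idea to a stream of file events: it counts renames in which the new name is the old name plus one extra suffix and flags any process that reaches a threshold inside a sliding time window, so an installer that renames a handful of files to `.bak` stays below it. The events are constructed, pid 3120 and the image name Zombie.exe are borrowed from this report for illustration, and the `.locked` extension is a placeholder because the report does not say what the sample appends.

```python
"""Rename-burst detector for the ransomware-style pattern behind the
signature "Renames multiple files with added filename extension".
Added example, not code from the sandbox or from the sample; every event
below is constructed, and the appended extension ".locked" is a placeholder
(the report does not say which extension the sample appends)."""
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

# (timestamp_seconds, pid, image, op, old_path, new_path)
FileEvent = Tuple[float, int, str, str, str, str]


def appended_extension(old: str, new: str) -> Optional[str]:
    """Return the extension appended to `old` to form `new`, or None.

    a.docx -> a.docx.locked   yields "locked"   (original name kept, suffix added)
    a.txt  -> a.bak           yields None       (extension replaced, not appended)
    a.txt  -> dir\\a.txt.x    yields None       (moved, not renamed in place)
    """
    if not new.startswith(old + "."):
        return None
    suffix = new[len(old) + 1:]
    if not suffix or "." in suffix or "\\" in suffix or "/" in suffix:
        return None
    return suffix


def detect_rename_bursts(events: Iterable[FileEvent],
                         threshold: int = 50,
                         window_s: float = 60.0) -> Dict[int, dict]:
    """Flag every pid that performs >= threshold append-extension renames
    inside any sliding window of window_s seconds.

    Returns {pid: {"image": ..., "ext": most common appended extension,
                   "count": renames in the triggering window}}.
    """
    renames: Dict[int, List[Tuple[float, str]]] = defaultdict(list)
    images: Dict[int, str] = {}
    for ts, pid, image, op, old, new in events:
        if op != "rename":
            continue
        ext = appended_extension(old, new)
        if ext is None:
            continue
        renames[pid].append((ts, ext))
        images[pid] = image

    hits: Dict[int, dict] = {}
    for pid, items in renames.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            # shrink the window from the left until it spans <= window_s
            while items[end][0] - items[start][0] > window_s:
                start += 1
            count = end - start + 1
            if count >= threshold:
                ext, _ = Counter(e for _, e in items[start:end + 1]).most_common(1)[0]
                hits[pid] = {"image": images[pid], "ext": ext, "count": count}
                break
    return hits


def sample_events() -> List[FileEvent]:
    """Constructed event stream: pid 3120 (mirroring the report's Zombie.exe)
    renames 80 files in 40 s; a hypothetical setup.exe renames a handful."""
    events: List[FileEvent] = []
    for i in range(80):
        old = rf"C:\Users\Admin\Documents\file{i:03d}.docx"
        events.append((i * 0.5, 3120, "Zombie.exe", "rename", old, old + ".locked"))
    # hypothetical setup.exe: one appended .bak, one extension *replacement*, one create
    events.append((5.0, 9999, "setup.exe", "rename", r"C:\Tmp\a.dll", r"C:\Tmp\a.dll.bak"))
    events.append((6.0, 9999, "setup.exe", "rename", r"C:\Tmp\b.txt", r"C:\Tmp\b.bak"))
    events.append((7.0, 9999, "setup.exe", "create", "", r"C:\Tmp\c.txt"))
    return events


if __name__ == "__main__":
    for pid, hit in detect_rename_bursts(sample_events()).items():
        print(f"pid {pid} ({hit['image']}): {hit['count']} renames appending .{hit['ext']}")
```

The threshold and window are tuning knobs: the sandbox counted 4855 renames in a run capped at 144 s, so a real run of this sample trips a 50-in-60-s rule many times over, while the constructed setup.exe never reaches it.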
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely for geofencing (deciding whether to run based on the victim's configured location).
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | _AdobeARMHelper.exe
Executes dropped EXE (2 IoCs)
  pid | Process
  3120 | Zombie.exe
  4572 | _AdobeARMHelper.exe
Drops file in System32 directory (2 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\SysWOW64\Zombie.exe | ac6e3d73ba05c9b31aeff8ad1ab28d4ce22cd9664f282af3b7684e5bcdfc0ae3.exe
  File created | C:\Windows\SysWOW64\Zombie.exe | ac6e3d73ba05c9b31aeff8ad1ab28d4ce22cd9664f282af3b7684e5bcdfc0ae3.exe
  Note: the command line recorded in the process tree refers to C:\Windows\system32\Zombie.exe, yet the file lands in SysWOW64. This is consistent with a 32-bit sample (resource tag arch:x86) running under WOW64 on x64 Windows, where writes to system32 are redirected to SysWOW64; hunt for the dropped file under both paths.
Drops file in Program Files directory (64 IoCs)
  Every entry is an existing file under Program Files with .tmp appended, created by Zombie.exe.
  description | ioc | Process
  File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\PresentationFramework.resources.dll.tmp | Zombie.exe
  File created | C:\Program Files\Java\jdk-1.8\jre\lib\security\public_suffix_list.dat.tmp | Zombie.exe
  File created | C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_OEM_Perp-ppd.xrm-ms.tmp | Zombie.exe
  File created | C:\Program Files\Java\jdk-1.8\jre\lib\hijrah-config-umalqura.properties.tmp | Zombie.exe
  File created | C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription2-ppd.xrm-ms.tmp | Zombie.exe
  File created | C:\Program Files\7-Zip\Lang\ga.txt.tmp | Zombie.exe
  File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R64.dll.tmp | Zombie.exe
  File created | C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\el.pak.tmp | Zombie.exe
  File created | C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-ppd.xrm-ms.tmp | Zombie.exe
  File created | C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Grace-ul-oob.xrm-ms.tmp | Zombie.exe
  File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Numerics.dll.tmp | Zombie.exe
  File created | C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-namedpipe-l1-1-0.dll.tmp | Zombie.exe
  File created | C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_KMS_Client_AE-ppd.xrm-ms.tmp | Zombie.exe
  File created | C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-black_scale-180.png.tmp | Zombie.exe
  File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Numerics.dll.tmp | Zombie.exe
  File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.AppContext.dll.tmp | Zombie.exe
  File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\Microsoft.VisualBasic.Forms.resources.dll.tmp | Zombie.exe
  File created | C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe.tmp | Zombie.exe
  File created | C:\Program Files\Java\jre-1.8\legal\javafx\mesa3d.md.tmp | Zombie.exe
  File created | C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTest-ppd.xrm-ms.tmp | Zombie.exe
  File created | C:\Program Files\Microsoft Office\root\Office16\1033\LyncBasic_Eula.txt.tmp | Zombie.exe
  File created | C:\Program Files\ConvertFromClose.zip.tmp | Zombie.exe
  File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\System.Windows.Controls.Ribbon.resources.dll.tmp | Zombie.exe
  File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\Microsoft.VisualBasic.Forms.resources.dll.tmp | Zombie.exe
  File created | C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001B-0000-1000-0000000FF1CE.xml.tmp | Zombie.exe
  File created | C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Grace-ul-oob.xrm-ms.tmp | Zombie.exe
  File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.AeroLite.dll.tmp | Zombie.exe
  File created | C:\Program Files\Microsoft Office\root\Licenses16\AccessRuntimeR_PrepidBypass-ul-oob.xrm-ms.tmp | Zombie.exe
  File created | C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_MAKC2R-ul-oob.xrm-ms.tmp | Zombie.exe
  File created | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp3-ul-oob.xrm-ms.tmp | Zombie.exe
  File created | C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_MAK-ul-oob.xrm-ms.tmp | Zombie.exe
  File created | C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.scale-80.png.tmp | Zombie.exe
  File created | C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\basicstylish.dotx.tmp | Zombie.exe
  File created | C:\Program Files\Common Files\microsoft shared\ink\ipsrom.xml.tmp | Zombie.exe
  File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.XmlDocument.dll.tmp | Zombie.exe
  File created | C:\Program Files\Java\jdk-1.8\jre\bin\vcruntime140_1.dll.tmp | Zombie.exe
  File created | C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-heap-l1-1-0.dll.tmp | Zombie.exe
  File created | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Calibri-Cambria.xml.tmp | Zombie.exe
  File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.Luna.dll.tmp | Zombie.exe
  File created | C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe.tmp | Zombie.exe
  File created | C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_PrepidBypass-ppd.xrm-ms.tmp | Zombie.exe
  File created | C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\Office.Runtime.js.tmp | Zombie.exe
  File created | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols.xml.tmp | Zombie.exe
  File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\PresentationCore.resources.dll.tmp | Zombie.exe
  File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Security.Cryptography.Xml.dll.tmp | Zombie.exe
  File created | C:\Program Files\Java\jre-1.8\lib\content-types.properties.tmp | Zombie.exe
  File created | C:\Program Files\Microsoft Office\root\Office16\MSIPC\gl\msipc.dll.mui.tmp | Zombie.exe
  File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.NetworkInformation.dll.tmp | Zombie.exe
  File created | C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial2-ppd.xrm-ms.tmp | Zombie.exe
  File created | C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_Subscription-ppd.xrm-ms.tmp | Zombie.exe
  File created | C:\Program Files\Microsoft Office\root\Licenses16\PersonalDemoR_BypassTrial180-ppd.xrm-ms.tmp | Zombie.exe
  File created | C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp2-ul-phn.xrm-ms.tmp | Zombie.exe
  File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\System.Windows.Forms.Primitives.resources.dll.tmp | Zombie.exe
  File created | C:\Program Files\Java\jdk-1.8\bin\jmap.exe.tmp | Zombie.exe
  File created | C:\Program Files\Java\jdk-1.8\jre\bin\JAWTAccessBridge-64.dll.tmp | Zombie.exe
  File created | C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\PersonaSpy.html.tmp | Zombie.exe
  File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\UIAutomationClient.resources.dll.tmp | Zombie.exe
  File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Security.Cryptography.ProtectedData.dll.tmp | Zombie.exe
  File created | C:\Program Files\Java\jdk-1.8\jre\bin\net.dll.tmp | Zombie.exe
  File created | C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe.tmp | Zombie.exe
  File created | C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate64.exe.tmp | Zombie.exe
  File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Diagnostics.PerformanceCounter.dll.tmp | Zombie.exe
  File created | C:\Program Files\Microsoft Office\root\Client\vcruntime140.dll.tmp | Zombie.exe
  File created | C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_MAK_AE-ppd.xrm-ms.tmp | Zombie.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (10 IoCs)
  pid | Process
  4572 | _AdobeARMHelper.exe (all 10 events come from this process)
Suspicious use of SetWindowsHookEx (1 IoC)
  pid | Process
  3468 | AdobeARM.exe
Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 1460 wrote to memory of 3120 | 1460 | ac6e3d73ba05c9b31aeff8ad1ab28d4ce22cd9664f282af3b7684e5bcdfc0ae3.exe | 81
  PID 1460 wrote to memory of 3120 | 1460 | ac6e3d73ba05c9b31aeff8ad1ab28d4ce22cd9664f282af3b7684e5bcdfc0ae3.exe | 81
  PID 1460 wrote to memory of 3120 | 1460 | ac6e3d73ba05c9b31aeff8ad1ab28d4ce22cd9664f282af3b7684e5bcdfc0ae3.exe | 81
  PID 1460 wrote to memory of 4572 | 1460 | ac6e3d73ba05c9b31aeff8ad1ab28d4ce22cd9664f282af3b7684e5bcdfc0ae3.exe | 82
  PID 1460 wrote to memory of 4572 | 1460 | ac6e3d73ba05c9b31aeff8ad1ab28d4ce22cd9664f282af3b7684e5bcdfc0ae3.exe | 82
  PID 1460 wrote to memory of 4572 | 1460 | ac6e3d73ba05c9b31aeff8ad1ab28d4ce22cd9664f282af3b7684e5bcdfc0ae3.exe | 82
  PID 4572 wrote to memory of 3468 | 4572 | _AdobeARMHelper.exe | 83
  PID 4572 wrote to memory of 3468 | 4572 | _AdobeARMHelper.exe | 83
  PID 4572 wrote to memory of 3468 | 4572 | _AdobeARMHelper.exe | 83
  Note: every target pid here is a direct child of the writing process (compare the process tree below), so these writes are the parent populating a child it has just created rather than injection into a pre-existing process.
Processes
  C:\Users\Admin\AppData\Local\Temp\ac6e3d73ba05c9b31aeff8ad1ab28d4ce22cd9664f282af3b7684e5bcdfc0ae3.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\ac6e3d73ba05c9b31aeff8ad1ab28d4ce22cd9664f282af3b7684e5bcdfc0ae3.exe"
    PID: 1460
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\Zombie.exe
      cmdline: "C:\Windows\system32\Zombie.exe"
      PID: 3120
      - Executes dropped EXE
      - Drops file in Program Files directory
    C:\Users\Admin\AppData\Local\Temp\_AdobeARMHelper.exe
      cmdline: "_AdobeARMHelper.exe"
      PID: 4572
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
        cmdline: "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
        PID: 3468
        - Suspicious use of SetWindowsHookEx
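The WriteProcessMemory signature and the process tree above carry the same information from two angles: the writer/target pids, and the parent/child relationships. The script below, added here as an example and not part of the sandbox report or the sample, parses the flattened signature rows, rebuilds the tree from the Processes section, and sorts each write into "child-setup" (the writer is the target's parent) or "cross-process" (anything else, including a target that is not in the tree at all). The rows and the process list are transcribed from this report; the single row marked CONSTRUCTED, with a hypothetical pid 1234, is invented to exercise the injection branch.

```python
"""Rebuild the process tree of this report and classify each
WriteProcessMemory row as parent-to-child setup or as a write into a
process the writer did not create (the injection case).  Added example,
not part of the sandbox report; rows and process list are transcribed from
the report above, the row marked CONSTRUCTED is invented."""
import re
from collections import Counter
from typing import Dict, List, Optional, Set, Tuple

SAMPLE = "ac6e3d73ba05c9b31aeff8ad1ab28d4ce22cd9664f282af3b7684e5bcdfc0ae3.exe"

# pid -> (image, parent pid), from the Processes section of the report
PROCESSES: Dict[int, Tuple[str, Optional[int]]] = {
    1460: (SAMPLE, None),
    3120: ("Zombie.exe", 1460),
    4572: ("_AdobeARMHelper.exe", 1460),
    3468: ("AdobeARM.exe", 4572),
}

# rows of the "Suspicious use of WriteProcessMemory" signature, in the report's flattened shape
REPORT_ROWS = f"""
PID 1460 wrote to memory of 3120 1460 {SAMPLE} 81
PID 1460 wrote to memory of 3120 1460 {SAMPLE} 81
PID 1460 wrote to memory of 3120 1460 {SAMPLE} 81
PID 1460 wrote to memory of 4572 1460 {SAMPLE} 82
PID 1460 wrote to memory of 4572 1460 {SAMPLE} 82
PID 1460 wrote to memory of 4572 1460 {SAMPLE} 82
PID 4572 wrote to memory of 3468 4572 _AdobeARMHelper.exe 83
PID 4572 wrote to memory of 3468 4572 _AdobeARMHelper.exe 83
PID 4572 wrote to memory of 3468 4572 _AdobeARMHelper.exe 83
"""

# CONSTRUCTED: not in the report; a hypothetical write into a process (pid 1234) the writer did not spawn
CONSTRUCTED_ROW = "PID 4572 wrote to memory of 1234 4572 _AdobeARMHelper.exe 99"

ROW = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) \d+")


def parse_rows(text: str) -> Counter:
    """Count (writer_pid, target_pid, writer_image) triples in the flattened table."""
    counts: Counter = Counter()
    for line in text.strip().splitlines():
        m = ROW.fullmatch(line.strip())
        if m:
            counts[(int(m.group(1)), int(m.group(2)), m.group(3))] += 1
    return counts


def classify_writes(text: str,
                    processes: Dict[int, Tuple[str, Optional[int]]]) -> Dict[str, Set[Tuple[int, int]]]:
    """'child-setup' when the target's recorded parent is the writer,
    'cross-process' otherwise (including targets absent from the tree)."""
    result: Dict[str, Set[Tuple[int, int]]] = {"child-setup": set(), "cross-process": set()}
    for (writer, target, _image) in parse_rows(text):
        parent = processes.get(target, (None, None))[1]
        bucket = "child-setup" if parent == writer else "cross-process"
        result[bucket].add((writer, target))
    return result


def render_tree(processes: Dict[int, Tuple[str, Optional[int]]]) -> List[str]:
    """Indented image names, children under their parent, in pid order."""
    lines: List[str] = []

    def walk(pid: int, depth: int) -> None:
        lines.append("  " * depth + f"{processes[pid][0]} (PID {pid})")
        for child in sorted(p for p, (_, parent) in processes.items() if parent == pid):
            walk(child, depth + 1)

    for root in sorted(p for p, (_, parent) in processes.items() if parent is None):
        walk(root, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(PROCESSES)))
    print(classify_writes(REPORT_ROWS, PROCESSES))
    print(classify_writes(REPORT_ROWS + CONSTRUCTED_ROW, PROCESSES))
```

Against the report's own rows every write falls into "child-setup"; only the constructed row lands in "cross-process", which is the bucket worth alerting on when triaging a batch of these reports.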
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize: 80KB
  MD5: 59670d7a94544c1b6d4200997e23be2d
  SHA1: b560da82696ef745f59369198f35fe2e800c42ca
  SHA256: 6d05d3a58eaf877b4fd992a6da77eb4bd0f0182ebbb48785179fdc0d83c9a755
  SHA512: 5e838eaacb0f200452ffaf1c8b1d7f8e75b0f3c0d605c6fd5de5b41a627b42ba0ebf1970e9c010ff57b1e66225e8f27185acf57d3c17152ed5deeec8f15de5c1

  Filesize: 178B
  MD5: f8d4127dbc82b43639f8aa3257d46837
  SHA1: cea55c82102f51b260d3bd51b702846717793d17
  SHA256: 48502bef4cb1490defc0884ab8700800b5b5549dffbec984cce2c138f6d35a09
  SHA512: 32bbd8f487c74548230ffb55ca76addbd162bd93aa5c1321834b2d5e3ded32f7febc405aa9ebf8201fa46c84ef98873f59ee8fc1b8e4f065e25baf21cea4f406

  Filesize: 251KB
  MD5: 864c22fb9a1c0670edf01c6ed3e4fbe4
  SHA1: bf636f8baed998a1eb4531af9e833e6d3d8df129
  SHA256: b4d4dcd9594d372d7c0c975d80ef5802c88502895ed4b8a26ca62e225f2f18b0
  SHA512: ff23616ee67d51daa2640ae638f59a8d331930a29b98c2d1bd3b236d2f651f243f9bae38d58515714886cfbb13b9be721d490aad4f2d10cbba74d7701ab34e09

  Filesize: 387KB
  MD5: c18baf4d858b36dbf1e679c79c659a70
  SHA1: f5638a26a57a9ef9dbfb0b1a324c13f2b548f308
  SHA256: 843dd18df8fd40e9e8ab2cecc52c03f2e95b0c2933162ba860d83e23c207b82c
  SHA512: a46d780398f5066a90de5e0772a0a0f55f802dca023e8c90db271507aacec8f73a6f3a8cbd086031235e2037eab83975b68e52c17519efc4c6148b48f2ad2ee2

  Filesize: 80KB
  MD5: cee3d3936b76117281699bcef8345216
  SHA1: 8bb1aaf10c93a02b0340c9b57487635ff4a5a623
  SHA256: 51a4f37d183ef2d73f15442c5d6ad4e607b438ac970264470a7c8fd85c455962
  SHA512: cb3f9b21d7e588c3edc37423f1a93b4e9ed43d859ac1cef3a62e4b9833438dc1694ae44532f235e328dedfa6a089f2c9829ab966da823790d574e22c3132bf9c