b7de492efa8d6ff8aff98db157f16e27bb12e759f45c6a36e91ba7be70ada563

Analysis

max time kernel
150s
max time network
116s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
11/07/2024, 04:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b7de492efa8d6ff8aff98db157f16e27bb12e759f45c6a36e91ba7be70ada563.exe
Size

465KB
MD5

4cb8e637913dbf01188b2d8751f7f866
SHA1

d948994130e626aea47ca1f26b7e77a2dd5871cf
SHA256

b7de492efa8d6ff8aff98db157f16e27bb12e759f45c6a36e91ba7be70ada563
SHA512

de046d0e44cbab57c05de79ca63ce14a13f2d01b6a7fbd03e86de19e2aa56dc0139884a76d326c5c60a1a6b960bff83ba0e13dea1e272635c6628a6736ec4a0d
SSDEEP

12288:cNUhiHOR4LucvSFSrux88ndNtJXzLFzio:GUhiHOeE8rin3thLj

Score

9^/10

ransomware

Malware Config

Signatures

Renames multiple (5187) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	_AdobeARMHelper.exe

Executes dropped EXE 2 IoCs

pid	Process
4416	Zombie.exe
4312	_AdobeARMHelper.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Zombie.exe	b7de492efa8d6ff8aff98db157f16e27bb12e759f45c6a36e91ba7be70ada563.exe
File created	C:\Windows\SysWOW64\Zombie.exe	b7de492efa8d6ff8aff98db157f16e27bb12e759f45c6a36e91ba7be70ada563.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\WindowsFormsIntegration.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\vk_swiftshader.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_MAK_AE-ppd.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_WHATSNEW.XML.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\LTSHYPH_EN.LEX.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\AdjacencyResume.dotx.tmp	Zombie.exe
File created	C:\Program Files\7-Zip\Lang\sl.txt.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\Microsoft.VisualBasic.Forms.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\System.Windows.Controls.Ribbon.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-file-l1-2-0.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial1-pl.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\cldr.md.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PSRCHLEX.DAT.tmp	Zombie.exe
File created	C:\Program Files\7-Zip\Lang\ga.txt.tmp	Zombie.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hwrusash.dat.tmp	Zombie.exe
File created	C:\Program Files\Common Files\System\ado\msader15.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.FileSystem.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\Microsoft.VisualBasic.Forms.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\msvcr120.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\BOOKOS.TTF.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.MemoryMappedFiles.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jre-1.8\bin\prism_sw.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Office Theme.thmx.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Retail-ul-oob.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Trial-ul-oob.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\GOTHICBI.TTF.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.MemoryMappedFiles.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\dt_shmem.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\sunec.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL044.XML.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\BHOINTL.DLL.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ThirdPartyNotices.txt.tmp	Zombie.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\TipTsf.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml.tmp	Zombie.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsfra.xml.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Quic.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail2-ul-phn.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\7-Zip\7zCon.sfx.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.InteropServices.RuntimeInformation.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019DemoR_BypassTrial180-ul-oob.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\Heartbeat\HeartbeatCache.xml.tmp	Zombie.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\mshwLatin.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\office.core.operational.js.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ComponentModel.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_MAK-ul-phn.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\rsod\word.x-none.msi.16.x-none.boot.tree.dat.tmp	Zombie.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ko-kr.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail-pl.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Primitives.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaBrightRegular.ttf.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_OEM_Perp-ul-oob.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\NL7MODELS000C.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp5-pl.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Serialization.Formatters.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\System.Windows.Forms.Primitives.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-rtlsupport-l1-1-0.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jre-1.8\bin\server\classes.jsa.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Retail-ul-phn.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\rsod\powerpivot.x-none.msi.16.x-none.tree.dat.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_KMS_Client-ul.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL077.XML.tmp	Zombie.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4312	_AdobeARMHelper.exe
4312	_AdobeARMHelper.exe
4312	_AdobeARMHelper.exe
4312	_AdobeARMHelper.exe
4312	_AdobeARMHelper.exe
4312	_AdobeARMHelper.exe
4312	_AdobeARMHelper.exe
4312	_AdobeARMHelper.exe
4312	_AdobeARMHelper.exe
4312	_AdobeARMHelper.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3688	AdobeARM.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4020 wrote to memory of 4416	4020	b7de492efa8d6ff8aff98db157f16e27bb12e759f45c6a36e91ba7be70ada563.exe	83
PID 4020 wrote to memory of 4416	4020	b7de492efa8d6ff8aff98db157f16e27bb12e759f45c6a36e91ba7be70ada563.exe	83
PID 4020 wrote to memory of 4416	4020	b7de492efa8d6ff8aff98db157f16e27bb12e759f45c6a36e91ba7be70ada563.exe	83
PID 4020 wrote to memory of 4312	4020	b7de492efa8d6ff8aff98db157f16e27bb12e759f45c6a36e91ba7be70ada563.exe	84
PID 4020 wrote to memory of 4312	4020	b7de492efa8d6ff8aff98db157f16e27bb12e759f45c6a36e91ba7be70ada563.exe	84
PID 4020 wrote to memory of 4312	4020	b7de492efa8d6ff8aff98db157f16e27bb12e759f45c6a36e91ba7be70ada563.exe	84
PID 4312 wrote to memory of 3688	4312	_AdobeARMHelper.exe	88
PID 4312 wrote to memory of 3688	4312	_AdobeARMHelper.exe	88
PID 4312 wrote to memory of 3688	4312	_AdobeARMHelper.exe	88
PID 3688 wrote to memory of 5080	3688	AdobeARM.exe	90
PID 3688 wrote to memory of 5080	3688	AdobeARM.exe	90
PID 3688 wrote to memory of 5080	3688	AdobeARM.exe	90

C:\Users\Admin\AppData\Local\Temp\b7de492efa8d6ff8aff98db157f16e27bb12e759f45c6a36e91ba7be70ada563.exe
"C:\Users\Admin\AppData\Local\Temp\b7de492efa8d6ff8aff98db157f16e27bb12e759f45c6a36e91ba7be70ada563.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4020
- C:\Windows\SysWOW64\Zombie.exe
  "C:\Windows\system32\Zombie.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:4416
- C:\Users\Admin\AppData\Local\Temp\_AdobeARMHelper.exe
  "_AdobeARMHelper.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4312
- - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3688
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe"
      4⤵
      PID:5080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1176886754-713327781-2233697964-1000\desktop.ini.tmp

Filesize
78KB

MD5
9668b747cffe841ae25c6f3ac941a2d9

SHA1
c5dee0ecf658b7109457cf763368bbcfcdee3c39

SHA256
2218c475d4fd733678cc96102027cbc31767f6906f5918b4b58780a32d99c78b

SHA512
d3d5fe72e4060ae19d7c9c22cb500768a44fa87b338c54c93c4730e8c169a33e6a25c6d3d74a998999c31634e8093fb0a52fc57cdf7ab58102a29db80ee7d8af

Download Submit
C:\ProgramData\Adobe\ARM\ArmReport.ini

Filesize
634B

MD5
4600ea83e72c40d5b6d25248895c4d66

SHA1
666d119fa0398adce7093f434fc15437ca6913c5

SHA256
4f9b2f699943dc7a42321fde879d884202e9b3bd8391519cc69bd83d8d485aae

SHA512
08c1e1315bd3be50f47cce09a7b9c36aa38572495cdcbaa1053f6cc14af921437f3972c25d2d5c8df70a5b2e239a62d4cec6b3039de5b99e43b173eab4cb0bc9

Download Submit
C:\ProgramData\Adobe\ARM\ArmReport.ini

Filesize
746B

MD5
5757246b0746f04f7c6c7685c433d80f

SHA1
910a75876285c35fe0fa03c11f36257aeba8a2b3

SHA256
d33f7174ff6e717d72bfb38cf92e25135823d3d02273bf3f575f95d2afdc12dc

SHA512
8f2f3642154d4f016f7679567cc5879e8d4a794a07b62b9663905406a77aebb111b04032353588719a631d9e5223acf543499ef7f7b36e0e15ec966c638219f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdobeARM.log

Filesize
178B

MD5
3fa38a5b66426f8419cceac02e2e1055

SHA1
a094e1c38a1ddc929d1a79232846d8d76d2b6d9b

SHA256
8fbb83a37d2e71d6b62c770f8c143495f69bc4d858470dc5e6a289c7fee7b846

SHA512
39e557542fb9e5a6353c54b7626a9126afb789dea11c7d7dfa40daef18d925250d9dfb7811907b1f9209ff9caeb3eee4060125073b747ef5b17807b345cb27aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\ArmUI.ini

Filesize
251KB

MD5
864c22fb9a1c0670edf01c6ed3e4fbe4

SHA1
bf636f8baed998a1eb4531af9e833e6d3d8df129

SHA256
b4d4dcd9594d372d7c0c975d80ef5802c88502895ed4b8a26ca62e225f2f18b0

SHA512
ff23616ee67d51daa2640ae638f59a8d331930a29b98c2d1bd3b236d2f651f243f9bae38d58515714886cfbb13b9be721d490aad4f2d10cbba74d7701ab34e09

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpC95B.tmp

Filesize
3KB

MD5
bbb796dd2b53f7fb7ce855bb39535e2f

SHA1
dfb022a179775c82893fe8c4f59df8f6d19bd2fd

SHA256
ff9b4cf04e3202f150f19c1711767361343935da7841c98b876c42fd2cabce9b

SHA512
0d122f454fcbf4524c2756692f0f33dc98f5bd2426839c6f03cd5c5f4fd507a8a15cf489d7a7ceadd1b95cf31b506c04bf03d613a9ba7d76add92766b1dc5c2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpE1C7.tmp

Filesize
3KB

MD5
ec946860cff4f4a6d325a8de7d6254d2

SHA1
7c909f646d9b2d23c58f73ec2bb603cd59dc11fd

SHA256
19fe53c801ad7edc635f61e9e28d07da31780c2480e6f37ecfc63fffe1b250fe

SHA512
38a98b18dbae063bc533a1ff25a3467a7de197651e07e77a1b22cf8ce251282ab31f61dcff5c51ef186cfd115dc506181d480eabffbe92af01dee6282cbee13e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpE1D7.tmp

Filesize
3KB

MD5
fc2430057cb1be74c788f10c2d4540c8

SHA1
cab67ee8d5191fbf9f25545825e06c1a822af2f2

SHA256
dcc9d2695125406282ba990fec39403c44b12964acf51b5e0dc7f2080d714398

SHA512
4e2b9709a9e3ca5173abb35816e5a0aebbf2a7aaf971d7f75f3ae66e4a812cbade103baa5016525f5ab83a60c18f8d3c278c90ff83e4afdae419f81673cb5aee

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpE35F.tmp

Filesize
3KB

MD5
a58599260c64cb41ed7d156db8ac13ef

SHA1
fb9396eb1270e9331456a646ebf1419fc283dc06

SHA256
aabf92089e16fdb28706356dbc4efb5a81f5277946f2e67695b31676616ed2d2

SHA512
6970cbc42e7ec64ccdb8e5633b7017b1e9ec0d4ad094869e221e9275b814b1442b84827996190159543bdb5e86df6885c45197c533d657db4660fca8ad761a71

Download Submit
C:\Users\Admin\AppData\Local\Temp\_AdobeARMHelper.exe

Filesize
387KB

MD5
c18baf4d858b36dbf1e679c79c659a70

SHA1
f5638a26a57a9ef9dbfb0b1a324c13f2b548f308

SHA256
843dd18df8fd40e9e8ab2cecc52c03f2e95b0c2933162ba860d83e23c207b82c

SHA512
a46d780398f5066a90de5e0772a0a0f55f802dca023e8c90db271507aacec8f73a6f3a8cbd086031235e2037eab83975b68e52c17519efc4c6148b48f2ad2ee2

Download Submit
C:\Windows\SysWOW64\Zombie.exe

Filesize
78KB

MD5
a2e9d76030ff69598f0066449d860df0

SHA1
076faa1130cc9ba2e33f3955351348b218a4716b

SHA256
d2a634e68db28eeef58a58c9918b5fb27281b53697d8b5e82fd7bad6c7487620

SHA512
6eb21a5327fef39bbb85329c968aeadb055397b3ada27f30a5f91cf0df93d29e0ba9e413ba4a817bdd4f95b96a506524942c98ad728a871860e5dd8da6c30b6b

Download Submit