Analysis
- max time kernel: 120s
- max time network: 109s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28/07/2024, 00:12
Static task: static1
Behavioral task: behavioral1
- Sample: 1fd08a255f99a0dcbb87f4b7cae40020N.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: 1fd08a255f99a0dcbb87f4b7cae40020N.exe
- Resource: win10v2004-20240709-en
General
- Target: 1fd08a255f99a0dcbb87f4b7cae40020N.exe
- Size: 184KB
- MD5: 1fd08a255f99a0dcbb87f4b7cae40020
- SHA1: 2ad9e9c8c37e18163d120493be7bad218a77ace6
- SHA256: 327acee27ed43cd45667d5a49fbf86b4281e4ff499fb8617fe12b54b24fdeaba
- SHA512: 5a7635076385f86abb6d0c97c48b2b225b07069e36dab5e9296f5aaf6508772a38be5f40564023651105f1a5ed2eabe64c02a892f95e81e8542e5e2559e72969
- SSDEEP: 3072:6NLWpCZLYwWTSIoXkZA/gwjHnrhtVufJO05m4uvHwog8yT5FoC:u6SYwWTSIoXNHnr1GJOl4uvjgddFB
Malware Config
Signatures
-
Renames multiple (4026) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Executes dropped EXE 2 IoCs
  pid   Process
  4636  _dotnet.exe
  212   Zombie.exe
-
Drops file in System32 directory 2 IoCs
  description                   ioc                             Process
  File created                  C:\Windows\SysWOW64\Zombie.exe  1fd08a255f99a0dcbb87f4b7cae40020N.exe
  File opened for modification  C:\Windows\SysWOW64\Zombie.exe  1fd08a255f99a0dcbb87f4b7cae40020N.exe
-
Drops file in Program Files directory 64 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  1fd08a255f99a0dcbb87f4b7cae40020N.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Zombie.exe
-
Suspicious use of WriteProcessMemory 5 IoCs
  description                        pid   Process                                procid_target
  PID 1892 wrote to memory of 4636   1892  1fd08a255f99a0dcbb87f4b7cae40020N.exe  84
  PID 1892 wrote to memory of 4636   1892  1fd08a255f99a0dcbb87f4b7cae40020N.exe  84
  PID 1892 wrote to memory of 212    1892  1fd08a255f99a0dcbb87f4b7cae40020N.exe  85
  PID 1892 wrote to memory of 212    1892  1fd08a255f99a0dcbb87f4b7cae40020N.exe  85
  PID 1892 wrote to memory of 212    1892  1fd08a255f99a0dcbb87f4b7cae40020N.exe  85
Processes
- C:\Users\Admin\AppData\Local\Temp\1fd08a255f99a0dcbb87f4b7cae40020N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1fd08a255f99a0dcbb87f4b7cae40020N.exe"
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1892
  - C:\Users\Admin\AppData\Local\Temp\_dotnet.exe
    Command line: "_dotnet.exe"
    - Executes dropped EXE
    PID:4636
  - C:\Windows\SysWOW64\Zombie.exe
    Command line: "C:\Windows\system32\Zombie.exe"
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:212
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 51KB
  MD5: d52d5ffa1e79127bd4f98bd9534ab096
  SHA1: 99b2e63f6835be60100b48b869c18aad0a092417
  SHA256: c0ab83a5303e92cf1d68dc2b44f7c86c39c14d211600c52d2be5a3c44ea8c9e8
  SHA512: 88e9280e5ea70fbc1d9b1bac92cfd917037809ca5bfc2517a075dc0a5cc4cadd3226473d1a145363808e2fa6f1e660e0f3ac77de1ae32d6f15855423c3dddf5e
- Filesize: 133KB
  MD5: bd2e0226c5d444555a233930906e5779
  SHA1: ed7b36f8a6802008bba17b70c7c6beb873ca68b6
  SHA256: a8cd8b9bd4e4b99c7d6e509d1b4fefae7bc15c1e42a218e09ddfd4a924b3da9f
  SHA512: d2cdb8f7a384bdb8cfb82e67da27d05ba30206542bf54d815b71b8ba1ef43ebd8cdef3ed7a2debeccd397aeeb7196b29af966d7ea9cbb41acadaafb854e00971
- Filesize: 50KB
  MD5: 7456257542437aa450ea741473e92e79
  SHA1: 1ecf31c4bca60b42dc2744f928d780c226fd3002
  SHA256: 673e837710838e88bcc4f807b6fff7cc48156be58f64226fafeabc702c9f9d30
  SHA512: 5041071a69de03b7a3c03eccf2e85a89859806ad6564ce7ab0ff93b86ede132dc44179a6c7bbae7d13b9f57ac3d5c5c733a26571ccd8532df1bf3b15fc91033c