8beabd20eb19cc7738fb706a82663a148c62d88b3ba5a3408d37b9184ff73034

Analysis

max time kernel
120s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/08/2024, 18:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c1086e3ab451fa7702ae4fd924a91a50N.exe
Size

49KB
MD5

c1086e3ab451fa7702ae4fd924a91a50
SHA1

0499d7d9e67ea85780c86abf2f1b6581591c2dc1
SHA256

8beabd20eb19cc7738fb706a82663a148c62d88b3ba5a3408d37b9184ff73034
SHA512

629ef5ce076f02da84784f503236897747bcd028937bc0211824981a5351a2c56c7dad26e63e0ed24b189a955d5246f73443dfde9c3e2d0350b573385c68cb41
SSDEEP

768:W7BlpppARFbhknrzzA8JQ2AdJCzA8JQ2AdJcUYU30N7AVn0N7AVaYW:W7ZppApkxUYU30NQn0NQaYW

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4654) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 1 IoCs

pid	Process
1824	Zombie.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Zombie.exe	c1086e3ab451fa7702ae4fd924a91a50N.exe
File opened for modification	C:\Windows\SysWOW64\Zombie.exe	c1086e3ab451fa7702ae4fd924a91a50N.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\PresentationFramework.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\Internet Explorer\es-ES\iexplore.exe.mui.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_MAKC2R-ul-oob.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOSYNC.EXE.tmp	Zombie.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\th-TH\tipresx.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Pipes.AccessControl.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-process-l1-1-0.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\wsdetect.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\splash.gif.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Excel.BackEnd.dll.tmp	Zombie.exe
File created	C:\Program Files\7-Zip\Lang\eo.txt.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.FileVersionInfo.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jre-1.8\bin\w2k_lsa_auth.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_KMS_Client-ul-oob.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\PresentationCore.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\[email protected]	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-processthreads-l1-1-1.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-convert-l1-1-0.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\cryptix.md.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Drawing.Primitives.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Serialization.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_F_COL.HXK.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\DocumentFormat.OpenXml.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Trial-pl.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Grace-ppd.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Java\jre-1.8\bin\vcruntime140.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART12.BDR.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\es\msipc.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Common Files\System\msadc\msadcer.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Http.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Glow Edge.eftx.tmp	Zombie.exe
File created	C:\Program Files\7-Zip\Lang\bg.txt.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\UIAutomationClient.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\System.Windows.Forms.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Retail-ul-phn.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-synch-l1-2-0.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Numerics.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EXPTOOWS.DLL.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\PresentationUI.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-white_scale-100.png.tmp	Zombie.exe
File created	C:\Program Files\7-Zip\Lang\fi.txt.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.DiaSymReader.Native.amd64.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.Process.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework-SystemCore.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\PresentationUI.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\PresentationCore.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\colorimaging.md.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\7-Zip\Lang\ga.txt.tmp	Zombie.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIntegration.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_OEM_Perp-ul-phn.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\TITLE.XSL.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-pl.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest3-pl.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\thaidict.md.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail2-ppd.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessDemoR_BypassTrial365-ul-oob.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Linq.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\WindowsFormsIntegration.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Trial-ul-oob.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Grace-ppd.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\UIAutomationClientSideProviders.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_OEM_Perp-pl.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_Subscription-ul-oob.xrm-ms.tmp	Zombie.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c1086e3ab451fa7702ae4fd924a91a50N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Zombie.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4892 wrote to memory of 1824	4892	c1086e3ab451fa7702ae4fd924a91a50N.exe	81
PID 4892 wrote to memory of 1824	4892	c1086e3ab451fa7702ae4fd924a91a50N.exe	81
PID 4892 wrote to memory of 1824	4892	c1086e3ab451fa7702ae4fd924a91a50N.exe	81

C:\Users\Admin\AppData\Local\Temp\c1086e3ab451fa7702ae4fd924a91a50N.exe
"C:\Users\Admin\AppData\Local\Temp\c1086e3ab451fa7702ae4fd924a91a50N.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4892
- C:\Windows\SysWOW64\Zombie.exe
  "C:\Windows\system32\Zombie.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:1824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-656926755-4116854191-210765258-1000\desktop.ini.exe

Filesize
49KB

MD5
cdcd8aec96e3cd6ca16933886ab63db5

SHA1
375be9f68d6077b7e928e6d2a95393d3c479ebf1

SHA256
bee9f6797e5a3abf1c268b281e7df8c0244eb6f4c875b98428bec32c3dc7813f

SHA512
feb2ab1565fcd80adf87d08e17c8428c14d5d0c2d64e4f311636a0b199e5fc3d275e81ab6699f8fe2e636daadaa86018d41a9fa18e566f74adc906fdb232e71e

Download Submit
C:\Windows\SysWOW64\Zombie.exe

Filesize
49KB

MD5
ff68e4388b0c284a46a79f9462b4358b

SHA1
aff71336f7d218dd76664368fbec19676b78bc76

SHA256
a78f4094fac5742b474ec8cd3ccea90f3d0b1abba3da53683041f90c96c6a372

SHA512
06c1a009df9e1ad0e80cf582697d5d69d9a8b7c84467079bf046a2a07c93f1b298b10b016550a0f7009b19a8672d0b08d63dc5cf381153ced408afef8b6d3c2e

Download Submit