Analysis
- max time kernel: 120s
- max time network: 100s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05/08/2024, 20:52
Behavioral task: behavioral1
- Sample: 044916cb5912a4af99997ab93e9c4a90N.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: 044916cb5912a4af99997ab93e9c4a90N.exe
- Resource: win10v2004-20240802-en
General
- Target: 044916cb5912a4af99997ab93e9c4a90N.exe
- Size: 485KB
- MD5: 044916cb5912a4af99997ab93e9c4a90
- SHA1: d868476df6d8ac58281e66e7bd45d2870989405b
- SHA256: 6e90ce9865b0268e368e4dbeb0b1b8d14c36096c65d3733b4d2b6b12ad5898b8
- SHA512: 9588bc20098420cb33c6936b35a30446cae65fcc2ef2e995436716892300b44e258ddcdaed42fc2d4d33d3356f76bb0d0e41b56130f5dc4d4088c4101bb537dd
- SSDEEP: 6144:eYrIOXsqmWzJrdc6GJRQUWGUA9PRWLiFSbE56FORF6:+2lWRPWhA9PRWg9q
Malware Config
Signatures
- Renames multiple (4666) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Executes dropped EXE (2 IoCs)
  pid | Process
  4548 | Zombie.exe
  5700 | _setup.exe
- YARA rule matches
  resource | yara_rule
  behavioral2/memory/2948-0-0x0000000000400000-0x000000000040A000-memory.dmp | upx
  behavioral2/files/0x0009000000023472-6.dat | upx
  behavioral2/memory/4548-9-0x0000000000400000-0x000000000040A000-memory.dmp | upx
  behavioral2/files/0x00070000000234dc-13.dat | upx
- Drops file in System32 directory (2 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\Zombie.exe | 044916cb5912a4af99997ab93e9c4a90N.exe
  File opened for modification | C:\Windows\SysWOW64\Zombie.exe | 044916cb5912a4af99997ab93e9c4a90N.exe
- Drops file in Program Files directory (64 IoCs)
  description | ioc | Process
  File created | C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-synch-l1-2-0.dll.tmp | Zombie.exe
  File created | C:\Program Files\Java\jre-1.8\lib\deploy\[email protected] | Zombie.exe
  File created | C:\Program Files\Microsoft Office\root\Office16\GKPowerPoint.dll.tmp | Zombie.exe
  File created | C:\Program Files\Java\jdk-1.8\lib\ir.idl.tmp | Zombie.exe
  File created | C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest3-pl.xrm-ms.tmp | Zombie.exe
  File created | C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-white_scale-180.png.tmp | Zombie.exe
  File created | C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-white_scale-180.png.tmp | Zombie.exe
  File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\StreamServer.dll.tmp | Zombie.exe
  File created | C:\Program Files\Java\jdk-1.8\include\win32\jawt_md.h.tmp | Zombie.exe
  File created | C:\Program Files\Java\jdk-1.8\legal\jdk\lcms.md.tmp | Zombie.exe
  File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\WindowsFormsIntegration.resources.dll.tmp | Zombie.exe
  File created | C:\Program Files\Java\jdk-1.8\jre\legal\jdk\colorimaging.md.tmp | Zombie.exe
  File created | C:\Program Files\Java\jdk-1.8\legal\jdk\pkcs11cryptotoken.md.tmp | Zombie.exe
  File created | C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-memory-l1-1-0.dll.tmp | Zombie.exe
  File created | C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_OEM_Perp-ppd.xrm-ms.tmp | Zombie.exe
  File created | C:\Program Files\7-Zip\Lang\kaa.txt.tmp | Zombie.exe
  File created | C:\Program Files\7-Zip\Lang\nn.txt.tmp | Zombie.exe
  File created | C:\Program Files\Common Files\microsoft shared\ink\en-GB\tipresx.dll.mui.tmp | Zombie.exe
  File created | C:\Program Files\Microsoft Office\root\Licenses16\ProjectProDemoR_BypassTrial180-ppd.xrm-ms.tmp | Zombie.exe
  File created | C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_MAKC2R-ul-oob.xrm-ms.tmp | Zombie.exe
  File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.tmp | Zombie.exe
  File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\WindowsBase.dll.tmp | Zombie.exe
  File created | C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Grace-ul-oob.xrm-ms.tmp | Zombie.exe
  File created | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue.xml.tmp | Zombie.exe
  File created | C:\Program Files\Common Files\microsoft shared\ink\ipskor.xml.tmp | Zombie.exe
  File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\UIAutomationTypes.resources.dll.tmp | Zombie.exe
  File created | C:\Program Files\Java\jre-1.8\legal\jdk\giflib.md.tmp | Zombie.exe
  File created | C:\Program Files\Microsoft Office\root\Office16\1033\offsymk.ttf.tmp | Zombie.exe
  File created | C:\Program Files\Java\jdk-1.8\jre\bin\splashscreen.dll.tmp | Zombie.exe
  File created | C:\Program Files\Java\jre-1.8\bin\jp2ssv.dll.tmp | Zombie.exe
  File created | C:\Program Files\Microsoft Office\root\Licenses16\AccessR_OEM_Perp-ul-oob.xrm-ms.tmp | Zombie.exe
  File created | C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Trial-ppd.xrm-ms.tmp | Zombie.exe
  File created | C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTest-ppd.xrm-ms.tmp | Zombie.exe
  File created | C:\Program Files\Common Files\microsoft shared\ink\hwrlatinlm.dat.tmp | Zombie.exe
  File created | C:\Program Files\Common Files\microsoft shared\ink\ipsrus.xml.tmp | Zombie.exe
  File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\UIAutomationClientSideProviders.resources.dll.tmp | Zombie.exe
  File created | C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\libcurl.dll.tmp | Zombie.exe
  File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\FrequentOfficeUpdateSchedule.xml.tmp | Zombie.exe
  File created | C:\Program Files\Google\Chrome\Application\123.0.6312.123\icudtl.dat.tmp | Zombie.exe
  File created | C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest1-ul-oob.xrm-ms.tmp | Zombie.exe
  File created | C:\Program Files\Java\jre-1.8\bin\jli.dll.tmp | Zombie.exe
  File created | C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Retail-ul-oob.xrm-ms.tmp | Zombie.exe
  File created | C:\Program Files\Common Files\System\ado\msadrh15.dll.tmp | Zombie.exe
  File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.XDocument.dll.tmp | Zombie.exe
  File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\UIAutomationClient.resources.dll.tmp | Zombie.exe
  File created | C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTrial-pl.xrm-ms.tmp | Zombie.exe
  File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Windows.Forms.Design.Editors.dll.tmp | Zombie.exe
  File created | C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe.tmp | Zombie.exe
  File created | C:\Program Files\Java\jdk-1.8\jre\bin\vcruntime140_1.dll.tmp | Zombie.exe
  File created | C:\Program Files\Microsoft Office\root\Office16\1033\ClientARMRefer_eula.txt.tmp | Zombie.exe
  File created | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Spatial.NetFX35.dll.tmp | Zombie.exe
  File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.XDocument.dll.tmp | Zombie.exe
  File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\WindowsFormsIntegration.resources.dll.tmp | Zombie.exe
  File created | C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTrial-ppd.xrm-ms.tmp | Zombie.exe
  File created | C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp | Zombie.exe
  File created | C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.scale-100.png.tmp | Zombie.exe
  File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\PresentationFramework.resources.dll.tmp | Zombie.exe
  File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\PresentationCore.resources.dll.tmp | Zombie.exe
  File created | C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe.tmp | Zombie.exe
  File created | C:\Program Files\Java\jre-1.8\bin\fontmanager.dll.tmp | Zombie.exe
  File created | C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial-pl.xrm-ms.tmp | Zombie.exe
  File created | C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_Subscription-ul-oob.xrm-ms.tmp | Zombie.exe
  File created | C:\Program Files\Microsoft Office\root\Office16\MSOARIACAPI.DLL.tmp | Zombie.exe
  File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\System.Windows.Forms.Primitives.resources.dll.tmp | Zombie.exe
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 044916cb5912a4af99997ab93e9c4a90N.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Zombie.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | _setup.exe
- Suspicious use of SetWindowsHookEx (3 IoCs)
  pid | Process
  5700 | _setup.exe
  5700 | _setup.exe
  5700 | _setup.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 2948 wrote to memory of 4548 | 2948 | 044916cb5912a4af99997ab93e9c4a90N.exe | 83
  PID 2948 wrote to memory of 4548 | 2948 | 044916cb5912a4af99997ab93e9c4a90N.exe | 83
  PID 2948 wrote to memory of 4548 | 2948 | 044916cb5912a4af99997ab93e9c4a90N.exe | 83
  PID 2948 wrote to memory of 5700 | 2948 | 044916cb5912a4af99997ab93e9c4a90N.exe | 84
  PID 2948 wrote to memory of 5700 | 2948 | 044916cb5912a4af99997ab93e9c4a90N.exe | 84
  PID 2948 wrote to memory of 5700 | 2948 | 044916cb5912a4af99997ab93e9c4a90N.exe | 84
Processes
- C:\Users\Admin\AppData\Local\Temp\044916cb5912a4af99997ab93e9c4a90N.exe (PID 2948, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\044916cb5912a4af99997ab93e9c4a90N.exe"
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\Zombie.exe (PID 4548, depth 2)
    Command line: "C:\Windows\system32\Zombie.exe"
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\_setup.exe (PID 5700, depth 2)
    Command line: "_setup.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 28KB
  MD5: 0566ea96e4a7b157b0b0ed6b796f0718
  SHA1: 0343d7d1365961c088fa38dc33c8cce754a218d6
  SHA256: 45f9e5661d32b8904792e1b9ecad5f1e573a84df3d03184c88bf37efb54afcfd
  SHA512: e59cd6ee1b375c498a1637dd03db1d0961f41eb6e8b3a5c274be86173532df6a94faeb11018dec2e4951f76597addabd66295be94a018219a629bb76b50a91c5
- Filesize: 457KB
  MD5: 446366ca32877e2290d0bd8f22e11809
  SHA1: b620d296d53566d9a07c1cabc92c50d0f5c4f34a
  SHA256: 4b76c0ea832d58966f824cfedb9a3831b1c286b13cc22d56e29dad7966847184
  SHA512: edbb4cd70b9c372f827136db217087451732f83a34af854ff031a659e9aee0fe849c0005a38d2bd19f438f8277147101a577fa900b89e2e1f804b369134255cf
- Filesize: 28KB
  MD5: 7f11a9c186a2bad84ea9d082601472c1
  SHA1: 38fa0ff56f89bfc933116d5e48e5a0bea089eee9
  SHA256: 50f2396a9cd91c2a251b692ed073b5d208e61c90d6c754364c1ce9b2b0286bad
  SHA512: 78f2d0be3fdd54593b948a84c15f2a90858c30cbc361987bec312e04ffd494ff3868ce0be380534097290ad489933f1831f9fbb4a620be0f41021f015b55091c