Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-08-2024 02:31
Static task: static1
Behavioral task: behavioral1
  Sample: cff8ab1dfa13e7bef413d2578502cf466d75f05c5a73bab7bfb634470dba57ea.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: cff8ab1dfa13e7bef413d2578502cf466d75f05c5a73bab7bfb634470dba57ea.exe
  Resource: win10v2004-20240802-en
General
Target: cff8ab1dfa13e7bef413d2578502cf466d75f05c5a73bab7bfb634470dba57ea.exe
Size: 83KB
MD5: 1319481afa3f52271810a1ace6fc7e2d
SHA1: 93a31ba7fe4668bdd248d5d9c2deedf72958fdd0
SHA256: cff8ab1dfa13e7bef413d2578502cf466d75f05c5a73bab7bfb634470dba57ea
SHA512: 9d052f2c64aa1efe07763ecfa055c8d8eec9641d0938fce95a79f2bf53e33a6f8bcb23365a4f59cfbd11e3a7a45ae305a08515e180565d74bc70d7db1c31ad80
SSDEEP: 1536:W7ZhA7pApM21LOA1LO2c6b25gc6b25uCrbpSvr5xpYr0ARZF6NFVogjQlRv/L6:6e7WpMgLOiLO2c6b25gc6b25uwUhQ7X+
Malware Config
Signatures
Renames multiple (5254) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
Executes dropped EXE 2 IoCs
pid | Process
3700 | _checksum.exe
3728 | Zombie.exe
Drops file in System32 directory 2 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\Zombie.exe | cff8ab1dfa13e7bef413d2578502cf466d75f05c5a73bab7bfb634470dba57ea.exe
File opened for modification | C:\Windows\SysWOW64\Zombie.exe | cff8ab1dfa13e7bef413d2578502cf466d75f05c5a73bab7bfb634470dba57ea.exe
Drops file in Program Files directory 64 IoCs
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cff8ab1dfa13e7bef413d2578502cf466d75f05c5a73bab7bfb634470dba57ea.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Zombie.exe
Suspicious use of WriteProcessMemory 5 IoCs
description | pid | Process | procid_target
PID 3492 wrote to memory of 3728 | 3492 | cff8ab1dfa13e7bef413d2578502cf466d75f05c5a73bab7bfb634470dba57ea.exe | 84
PID 3492 wrote to memory of 3728 | 3492 | cff8ab1dfa13e7bef413d2578502cf466d75f05c5a73bab7bfb634470dba57ea.exe | 84
PID 3492 wrote to memory of 3728 | 3492 | cff8ab1dfa13e7bef413d2578502cf466d75f05c5a73bab7bfb634470dba57ea.exe | 84
PID 3492 wrote to memory of 3700 | 3492 | cff8ab1dfa13e7bef413d2578502cf466d75f05c5a73bab7bfb634470dba57ea.exe | 85
PID 3492 wrote to memory of 3700 | 3492 | cff8ab1dfa13e7bef413d2578502cf466d75f05c5a73bab7bfb634470dba57ea.exe | 85
Processes
C:\Users\Admin\AppData\Local\Temp\cff8ab1dfa13e7bef413d2578502cf466d75f05c5a73bab7bfb634470dba57ea.exe  "C:\Users\Admin\AppData\Local\Temp\cff8ab1dfa13e7bef413d2578502cf466d75f05c5a73bab7bfb634470dba57ea.exe"  (PID:3492)
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\Zombie.exe  "C:\Windows\system32\Zombie.exe"  (PID:3728, child of 3492)
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
  C:\Users\Admin\AppData\Local\Temp\_checksum.exe  "_checksum.exe"  (PID:3700, child of 3492)
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads