28afc3241063e9d5d70540185e3ae7a14fb0a33649bbbbf14cc6c0b36b3d4d36

Analysis

max time kernel
120s
max time network
111s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01-09-2024 01:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

04a71f4429bed8d039e6ef7b8f500e00N.exe
Size

89KB
MD5

04a71f4429bed8d039e6ef7b8f500e00
SHA1

ee9328166626a40c390081d42d82b663cab8cd7d
SHA256

28afc3241063e9d5d70540185e3ae7a14fb0a33649bbbbf14cc6c0b36b3d4d36
SHA512

d76e08828af3f142f3624594b4ae3ba9348dc508f1a63a4cc6d5695381d1543f6caee81000a1cfed4df0f5bba0e4df2ff33bfefdc968302b0163cf66608e2948
SSDEEP

1536:W7ZhA7pApM21LOA1LOl6Ad7ZhA7pApM21LOA1LOl6AOJOOJD:6e7WpMgLOiLOfe7WpMgLOiLOm

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4657) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 1 IoCs

pid	Process
444	Zombie.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Zombie.exe	04a71f4429bed8d039e6ef7b8f500e00N.exe
File opened for modification	C:\Windows\SysWOW64\Zombie.exe	04a71f4429bed8d039e6ef7b8f500e00N.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ink\lv-LV\tipresx.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\UIAutomationProvider.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Diagnostics.EventLog.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_OEM_Perp-pl.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription1-pl.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\PresentationFramework.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\WindowsFormsIntegration.dll.tmp	Zombie.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\VisualElements\SmallLogo.png.tmp	Zombie.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_it.properties.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.proofing.msi.16.en-us.xml.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_OEM_Perp-pl.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_PrepidBypass-ul-oob.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\PRIVATE_ODBC32.dll.tmp	Zombie.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\sl-SI\tipresx.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\UIAutomationProvider.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk-1.8\bin\policytool.exe.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Client\C2R64.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\System.Windows.Controls.Ribbon.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-white_scale-180.png.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-ul-oob.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTrial-pl.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\CLVWINTL.DLL.tmp	Zombie.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.fi-fi.dll.tmp	Zombie.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\rtscom.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ServiceModel.Web.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\UIAutomationClient.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Grace-ppd.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\RepoMan.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.StackTrace.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework-SystemXmlLinq.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework-SystemData.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Grace-ul-oob.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.InteropServices.RuntimeInformation.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\System.Windows.Forms.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_KMS_Client-ul-oob.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_Subscription-ul-oob.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_OEM_Perp-pl.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\TabTip.exe.mui.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\WindowsFormsIntegration.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_MAKC2R-ul-oob.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\ReachFramework.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk-1.8\LICENSE.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\TYPE.WAV.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-rtlsupport-l1-1-0.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jre-1.8\bin\eula.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.VisualStudio.Tools.Applications.Runtime.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\EntityPicker.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.XDocument.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Overlapped.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\System.Windows.Input.Manipulations.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-synch-l1-1-0.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOCR.DLL.tmp	Zombie.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\tipresx.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-string-l1-1-0.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\Microsoft.VisualBasic.Forms.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\UIAutomationClient.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ComponentModel.TypeConverter.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework-SystemData.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\ThirdPartyNotices.txt.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.ThreadPool.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Drawing.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\System.Windows.Input.Manipulations.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Windows.Input.Manipulations.resources.dll.tmp	Zombie.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Zombie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	04a71f4429bed8d039e6ef7b8f500e00N.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4428 wrote to memory of 444	4428	04a71f4429bed8d039e6ef7b8f500e00N.exe	84
PID 4428 wrote to memory of 444	4428	04a71f4429bed8d039e6ef7b8f500e00N.exe	84
PID 4428 wrote to memory of 444	4428	04a71f4429bed8d039e6ef7b8f500e00N.exe	84

C:\Users\Admin\AppData\Local\Temp\04a71f4429bed8d039e6ef7b8f500e00N.exe
"C:\Users\Admin\AppData\Local\Temp\04a71f4429bed8d039e6ef7b8f500e00N.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4428
- C:\Windows\SysWOW64\Zombie.exe
  "C:\Windows\system32\Zombie.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-786284298-625481688-3210388970-1000\desktop.ini.exe

Filesize
49KB

MD5
5c95e6d8354935de61cf5ef84841419d

SHA1
89bd1e8c7b72411c1f49f9881b0c8aca44858622

SHA256
2a1ef29147986d489f6538520d8dde78a84155c8b0148ac004aacc44d50dee23

SHA512
18ea50e8078f0bfa172dc8fefcb0755b82a769095c2f33aa7e253f1ea3c9d592977c1a58e17ed408dfd34485b2d465f12b45efd5c0444d46f6f02592cbf59575

Download Submit
C:\Windows\SysWOW64\Zombie.exe

Filesize
48KB

MD5
4662244910ed9ea2b13cb1a907c444b0

SHA1
393c2d5ed6ef905226974384be33da056ed469ba

SHA256
312aeb6d2e836a6bdbb4a9bdad1b31691e8dc5516aad98b36d4d3f14c5711b85

SHA512
87ba46c1ad1c81aa172a5878c7830a2fb68a602863cc3010ac5bb010e670d86e31aaea8064acef96ed6d103d467f6ac5652be9608d40f84390f22f5488bb34e7

Download Submit