9cb372edffe9ea9a883ebba1038d569b8aa1dd528cdc707ac05f862544c446c2

Analysis

max time kernel
120s
max time network
92s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/09/2024, 01:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aace612c922f451c1dee7d54b60485f0N.exe
Size

625KB
MD5

aace612c922f451c1dee7d54b60485f0
SHA1

1fe239d69ca03128e6ac37a2135b298e0c436a09
SHA256

9cb372edffe9ea9a883ebba1038d569b8aa1dd528cdc707ac05f862544c446c2
SHA512

1932bfb6a651723bde6964fe30e3142e8b3f147d58de6b964937e1fd4814957bd5812bf28eed4dac20ce097b4999e069347a0c2cf232d378e02098e977d07153
SSDEEP

6144:SeWQSoOf5uKhbSnHXBMV5jdCBjtsD52dmdLqff86+jVvaYMLOen9Bp1xf2ODuYMY:yQtOUVRMstsD5pAfujVvaYML59RIgR

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4229) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 2 IoCs

pid	Process
2912	Zombie.exe
1740	_MpCmdRun.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Zombie.exe	aace612c922f451c1dee7d54b60485f0N.exe
File opened for modification	C:\Windows\SysWOW64\Zombie.exe	aace612c922f451c1dee7d54b60485f0N.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\UIAutomationProvider.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.Classic.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Printing.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_Subscription-ul-oob.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Common Files\System\ado\msadox28.tlb.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Primitives.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.Primitives.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jre-1.8\bin\npt.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\sql90.xsl.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.NameResolution.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\WindowsBase.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\UIAutomationProvider.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\MEIPreload\manifest.json.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jsdt.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\xalan.md.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Grace-ul-oob.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipssrb.xml.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Serialization.Primitives.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Overlapped.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\UIAutomationProvider.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_wer.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\sound.properties.tmp	Zombie.exe
File created	C:\Program Files\Java\jre-1.8\bin\keytool.exe.tmp	Zombie.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\sunpkcs11.jar.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail-ul-oob.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_OEM_Perp-pl.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Java\jre-1.8\bin\server\jvm.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTest-pl.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\7-Zip\7zCon.sfx.tmp	Zombie.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsjpn.xml.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.TraceSource.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Microsoft.Win32.SystemEvents.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\System.Windows.Controls.Ribbon.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\UIAutomationTypes.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-sysinfo-l1-1-0.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\net.properties.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_OEM_Perp-ul-phn.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Trial-pl.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Grace-ppd.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.ThreadPool.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-console-l1-2-0.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Grace-ul-oob.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Overlapped.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\UIAutomationProvider.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\j2pcsc.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\w2k_lsa_auth.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail2-ul-phn.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\trdtv2r41.xsl.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\PresentationCore.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\System.Windows.Forms.Primitives.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\System.Windows.Forms.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.Debug.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework-SystemXmlLinq.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\prism_sw.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\cacerts.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial2-pl.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\System.Windows.Forms.Primitives.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\WindowsFormsIntegration.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\UIAutomationClient.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\asm.md.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\Microsoft.VisualBasic.Forms.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jp2ssv.dll.tmp	Zombie.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aace612c922f451c1dee7d54b60485f0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Zombie.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2700 wrote to memory of 2912	2700	aace612c922f451c1dee7d54b60485f0N.exe	85
PID 2700 wrote to memory of 2912	2700	aace612c922f451c1dee7d54b60485f0N.exe	85
PID 2700 wrote to memory of 2912	2700	aace612c922f451c1dee7d54b60485f0N.exe	85
PID 2700 wrote to memory of 1740	2700	aace612c922f451c1dee7d54b60485f0N.exe	86
PID 2700 wrote to memory of 1740	2700	aace612c922f451c1dee7d54b60485f0N.exe	86

C:\Users\Admin\AppData\Local\Temp\aace612c922f451c1dee7d54b60485f0N.exe
"C:\Users\Admin\AppData\Local\Temp\aace612c922f451c1dee7d54b60485f0N.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Windows\SysWOW64\Zombie.exe
  "C:\Windows\system32\Zombie.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:2912
- C:\Users\Admin\AppData\Local\Temp\_MpCmdRun.exe
  "_MpCmdRun.exe"
  2⤵
  - Executes dropped EXE
  PID:1740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-355097885-2402257403-2971294179-1000\desktop.ini.tmp

Filesize
72KB

MD5
ff5142588624f4f9bbd1da704759c677

SHA1
bb56cd9b91562dc5689cadba103f2e5138850c10

SHA256
4754812a6441c9a4b5ae9cd2f6f5ede6ce31fc96876468d053598d9eb55ed1e5

SHA512
0c1f9dcf98621204342f17b3a7ede9388b837a000025d1478dc2b04cea419280365f9c52af37923fc7e0d8bd011857faa94967c8e223f3283e65be176fb8e560

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MpCmdRun.exe

Filesize
553KB

MD5
d20b034be63c99803fb9b659d5e08c4f

SHA1
cc6846f52e59a0c84a16fcadca34a8996630a0d2

SHA256
ac9142ef4843eed75a010d6d31386f288757e9bffab9072eeb20c4a16ab5a26b

SHA512
fdf53323a320e39b98c0a0b327437e96dd1d405025b93d8909cd3821dbdec0ef9bc1bec09a6471d31b3f7af07ce587aa450c7bc2da56ce7abfaa6a607bc2b168

Download Submit
C:\Windows\SysWOW64\Zombie.exe

Filesize
72KB

MD5
164dcc263625567891f12dbf65133712

SHA1
7dcf919defe5c4b27b4cb6b2503f68801f593fee

SHA256
00fa6029f24c18aebc7ad3afe77fad5aa6d10f8fbbc4a17ebfcf9aaaaa2c944a

SHA512
22dbefd046ae5f49d7e0ee576e15bbef30f8b32c3b6bf3e60acedab558c0b827512a5a96fc4c95e162dd78e906141924f6d9fe6ae27f34a768d48729c45711ab

Download Submit