33c4a2ea8aa54e144b647750d211c9b58c57d459be298dcb8eb7cfd5f92c4418

Analysis

max time kernel
119s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14-09-2024 23:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bbd9622274814e7c111d3ffb3f1d74e0N.exe
Size

91KB
MD5

bbd9622274814e7c111d3ffb3f1d74e0
SHA1

a9105de161ec5af55848d75b839e61461103ab6c
SHA256

33c4a2ea8aa54e144b647750d211c9b58c57d459be298dcb8eb7cfd5f92c4418
SHA512

f195b5bcc509ad8853d4a1bbc7362a82452194dbaf57211e8a9d7199cefd02d93144cab7704db0e5741dd89051bdf460e63b2e957b1d7441d3d832a8a7308cc4
SSDEEP

768:W7Blp9pARFbhjJQWJQuvGjDE+BqKFkszYUzf2JdmwdAsCeHvJ5YFvqix3DZzmg0i:W7Z9pApjJQWJQVFUgCEHixUPig1juYow

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4642) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 2 IoCs

pid	Process
4632	Zombie.exe
4664	_createdump.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Zombie.exe	bbd9622274814e7c111d3ffb3f1d74e0N.exe
File opened for modification	C:\Windows\SysWOW64\Zombie.exe	bbd9622274814e7c111d3ffb3f1d74e0N.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\Microsoft.VisualBasic.Forms.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-errorhandling-l1-1-0.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jre-1.8\bin\java_crw_demo.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-multibyte-l1-1-0.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_OEM_Perp-pl.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial4-ppd.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.Win32.Registry.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Trial-ppd.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\AugLoop\bundle.js.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ReachFramework.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\System.Windows.Controls.Ribbon.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_KMS_Client-ul.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_KMS_ClientC2R-ppd.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\WWINTL.DLL.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ar\msipc.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\mscordaccore_amd64_amd64_7.0.1624.6629.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_f7\FA000000007.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Linq.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.EventSource.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\ANALYS32.XLL.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.Process.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_OEM_Perp-ul-phn.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest5-ppd.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Retail-ul-oob.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.ReportingServices.DataExtensions.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Data.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-pl.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProMSDNR_Retail-ul-phn.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_MAK-ul-phn.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvApi.dll.tmp	Zombie.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsen.xml.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Drawing.Common.dll.tmp	Zombie.exe
File created	C:\Program Files\Internet Explorer\SIGNUP\install.ins.tmp	Zombie.exe
File created	C:\Program Files\Java\jre-1.8\bin\jp2native.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Slipstream.xml.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial5-pl.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Retail-pl.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipscat.xml.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ExcelFloatieXLEditTextModel.bin.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\WHOOSH.WAV.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\AdeModule.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\System.Windows.Controls.Ribbon.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\cldrdata.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\nashorn.jar.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Trial-ul-oob.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_OEM_Perp-ul-phn.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Grace-ul-oob.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.Tools.dll.tmp	Zombie.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\MEIPreload\manifest.json.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\javafx_font.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.osmmui.msi.16.en-us.xml.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial4-pl.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\th\msipc.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\Microsoft.VisualBasic.Forms.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Windows.Controls.Ribbon.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\sv.pak.tmp	Zombie.exe
File created	C:\Program Files\Common Files\System\de-DE\wab32res.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk-1.8\lib\dt.jar.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Grace-ppd.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Grace-ul-oob.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mip_upe_sdk.dll.tmp	Zombie.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bbd9622274814e7c111d3ffb3f1d74e0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Zombie.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4628 wrote to memory of 4632	4628	bbd9622274814e7c111d3ffb3f1d74e0N.exe	83
PID 4628 wrote to memory of 4632	4628	bbd9622274814e7c111d3ffb3f1d74e0N.exe	83
PID 4628 wrote to memory of 4632	4628	bbd9622274814e7c111d3ffb3f1d74e0N.exe	83
PID 4628 wrote to memory of 4664	4628	bbd9622274814e7c111d3ffb3f1d74e0N.exe	84
PID 4628 wrote to memory of 4664	4628	bbd9622274814e7c111d3ffb3f1d74e0N.exe	84

C:\Users\Admin\AppData\Local\Temp\bbd9622274814e7c111d3ffb3f1d74e0N.exe
"C:\Users\Admin\AppData\Local\Temp\bbd9622274814e7c111d3ffb3f1d74e0N.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4628
- C:\Windows\SysWOW64\Zombie.exe
  "C:\Windows\system32\Zombie.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:4632
- C:\Users\Admin\AppData\Local\Temp\_createdump.exe
  "_createdump.exe"
  2⤵
  - Executes dropped EXE
  PID:4664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2412658365-3084825385-3340777666-1000\desktop.ini.exe

Filesize
36KB

MD5
9cb209647630dc142ea9cec946aa304e

SHA1
f85fe22ef005110f7ff2b311b0012224d6fc4ada

SHA256
2e024fd79fe34140fc6e7e5325aafb9c8ccbd8cbca039c69b57bab594c019f81

SHA512
3d63f85af2d14eccce80c0ef018c7ccc6df1b0ae7891c63846b0473f8ddccd3dc394f819ac2e449525a498952575ce3428c86af3985e00bed2926030ff524c13

Download Submit
C:\Users\Admin\AppData\Local\Temp\_createdump.exe

Filesize
54KB

MD5
9ca726be24244f2cf7e2dec95b714c46

SHA1
db976e979ec442e03799a26e861dc21847afe79a

SHA256
a6324117d0f5b16d0ecaccd1497f471495e4b3d315f1df0da66758d0bbab18af

SHA512
8e44e93e4cafba0cb6d3ad2d5f5935f5961cef0c841e534865f9f74f15f5d9007c6d304a597b97641d7cc001a1ef4675b4d19775ea7f4b9a778a882f3deeb449

Download Submit
C:\Windows\SysWOW64\Zombie.exe

Filesize
36KB

MD5
5a7b2ba8007b8c5600f2ab0afbf52e96

SHA1
32775e957f3f981e4889607de5f532430930d147

SHA256
503b61a50e34cc18ed1b758350c5d5f7810d52819c35ab8bc83bdf2d0e58cea6

SHA512
56e7ad7bdbcaae2d0645feac683d456c99dfb9590e1d4c98f70b42e220111a8c393ae2e09c97cdc130c05fc2a9b24c7e144e2f666d6944c51a3c6d156e59cd5d

Download Submit