a26149f580261edb68dd48e312955937827fbc90d9619932a580cb9045aaa80b

Analysis

max time kernel
119s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 15:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Trojan.Win32.Zombie.RHA.exe
Size

42KB
MD5

59e28a243676daaf68aa1afcba4ab740
SHA1

2b29f9f157007bfc0e6bb391738dc4b3296ac2f2
SHA256

a26149f580261edb68dd48e312955937827fbc90d9619932a580cb9045aaa80b
SHA512

cb603ca63d2b925554cc5b3483722273b030c932f50078f961d6767b909480fc6c88f78e3fcf8142518a673c040a904e42697197b8b68014ca51c67d47500544
SSDEEP

384:yBs7Br5xjL8AgA71Fbhv/FzzwzdbZNbZY1Dxp1Dxc:/7BlpQpARFbhNIFZVZORc

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4676) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\coreclr.dll.tmp	Trojan.Win32.Zombie.RHA.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\UIAutomationClientSideProviders.resources.dll.tmp	Trojan.Win32.Zombie.RHA.exe
File created	C:\Program Files\Internet Explorer\en-US\ieinstal.exe.mui.tmp	Trojan.Win32.Zombie.RHA.exe
File created	C:\Program Files\Internet Explorer\sqmapi.dll.tmp	Trojan.Win32.Zombie.RHA.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\lcms.md.tmp	Trojan.Win32.Zombie.RHA.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription1-ul-oob.xrm-ms.tmp	Trojan.Win32.Zombie.RHA.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pkeyconfig-office.xrm-ms.tmp	Trojan.Win32.Zombie.RHA.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Http.Json.dll.tmp	Trojan.Win32.Zombie.RHA.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Mail.dll.tmp	Trojan.Win32.Zombie.RHA.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ar.pak.tmp	Trojan.Win32.Zombie.RHA.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_MAK-ul-phn.xrm-ms.tmp	Trojan.Win32.Zombie.RHA.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTrial-pl.xrm-ms.tmp	Trojan.Win32.Zombie.RHA.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Retail-ppd.xrm-ms.tmp	Trojan.Win32.Zombie.RHA.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-black_scale-180.png.tmp	Trojan.Win32.Zombie.RHA.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\ShapeCollector.exe.mui.tmp	Trojan.Win32.Zombie.RHA.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\UIAutomationProvider.resources.dll.tmp	Trojan.Win32.Zombie.RHA.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	Trojan.Win32.Zombie.RHA.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	Trojan.Win32.Zombie.RHA.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.DataIntegration.TransformDataByExample.dll.tmp	Trojan.Win32.Zombie.RHA.exe
File created	C:\Program Files\Microsoft Office\root\Office16\cpprestsdk.dll.tmp	Trojan.Win32.Zombie.RHA.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-black_scale-140.png.tmp	Trojan.Win32.Zombie.RHA.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.Aero.dll.tmp	Trojan.Win32.Zombie.RHA.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp6-pl.xrm-ms.tmp	Trojan.Win32.Zombie.RHA.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-white_scale-140.png.tmp	Trojan.Win32.Zombie.RHA.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msproof7.dll.tmp	Trojan.Win32.Zombie.RHA.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Cambria.xml.tmp	Trojan.Win32.Zombie.RHA.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\sunpkcs11.jar.tmp	Trojan.Win32.Zombie.RHA.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Retail-pl.xrm-ms.tmp	Trojan.Win32.Zombie.RHA.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaSansRegular.ttf.tmp	Trojan.Win32.Zombie.RHA.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\PresentationCore.resources.dll.tmp	Trojan.Win32.Zombie.RHA.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\WindowsFormsIntegration.resources.dll.tmp	Trojan.Win32.Zombie.RHA.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.dll.tmp	Trojan.Win32.Zombie.RHA.exe
File created	C:\Program Files\Java\jre-1.8\bin\fxplugins.dll.tmp	Trojan.Win32.Zombie.RHA.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_MAK-ul-oob.xrm-ms.tmp	Trojan.Win32.Zombie.RHA.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.DataIntegration.FuzzyMatching.dll.tmp	Trojan.Win32.Zombie.RHA.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\glib-lite.dll.tmp	Trojan.Win32.Zombie.RHA.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Extensions.dll.tmp	Trojan.Win32.Zombie.RHA.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\colorimaging.md.tmp	Trojan.Win32.Zombie.RHA.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\management\management.properties.tmp	Trojan.Win32.Zombie.RHA.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_OEM_Perp-ul-phn.xrm-ms.tmp	Trojan.Win32.Zombie.RHA.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_KMS_Client-ul.xrm-ms.tmp	Trojan.Win32.Zombie.RHA.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Security.dll.tmp	Trojan.Win32.Zombie.RHA.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-black_scale-100.png.tmp	Trojan.Win32.Zombie.RHA.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\Microsoft.VisualBasic.Forms.resources.dll.tmp	Trojan.Win32.Zombie.RHA.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Serialization.Formatters.dll.tmp	Trojan.Win32.Zombie.RHA.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Retail-ul-oob.xrm-ms.tmp	Trojan.Win32.Zombie.RHA.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTest-ul-oob.xrm-ms.tmp	Trojan.Win32.Zombie.RHA.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_OEM_Perp-pl.xrm-ms.tmp	Trojan.Win32.Zombie.RHA.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\System.Runtime.InteropServices.RuntimeInformation.dll.tmp	Trojan.Win32.Zombie.RHA.exe
File created	C:\Program Files\7-Zip\Lang\zh-cn.txt.tmp	Trojan.Win32.Zombie.RHA.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\bg-BG\tipresx.dll.mui.tmp	Trojan.Win32.Zombie.RHA.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Primitives.dll.tmp	Trojan.Win32.Zombie.RHA.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\UIAutomationTypes.resources.dll.tmp	Trojan.Win32.Zombie.RHA.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\UIAutomationTypes.resources.dll.tmp	Trojan.Win32.Zombie.RHA.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\fi.pak.tmp	Trojan.Win32.Zombie.RHA.exe
File created	C:\Program Files\Java\jre-1.8\bin\ucrtbase.dll.tmp	Trojan.Win32.Zombie.RHA.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\CASHREG.WAV.tmp	Trojan.Win32.Zombie.RHA.exe
File created	C:\Program Files\7-Zip\Lang\ga.txt.tmp	Trojan.Win32.Zombie.RHA.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Private.Xml.Linq.dll.tmp	Trojan.Win32.Zombie.RHA.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\PresentationFramework.resources.dll.tmp	Trojan.Win32.Zombie.RHA.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\PresentationFramework.resources.dll.tmp	Trojan.Win32.Zombie.RHA.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\WindowsFormsIntegration.resources.dll.tmp	Trojan.Win32.Zombie.RHA.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaTypewriterBold.ttf.tmp	Trojan.Win32.Zombie.RHA.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_KMS_Client-ppd.xrm-ms.tmp	Trojan.Win32.Zombie.RHA.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan.Win32.Zombie.RHA.exe

C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.Zombie.RHA.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.Zombie.RHA.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-786284298-625481688-3210388970-1000\desktop.ini.tmp

Filesize
42KB

MD5
a3d75970ec189a3238648ea98bc6ab92

SHA1
9f827389c4ef369720a54229b8502456399127e9

SHA256
81194a5b7debbb0d61847ef5f208ae7d60f5924496dc98f7f686e5271a2f8ec0

SHA512
9d5e89eddcca456457bd60f784a23cdbcfaff57fc2ffb63433d6457fc1fbd4ee80178ba1065cf6912cd9184cd125de56210c395ef5d5acff4201c471be371c8b

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
141KB

MD5
28a4597b9e99ac2ee9457c50de2b77f2

SHA1
de65ccc314ed2c4457939f2267bd7b80cc4ba018

SHA256
147ecd49196a7fee1a9d112cbd8a0fcfec7d0fec53687058f8252ef3a1c9fc47

SHA512
a3836cd35069bb52c9c09e291ed9172224eb36fc25df9ef07bff31c069913107a12eedbb89061f7006c785413aeede12fa47d1edb9be543c763e12a989aaca52

Download Submit
memory/3052-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3052-1028-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download