Analysis
-
max time kernel
60s -
max time network
35s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
05/10/2024, 19:26
Static task
static1
Behavioral task
behavioral1
Sample
36c497ce1c187e8e5a5f659a428c2886768f3953d90fa7a518a68bda4b264728.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
36c497ce1c187e8e5a5f659a428c2886768f3953d90fa7a518a68bda4b264728.exe
Resource
win10v2004-20240802-en
General
-
Target
36c497ce1c187e8e5a5f659a428c2886768f3953d90fa7a518a68bda4b264728.exe
-
Size
518KB
-
MD5
5437d6a05afdc45c48dec6bfac4e60c2
-
SHA1
3e5e57705553f6e015e200c22c6136a41119eac1
-
SHA256
36c497ce1c187e8e5a5f659a428c2886768f3953d90fa7a518a68bda4b264728
-
SHA512
c976b3be0b2229ce03b759db5ea47d11519637dbc45e11252f88d91875b184e28e992fd2815ba9444945ad31b4e67f29c6381263975735ded70800729b58df6b
-
SSDEEP
6144:Reynlu0+eH9Bpox4I3ANJuBN0PDGxWSqqcfrj8XzL/3upuqs8j8IvwvWGEuTt3ny:Nnb9ZNJuzVrcX8GW8j5veWpuTtMMo
Malware Config
Signatures
-
Renames multiple (1775) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Executes dropped EXE 2 IoCs
pid Process 4600 Zombie.exe 4536 _MpCmdRun.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\SysWOW64\Zombie.exe 36c497ce1c187e8e5a5f659a428c2886768f3953d90fa7a518a68bda4b264728.exe File opened for modification C:\Windows\SysWOW64\Zombie.exe 36c497ce1c187e8e5a5f659a428c2886768f3953d90fa7a518a68bda4b264728.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\System.Windows.Forms.Primitives.resources.dll.tmp Zombie.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\PresentationCore.resources.dll.tmp Zombie.exe File created C:\Program Files\Common Files\System\Ole DB\es-ES\msdasqlr.dll.mui.tmp Zombie.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Linq.Parallel.dll.tmp Zombie.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.XDocument.dll.tmp Zombie.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\PresentationUI.resources.dll.tmp Zombie.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Forms.Primitives.dll.tmp Zombie.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.FileSystem.Primitives.dll.tmp Zombie.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\ReachFramework.resources.dll.tmp Zombie.exe File created C:\Program Files\Common Files\microsoft shared\ink\da-DK\tipresx.dll.mui.tmp Zombie.exe File created C:\Program Files\Common Files\microsoft shared\ink\de-DE\rtscom.dll.mui.tmp Zombie.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Data.DataSetExtensions.dll.tmp Zombie.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Metadata.dll.tmp Zombie.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Data.Common.dll.tmp Zombie.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\UIAutomationClientSideProviders.resources.dll.tmp Zombie.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Windows.Extensions.dll.tmp Zombie.exe File created C:\Program Files\Common Files\microsoft shared\ink\it-IT\ShapeCollector.exe.mui.tmp Zombie.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Collections.NonGeneric.dll.tmp Zombie.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Windows.Input.Manipulations.resources.dll.tmp Zombie.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\System.Windows.Controls.Ribbon.resources.dll.tmp Zombie.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\System.Windows.Forms.Design.resources.dll.tmp Zombie.exe File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.cs-cz.dll.tmp Zombie.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\Microsoft.VisualBasic.Forms.resources.dll.tmp Zombie.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\System.Windows.Forms.Design.resources.dll.tmp Zombie.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\Microsoft.VisualBasic.Forms.resources.dll.tmp Zombie.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Diagnostics.EventLog.Messages.dll.tmp Zombie.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.XDocument.dll.tmp Zombie.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\WindowsBase.resources.dll.tmp Zombie.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\UIAutomationProvider.resources.dll.tmp Zombie.exe File created C:\Program Files\Common Files\microsoft shared\ink\uk-UA\TipRes.dll.mui.tmp Zombie.exe File created C:\Program Files\Common Files\System\msadc\es-ES\msadcer.dll.mui.tmp Zombie.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ComponentModel.TypeConverter.dll.tmp Zombie.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\WindowsFormsIntegration.dll.tmp Zombie.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework-SystemDrawing.dll.tmp Zombie.exe File created C:\Program Files\7-Zip\Lang\de.txt.tmp Zombie.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-errorhandling-l1-1-0.dll.tmp Zombie.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-processthreads-l1-1-0.dll.tmp Zombie.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.VisualBasic.Core.dll.tmp Zombie.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\UIAutomationClientSideProviders.resources.dll.tmp Zombie.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.Csp.dll.tmp Zombie.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\WindowsFormsIntegration.resources.dll.tmp Zombie.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Security.Permissions.dll.tmp Zombie.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\PresentationCore.resources.dll.tmp Zombie.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\UIAutomationProvider.resources.dll.tmp Zombie.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Configuration.ConfigurationManager.dll.tmp Zombie.exe File created C:\Program Files\Common Files\System\ado\es-ES\msader15.dll.mui.tmp Zombie.exe File created C:\Program Files\Common Files\System\Ole DB\ja-JP\sqloledb.rll.mui.tmp Zombie.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Core.dll.tmp Zombie.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Resources.ResourceManager.dll.tmp Zombie.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.Encoding.dll.tmp Zombie.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\PresentationUI.resources.dll.tmp Zombie.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ReachFramework.dll.tmp Zombie.exe File created C:\Program Files\7-Zip\License.txt.tmp Zombie.exe File created C:\Program Files\Common Files\System\msadc\en-US\msdaremr.dll.mui.tmp Zombie.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Mail.dll.tmp Zombie.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.XDocument.dll.tmp Zombie.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\UIAutomationProvider.resources.dll.tmp Zombie.exe File created C:\Program Files\7-Zip\Lang\da.txt.tmp Zombie.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Threading.AccessControl.dll.tmp Zombie.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ValueTuple.dll.tmp Zombie.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\System.Windows.Forms.Design.resources.dll.tmp Zombie.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\UIAutomationTypes.resources.dll.tmp Zombie.exe File created C:\Program Files\7-Zip\Lang\ba.txt.tmp Zombie.exe File created C:\Program Files\7-Zip\Lang\be.txt.tmp Zombie.exe -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 36c497ce1c187e8e5a5f659a428c2886768f3953d90fa7a518a68bda4b264728.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Zombie.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 2596 wrote to memory of 4600 2596 36c497ce1c187e8e5a5f659a428c2886768f3953d90fa7a518a68bda4b264728.exe 82 PID 2596 wrote to memory of 4600 2596 36c497ce1c187e8e5a5f659a428c2886768f3953d90fa7a518a68bda4b264728.exe 82 PID 2596 wrote to memory of 4600 2596 36c497ce1c187e8e5a5f659a428c2886768f3953d90fa7a518a68bda4b264728.exe 82 PID 2596 wrote to memory of 4536 2596 36c497ce1c187e8e5a5f659a428c2886768f3953d90fa7a518a68bda4b264728.exe 83 PID 2596 wrote to memory of 4536 2596 36c497ce1c187e8e5a5f659a428c2886768f3953d90fa7a518a68bda4b264728.exe 83 PID 2596 wrote to memory of 4536 2596 36c497ce1c187e8e5a5f659a428c2886768f3953d90fa7a518a68bda4b264728.exe 83
Processes
-
C:\Users\Admin\AppData\Local\Temp\36c497ce1c187e8e5a5f659a428c2886768f3953d90fa7a518a68bda4b264728.exe"C:\Users\Admin\AppData\Local\Temp\36c497ce1c187e8e5a5f659a428c2886768f3953d90fa7a518a68bda4b264728.exe"1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Windows\SysWOW64\Zombie.exe"C:\Windows\system32\Zombie.exe"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4600
-
-
C:\Users\Admin\AppData\Local\Temp\_MpCmdRun.exe"_MpCmdRun.exe"2⤵
- Executes dropped EXE
PID:4536
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
62KB
MD5054b44605fe2df08e0ffa428e1996006
SHA12bb3e24067a7085b110e6fa00cc4c0e1b699f608
SHA25620da62b89d5be6ef172f2c680cb0f5bb34997b343a3c57bf92dcda0639549ead
SHA5127d72f2ec0e7f0d85ac389db20af3a6212f57fe510338b9bb73aed3870b4a78d0323ec14db95fe7c5b13623313daf7e18017f867c35f2096684898015a51f38b5
-
Filesize
456KB
MD5dd8e8a4e0b8bae088dca303b78e12c77
SHA1510a231c1ce12bcaee6f8d172c38ec06e524a795
SHA25617ee13b7e86069505ca5b56099336a0980173c3892aee3d108f9497955e40c62
SHA5129ccdbc4ff8ed0ef6aaa9120060028d8d45642d59344217d905134ea1ce416584bc4c86daa3720adc08b98c78e07cc295d16b77507a0fb56c96f464171756e0db
-
Filesize
62KB
MD55af944cf740d2192d144419d30762476
SHA1363dd67cf6512196afed71bd203f28f14e10a69e
SHA256d450ad7ccae673bd9f292caf4dc4b78d20b8a133036bb931cf5fa8d24e1163a5
SHA512b29406b5c0125c408f600ef91079be3e0239397ba664227e139e44946f828c35485ea0af3a5423f84c0818e03bc698b4c9b0e3b5d303d86ad0e632d26264a148