Analysis

  • max time kernel
    60s
  • max time network
    35s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05/10/2024, 19:26

General

  • Target

    36c497ce1c187e8e5a5f659a428c2886768f3953d90fa7a518a68bda4b264728.exe

  • Size

    518KB

  • MD5

    5437d6a05afdc45c48dec6bfac4e60c2

  • SHA1

    3e5e57705553f6e015e200c22c6136a41119eac1

  • SHA256

    36c497ce1c187e8e5a5f659a428c2886768f3953d90fa7a518a68bda4b264728

  • SHA512

    c976b3be0b2229ce03b759db5ea47d11519637dbc45e11252f88d91875b184e28e992fd2815ba9444945ad31b4e67f29c6381263975735ded70800729b58df6b

  • SSDEEP

    6144:Reynlu0+eH9Bpox4I3ANJuBN0PDGxWSqqcfrj8XzL/3upuqs8j8IvwvWGEuTt3ny:Nnb9ZNJuzVrcX8GW8j5veWpuTtMMo

Score
9/10

Malware Config

Signatures

  • Renames multiple (1775) files with added filename extension

    This suggests ransomware activity: encrypting all of the files on the system.

  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\36c497ce1c187e8e5a5f659a428c2886768f3953d90fa7a518a68bda4b264728.exe
    "C:\Users\Admin\AppData\Local\Temp\36c497ce1c187e8e5a5f659a428c2886768f3953d90fa7a518a68bda4b264728.exe"
    1⤵
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2596
    • C:\Windows\SysWOW64\Zombie.exe
      "C:\Windows\system32\Zombie.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      PID:4600
    • C:\Users\Admin\AppData\Local\Temp\_MpCmdRun.exe
      "_MpCmdRun.exe"
      2⤵
      • Executes dropped EXE
      PID:4536

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\$Recycle.Bin\S-1-5-21-2392887640-1187051047-2909758433-1000\desktop.ini.exe

    Filesize

    62KB

    MD5

    054b44605fe2df08e0ffa428e1996006

    SHA1

    2bb3e24067a7085b110e6fa00cc4c0e1b699f608

    SHA256

    20da62b89d5be6ef172f2c680cb0f5bb34997b343a3c57bf92dcda0639549ead

    SHA512

    7d72f2ec0e7f0d85ac389db20af3a6212f57fe510338b9bb73aed3870b4a78d0323ec14db95fe7c5b13623313daf7e18017f867c35f2096684898015a51f38b5

  • C:\Users\Admin\AppData\Local\Temp\_MpCmdRun.exe

    Filesize

    456KB

    MD5

    dd8e8a4e0b8bae088dca303b78e12c77

    SHA1

    510a231c1ce12bcaee6f8d172c38ec06e524a795

    SHA256

    17ee13b7e86069505ca5b56099336a0980173c3892aee3d108f9497955e40c62

    SHA512

    9ccdbc4ff8ed0ef6aaa9120060028d8d45642d59344217d905134ea1ce416584bc4c86daa3720adc08b98c78e07cc295d16b77507a0fb56c96f464171756e0db

  • C:\Windows\SysWOW64\Zombie.exe

    Filesize

    62KB

    MD5

    5af944cf740d2192d144419d30762476

    SHA1

    363dd67cf6512196afed71bd203f28f14e10a69e

    SHA256

    d450ad7ccae673bd9f292caf4dc4b78d20b8a133036bb931cf5fa8d24e1163a5

    SHA512

    b29406b5c0125c408f600ef91079be3e0239397ba664227e139e44946f828c35485ea0af3a5423f84c0818e03bc698b4c9b0e3b5d303d86ad0e632d26264a148