0bf1d940939b25727bb46049820cc445c86f5a8380bf21d623f3d3e51cff6d8d

Analysis

max time kernel
60s
max time network
61s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/10/2024, 19:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0bf1d940939b25727bb46049820cc445c86f5a8380bf21d623f3d3e51cff6d8d.exe
Size

6.5MB
MD5

56736f3b4c5680cf110a8c0ae748ddf9
SHA1

7960a6aab2ac4af0a502566b2f4d7d55e85c4a59
SHA256

0bf1d940939b25727bb46049820cc445c86f5a8380bf21d623f3d3e51cff6d8d
SHA512

f366f77d4e724b09ef10c707096137ad20b4878d8295be8d65f92b7cd8f5817e9b255935fc1c3b2dbe446c73613053e1605ccf9171cae277b8bfcdf7a63d0883
SSDEEP

196608:YCzNA7rlvRz1rrFBV6tpjuj6gYPKHCKst:YjUtYj6gYPYU

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (1821) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 2 IoCs

pid	Process
4476	Zombie.exe
4252	_choco.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Zombie.exe	0bf1d940939b25727bb46049820cc445c86f5a8380bf21d623f3d3e51cff6d8d.exe
File opened for modification	C:\Windows\SysWOW64\Zombie.exe	0bf1d940939b25727bb46049820cc445c86f5a8380bf21d623f3d3e51cff6d8d.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.TraceSource.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.TraceSource.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\UIAutomationTypes.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\WindowsBase.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\System.Xaml.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Pipes.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Presentation.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Forms.Design.dll.tmp	Zombie.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\tabskb.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Private.Xml.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\UIAutomationClient.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\hostpolicy.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\ReachFramework.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\et.pak.tmp	Zombie.exe
File created	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\UIAutomationProvider.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\System.Windows.Controls.Ribbon.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Http.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\ReachFramework.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\msinfo32.exe.mui.tmp	Zombie.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pkeyconfig.companion.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.Emit.Lightweight.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Linq.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\WindowsFormsIntegration.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ko-KR\tipresx.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\nb-NO\tipresx.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ca.pak.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.VisualBasic.Core.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\WindowsBase.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\PresentationUI.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Collections.NonGeneric.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Data.Common.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\PresentationFramework.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\libGLESv2.dll.tmp	Zombie.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-locale-l1-1-0.dll.tmp	Zombie.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msdaremr.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.AppContext.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Forms.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\System.Xaml.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\Microsoft.VisualBasic.Forms.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Dynamic.Runtime.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\WindowsBase.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Transactions.Local.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\WindowsFormsIntegration.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\System.Windows.Forms.Primitives.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\System.Windows.Forms.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Configuration.ConfigurationManager.dll.tmp	Zombie.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-process-l1-1-0.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-locale-l1-1-0.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.TypeExtensions.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\UIAutomationProvider.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.Aero.dll.tmp	Zombie.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu.xml.tmp	Zombie.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipssve.xml.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.CompilerServices.Unsafe.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ComponentModel.TypeConverter.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\wpfgfx_cor3.dll.tmp	Zombie.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ko.pak.tmp	Zombie.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RUI.dll.tmp	Zombie.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\ucrtbase.dll.tmp	Zombie.exe
File created	C:\Program Files\Common Files\System\msadc\fr-FR\msdaprsr.dll.mui.tmp	Zombie.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0bf1d940939b25727bb46049820cc445c86f5a8380bf21d623f3d3e51cff6d8d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Zombie.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4252	_choco.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1900 wrote to memory of 4476	1900	0bf1d940939b25727bb46049820cc445c86f5a8380bf21d623f3d3e51cff6d8d.exe	82
PID 1900 wrote to memory of 4476	1900	0bf1d940939b25727bb46049820cc445c86f5a8380bf21d623f3d3e51cff6d8d.exe	82
PID 1900 wrote to memory of 4476	1900	0bf1d940939b25727bb46049820cc445c86f5a8380bf21d623f3d3e51cff6d8d.exe	82
PID 1900 wrote to memory of 4252	1900	0bf1d940939b25727bb46049820cc445c86f5a8380bf21d623f3d3e51cff6d8d.exe	83
PID 1900 wrote to memory of 4252	1900	0bf1d940939b25727bb46049820cc445c86f5a8380bf21d623f3d3e51cff6d8d.exe	83

C:\Users\Admin\AppData\Local\Temp\0bf1d940939b25727bb46049820cc445c86f5a8380bf21d623f3d3e51cff6d8d.exe
"C:\Users\Admin\AppData\Local\Temp\0bf1d940939b25727bb46049820cc445c86f5a8380bf21d623f3d3e51cff6d8d.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Windows\SysWOW64\Zombie.exe
  "C:\Windows\system32\Zombie.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:4476
- C:\Users\Admin\AppData\Local\Temp\_choco.exe
  "_choco.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4182098368-2521458979-3782681353-1000\desktop.ini.exe

Filesize
62KB

MD5
20a094c896218f406435817e78859cd8

SHA1
f002d78f8bafc2faa79247bf9928ef4d8f565714

SHA256
c1c7675202125891fc58e944931f413c21077e1c71014c6b427cb0b5f200d82f

SHA512
cf3fe851c9da9790524514e86431829c0fc5356b7752e724986a3225e1885774cecba7f54a44715d1f3f12fc14a0fc36a7c6097cf8dffd63896f70426432970d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_choco.exe

Filesize
6.4MB

MD5
f24affc10132405930282aaeb206b7b7

SHA1
462d7a447a7d6f06bf3083c2af2f00b615c6a1a0

SHA256
abcca6f158b94303d92197bf8e6db545fe4929161e3767619176c4574ccb70fc

SHA512
c7729e3a050797b7d2c6ee07cc432c6dca56ffdb6b7e2662b1a70c90e287bbb2480a3752f262a896110f60f9ce18f884452f3cae3a06c80bef5eec476fba8cfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\chocolatey.config.4252.update

Filesize
9KB

MD5
78e591860832608ebc49dddd9fc0e1db

SHA1
d927f135f15190f95805dd8bfe6df0de20dfff53

SHA256
ccb5f71ce184e151412a8f04144011ba4da50371c20ef12778d276577f691f9a

SHA512
57f334f57f0aaba4238e7ce834784dece8e81cceae248999f1a45aa8fed0b86fe20f3d6ac6fb3649cf653e9f65f3b35695e203f1d6ed1e54e073df10fe008fc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\logs\chocolatey.log

Filesize
1KB

MD5
55d84b7469e8b382e5f55f718c6b3144

SHA1
17209112a326303e4fec2a182d68a94fc7d95405

SHA256
fa5b5d355fc4e1cbf92c0a2741bc96745a9eddf1f0c0cff3b4099b3cd18affcb

SHA512
3f9bd4364cbef5062d492ffd6dd58aaa6f0646fd0f4d5121f0433ef14fbbc237c977f745de1b166ac2dfd69416b361e0c4278e6e4405e1a29ff038b599894eed

Download Submit
C:\Users\Admin\AppData\Local\Temp\logs\chocolatey.log

Filesize
2KB

MD5
795a9ae0e60a1630a56f364fab108975

SHA1
cdcf90c65d99c014780827b1b7b17f374b093b6c

SHA256
b75a8b2462735817f9a5b1aff343227a358ae129ddd8be5b55f6a6c52798d852

SHA512
35ba6a798b98dbc6602fa2431056c4d917fefce4f9eac2cd1bd9a954c99b9bff4f82bced577e631433acfb35541d34fd2ee0db2dd0451f25e2b6a8835b04a057

Download Submit
C:\Windows\SysWOW64\Zombie.exe

Filesize
62KB

MD5
5af944cf740d2192d144419d30762476

SHA1
363dd67cf6512196afed71bd203f28f14e10a69e

SHA256
d450ad7ccae673bd9f292caf4dc4b78d20b8a133036bb931cf5fa8d24e1163a5

SHA512
b29406b5c0125c408f600ef91079be3e0239397ba664227e139e44946f828c35485ea0af3a5423f84c0818e03bc698b4c9b0e3b5d303d86ad0e632d26264a148

Download Submit
memory/4252-55-0x00007FFBD0EF3000-0x00007FFBD0EF5000-memory.dmp

Filesize
8KB

Download
memory/4252-274-0x000000001BEF0000-0x000000001BF66000-memory.dmp

Filesize
472KB

Download
memory/4252-281-0x0000000003500000-0x000000000351E000-memory.dmp

Filesize
120KB

Download
memory/4252-253-0x000000001BE20000-0x000000001BE70000-memory.dmp

Filesize
320KB

Download
memory/4252-95-0x00007FFBD0EF0000-0x00007FFBD19B1000-memory.dmp

Filesize
10.8MB

Download
memory/4252-60-0x0000000000B50000-0x00000000011C4000-memory.dmp

Filesize
6.5MB

Download
memory/4252-406-0x00007FFBD0EF0000-0x00007FFBD19B1000-memory.dmp

Filesize
10.8MB

Download