Analysis

  • max time kernel
    150s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250502-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18/05/2025, 11:53

General

  • Target

    be2b8d4c2e8aa37b93a6c39d02b19daeed7f4c7674865bbb67129e11f8938e17.exe

  • Size

    136KB

  • MD5

    c35bbdaacb825f9ff7398b374948b83e

  • SHA1

    5184279419e4baa06ad61667fa7fc40255eaf67e

  • SHA256

    be2b8d4c2e8aa37b93a6c39d02b19daeed7f4c7674865bbb67129e11f8938e17

  • SHA512

    2fd04fa2299680101c29daf78a6142fb486058fb3f0d777dba609cc57b6e05d5369fe1f3b020947aed6788b53b54906c37cccd71e6e3b976508ba415ef85578d

  • SSDEEP

    1536:uGIIZymvG4PDo2DhA3lr1fBY4iKos40wm0PW1IrqJfMtQlD8x89u7F8:VnzhQNv40j0PW1IrEfMtyhum

Malware Config

Signatures

  • Renames multiple (5253) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\be2b8d4c2e8aa37b93a6c39d02b19daeed7f4c7674865bbb67129e11f8938e17.exe
    "C:\Users\Admin\AppData\Local\Temp\be2b8d4c2e8aa37b93a6c39d02b19daeed7f4c7674865bbb67129e11f8938e17.exe"
    1⤵
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4820
    • C:\Windows\SysWOW64\Zombie.exe
      "C:\Windows\system32\Zombie.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      PID:1712
    • C:\Users\Admin\AppData\Local\Temp\_AcroServicesUpdater2_x64.exe
      "_AcroServicesUpdater2_x64.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:3048

Network

        MITRE ATT&CK Enterprise v16

        Downloads

        • C:\$Recycle.Bin\S-1-5-21-343936533-1262634978-1863872812-1000\desktop.ini.exe

          Filesize

          17KB

          MD5

          c95eefa54fa249b5f74805d10b25d5b2

          SHA1

          7648a16482ee35b7cbb73773eeff822f88412e96

          SHA256

          b78905bc0d9aab043a3d5285dcfeca4d8234a9955b951c28210adcbe9aad4389

          SHA512

          244dcf1c6d89eae4446a5213ed3219f3ee9e6cdf7fa18f3da95cba05e374a7f570c4aca3b56ed0de8ac11c9f08004405da4e952feaa88fb1eded8238e60edfdb

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\QE0KJEE1\S3[1].htm

          Filesize

          13B

          MD5

          c83301425b2ad1d496473a5ff3d9ecca

          SHA1

          941efb7368e46b27b937d34b07fc4d41da01b002

          SHA256

          b633a587c652d02386c4f16f8c6f6aab7352d97f16367c3c40576214372dd628

          SHA512

          83bafe4c888008afdd1b72c028c7f50dee651ca9e7d8e1b332e0bf3aa1315884155a1458a304f6e5c5627e714bf5a855a8b8d7db3f4eb2bb2789fe2f8f6a1d83

        • C:\Users\Admin\AppData\Local\Temp\_AcroServicesUpdater2_x64.exe

          Filesize

          119KB

          MD5

          aba284c3712f8cdb2fdc70689933a909

          SHA1

          e836d2554ff9043605d333eace443b95c5ceb55d

          SHA256

          99727a25e431134f75c9342ca608d1007ea31733f7fd4dda32356e5e36c23f9b

          SHA512

          217ab6bfff758b1137aadaa9878727493e3efe5a72412bd4eedcb538854c5e25dcad17c7446443174b0e2ab695a9dbf7c7b67c86c89fd48055c04c2e10dfecd4

        • C:\Windows\SysWOW64\Zombie.exe

          Filesize

          17KB

          MD5

          229d7d6c64dffbdf649b205df66ed1fd

          SHA1

          53f7936d7dc02c59c08136bf29f60dc46e766d92

          SHA256

          4f8fff1eade9ef26fef0881e27fae158da5a8fc2bc6ce0128ba10d6e34780cf8

          SHA512

          fb04bb96a7918419fe0f47a5a93d825abbcbc4a597f3b7a302dcb169d5593343713429d75b356cc75bd80bc8ba91d63ffb1a5f180d9029acd4462bc799839f58

        • memory/4820-323-0x0000000000400000-0x0000000000407000-memory.dmp

          Filesize

          28KB