Analysis
-
max time kernel
150s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20250502-en -
resource tags
arch:x64arch:x86image:win10v2004-20250502-enlocale:en-usos:windows10-2004-x64system -
submitted
18/05/2025, 11:53
Static task
static1
Behavioral task
behavioral1
Sample
be2b8d4c2e8aa37b93a6c39d02b19daeed7f4c7674865bbb67129e11f8938e17.exe
Resource
win10v2004-20250502-en
Behavioral task
behavioral2
Sample
be2b8d4c2e8aa37b93a6c39d02b19daeed7f4c7674865bbb67129e11f8938e17.exe
Resource
win11-20250502-en
General
-
Target
be2b8d4c2e8aa37b93a6c39d02b19daeed7f4c7674865bbb67129e11f8938e17.exe
-
Size
136KB
-
MD5
c35bbdaacb825f9ff7398b374948b83e
-
SHA1
5184279419e4baa06ad61667fa7fc40255eaf67e
-
SHA256
be2b8d4c2e8aa37b93a6c39d02b19daeed7f4c7674865bbb67129e11f8938e17
-
SHA512
2fd04fa2299680101c29daf78a6142fb486058fb3f0d777dba609cc57b6e05d5369fe1f3b020947aed6788b53b54906c37cccd71e6e3b976508ba415ef85578d
-
SSDEEP
1536:uGIIZymvG4PDo2DhA3lr1fBY4iKos40wm0PW1IrqJfMtQlD8x89u7F8:VnzhQNv40j0PW1IrEfMtyhum
Malware Config
Signatures
-
Renames multiple (5253) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Executes dropped EXE 2 IoCs
pid Process 3048 _AcroServicesUpdater2_x64.exe 1712 Zombie.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\SysWOW64\Zombie.exe be2b8d4c2e8aa37b93a6c39d02b19daeed7f4c7674865bbb67129e11f8938e17.exe File opened for modification C:\Windows\SysWOW64\Zombie.exe be2b8d4c2e8aa37b93a6c39d02b19daeed7f4c7674865bbb67129e11f8938e17.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.Serialization.dll.tmp Zombie.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\ko\UIAutomationClient.resources.dll.tmp Zombie.exe File created C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Retail-ul-oob.xrm-ms.tmp Zombie.exe File created C:\Program Files\Internet Explorer\uk-UA\iexplore.exe.mui.tmp Zombie.exe File created C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaBrightDemiBold.ttf.tmp Zombie.exe File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Retail-ul-phn.xrm-ms.tmp Zombie.exe File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTest-ul-oob.xrm-ms.tmp Zombie.exe File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_MAK_AE-pl.xrm-ms.tmp Zombie.exe File created C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_MAK_AE-ppd.xrm-ms.tmp Zombie.exe File created C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_KMS_Client-ppd.xrm-ms.tmp Zombie.exe File created C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusDemoR_BypassTrial365-ul-oob.xrm-ms.tmp Zombie.exe File created C:\Program Files\Microsoft Office\root\Office16\GKPowerPoint.dll.tmp Zombie.exe File created C:\Program Files\Microsoft Office\root\Office16\MEDIA\ARROW.WAV.tmp Zombie.exe File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] Zombie.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.Collections.dll.tmp Zombie.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\WindowsBase.resources.dll.tmp Zombie.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\PresentationFramework.resources.dll.tmp Zombie.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.Runtime.Serialization.Formatters.dll.tmp Zombie.exe File created C:\Program Files\Java\jdk-1.8\jre\bin\java.dll.tmp Zombie.exe File created C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_Subscription-ul-oob.xrm-ms.tmp Zombie.exe File created C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_KMS_Client-ppd.xrm-ms.tmp Zombie.exe File created C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_MAK-pl.xrm-ms.tmp Zombie.exe File created C:\Program Files\Microsoft Office\root\Office16\MSOHEVI.DLL.tmp Zombie.exe File created C:\Program Files\Microsoft Office\root\Office16\msvcp120.dll.tmp Zombie.exe File created C:\Program Files\Common Files\microsoft shared\ink\tpcps.dll.tmp Zombie.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\vcruntime140_cor3.dll.tmp Zombie.exe File created C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTrial-ul-oob.xrm-ms.tmp Zombie.exe File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected] Zombie.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\PresentationCore.resources.dll.tmp Zombie.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\Microsoft.VisualBasic.Forms.resources.dll.tmp Zombie.exe File created C:\Program Files\Java\jdk-1.8\bin\java.exe.tmp Zombie.exe File created C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription5-ppd.xrm-ms.tmp Zombie.exe File created C:\Program Files\Microsoft Office\root\rsod\onenote.x-none.msi.16.x-none.boot.tree.dat.tmp Zombie.exe File created C:\Program Files\Common Files\microsoft shared\ink\uk-UA\TipRes.dll.mui.tmp Zombie.exe File created C:\Program Files\Common Files\System\ado\ja-JP\msader15.dll.mui.tmp Zombie.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.IsolatedStorage.dll.tmp Zombie.exe File created C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Grace-ul-oob.xrm-ms.tmp Zombie.exe File created C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_COL.HXC.tmp Zombie.exe File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\Sybase.xsl.tmp Zombie.exe File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.scale-80.png.tmp Zombie.exe File created C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\sbicudt58_64.dll.tmp Zombie.exe File created C:\Program Files\Common Files\System\Ole DB\msdasql.dll.tmp Zombie.exe File created C:\Program Files\ConnectEnter.M2T.tmp Zombie.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Formats.Tar.dll.tmp Zombie.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\PresentationUI.resources.dll.tmp Zombie.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\PresentationUI.resources.dll.tmp Zombie.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Controls.Ribbon.dll.tmp Zombie.exe File created C:\Program Files\Microsoft Office\root\Office16\McePerfCtr.man.tmp Zombie.exe File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\cs\msipc.dll.mui.tmp Zombie.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\UIAutomationTypes.resources.dll.tmp Zombie.exe File created C:\Program Files\Java\jre-1.8\legal\jdk\lcms.md.tmp Zombie.exe File created C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_OEM_Perp-ul-phn.xrm-ms.tmp Zombie.exe File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp4-pl.xrm-ms.tmp Zombie.exe File created C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_MAK-ppd.xrm-ms.tmp Zombie.exe File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\WPFEXTENSIONS.DLL.tmp Zombie.exe File created C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\Heartbeat\HeartbeatCache.xml.tmp Zombie.exe File created C:\Program Files\Common Files\microsoft shared\ink\hwrdeulm.dat.tmp Zombie.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\cs\UIAutomationClient.resources.dll.tmp Zombie.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\it\System.Windows.Forms.Primitives.resources.dll.tmp Zombie.exe File created C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe.tmp Zombie.exe File created C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentDemoR_BypassTrial180-ppd.xrm-ms.tmp Zombie.exe File created C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Retail-ul-phn.xrm-ms.tmp Zombie.exe File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\manifest.xml.tmp Zombie.exe File created C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\SharePointTeamSite.ico.tmp Zombie.exe -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language be2b8d4c2e8aa37b93a6c39d02b19daeed7f4c7674865bbb67129e11f8938e17.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Zombie.exe -
Suspicious behavior: EnumeratesProcesses 18 IoCs
pid Process 3048 _AcroServicesUpdater2_x64.exe 3048 _AcroServicesUpdater2_x64.exe 3048 _AcroServicesUpdater2_x64.exe 3048 _AcroServicesUpdater2_x64.exe 3048 _AcroServicesUpdater2_x64.exe 3048 _AcroServicesUpdater2_x64.exe 3048 _AcroServicesUpdater2_x64.exe 3048 _AcroServicesUpdater2_x64.exe 3048 _AcroServicesUpdater2_x64.exe 3048 _AcroServicesUpdater2_x64.exe 3048 _AcroServicesUpdater2_x64.exe 3048 _AcroServicesUpdater2_x64.exe 3048 _AcroServicesUpdater2_x64.exe 3048 _AcroServicesUpdater2_x64.exe 3048 _AcroServicesUpdater2_x64.exe 3048 _AcroServicesUpdater2_x64.exe 3048 _AcroServicesUpdater2_x64.exe 3048 _AcroServicesUpdater2_x64.exe -
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target PID 4820 wrote to memory of 1712 4820 be2b8d4c2e8aa37b93a6c39d02b19daeed7f4c7674865bbb67129e11f8938e17.exe 87 PID 4820 wrote to memory of 1712 4820 be2b8d4c2e8aa37b93a6c39d02b19daeed7f4c7674865bbb67129e11f8938e17.exe 87 PID 4820 wrote to memory of 1712 4820 be2b8d4c2e8aa37b93a6c39d02b19daeed7f4c7674865bbb67129e11f8938e17.exe 87 PID 4820 wrote to memory of 3048 4820 be2b8d4c2e8aa37b93a6c39d02b19daeed7f4c7674865bbb67129e11f8938e17.exe 88 PID 4820 wrote to memory of 3048 4820 be2b8d4c2e8aa37b93a6c39d02b19daeed7f4c7674865bbb67129e11f8938e17.exe 88
Processes
-
C:\Users\Admin\AppData\Local\Temp\be2b8d4c2e8aa37b93a6c39d02b19daeed7f4c7674865bbb67129e11f8938e17.exe"C:\Users\Admin\AppData\Local\Temp\be2b8d4c2e8aa37b93a6c39d02b19daeed7f4c7674865bbb67129e11f8938e17.exe"1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4820 -
C:\Windows\SysWOW64\Zombie.exe"C:\Windows\system32\Zombie.exe"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1712
-
-
C:\Users\Admin\AppData\Local\Temp\_AcroServicesUpdater2_x64.exe"_AcroServicesUpdater2_x64.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3048
-
Network
MITRE ATT&CK Enterprise v16
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
17KB
MD5c95eefa54fa249b5f74805d10b25d5b2
SHA17648a16482ee35b7cbb73773eeff822f88412e96
SHA256b78905bc0d9aab043a3d5285dcfeca4d8234a9955b951c28210adcbe9aad4389
SHA512244dcf1c6d89eae4446a5213ed3219f3ee9e6cdf7fa18f3da95cba05e374a7f570c4aca3b56ed0de8ac11c9f08004405da4e952feaa88fb1eded8238e60edfdb
-
Filesize
13B
MD5c83301425b2ad1d496473a5ff3d9ecca
SHA1941efb7368e46b27b937d34b07fc4d41da01b002
SHA256b633a587c652d02386c4f16f8c6f6aab7352d97f16367c3c40576214372dd628
SHA51283bafe4c888008afdd1b72c028c7f50dee651ca9e7d8e1b332e0bf3aa1315884155a1458a304f6e5c5627e714bf5a855a8b8d7db3f4eb2bb2789fe2f8f6a1d83
-
Filesize
119KB
MD5aba284c3712f8cdb2fdc70689933a909
SHA1e836d2554ff9043605d333eace443b95c5ceb55d
SHA25699727a25e431134f75c9342ca608d1007ea31733f7fd4dda32356e5e36c23f9b
SHA512217ab6bfff758b1137aadaa9878727493e3efe5a72412bd4eedcb538854c5e25dcad17c7446443174b0e2ab695a9dbf7c7b67c86c89fd48055c04c2e10dfecd4
-
Filesize
17KB
MD5229d7d6c64dffbdf649b205df66ed1fd
SHA153f7936d7dc02c59c08136bf29f60dc46e766d92
SHA2564f8fff1eade9ef26fef0881e27fae158da5a8fc2bc6ce0128ba10d6e34780cf8
SHA512fb04bb96a7918419fe0f47a5a93d825abbcbc4a597f3b7a302dcb169d5593343713429d75b356cc75bd80bc8ba91d63ffb1a5f180d9029acd4462bc799839f58