Analysis
-
max time kernel
150s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-20250610-en -
resource tags
arch:x64arch:x86image:win10v2004-20250610-enlocale:en-usos:windows10-2004-x64system -
submitted
01/07/2025, 06:58
Static task
static1
General
-
Target
a036531f169d10e473e89306c21fba364a8e50b209abb4388e3395cc6aa33be8.exe
-
Size
203KB
-
MD5
66273e6fcbf0b03ec9f86b432f2acbdd
-
SHA1
07f7878a112f50839ab4ad6b73763e240e5ddd86
-
SHA256
a036531f169d10e473e89306c21fba364a8e50b209abb4388e3395cc6aa33be8
-
SHA512
635c38106bfc61e92556f9190b9b4d76553ab0ed41c5be974a641419ed7d60491789755266734c20e890ec5e88b740d2507a69f313aab9ef8476da89c4d64710
-
SSDEEP
3072:cEKEL2pcbOaM4ujkwlcnzhQNv40j0PW1IrEfMtyhud:92pWQNjlYn00rZy4
Malware Config
Signatures
-
Cosmu family
-
Detects Cosmu payload 1 IoCs
Cosmu is a worm written in C++.
resource yara_rule behavioral1/memory/5284-313-0x0000000000400000-0x0000000000407000-memory.dmp family_cosmu -
Renames multiple (5050) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Executes dropped EXE 2 IoCs
pid Process 1096 Zombie.exe 620 _AcroServicesUpdater2_x64.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\SysWOW64\Zombie.exe a036531f169d10e473e89306c21fba364a8e50b209abb4388e3395cc6aa33be8.exe File opened for modification C:\Windows\SysWOW64\Zombie.exe a036531f169d10e473e89306c21fba364a8e50b209abb4388e3395cc6aa33be8.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\UIAutomationProvider.resources.dll.tmp Zombie.exe File created C:\Program Files\Common Files\microsoft shared\ink\en-US\micaut.dll.mui.tmp Zombie.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.SecureString.dll.tmp Zombie.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.IO.UnmanagedMemoryStream.dll.tmp Zombie.exe File created C:\Program Files\Google\Chrome\Application\133.0.6943.60\VisualElements\SmallLogoDev.png.tmp Zombie.exe File created C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\invalid32x32.gif.tmp Zombie.exe File created C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Trial-pl.xrm-ms.tmp Zombie.exe File created C:\Program Files\Common Files\microsoft shared\ink\ipsnld.xml.tmp Zombie.exe File created C:\Program Files\Common Files\microsoft shared\ink\dicjp.dll.tmp Zombie.exe File created C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0090-0409-1000-0000000FF1CE.xml.tmp Zombie.exe File created C:\Program Files\Microsoft Office\root\Licenses16\SkypeServiceBypassR_PrepidBypass-ul-oob.xrm-ms.tmp Zombie.exe File created C:\Program Files\Microsoft Office\root\Licenses16\WordVL_KMS_Client-ul.xrm-ms.tmp Zombie.exe File created C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-timezone-l1-1-0.dll.tmp Zombie.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\it\ReachFramework.resources.dll.tmp Zombie.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\PresentationCore.dll.tmp Zombie.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\System.Windows.Forms.Primitives.dll.tmp Zombie.exe File created C:\Program Files\Java\jdk-1.8\jre\lib\security\cacerts.tmp Zombie.exe File created C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_KMS_Client-ppd.xrm-ms.tmp Zombie.exe File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_OEM_Perp-ppd.xrm-ms.tmp Zombie.exe File created C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_OEM_Perp-ul-oob.xrm-ms.tmp Zombie.exe File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\es\msipc.dll.mui.tmp Zombie.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Forms.Design.Editors.dll.tmp Zombie.exe File created C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Retail-ul-phn.xrm-ms.tmp Zombie.exe File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.OleDbInterop.dll.tmp Zombie.exe File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_heb.xml.tmp Zombie.exe File created C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\VSTOLoaderUI.dll.tmp Zombie.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\es\WindowsBase.resources.dll.tmp Zombie.exe File created C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_KMS_Client-ul-oob.xrm-ms.tmp Zombie.exe File created C:\Program Files\Microsoft Office\root\Office16\InstallerMainShell.tlb.tmp Zombie.exe File created C:\Program Files\Microsoft Office\root\Office16\OneNote\SendToOneNote.ini.tmp Zombie.exe File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sk-sk.dll.tmp Zombie.exe File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\insertbase.xml.tmp Zombie.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\System.Windows.Controls.Ribbon.resources.dll.tmp Zombie.exe File created C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\vcruntime140.dll.tmp Zombie.exe File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.scale-100.png.tmp Zombie.exe File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.scale-140.png.tmp Zombie.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\PresentationFramework.resources.dll.tmp Zombie.exe File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_OEM_Perp-ul-oob.xrm-ms.tmp Zombie.exe File created C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\GostTitle.XSL.tmp Zombie.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\WindowsBase.resources.dll.tmp Zombie.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\zh-Hant\UIAutomationProvider.resources.dll.tmp Zombie.exe File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp Zombie.exe File created C:\Program Files\Microsoft Office\root\Office16\FPA_f3\FA000000003.tmp Zombie.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Configuration.dll.tmp Zombie.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\zh-Hans\System.Windows.Input.Manipulations.resources.dll.tmp Zombie.exe File created C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-libraryloader-l1-1-0.dll.tmp Zombie.exe File created C:\Program Files\Java\jdk-1.8\jre\README.txt.tmp Zombie.exe File created C:\Program Files\Java\jdk-1.8\lib\ir.idl.tmp Zombie.exe File created C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTrial-ppd.xrm-ms.tmp Zombie.exe File created C:\Program Files\Common Files\microsoft shared\ink\ipsplk.xml.tmp Zombie.exe File created C:\Program Files\Common Files\microsoft shared\ink\ipssrl.xml.tmp Zombie.exe File created C:\Program Files\Common Files\microsoft shared\ink\mshwjpn.dll.tmp Zombie.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Serialization.Json.dll.tmp Zombie.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ServiceProcess.dll.tmp Zombie.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\UIAutomationClientSideProviders.resources.dll.tmp Zombie.exe File created C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-namedpipe-l1-1-0.dll.tmp Zombie.exe File created C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_OEM_Perp-pl.xrm-ms.tmp Zombie.exe File created C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.cpl.tmp Zombie.exe File created C:\Program Files\Java\jre-1.8\lib\security\java.security.tmp Zombie.exe File created C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremDemoR_BypassTrial365-ul-oob.xrm-ms.tmp Zombie.exe File created C:\Program Files\Microsoft Office\root\Office16\1033\PSRCHPHN.DAT.tmp Zombie.exe File created C:\Program Files\Microsoft Office\root\Office16\1033\WacLangPackEula.txt.tmp Zombie.exe File created C:\Program Files\Common Files\microsoft shared\ink\sl-SI\tipresx.dll.mui.tmp Zombie.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\UIAutomationClient.resources.dll.tmp Zombie.exe -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a036531f169d10e473e89306c21fba364a8e50b209abb4388e3395cc6aa33be8.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Zombie.exe -
Suspicious behavior: EnumeratesProcesses 18 IoCs
pid Process 620 _AcroServicesUpdater2_x64.exe 620 _AcroServicesUpdater2_x64.exe 620 _AcroServicesUpdater2_x64.exe 620 _AcroServicesUpdater2_x64.exe 620 _AcroServicesUpdater2_x64.exe 620 _AcroServicesUpdater2_x64.exe 620 _AcroServicesUpdater2_x64.exe 620 _AcroServicesUpdater2_x64.exe 620 _AcroServicesUpdater2_x64.exe 620 _AcroServicesUpdater2_x64.exe 620 _AcroServicesUpdater2_x64.exe 620 _AcroServicesUpdater2_x64.exe 620 _AcroServicesUpdater2_x64.exe 620 _AcroServicesUpdater2_x64.exe 620 _AcroServicesUpdater2_x64.exe 620 _AcroServicesUpdater2_x64.exe 620 _AcroServicesUpdater2_x64.exe 620 _AcroServicesUpdater2_x64.exe -
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target PID 5284 wrote to memory of 1096 5284 a036531f169d10e473e89306c21fba364a8e50b209abb4388e3395cc6aa33be8.exe 90 PID 5284 wrote to memory of 1096 5284 a036531f169d10e473e89306c21fba364a8e50b209abb4388e3395cc6aa33be8.exe 90 PID 5284 wrote to memory of 1096 5284 a036531f169d10e473e89306c21fba364a8e50b209abb4388e3395cc6aa33be8.exe 90 PID 5284 wrote to memory of 620 5284 a036531f169d10e473e89306c21fba364a8e50b209abb4388e3395cc6aa33be8.exe 89 PID 5284 wrote to memory of 620 5284 a036531f169d10e473e89306c21fba364a8e50b209abb4388e3395cc6aa33be8.exe 89
Processes
-
C:\Users\Admin\AppData\Local\Temp\a036531f169d10e473e89306c21fba364a8e50b209abb4388e3395cc6aa33be8.exe"C:\Users\Admin\AppData\Local\Temp\a036531f169d10e473e89306c21fba364a8e50b209abb4388e3395cc6aa33be8.exe"1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5284 -
C:\Users\Admin\AppData\Local\Temp\_AcroServicesUpdater2_x64.exe"_AcroServicesUpdater2_x64.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:620
-
-
C:\Windows\SysWOW64\Zombie.exe"C:\Windows\system32\Zombie.exe"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1096
-
Network
MITRE ATT&CK Enterprise v16
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
84KB
MD58fd9e66a936f71ebbe2ee28d4cc5f8c8
SHA1fe4d9f2482ea0b2d5dcd0d82751759f3036adcee
SHA2561cbf09115c52d6376a3ad8ef3a3a0425a4bf71b58a5f0aec8e5aba545fa118a9
SHA512c13ad69b28480ae699a23c167c3315d74a54132670c85070c3acf05c840e3c44637a5781babb694cd4b6fb35baaf33942c98a209428227c82002b96804c163c5
-
Filesize
13B
MD5c83301425b2ad1d496473a5ff3d9ecca
SHA1941efb7368e46b27b937d34b07fc4d41da01b002
SHA256b633a587c652d02386c4f16f8c6f6aab7352d97f16367c3c40576214372dd628
SHA51283bafe4c888008afdd1b72c028c7f50dee651ca9e7d8e1b332e0bf3aa1315884155a1458a304f6e5c5627e714bf5a855a8b8d7db3f4eb2bb2789fe2f8f6a1d83
-
Filesize
119KB
MD5aba284c3712f8cdb2fdc70689933a909
SHA1e836d2554ff9043605d333eace443b95c5ceb55d
SHA25699727a25e431134f75c9342ca608d1007ea31733f7fd4dda32356e5e36c23f9b
SHA512217ab6bfff758b1137aadaa9878727493e3efe5a72412bd4eedcb538854c5e25dcad17c7446443174b0e2ab695a9dbf7c7b67c86c89fd48055c04c2e10dfecd4
-
Filesize
84KB
MD5571e4f97273e546b32b4ef5bbfe6e89e
SHA13186d27db5e8412e9f20ec3def0720f779a41f09
SHA256112476057a328b07cc8758f2869a348c7bd6e8aba8bd5b44585322dd8381f089
SHA512112af1cc986dd2a8aa0c0ec5fc7408b2b112e7282b5a3773badd4c69d409c590189dccc3904c43a910239dad18a60cca646a24d1baf2e9b383f7f734f6f4c272