3744cb011250990a59073fc745966720db7b83b89b8a928e35103b4bec97baff

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24/04/2024, 14:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3744cb011250990a59073fc745966720db7b83b89b8a928e35103b4bec97baff.exe
Size

376KB
MD5

118d0a16367955747f6d1eaa1fd4f45d
SHA1

2bc99be89d764dabc073107f3b78f23bdc3cecc7
SHA256

3744cb011250990a59073fc745966720db7b83b89b8a928e35103b4bec97baff
SHA512

28f29cf794a0528259ab8d002142c7b936dc5932cb53006dc1645390361dbb32716ab72bd2015f7e0067416b8795dd82e84d3d990c5859a60f4af3238ba94aa7
SSDEEP

6144:dNuMc5T/4DO/B5fpRr3TmiTVVmVVV8VVNVVVcVVVxVVVPVVlVVVRVVVtVVWV60jK:yMc5j4DO/B5fn5cz

Score

9^/10

ransomware

Malware Config

Signatures

Renames multiple (709) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 2 IoCs

pid	Process
2896	_MpDlpCmd.exe
2840	Zombie.exe

Loads dropped DLL 5 IoCs

pid	Process
1772	3744cb011250990a59073fc745966720db7b83b89b8a928e35103b4bec97baff.exe
1772	3744cb011250990a59073fc745966720db7b83b89b8a928e35103b4bec97baff.exe
1772	3744cb011250990a59073fc745966720db7b83b89b8a928e35103b4bec97baff.exe
1772	3744cb011250990a59073fc745966720db7b83b89b8a928e35103b4bec97baff.exe
2684	Process not Found

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Zombie.exe	3744cb011250990a59073fc745966720db7b83b89b8a928e35103b4bec97baff.exe
File opened for modification	C:\Windows\SysWOW64\Zombie.exe	3744cb011250990a59073fc745966720db7b83b89b8a928e35103b4bec97baff.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\Lang\kab.txt.tmp	Zombie.exe
File created	C:\Program Files\7-Zip\Lang\ta.txt.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\IpsPlugin.dll.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Music.emf.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\passport.png.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.jpg.tmp	Zombie.exe
File created	C:\Program Files\Google\Chrome\Application\chrome.VisualElementsManifest.xml.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\cursors.properties.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-correct.avi.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\tipresx.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipsjpn.xml.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\1047x576black.png.tmp	Zombie.exe
File created	C:\Program Files\Internet Explorer\Timeline.dll.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPWMI.MOF.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Monet.jpg.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Stucco.gif.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\203x8subpicture.png.tmp	Zombie.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_elf.dll.tmp	Zombie.exe
File created	C:\Program Files\7-Zip\Lang\sl.txt.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-next-static.png.tmp	Zombie.exe
File created	C:\Program Files\Internet Explorer\en-US\iexplore.exe.mui.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\sunec.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Winamac.tmp	Zombie.exe
File created	C:\Program Files\Common Files\System\fr-FR\wab32res.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ar.pak.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jsound.dll.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\InkWatson.exe.mui.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\bod_r.TTF.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\button-overlay.png.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\720x480icongraphic.png.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsNotesBackground.wmv.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.ini.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_LinkDrop32x32.gif.tmp	Zombie.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\pl.pak.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_zh_CN.jar.tmp	Zombie.exe
File created	C:\Program Files\7-Zip\Lang\ba.txt.tmp	Zombie.exe
File created	C:\Program Files\7-Zip\Lang\ps.txt.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\TipRes.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\tipresx.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Common Files\System\msadc\msdaremr.dll.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\1047_576black.png.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\splash.gif.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\baseAltGr_rtl.xml.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Scenes_LOOP_BG.wmv.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\local_policy.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_CopyDrop32x32.gif.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Windhoek.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\rtstreamsink.ax.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\title_stripe.png.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\PreviousMenuButtonIcon.png.tmp	Zombie.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\lt.pak.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_pl.jar.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Postage_ButtonGraphic.png.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\pushplaysubpicture.png.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_widescreen_Thumbnail.bmp.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToNotesBackground.wmv.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\jce.jar.tmp	Zombie.exe
File created	C:\Program Files\7-Zip\Lang\th.txt.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\tipresx.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\babyblue.png.tmp	Zombie.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1772 wrote to memory of 2896	1772	3744cb011250990a59073fc745966720db7b83b89b8a928e35103b4bec97baff.exe	29
PID 1772 wrote to memory of 2896	1772	3744cb011250990a59073fc745966720db7b83b89b8a928e35103b4bec97baff.exe	29
PID 1772 wrote to memory of 2896	1772	3744cb011250990a59073fc745966720db7b83b89b8a928e35103b4bec97baff.exe	29
PID 1772 wrote to memory of 2896	1772	3744cb011250990a59073fc745966720db7b83b89b8a928e35103b4bec97baff.exe	29
PID 1772 wrote to memory of 2840	1772	3744cb011250990a59073fc745966720db7b83b89b8a928e35103b4bec97baff.exe	28
PID 1772 wrote to memory of 2840	1772	3744cb011250990a59073fc745966720db7b83b89b8a928e35103b4bec97baff.exe	28
PID 1772 wrote to memory of 2840	1772	3744cb011250990a59073fc745966720db7b83b89b8a928e35103b4bec97baff.exe	28
PID 1772 wrote to memory of 2840	1772	3744cb011250990a59073fc745966720db7b83b89b8a928e35103b4bec97baff.exe	28

C:\Users\Admin\AppData\Local\Temp\3744cb011250990a59073fc745966720db7b83b89b8a928e35103b4bec97baff.exe
"C:\Users\Admin\AppData\Local\Temp\3744cb011250990a59073fc745966720db7b83b89b8a928e35103b4bec97baff.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1772
- C:\Windows\SysWOW64\Zombie.exe
  "C:\Windows\system32\Zombie.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2840
- C:\Users\Admin\AppData\Local\Temp\_MpDlpCmd.exe
  "_MpDlpCmd.exe"
  2⤵
  - Executes dropped EXE
  PID:2896

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-330940541-141609230-1670313778-1000\desktop.ini.tmp

Filesize
65KB

MD5
bf9f11c218e9a22eaece2d9d8d9a222a

SHA1
3d9d187b4953321dc0257324b81273f2a528299e

SHA256
e4073e893840370009724d0dd113ca46bf0b11041462d3059671e063c2a2f4e7

SHA512
ba3ffd03fa05bef763e473356de3a9573d9b0a7ec7e5f337be770a4b63e5eb987e564dc6526858062a00329d6f9a7a25ae217cba6b20e67c36c587b1d5e48beb

Download Submit
\Users\Admin\AppData\Local\Temp\_MpDlpCmd.exe

Filesize
310KB

MD5
aaef344fe1fbd85cdaec2ece7fdf873e

SHA1
cc9b145e5583afa05b702719a106e6631c960e73

SHA256
7dfb66ef0f85b8d86a462386d28bcfec4ce07faed9c0a836b770d11cd36e0ec6

SHA512
cf61c40caf6bc9257b27d4c54462632ca18048c9343f09746ef4de7d5c28b9c41b9e245f3ab6624e26156d0a214408fe146ea51c957b5b8aff0bf4e5d5576fcc

Download Submit
\Windows\SysWOW64\Zombie.exe

Filesize
65KB

MD5
461961acf2570567021a0279d537462e

SHA1
ca23dfac84d1cba4690aa017cdd6e7cfc0b9f9d4

SHA256
b132d5169f1f44a4e587a8e7fef08f0f5f026a0739d2852ba3f277e34cbd5e96

SHA512
5c2fd7738c0d2099f62181222363c9192edf152d66b0eb02ea8af8a44d5fdfa23d53d756abace6f4b9d1504bcabdcc3fa381e7a67b73243e17271e4cc368ceb1

Download Submit