149898073b601778d3705edc74f9f52d7bea6cb9e7b3c0e1af73dde7269ca65b

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
14-05-2024 18:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

149898073b601778d3705edc74f9f52d7bea6cb9e7b3c0e1af73dde7269ca65b.exe
Size

276KB
MD5

23b96f2b67d6bdd189ecb6831553880b
SHA1

8f83e81e547d74eb78f768e47b9d895754f983f8
SHA256

149898073b601778d3705edc74f9f52d7bea6cb9e7b3c0e1af73dde7269ca65b
SHA512

11ddb6430c183d6a05412f407fbb2defb4cbaf83678b71b00313e3fe29ec51e3e8b454e216f2de888c056335c25ca0fdd7e07e7adb9b490a71106898abdcee82
SSDEEP

3072:9QWp0w9mHpKZNGCLOwstyhZFChcssc56FUrgxvbSD4UQrO2ZTxW:LZ9UpK7ShcHUaZA

Score

9^/10

ransomware

Malware Config

Signatures

Renames multiple (3439) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 2 IoCs

pid	Process
2864	_cinst.exe
2192	Zombie.exe

Loads dropped DLL 3 IoCs

pid	Process
1068	149898073b601778d3705edc74f9f52d7bea6cb9e7b3c0e1af73dde7269ca65b.exe
1068	149898073b601778d3705edc74f9f52d7bea6cb9e7b3c0e1af73dde7269ca65b.exe
1068	149898073b601778d3705edc74f9f52d7bea6cb9e7b3c0e1af73dde7269ca65b.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Zombie.exe	149898073b601778d3705edc74f9f52d7bea6cb9e7b3c0e1af73dde7269ca65b.exe
File opened for modification	C:\Windows\SysWOW64\Zombie.exe	149898073b601778d3705edc74f9f52d7bea6cb9e7b3c0e1af73dde7269ca65b.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Media Player\it-IT\wmplayer.exe.mui.tmp	Zombie.exe
File created	C:\Program Files\Windows Media Player\wmplayer.exe.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\feature.xml.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\cmm\sRGB.pf.tmp	Zombie.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-crt-private-l1-1-0.dll.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libextract_plugin.dll.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationRight_SelectionSubpicture.png.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Denver.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk_1.0.300.v20140407-1803.jar.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\16_9-frame-image-mask.png.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Notes_content-background.png.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-io-ui_ja.jar.tmp	Zombie.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\PresentationBuildTasks.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\gui\libskins2_plugin.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-snaptracer.xml.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\locale\as_IN\LC_MESSAGES\vlc.mo.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationRight_ButtonGraphic.png.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\decorative_rule.png.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench3_0.12.0.v20140227-2118.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-options-api_zh_CN.jar.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Qatar.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.property.nl_zh_4.4.0.v20140623020002.jar.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libwave_plugin.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaire.exe.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hr\LC_MESSAGES\vlc.mo.tmp	Zombie.exe
File created	C:\Program Files\Windows Media Player\it-IT\wmpnssci.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipsesp.xml.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2native.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\blafdoc.css.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Athens.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\sound.properties.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\Australia\Lord_Howe.tmp	Zombie.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.Aero.dll.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationUp_ButtonGraphic.png.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Macquarie.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Gaza.tmp	Zombie.exe
File created	C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\calendar.html.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\vlc.mo.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libstl_plugin.dll.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libvobsub_plugin.dll.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libyuy2_i422_plugin.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Argentina\San_Luis.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Chihuahua.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\control\libwin_hotkeys_plugin.dll.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bPrev-down.png.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Martinique.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.core.contexts_1.3.100.v20140407-1019.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jvmstat.xml.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\bin\jfr.dll.tmp	Zombie.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Web.Entity.Design.Resources.dll.tmp	Zombie.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\Microsoft.Build.Conversion.v3.5.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\librawdv_plugin.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.jdp_5.5.0.165303.jar.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_100_fdf5ce_1x400.png.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi420_nv12_plugin.dll.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\en-US\DVDMaker.exe.mui.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\j2pcsc.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Casablanca.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\feature.properties.tmp	Zombie.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1068 wrote to memory of 2864	1068	149898073b601778d3705edc74f9f52d7bea6cb9e7b3c0e1af73dde7269ca65b.exe	28
PID 1068 wrote to memory of 2864	1068	149898073b601778d3705edc74f9f52d7bea6cb9e7b3c0e1af73dde7269ca65b.exe	28
PID 1068 wrote to memory of 2864	1068	149898073b601778d3705edc74f9f52d7bea6cb9e7b3c0e1af73dde7269ca65b.exe	28
PID 1068 wrote to memory of 2864	1068	149898073b601778d3705edc74f9f52d7bea6cb9e7b3c0e1af73dde7269ca65b.exe	28
PID 1068 wrote to memory of 2192	1068	149898073b601778d3705edc74f9f52d7bea6cb9e7b3c0e1af73dde7269ca65b.exe	29
PID 1068 wrote to memory of 2192	1068	149898073b601778d3705edc74f9f52d7bea6cb9e7b3c0e1af73dde7269ca65b.exe	29
PID 1068 wrote to memory of 2192	1068	149898073b601778d3705edc74f9f52d7bea6cb9e7b3c0e1af73dde7269ca65b.exe	29
PID 1068 wrote to memory of 2192	1068	149898073b601778d3705edc74f9f52d7bea6cb9e7b3c0e1af73dde7269ca65b.exe	29

C:\Users\Admin\AppData\Local\Temp\149898073b601778d3705edc74f9f52d7bea6cb9e7b3c0e1af73dde7269ca65b.exe
"C:\Users\Admin\AppData\Local\Temp\149898073b601778d3705edc74f9f52d7bea6cb9e7b3c0e1af73dde7269ca65b.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1068
- C:\Users\Admin\AppData\Local\Temp\_cinst.exe
  "_cinst.exe"
  2⤵
  - Executes dropped EXE
  PID:2864
- C:\Windows\SysWOW64\Zombie.exe
  "C:\Windows\system32\Zombie.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2192

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3627615824-4061627003-3019543961-1000\desktop.ini.tmp

Filesize
133KB

MD5
2293bf587382945cc7e8ee02b7da2922

SHA1
08f38fecddcd8ff43e9ae147472f3ed929084fa7

SHA256
7b9d525e1350258496865cb20a125124f07d9413b29c65eb4a5a290213bdce24

SHA512
b0ca5a7deab048663828883a4d2b9e9f9fd1b26785713ae288513c10275ef7e271466b240ed724a51d5a75864edd2b8c036fd41b8d7a91e2c3fe806d1337d651

Download Submit
\Users\Admin\AppData\Local\Temp\_cinst.exe

Filesize
143KB

MD5
2fdb371d45181dff59577110ba1064e2

SHA1
42a5833cb0ac90e38d734d1327bb3f7c7a6aa453

SHA256
80d7ec8ce3913d81ea5d4f304b8609e56f0e49778c52af9279e742ea54f4a155

SHA512
52982041ba9ca552b90b79b251501ec6c33c5251d09ca9969a1b179af2ec17aca6eb81db6e588e12751bcea04208e1da8d5a754a979dd98ceb3f50780aadea20

Download Submit
\Windows\SysWOW64\Zombie.exe

Filesize
133KB

MD5
cc684f17c746d59b516934aa3ebba9ba

SHA1
4f0eaefcffbcf0fc346ee3b91fb18fe619ea43b2

SHA256
b6483b57347f6f3d4640d028c7a0e0e599d5cab0fc643c95cc8709635470f88f

SHA512
c565818f131c54769e948ef13964ee74456cf2148a0723dea14494f57d9fbd17edd5cf5b3167450e31af089f4ffdd4ea4e42d88d8f1ac7ed9daffec871ed74c4

Download Submit
memory/1068-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1068-16-0x00000000002E0000-0x00000000002E8000-memory.dmp

Filesize
32KB

Download
memory/1068-23-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2864-21-0x000007FEF50F3000-0x000007FEF50F4000-memory.dmp

Filesize
4KB

Download
memory/2864-22-0x00000000008A0000-0x00000000008C8000-memory.dmp

Filesize
160KB

Download