Analysis
max time kernel: 146s
max time network: 121s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 08/06/2024, 01:40
Static task: static1
Behavioral task: behavioral1
  Sample: 1ad991195f58f58ffd11c3c22058a4f0.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 1ad991195f58f58ffd11c3c22058a4f0.exe
  Resource: win10v2004-20240508-en
General
Target: 1ad991195f58f58ffd11c3c22058a4f0.exe
Size: 174KB
MD5: 1ad991195f58f58ffd11c3c22058a4f0
SHA1: 6b15646dc4dd0c269709cb0898c0ecbbc3e9a24f
SHA256: 1f69c53d51fc865280ceafb04faa303e77b8173333311f783724d46e971a7910
SHA512: eea4e6004748b456010963197eb7ae5f3094b460cdfcfbcb890507eabd15232b30952ff9d40eefc92e2ee52264e9664b43d8fba443d2c03e738dc531eafd2f37
SSDEEP: 3072:6pWpgD98HpKI6GCLOwstyhZFChcssc56FUrgxvbSD4UQrO2Lxm:Pm9GpKbShcHUac
Malware Config
Signatures
Renames multiple (3837) files with added filename extension
This suggests ransomware activity: files across the system are being rewritten and renamed with an appended extension, consistent with encryption of their contents.
Executes dropped EXE 2 IoCs
pid Process
2456 _choco.exe
2648 Zombie.exe

Loads dropped DLL 3 IoCs
pid Process
1912 1ad991195f58f58ffd11c3c22058a4f0.exe
1912 1ad991195f58f58ffd11c3c22058a4f0.exe
1912 1ad991195f58f58ffd11c3c22058a4f0.exe

Drops file in System32 directory 2 IoCs
description ioc Process
File created C:\Windows\SysWOW64\Zombie.exe 1ad991195f58f58ffd11c3c22058a4f0.exe
File opened for modification C:\Windows\SysWOW64\Zombie.exe 1ad991195f58f58ffd11c3c22058a4f0.exe

Drops file in Program Files directory 64 IoCs
description ioc Process
File created C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\navSubpicture.png.tmp Zombie.exe
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Scenes_LOOP_BG_PAL.wmv.tmp Zombie.exe
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Makassar.tmp Zombie.exe
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\PreviousMenuButtonIcon.png.tmp Zombie.exe
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Ojinaga.tmp Zombie.exe
File created C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\hint_up.png.tmp Zombie.exe
File created C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_left_rest.png.tmp Zombie.exe
File created C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\play-static.png.tmp Zombie.exe
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Lord_Howe.tmp Zombie.exe
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\Microsoft.Build.Engine.resources.dll.tmp Zombie.exe
File created C:\Program Files\Windows Media Player\Network Sharing\wmpnss_bw48.bmp.tmp Zombie.exe
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\To_Do_List.emf.tmp Zombie.exe
File created C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\btn-previous-static.png.tmp Zombie.exe
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\w2k_lsa_auth.dll.tmp Zombie.exe
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Tucuman.tmp Zombie.exe
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\feature.properties.tmp Zombie.exe
File created C:\Program Files\Java\jre7\lib\zi\Asia\Seoul.tmp Zombie.exe
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\PresentationFramework.resources.dll.tmp Zombie.exe
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\weather.js.tmp Zombie.exe
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInTray.gif.tmp Zombie.exe
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-modules-uihandler.xml_hidden.tmp Zombie.exe
File created C:\Program Files\Java\jre7\bin\server\classes.jsa.tmp Zombie.exe
File created C:\Program Files\Java\jre7\lib\zi\America\Montreal.tmp Zombie.exe
File created C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSO.DLL.tmp Zombie.exe
File created C:\Program Files\Common Files\Microsoft Shared\ink\dicjp.bin.tmp Zombie.exe
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.nl_zh_4.4.0.v20140623020002.jar.tmp Zombie.exe
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-masterfs.jar.tmp Zombie.exe
File created C:\Program Files\Java\jre7\lib\management\snmp.acl.template.tmp Zombie.exe
File created C:\Program Files\Mozilla Firefox\firefox.VisualElementsManifest.xml.tmp Zombie.exe
File created C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\drag.png.tmp Zombie.exe
File created C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\in_sidebar\bg_sidebar.png.tmp Zombie.exe
File created C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\TipBand.dll.mui.tmp Zombie.exe
File created C:\Program Files\DVD Maker\es-ES\WMM2CLIP.dll.mui.tmp Zombie.exe
File created C:\Program Files\Microsoft Office\Office14\NAMEEXT.DLL.tmp Zombie.exe
File created C:\Program Files\7-Zip\Lang\be.txt.tmp Zombie.exe
File created C:\Program Files\Common Files\System\Ole DB\ja-JP\msdasqlr.dll.mui.tmp Zombie.exe
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+7.tmp Zombie.exe
File created C:\Program Files (x86)\Common Files\microsoft shared\ink\it-IT\InkObj.dll.mui.tmp Zombie.exe
File created C:\Program Files\Internet Explorer\IEShims.dll.tmp Zombie.exe
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\com.oracle.jmc.executable.win32.win32.x86_64_5.5.0.tmp Zombie.exe
File created C:\Program Files\VideoLAN\VLC\lua\http\css\main.css.tmp Zombie.exe
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\css\weather.css.tmp Zombie.exe
File created C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationUp_SelectionSubpicture.png.tmp Zombie.exe
File created C:\Program Files\VideoLAN\VLC\plugins\d3d9\libdirect3d9_filters_plugin.dll.tmp Zombie.exe
File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_box_divider_left.png.tmp Zombie.exe
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Prague.tmp Zombie.exe
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-charts_zh_CN.jar.tmp Zombie.exe
File created C:\Program Files\Java\jre7\lib\zi\America\Indiana\Indianapolis.tmp Zombie.exe
File created C:\Program Files\Java\jre7\lib\zi\America\Port_of_Spain.tmp Zombie.exe
File created C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\InkWatson.exe.mui.tmp Zombie.exe
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-applemenu_ja.jar.tmp Zombie.exe
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-settings_zh_CN.jar.tmp Zombie.exe
File created C:\Program Files\Windows Media Player\es-ES\wmpnscfg.exe.mui.tmp Zombie.exe
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\vistabg.png.tmp Zombie.exe
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Porto_Velho.tmp Zombie.exe
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.RSA.tmp Zombie.exe
File created C:\Program Files\Mozilla Firefox\AccessibleMarshal.dll.tmp Zombie.exe
File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\flyout.html.tmp Zombie.exe
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\css\localizedSettings.css.tmp Zombie.exe
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Denver.tmp Zombie.exe
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-6.tmp Zombie.exe
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.ui_5.5.0.165303.jar.tmp Zombie.exe
File created C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyNotesBackground_PAL.wmv.tmp Zombie.exe
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.IO.Log.dll.tmp Zombie.exe
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target
PID 1912 wrote to memory of 2456 1912 1ad991195f58f58ffd11c3c22058a4f0.exe 29
PID 1912 wrote to memory of 2456 1912 1ad991195f58f58ffd11c3c22058a4f0.exe 29
PID 1912 wrote to memory of 2456 1912 1ad991195f58f58ffd11c3c22058a4f0.exe 29
PID 1912 wrote to memory of 2456 1912 1ad991195f58f58ffd11c3c22058a4f0.exe 29
PID 1912 wrote to memory of 2648 1912 1ad991195f58f58ffd11c3c22058a4f0.exe 28
PID 1912 wrote to memory of 2648 1912 1ad991195f58f58ffd11c3c22058a4f0.exe 28
PID 1912 wrote to memory of 2648 1912 1ad991195f58f58ffd11c3c22058a4f0.exe 28
PID 1912 wrote to memory of 2648 1912 1ad991195f58f58ffd11c3c22058a4f0.exe 28
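The process tree and the mass-rename signature above are both derived from raw IoC rows of the kind the report prints. The following Python is an added example and not part of the sandbox report or the sample: it parses rows copied from this page (a subset of the 64 "Drops file in Program Files directory" rows), collapses the repeated WriteProcessMemory rows into one parent-to-child edge each, and flags a process whose "File created" events share one final extension across more than one directory. The regular expressions, the function names and the threshold of four are assumptions chosen for the example; the sandbox does not publish its own rule.

```python
"""Rebuild a sandbox process tree and a mass-rename score from IoC rows.
Added example for this report; rows below are copied from the page, the
threshold and regexes are assumptions, not the sandbox's own logic."""
import re
from collections import Counter, defaultdict

# Constructed input: rows copied verbatim from the signature tables on this page.
WRITE_PROCESS_MEMORY_IOCS = [
    "PID 1912 wrote to memory of 2456 1912 1ad991195f58f58ffd11c3c22058a4f0.exe 29",
    "PID 1912 wrote to memory of 2456 1912 1ad991195f58f58ffd11c3c22058a4f0.exe 29",
    "PID 1912 wrote to memory of 2648 1912 1ad991195f58f58ffd11c3c22058a4f0.exe 28",
    "PID 1912 wrote to memory of 2648 1912 1ad991195f58f58ffd11c3c22058a4f0.exe 28",
]
EXECUTES_DROPPED_EXE_IOCS = ["2456 _choco.exe", "2648 Zombie.exe"]
FILE_IOCS = [
    r"File created C:\Windows\SysWOW64\Zombie.exe 1ad991195f58f58ffd11c3c22058a4f0.exe",
    r"File opened for modification C:\Windows\SysWOW64\Zombie.exe 1ad991195f58f58ffd11c3c22058a4f0.exe",
    r"File created C:\Program Files\7-Zip\Lang\be.txt.tmp Zombie.exe",
    r"File created C:\Program Files\Microsoft Office\Office14\NAMEEXT.DLL.tmp Zombie.exe",
    r"File created C:\Program Files\Java\jre7\lib\zi\Asia\Seoul.tmp Zombie.exe",
    r"File created C:\Program Files\Mozilla Firefox\AccessibleMarshal.dll.tmp Zombie.exe",
]

# Row shapes as printed in the report: "PID <ppid> wrote to memory of <pid> <ppid> <image> <target>"
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) \d+$")
DROPPED_RE = re.compile(r"^(\d+) (\S+)$")
# The path may contain spaces; the process image is the last whitespace-free token.
FILE_RE = re.compile(r"^(File created|File opened for modification) (.+) (\S+)$")


def parse_process_tree(wpm_lines, dropped_lines):
    """Return {"names": {pid: image}, "children": {ppid: [pid, ...]}}.
    The sandbox reports one WriteProcessMemory row per API call, so the same
    parent/child pair repeats; a set collapses them to a single edge."""
    names, children = {}, defaultdict(set)
    for line in wpm_lines:
        m = WPM_RE.match(line)
        if m:
            ppid, pid, image = int(m.group(1)), int(m.group(2)), m.group(3)
            names[ppid] = image
            children[ppid].add(pid)
    for line in dropped_lines:  # "Executes dropped EXE" rows name the children
        m = DROPPED_RE.match(line)
        if m:
            names[int(m.group(1))] = m.group(2)
    return {"names": names, "children": {p: sorted(c) for p, c in children.items()}}


def roots(tree):
    """PIDs that write into others but are never written into: the submitted sample."""
    targets = {pid for kids in tree["children"].values() for pid in kids}
    return sorted(p for p in tree["children"] if p not in targets)


def render_tree(tree, pid, depth=0):
    """Indented text tree in the style of the report's Processes section."""
    lines = [f"{'  ' * depth}{tree['names'].get(pid, '?')} (PID {pid})"]
    for child in tree["children"].get(pid, []):
        lines.extend(render_tree(tree, child, depth + 1))
    return lines


def score_file_ops(file_lines, threshold):
    """Per process, count 'File created' events by final extension and flag the
    process when its dominant extension reaches `threshold` files spread over
    more than one directory: one extension everywhere is the rename pattern
    behind the 'Renames multiple files with added filename extension' signature."""
    by_proc = defaultdict(Counter)
    dirs = defaultdict(lambda: defaultdict(set))
    for line in file_lines:
        m = FILE_RE.match(line)
        if not m or m.group(1) != "File created":
            continue  # modifications of an existing file are not renames
        path, proc = m.group(2), m.group(3)
        directory, _, filename = path.rpartition("\\")
        _, dot, ext = filename.rpartition(".")
        if not dot:
            continue  # no extension at all, nothing was appended
        by_proc[proc][ext.lower()] += 1
        dirs[proc][ext.lower()].add(directory)
    result = {}
    for proc, counter in by_proc.items():
        ext, count = counter.most_common(1)[0]
        result[proc] = {"ext": "." + ext, "count": count,
                        "flag": count >= threshold and len(dirs[proc][ext]) > 1}
    return result


if __name__ == "__main__":
    tree = parse_process_tree(WRITE_PROCESS_MEMORY_IOCS, EXECUTES_DROPPED_EXE_IOCS)
    for root in roots(tree):
        print("\n".join(render_tree(tree, root)))
    for proc, score in score_file_ops(FILE_IOCS, threshold=4).items():
        print(proc, score)
```

With the full 64 rows from the report the count for Zombie.exe rises to 64 and the flag is unchanged; on the real system the signature counted 3837 renames, so the threshold matters only for keeping installers and updaters, which also write many files of one type into one directory, out of the alert.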
Processes
C:\Users\Admin\AppData\Local\Temp\1ad991195f58f58ffd11c3c22058a4f0.exe (PID 1912)
  command line: "C:\Users\Admin\AppData\Local\Temp\1ad991195f58f58ffd11c3c22058a4f0.exe"
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\Zombie.exe (PID 2648)
    command line: "C:\Windows\system32\Zombie.exe"
    - Executes dropped EXE
    - Drops file in Program Files directory
  C:\Users\Admin\AppData\Local\Temp\_choco.exe (PID 2456)
    command line: "_choco.exe"
    - Executes dropped EXE
Note: the child is launched with a system32 path but its image is in SysWOW64; that is WOW64 file system redirection acting on a 32-bit parent process on x64 Windows, so hunts for the dropped file on 64-bit hosts should look under C:\Windows\SysWOW64.
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 32KB
MD5: ad2d85bbfb84791b60393b7d6f44ff9a
SHA1: 83f165f4b5cc6b932e1db9925c3290826b5aee2e
SHA256: 6d9609af833c33a981c81700d9e4b18e29a1fc51887f615fa9b601662f23db51
SHA512: 72eb7081a3b53cc8aa36cc1f1d386cf3e976af065b03112e04dc1a5848956df828698841a0746f70ca59a775f3287268290606078e1877e1839eb1be7b412042

Filesize: 142KB
MD5: 81a7c181639679983efb07c2dea2ebd0
SHA1: 93370e8e5cb0d89bf6786445f94dd02dbb84b574
SHA256: 8320c7f90f65b48e4031b680506a9579751789ded4d90fa2fbfc2fb7db7e3ec8
SHA512: 599cca13e527c92cdf88df06ed8a01eee1bc602c565ab69e251f7414e19833ce42f0453771bfdf27d16f9f70112835b599d26a6ed92901fdf86bbdf8adf4d2f7

Filesize: 32KB
MD5: b64ca93f2326a0b98eb9780532ad0ab2
SHA1: 39b09561546903d686762ed54b139f000e199a51
SHA256: 84085bfca161be4362c667c4352d92220d1f41f7c4bb35eb0431a0b53a8389d1
SHA512: 5afadbaf061826a8e14b1636e979d780b2fe6ee616f2e2a627d2a338dbcc018dd3e8e2436f6cd5dec139ce795fae9f4e42e6735684849cd46f8297b2f4bdc82d