3c4faf1677a5c278ed6b34263b59f51124cd3d1195788067970c5bb955e34f6d

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
10/06/2024, 21:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3c4faf1677a5c278ed6b34263b59f51124cd3d1195788067970c5bb955e34f6d.exe
Size

517KB
MD5

8914324d93a4f9cb2da1e664f88eb812
SHA1

6f38728cf4f08ff9caa35955ffc2aed73844a969
SHA256

3c4faf1677a5c278ed6b34263b59f51124cd3d1195788067970c5bb955e34f6d
SHA512

b545ffe63dcf5f2c8299778d67219672c67b3f72381f253407f645d8e40070d1b51b19f98c757dfdd7cab3d47bba59393187e1d9597390ab692c62d790c8dd71
SSDEEP

12288:iFF2Z0md3/94A2p8GnqZycIr+VtKzvFWOC3aEX90:iFF2Zx/WnSyhbzv8O0C

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (3696) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 3 IoCs

pid	Process
1964	Zombie.exe
3000	_vcredist_x86.exe
2068	_vcredist_x86.exe

Loads dropped DLL 5 IoCs

pid	Process
2424	3c4faf1677a5c278ed6b34263b59f51124cd3d1195788067970c5bb955e34f6d.exe
2424	3c4faf1677a5c278ed6b34263b59f51124cd3d1195788067970c5bb955e34f6d.exe
2424	3c4faf1677a5c278ed6b34263b59f51124cd3d1195788067970c5bb955e34f6d.exe
3000	_vcredist_x86.exe
2068	_vcredist_x86.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Zombie.exe	3c4faf1677a5c278ed6b34263b59f51124cd3d1195788067970c5bb955e34f6d.exe
File opened for modification	C:\Windows\SysWOW64\Zombie.exe	3c4faf1677a5c278ed6b34263b59f51124cd3d1195788067970c5bb955e34f6d.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jre7\lib\jfxrt.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Brunei.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\Etc\GMT+11.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Wake.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\js\weather.js.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\images\Other-48.png.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\mshwLatin.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\libxslt.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fontconfig.bfc.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\ZoneInfoMappings.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7.png.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-core-execution.xml_hidden.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Asuncion.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\lua\playlist\cue.luac.tmp	Zombie.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\weblink.api.tmp	Zombie.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SecStoreFile.ico.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\mix.gif.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-search.xml.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-uihandler_ja.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\fonts\LucidaBrightRegular.ttf.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\ja-JP\bckgzm.exe.mui.tmp	Zombie.exe
File created	C:\Program Files\Mozilla Firefox\osclientcerts.dll.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\weather.html.tmp	Zombie.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\ACE.dll.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\TipRes.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\msinfo32.exe.mui.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Tashkent.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Cocos.tmp	Zombie.exe
File created	C:\Program Files\Windows Mail\it-IT\msoeres.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\rings-dock.png.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\rtscom.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\El_Aaiun.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\epl-v10.html.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-core-io-ui.jar.tmp	Zombie.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\Microsoft.Build.Utilities.v3.5.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\requests\playlist.xml.tmp	Zombie.exe
File created	C:\Program Files\Windows Defender\de-DE\MpAsDesc.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\css\RSSFeeds.css.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423861240811.profile.gz.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-lib-profiler-common.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\bin\klist.exe.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Games\Mahjong\desktop.ini.tmp	Zombie.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Linq.dll.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access_output\libaccess_output_livehttp_plugin.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\WindowsAccessBridge-64.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\e4-dark_partstyle.css.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\InkWatson.exe.mui.tmp	Zombie.exe
File created	C:\Program Files\Common Files\System\ado\msado21.tlb.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\GRAY.pf.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Thule.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\Antarctica\Mawson.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\lua\meta\art\01_googleimage.luac.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\daisies.png.tmp	Zombie.exe
File created	C:\Program Files\Common Files\System\ado\de-DE\msader15.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-6.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Samara.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\button_right_mouseover.png.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\css\slideShow.css.tmp	Zombie.exe
File created	C:\Program Files\7-Zip\Lang\io.txt.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Eurosti.TTF.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.workbench_3.106.1.v20140827-1737.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-editor-mimelookup.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\about.html.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Argentina\Rio_Gallegos.tmp	Zombie.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2424 wrote to memory of 1964	2424	3c4faf1677a5c278ed6b34263b59f51124cd3d1195788067970c5bb955e34f6d.exe	28
PID 2424 wrote to memory of 1964	2424	3c4faf1677a5c278ed6b34263b59f51124cd3d1195788067970c5bb955e34f6d.exe	28
PID 2424 wrote to memory of 1964	2424	3c4faf1677a5c278ed6b34263b59f51124cd3d1195788067970c5bb955e34f6d.exe	28
PID 2424 wrote to memory of 1964	2424	3c4faf1677a5c278ed6b34263b59f51124cd3d1195788067970c5bb955e34f6d.exe	28
PID 2424 wrote to memory of 3000	2424	3c4faf1677a5c278ed6b34263b59f51124cd3d1195788067970c5bb955e34f6d.exe	29
PID 2424 wrote to memory of 3000	2424	3c4faf1677a5c278ed6b34263b59f51124cd3d1195788067970c5bb955e34f6d.exe	29
PID 2424 wrote to memory of 3000	2424	3c4faf1677a5c278ed6b34263b59f51124cd3d1195788067970c5bb955e34f6d.exe	29
PID 2424 wrote to memory of 3000	2424	3c4faf1677a5c278ed6b34263b59f51124cd3d1195788067970c5bb955e34f6d.exe	29
PID 2424 wrote to memory of 3000	2424	3c4faf1677a5c278ed6b34263b59f51124cd3d1195788067970c5bb955e34f6d.exe	29
PID 2424 wrote to memory of 3000	2424	3c4faf1677a5c278ed6b34263b59f51124cd3d1195788067970c5bb955e34f6d.exe	29
PID 2424 wrote to memory of 3000	2424	3c4faf1677a5c278ed6b34263b59f51124cd3d1195788067970c5bb955e34f6d.exe	29
PID 3000 wrote to memory of 2068	3000	_vcredist_x86.exe	30
PID 3000 wrote to memory of 2068	3000	_vcredist_x86.exe	30
PID 3000 wrote to memory of 2068	3000	_vcredist_x86.exe	30
PID 3000 wrote to memory of 2068	3000	_vcredist_x86.exe	30
PID 3000 wrote to memory of 2068	3000	_vcredist_x86.exe	30
PID 3000 wrote to memory of 2068	3000	_vcredist_x86.exe	30
PID 3000 wrote to memory of 2068	3000	_vcredist_x86.exe	30

C:\Users\Admin\AppData\Local\Temp\3c4faf1677a5c278ed6b34263b59f51124cd3d1195788067970c5bb955e34f6d.exe
"C:\Users\Admin\AppData\Local\Temp\3c4faf1677a5c278ed6b34263b59f51124cd3d1195788067970c5bb955e34f6d.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2424
- C:\Windows\SysWOW64\Zombie.exe
  "C:\Windows\system32\Zombie.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:1964
- C:\Users\Admin\AppData\Local\Temp\_vcredist_x86.exe
  "_vcredist_x86.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3000
- - C:\Users\Admin\AppData\Local\Temp\_vcredist_x86.exe
    "C:\Users\Admin\AppData\Local\Temp\_vcredist_x86.exe" -burn.unelevated BurnPipe.{9AC9BE92-2EFE-4CF3-843C-E2BD7997AE2A} {1CD21D3C-C5A1-4A79-A7BB-E749E5C0940E} 3000
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2737914667-933161113-3798636211-1000\desktop.ini.tmp

Filesize
73KB

MD5
646e09f904e46895b011478b35e8f60f

SHA1
41583121dfd7f0fe7a70f6408fceceffeeb770e5

SHA256
0c8a81747de88d564ba91f38ad893482fcde7d89be4a265c92670655214a7465

SHA512
880afc9d5bdfae11b14df19137f370b1af3bfca16a847bf535f7571f5ef1cb263de5dae409f1e86c51e08757c027ac74bd7f79e38493d6d4b5d0549781adf767

Download Submit
C:\Users\Admin\AppData\Local\Temp\{95716cce-fc71-413f-8ad5-56c2892d4b3a}\.ba1\logo.png

Filesize
1KB

MD5
d6bd210f227442b3362493d046cea233

SHA1
ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

SHA256
335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

SHA512
464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Download Submit
\Users\Admin\AppData\Local\Temp\_vcredist_x86.exe

Filesize
443KB

MD5
39e2f79a5becdc5ffdf17003402c2f82

SHA1
7d2c053093cedf3e4b556628b3d8192275b983a8

SHA256
76583dd73769247f3ee4b1a74dfca1dd9792c74aaa246c324f97201c34ed1a5a

SHA512
2f4fba7ec629275f0cc64587d885ca9c1d8b5fb6e968b98b7307be93d6cf02a56871b8cc04990a3939ccb5b5840cf55b6a2f5093b3ee0c4d4cc72a996e6d343b

Download Submit
\Users\Admin\AppData\Local\Temp\{95716cce-fc71-413f-8ad5-56c2892d4b3a}\.ba1\wixstdba.dll

Filesize
126KB

MD5
d7bf29763354eda154aad637017b5483

SHA1
dfa7d296bfeecde738ef4708aaabfebec6bc1e48

SHA256
7f5f8fcfd84132579f07e395e65b44e1b031fe01a299bce0e3dd590131c5cb93

SHA512
1c76175732fe68b9b12cb46077daa21e086041adbd65401717a9a1b5f3c516e03c35a90897c22c7281647d6af4a1a5ffb3fbd5706ea376d8f6e574d27396019c

Download Submit
\Windows\SysWOW64\Zombie.exe

Filesize
73KB

MD5
31c8aafbfc4ecfe736869213bb61fe6e

SHA1
47e6d67b7d76ed67e2c069ae52bfb5b859dcd941

SHA256
52120cc0a65d259ebd547040eced5956e037e7b660dd42cd43809b68d2070507

SHA512
6ea49660e908315354cc9dc2fe32798254d78da0bfa98595c9d389acf88de2c596667e49b30b9ef6faba41a51ea9cd50f1aaa0c29dc96d029491aeea5a7c1b9e

Download Submit