0be1649f0bde0246c12eacb58518be98ece87a613367b9b43a5df15ac4e50909

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
03/07/2024, 21:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0be1649f0bde0246c12eacb58518be98ece87a613367b9b43a5df15ac4e50909.exe
Size

182KB
MD5

7642d3b428b14859113aace04c65bd00
SHA1

a346ed7311f1f97dee53aab021bf36c23a3e5043
SHA256

0be1649f0bde0246c12eacb58518be98ece87a613367b9b43a5df15ac4e50909
SHA512

b943434f67a6fa5ab202d999ee5cab3d7a23b2fa9ceb491d5fb0ea38c3fb4c82e4860d32d9f1b343e5639fc37600032c3d6bffca0627fa18d08e973099e09ebb
SSDEEP

3072:6pWpBwchcYw9mHpKZNGCLOwstyhZFChcssc56FUrgxvbSD4UQrO2ZTxH:PM9UpK7ShcHUaZZ

Score

9^/10

ransomware

Malware Config

Signatures

Renames multiple (3768) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 2 IoCs

pid	Process
1800	_cinst.exe
2864	Zombie.exe

Loads dropped DLL 3 IoCs

pid	Process
492	0be1649f0bde0246c12eacb58518be98ece87a613367b9b43a5df15ac4e50909.exe
492	0be1649f0bde0246c12eacb58518be98ece87a613367b9b43a5df15ac4e50909.exe
492	0be1649f0bde0246c12eacb58518be98ece87a613367b9b43a5df15ac4e50909.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Zombie.exe	0be1649f0bde0246c12eacb58518be98ece87a613367b9b43a5df15ac4e50909.exe
File opened for modification	C:\Windows\SysWOW64\Zombie.exe	0be1649f0bde0246c12eacb58518be98ece87a613367b9b43a5df15ac4e50909.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\203x8subpicture.png.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Midway.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Games\Chess\desktop.ini.tmp	Zombie.exe
File created	C:\Program Files\Mozilla Firefox\install.log.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_output\libvmem_plugin.dll.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Title_content-background.png.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\button_left_mousedown.png.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\logo.png.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\highDpiImageSwap.js.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Tehran.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-host-views.xml.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\bin\jp2iexp.dll.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_flac_plugin.dll.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\js\calendar.js.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\buttonDown_Off.png.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_rainy.png.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Postage_ButtonGraphic.png.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\gadget.xml.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\Africa\Nairobi.tmp	Zombie.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\System.IdentityModel.Selectors.Resources.dll.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_mixer\libfloat_mixer_plugin.dll.tmp	Zombie.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AXE8SharedExpat.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\core.jar.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Circle_SelectionSubpictureB.png.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Riyadh89.tmp	Zombie.exe
File created	C:\Program Files\Mozilla Firefox\xul.dll.sig.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_trans_MATTE_PAL.wmv.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\it-IT\DVDMaker.exe.mui.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-keyring-fallback.xml.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\SystemV\EST5.tmp	Zombie.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.Workflow.ComponentModel.dll.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\InkObj.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Oslo.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libty_plugin.dll.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\flyout.html.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationRight_SelectionSubpicture.png.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-options-api_ja.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jmx_zh_CN.jar.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Games\Purble Place\PurblePlace2.dll.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libnuv_plugin.dll.tmp	Zombie.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\DataMatrix.pmp.tmp	Zombie.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\CGMIMP32.CFG.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\help.gif.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\new-trigger-wiz.gif.tmp	Zombie.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Data.Services.Design.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ffffff_256x240.png.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\gadget.xml.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\settings.html.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Montevideo.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\ECLIPSE_.SF.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-execution_ja.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\bin\t2k.dll.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\203x8subpicture.png.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-lib-uihandler_ja.jar.tmp	Zombie.exe
File created	C:\Program Files\Mozilla Firefox\crashreporter.ini.tmp	Zombie.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Entity.Design.dll.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\hrtfs\dodeca_and_7channel_3DSL_HRTF.sofa.tmp	Zombie.exe
File created	C:\Program Files\Windows Media Player\it-IT\wmpnscfg.exe.mui.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Monaco.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui_3.106.0.v20140812-1751.jar.tmp	Zombie.exe
File created	C:\Program Files\Windows Photo Viewer\es-ES\ImagingDevices.exe.mui.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.bindings.nl_zh_4.4.0.v20140623020002.jar.tmp	Zombie.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll.sig.tmp	Zombie.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 492 wrote to memory of 1800	492	0be1649f0bde0246c12eacb58518be98ece87a613367b9b43a5df15ac4e50909.exe	30
PID 492 wrote to memory of 1800	492	0be1649f0bde0246c12eacb58518be98ece87a613367b9b43a5df15ac4e50909.exe	30
PID 492 wrote to memory of 1800	492	0be1649f0bde0246c12eacb58518be98ece87a613367b9b43a5df15ac4e50909.exe	30
PID 492 wrote to memory of 1800	492	0be1649f0bde0246c12eacb58518be98ece87a613367b9b43a5df15ac4e50909.exe	30
PID 492 wrote to memory of 2864	492	0be1649f0bde0246c12eacb58518be98ece87a613367b9b43a5df15ac4e50909.exe	29
PID 492 wrote to memory of 2864	492	0be1649f0bde0246c12eacb58518be98ece87a613367b9b43a5df15ac4e50909.exe	29
PID 492 wrote to memory of 2864	492	0be1649f0bde0246c12eacb58518be98ece87a613367b9b43a5df15ac4e50909.exe	29
PID 492 wrote to memory of 2864	492	0be1649f0bde0246c12eacb58518be98ece87a613367b9b43a5df15ac4e50909.exe	29

C:\Users\Admin\AppData\Local\Temp\0be1649f0bde0246c12eacb58518be98ece87a613367b9b43a5df15ac4e50909.exe
"C:\Users\Admin\AppData\Local\Temp\0be1649f0bde0246c12eacb58518be98ece87a613367b9b43a5df15ac4e50909.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:492
- C:\Windows\SysWOW64\Zombie.exe
  "C:\Windows\system32\Zombie.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2864
- C:\Users\Admin\AppData\Local\Temp\_cinst.exe
  "_cinst.exe"
  2⤵
  - Executes dropped EXE
  PID:1800

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2737914667-933161113-3798636211-1000\desktop.ini.tmp

Filesize
39KB

MD5
574c21b7655084e5a8e5862e3a6d5de3

SHA1
13be3623a6caa57702ef3dac2abc3637b63036e3

SHA256
68fcdce56caf6ef172e796d22a0a3ee6033d804c38141350cee9bc48597fe0e4

SHA512
c37162817f158fb4259cff71afd1b7ab6822ba934b72d332f0109ff742402f2ab49ec6a76cbd9ccac50ac9049b0acfab5e59b6c0ea8617d245a35abecf952018

Download Submit
\Users\Admin\AppData\Local\Temp\_cinst.exe

Filesize
143KB

MD5
2fdb371d45181dff59577110ba1064e2

SHA1
42a5833cb0ac90e38d734d1327bb3f7c7a6aa453

SHA256
80d7ec8ce3913d81ea5d4f304b8609e56f0e49778c52af9279e742ea54f4a155

SHA512
52982041ba9ca552b90b79b251501ec6c33c5251d09ca9969a1b179af2ec17aca6eb81db6e588e12751bcea04208e1da8d5a754a979dd98ceb3f50780aadea20

Download Submit
\Windows\SysWOW64\Zombie.exe

Filesize
39KB

MD5
52c4ca6c94fa29e1791d7f68f054bc1a

SHA1
79e3ac6e34a5b336bbd58e12f257eace7b2a4454

SHA256
57b9654597732d7caf9f9c285b25d8cbdf686025ff1c1f07c964e4cac45d9fdd

SHA512
61f9954dbf05d528bbfc26aa4ab289368eff62a734a5dd424abb6a22899926a860915ad73c639cb46d55a67f88ffb383edbc65a47ab22274af4c667b1dc2ca37

Download Submit
memory/1800-19-0x000007FEF50E3000-0x000007FEF50E4000-memory.dmp

Filesize
4KB

Download
memory/1800-20-0x0000000000AE0000-0x0000000000B08000-memory.dmp

Filesize
160KB

Download