c8e9d09ad447ee95b879b7a55829d94a1aac2ecc6546942b9e08f7e3e5709088

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
04-07-2024 17:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

[DemonArchives]54b9e4e56454226484e80fd01ca03131.exe
Size

398KB
MD5

54b9e4e56454226484e80fd01ca03131
SHA1

4fe51686f1184796896952a837006d6a71973c59
SHA256

2f04032d41572a957bab7fcb8f2162af3497e6433d1f3ee196aee53e5ef1b85f
SHA512

4b401335e5e3e6ee409e44b6cef18023a2c70459fdab52f877e4b60793f9fc2a47551fa9ffc93f754fd4d0a1642fb8cfcc60ef8e79a7a71c0fc29b2c21324c66
SSDEEP

6144:AonzSJT/4DO/B52pRr3zmiTVVmVVV8VVNVVVcVVVxVVVPVVlVVVRVVVtVVWV60jJ:XnOJj4DO/B52nZP5

Score

9^/10

ransomware

Malware Config

Signatures

Renames multiple (3435) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Executes dropped EXE 2 IoCs

Processes:

_MpDlpCmd.exeZombie.exe

pid process

2184 _MpDlpCmd.exe
2204 Zombie.exe

pid	process
2184	_MpDlpCmd.exe
2204	Zombie.exe

Loads dropped DLL 5 IoCs

Processes:

[DemonArchives]54b9e4e56454226484e80fd01ca03131.exe

pid	process
3008	[DemonArchives]54b9e4e56454226484e80fd01ca03131.exe
3008	[DemonArchives]54b9e4e56454226484e80fd01ca03131.exe
3008	[DemonArchives]54b9e4e56454226484e80fd01ca03131.exe
3008	[DemonArchives]54b9e4e56454226484e80fd01ca03131.exe
2176

Drops file in System32 directory 2 IoCs

Processes:

[DemonArchives]54b9e4e56454226484e80fd01ca03131.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Zombie.exe	[DemonArchives]54b9e4e56454226484e80fd01ca03131.exe
File opened for modification	C:\Windows\SysWOW64\Zombie.exe	[DemonArchives]54b9e4e56454226484e80fd01ca03131.exe

Drops file in Program Files directory 64 IoCs

Processes:

Zombie.exe

description	ioc	process
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-tools_zh_CN.jar.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrdeush.dat.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\journal.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-application-views_zh_CN.jar.tmp	Zombie.exe
File created	C:\Program Files\Windows Media Player\Media Renderer\DMR_120.jpg.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\tipresx.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-uihandler_zh_CN.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-spi-quicksearch_zh_CN.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler_zh_CN.jar.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Shorthand.emf.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Enderbury.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Costa_Rica.tmp	Zombie.exe
File created	C:\Program Files\Windows Defender\es-ES\MsMpRes.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libavcodec_plugin.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jdwp.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\date-span-16.png.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-profiler_ja.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\bin\net.dll.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\TipRes.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\bin\fontmanager.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Games\Purble Place\ja-JP\PurblePlace.exe.mui.tmp	Zombie.exe
File created	C:\Program Files\Windows Media Player\de-DE\wmlaunch.exe.mui.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\diner_h.png.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\de-DE\ChkrRes.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Common Files\System\ado\en-US\msader15.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationLeft_ButtonGraphic.png.tmp	Zombie.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_wer.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-annotations-common.xml.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Galapagos.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\spu\libmarq_plugin.dll.tmp	Zombie.exe
File created	C:\Program Files\Windows Photo Viewer\PhotoBase.dll.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\numbase.xml.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationRight_SelectionSubpicture.png.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher_1.3.0.v20140911-0143.jar.tmp	Zombie.exe
File created	C:\Program Files\Mozilla Firefox\defaults\pref\channel-prefs.js.tmp	Zombie.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\FrameworkList.xml.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler.xml.tmp	Zombie.exe
File created	C:\Program Files\7-Zip\Lang\ku.txt.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Title_Page_Ref.wmv.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Yakutat.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Magadan.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\MST7.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Chagos.tmp	Zombie.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.Workflow.Runtime.dll.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\libsdp_plugin.dll.tmp	Zombie.exe
File created	C:\Program Files\Windows Defender\de-DE\MpEvMsg.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Windows Media Player\Network Sharing\wmpnss_bw48.bmp.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\deployJava1.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\mailapi.jar.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\month.png.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\skins\skin.catalog.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\feature.properties.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\about.html.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\management\jmxremote.password.template.tmp	Zombie.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Data.DataSetExtensions.Resources.dll.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libsamplerate_plugin.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL.tmp	Zombie.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\LogoBeta.png.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-masterfs-nio2_ja.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\ext\sunmscapi.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\jvm.hprof.txt.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Urumqi.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\micaut.dll.tmp	Zombie.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

[DemonArchives]54b9e4e56454226484e80fd01ca03131.exe

description	pid	process	target process
PID 3008 wrote to memory of 2184	3008	[DemonArchives]54b9e4e56454226484e80fd01ca03131.exe	_MpDlpCmd.exe
PID 3008 wrote to memory of 2184	3008	[DemonArchives]54b9e4e56454226484e80fd01ca03131.exe	_MpDlpCmd.exe
PID 3008 wrote to memory of 2184	3008	[DemonArchives]54b9e4e56454226484e80fd01ca03131.exe	_MpDlpCmd.exe
PID 3008 wrote to memory of 2184	3008	[DemonArchives]54b9e4e56454226484e80fd01ca03131.exe	_MpDlpCmd.exe
PID 3008 wrote to memory of 2204	3008	[DemonArchives]54b9e4e56454226484e80fd01ca03131.exe	Zombie.exe
PID 3008 wrote to memory of 2204	3008	[DemonArchives]54b9e4e56454226484e80fd01ca03131.exe	Zombie.exe
PID 3008 wrote to memory of 2204	3008	[DemonArchives]54b9e4e56454226484e80fd01ca03131.exe	Zombie.exe
PID 3008 wrote to memory of 2204	3008	[DemonArchives]54b9e4e56454226484e80fd01ca03131.exe	Zombie.exe

C:\Users\Admin\AppData\Local\Temp\[DemonArchives]54b9e4e56454226484e80fd01ca03131.exe
"C:\Users\Admin\AppData\Local\Temp\[DemonArchives]54b9e4e56454226484e80fd01ca03131.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3008

C:\Windows\SysWOW64\Zombie.exe
"C:\Windows\system32\Zombie.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2204

C:\Users\Admin\AppData\Local\Temp\_MpDlpCmd.exe
"_MpDlpCmd.exe"
2⤵
- Executes dropped EXE
PID:2184

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1298544033-3225604241-2703760938-1000\desktop.ini.tmp
Filesize
87KB

MD5
70fead1a6de5c432ae1ec5116c5039f4

SHA1
91c99d3f6bdd891907962f2387f1d549685de8e2

SHA256
a02adad7b67ea35d143c3a6d732d40c4fbc87209a4def83a2d3931f7f143965d

SHA512
2dbcaf92dafba0f1adb5ffc2441542a8c7e12a15027709e91a5be75ac604aa69689440aa494101ccc2fa045b4411a1450a2e1147d443896e7da42d690a064390

Download Submit
\Users\Admin\AppData\Local\Temp\_MpDlpCmd.exe
Filesize
310KB

MD5
c7c81e2467fa619d5b4a03b0fa51519c

SHA1
39c7ec92e51d72626d4f5d29d80bdf3eb46e8f7c

SHA256
e3f1eca768f304512804a54489e8a658e9906e7e0911bb869d03eff140cff5d0

SHA512
2438e68ff4cf4bc7d1b8ec9b722e882fa8863cd8690b8c6a03f17d88de1b6eb5697934413ebe4bf1221f1182db841df2ceff4b22a928f577c80968a13b81f8cd

Download Submit
\Windows\SysWOW64\Zombie.exe
Filesize
87KB

MD5
4eaf4b911f13079dcc3d9209b736ab00

SHA1
bf954a36842a61c5679ecd41fbf12a6017de2323

SHA256
da689ddfc0d20c2b3cbbb3e2cb29ec5a401ab257f894913ea3deb680e54084f9

SHA512
55721fff26e2bf8dc7a4ffd1f5b46ba308a60b66e2cec7779766e962a2fe6bb641b1c0abd2fea21a51612f2642a7b3596e642ce6484939ac6a530abbb817c234

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads