ac6e3d73ba05c9b31aeff8ad1ab28d4ce22cd9664f282af3b7684e5bcdfc0ae3

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05/07/2024, 01:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ac6e3d73ba05c9b31aeff8ad1ab28d4ce22cd9664f282af3b7684e5bcdfc0ae3.exe
Size

467KB
MD5

8cf20207163b6c4ac6cf6dddf4ec0335
SHA1

ed9d1422fc9ec20d54a16ec4cac55af7bac225bc
SHA256

ac6e3d73ba05c9b31aeff8ad1ab28d4ce22cd9664f282af3b7684e5bcdfc0ae3
SHA512

b3337078bcf3d27ba67d4f4c9498afa672a2424fe65ad70ae64657515ba918fcdf9de4ec5053d57fd489e703dd5b88b7c29faabe140fc596ba78df651fc2869b
SSDEEP

12288:iFF2uqNUhiHOR4LucvSFSrux88ndNtJXzLFziB:iFF2PUhiHOeE8rin3thLa

Score

9^/10

ransomware

Malware Config

Signatures

Renames multiple (3436) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 2 IoCs

pid	Process
1744	Zombie.exe
2796	_AdobeARMHelper.exe

Loads dropped DLL 3 IoCs

pid	Process
856	ac6e3d73ba05c9b31aeff8ad1ab28d4ce22cd9664f282af3b7684e5bcdfc0ae3.exe
856	ac6e3d73ba05c9b31aeff8ad1ab28d4ce22cd9664f282af3b7684e5bcdfc0ae3.exe
856	ac6e3d73ba05c9b31aeff8ad1ab28d4ce22cd9664f282af3b7684e5bcdfc0ae3.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Zombie.exe	ac6e3d73ba05c9b31aeff8ad1ab28d4ce22cd9664f282af3b7684e5bcdfc0ae3.exe
File opened for modification	C:\Windows\SysWOW64\Zombie.exe	ac6e3d73ba05c9b31aeff8ad1ab28d4ce22cd9664f282af3b7684e5bcdfc0ae3.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\fr-FR\ShvlRes.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Common Files\System\ado\msadomd28.tlb.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\currency.data.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.update.configurator_3.3.300.v20140518-1928.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-javahelp_ja.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\management-agent.jar.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\icon.png.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\css\settings.css.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\js\settings.js.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_precomp_matte.wmv.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\win32\jawt_md.h.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.ui.ja_5.5.0.165303.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jvm.xml.tmp	Zombie.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\ReachFramework.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fontconfig.bfc.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.rcp_4.3.100.v20141007-2301.jar.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\button_MCELogo_mousedown.png.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-api-caching_ja.jar.tmp	Zombie.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Data.Services.Client.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Blanc-Sablon.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\feature.properties.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf_3.4.0.v20140827-1444.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.extensionlocation.nl_zh_4.4.0.v20140623020002.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring-fallback_zh_CN.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-heapwalker.jar.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\js\settings.js.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-options-keymap_ja.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Cayman.tmp	Zombie.exe
File created	C:\Program Files\Mozilla Firefox\update-settings.ini.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\css\settings.css.tmp	Zombie.exe
File created	C:\Program Files\7-Zip\Lang\es.txt.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\jmxremote.password.template.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Petersburg.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Taipei.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Cancun.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_mac.css.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\boot_ja.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler.xml.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Filters\msgfilt.dll.tmp	Zombie.exe
File created	C:\Program Files\Internet Explorer\F12Tools.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Zurich.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.jobs_3.6.0.v20140424-0053.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi_3.10.1.v20140909-1633.jar.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\css\flyout.css.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Nassau.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\new-trigger-wiz.gif.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jetty.servlet_8.1.14.v20131031.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.security_1.2.0.v20130424-1801.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-options-keymap.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-application-views_zh_CN.jar.tmp	Zombie.exe
File created	C:\Program Files\Windows Journal\de-DE\JNTFiltr.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Windows NT\TableTextService\ja-JP\TableTextService.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationLeft_SelectionSubpicture.png.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-charts_zh_CN.jar.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\locale\gd\LC_MESSAGES\vlc.mo.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\locale\zu\LC_MESSAGES\vlc.mo.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Guyana.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\stream_extractor\libarchive_plugin.dll.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\cloud_Thumbnail.bmp.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\15x15dot.png.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Havana.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\epl-v10.html.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\bin\w2k_lsa_auth.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Belgrade.tmp	Zombie.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2796	_AdobeARMHelper.exe
2796	_AdobeARMHelper.exe
2796	_AdobeARMHelper.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 856 wrote to memory of 1744	856	ac6e3d73ba05c9b31aeff8ad1ab28d4ce22cd9664f282af3b7684e5bcdfc0ae3.exe	28
PID 856 wrote to memory of 1744	856	ac6e3d73ba05c9b31aeff8ad1ab28d4ce22cd9664f282af3b7684e5bcdfc0ae3.exe	28
PID 856 wrote to memory of 1744	856	ac6e3d73ba05c9b31aeff8ad1ab28d4ce22cd9664f282af3b7684e5bcdfc0ae3.exe	28
PID 856 wrote to memory of 1744	856	ac6e3d73ba05c9b31aeff8ad1ab28d4ce22cd9664f282af3b7684e5bcdfc0ae3.exe	28
PID 856 wrote to memory of 2796	856	ac6e3d73ba05c9b31aeff8ad1ab28d4ce22cd9664f282af3b7684e5bcdfc0ae3.exe	29
PID 856 wrote to memory of 2796	856	ac6e3d73ba05c9b31aeff8ad1ab28d4ce22cd9664f282af3b7684e5bcdfc0ae3.exe	29
PID 856 wrote to memory of 2796	856	ac6e3d73ba05c9b31aeff8ad1ab28d4ce22cd9664f282af3b7684e5bcdfc0ae3.exe	29
PID 856 wrote to memory of 2796	856	ac6e3d73ba05c9b31aeff8ad1ab28d4ce22cd9664f282af3b7684e5bcdfc0ae3.exe	29

C:\Users\Admin\AppData\Local\Temp\ac6e3d73ba05c9b31aeff8ad1ab28d4ce22cd9664f282af3b7684e5bcdfc0ae3.exe
"C:\Users\Admin\AppData\Local\Temp\ac6e3d73ba05c9b31aeff8ad1ab28d4ce22cd9664f282af3b7684e5bcdfc0ae3.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:856
- C:\Windows\SysWOW64\Zombie.exe
  "C:\Windows\system32\Zombie.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:1744
- C:\Users\Admin\AppData\Local\Temp\_AdobeARMHelper.exe
  "_AdobeARMHelper.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2796

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2297530677-1229052932-2803917579-1000\desktop.ini.tmp

Filesize
80KB

MD5
3df76d9f37a5def0504e494951701d4c

SHA1
9ffcba4ed0bd95aec25019f8bf23b408e275fd46

SHA256
35895fce63d2a31aa9cf93b570b6165e279b4b49e83222ab5b897fbed690188a

SHA512
c94ea85e8184569f8fd6992241145eada8646e6408192cf8ba70e11a256dff35596cbe5acb87f159ccbe4d586027a72fcf1129cdb875c67ceb46285e0c813812

Download Submit
\Users\Admin\AppData\Local\Temp\_AdobeARMHelper.exe

Filesize
387KB

MD5
c18baf4d858b36dbf1e679c79c659a70

SHA1
f5638a26a57a9ef9dbfb0b1a324c13f2b548f308

SHA256
843dd18df8fd40e9e8ab2cecc52c03f2e95b0c2933162ba860d83e23c207b82c

SHA512
a46d780398f5066a90de5e0772a0a0f55f802dca023e8c90db271507aacec8f73a6f3a8cbd086031235e2037eab83975b68e52c17519efc4c6148b48f2ad2ee2

Download Submit
\Windows\SysWOW64\Zombie.exe

Filesize
80KB

MD5
cee3d3936b76117281699bcef8345216

SHA1
8bb1aaf10c93a02b0340c9b57487635ff4a5a623

SHA256
51a4f37d183ef2d73f15442c5d6ad4e607b438ac970264470a7c8fd85c455962

SHA512
cb3f9b21d7e588c3edc37423f1a93b4e9ed43d859ac1cef3a62e4b9833438dc1694ae44532f235e328dedfa6a089f2c9829ab966da823790d574e22c3132bf9c

Download Submit