b7de492efa8d6ff8aff98db157f16e27bb12e759f45c6a36e91ba7be70ada563

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
11/07/2024, 04:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b7de492efa8d6ff8aff98db157f16e27bb12e759f45c6a36e91ba7be70ada563.exe
Size

465KB
MD5

4cb8e637913dbf01188b2d8751f7f866
SHA1

d948994130e626aea47ca1f26b7e77a2dd5871cf
SHA256

b7de492efa8d6ff8aff98db157f16e27bb12e759f45c6a36e91ba7be70ada563
SHA512

de046d0e44cbab57c05de79ca63ce14a13f2d01b6a7fbd03e86de19e2aa56dc0139884a76d326c5c60a1a6b960bff83ba0e13dea1e272635c6628a6736ec4a0d
SSDEEP

12288:cNUhiHOR4LucvSFSrux88ndNtJXzLFzio:GUhiHOeE8rin3thLj

Score

9^/10

ransomware

Malware Config

Signatures

Renames multiple (3745) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 2 IoCs

pid	Process
2704	Zombie.exe
2816	_AdobeARMHelper.exe

Loads dropped DLL 3 IoCs

pid	Process
2252	b7de492efa8d6ff8aff98db157f16e27bb12e759f45c6a36e91ba7be70ada563.exe
2252	b7de492efa8d6ff8aff98db157f16e27bb12e759f45c6a36e91ba7be70ada563.exe
2252	b7de492efa8d6ff8aff98db157f16e27bb12e759f45c6a36e91ba7be70ada563.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Zombie.exe	b7de492efa8d6ff8aff98db157f16e27bb12e759f45c6a36e91ba7be70ada563.exe
File opened for modification	C:\Windows\SysWOW64\Zombie.exe	b7de492efa8d6ff8aff98db157f16e27bb12e759f45c6a36e91ba7be70ada563.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\MANIFEST.MF.tmp	Zombie.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\README.TXT.tmp	Zombie.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\bl.gif.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\huemainsubpicture2.png.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Macquarie.tmp	Zombie.exe
File created	C:\Program Files\Windows Journal\de-DE\Journal.exe.mui.tmp	Zombie.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AXSLE.dll.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libscte27_plugin.dll.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libcanvas_plugin.dll.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\16_9-frame-image-inset.png.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Monterrey.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-editor-mimelookup.xml.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libvhs_plugin.dll.tmp	Zombie.exe
File created	C:\Program Files\7-Zip\Lang\yo.txt.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\rtscom.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\vlc.mo.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\calendar.html.tmp	Zombie.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Acrofx32.dll.tmp	Zombie.exe
File created	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\setup.swf.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.common_3.6.200.v20130402-1505.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\Beulah.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Antigua.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Lisbon.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-autoupdate-cli.jar.tmp	Zombie.exe
File created	C:\Program Files\Mozilla Firefox\update-settings.ini.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\tipresx.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler-charts.xml.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-api-search_ja.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-coredump_zh_CN.jar.tmp	Zombie.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.Royale.dll.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\clock.html.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Reykjavik.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.webapp.nl_zh_4.4.0.v20140623020002.jar.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\add_down.png.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\gadget.xml.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_left_hover.png.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\mshwjpn.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.updatechecker.nl_ja_4.4.0.v20140623020002.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Kathmandu.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libparam_eq_plugin.dll.tmp	Zombie.exe
File created	C:\Program Files\Windows Journal\ja-JP\PDIALOG.exe.mui.tmp	Zombie.exe
File created	C:\Program Files\Common Files\System\ado\msado25.tlb.tmp	Zombie.exe
File created	C:\Program Files\Internet Explorer\ieinstal.exe.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.nl_ja_4.4.0.v20140623020002.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-swing-tabcontrol_ja.jar.tmp	Zombie.exe
File created	C:\Program Files\7-Zip\Lang\ms.txt.tmp	Zombie.exe
File created	C:\Program Files\Internet Explorer\Timeline_is.dll.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\flower_m.png.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\1047x576black.png.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-swing-tabcontrol.jar.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\16_9-frame-background.png.tmp	Zombie.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ml.pak.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.attach.ja_5.5.0.165303.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.nl_ja_4.4.0.v20140623020002.jar.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\requests\vlm.xml.tmp	Zombie.exe
File created	C:\Program Files\7-Zip\Lang\et.txt.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipsfin.xml.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\square.png.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-spi-quicksearch.jar.tmp	Zombie.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Extensions.Design.dll.tmp	Zombie.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia.api.tmp	Zombie.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdater.cer.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Cambridge_Bay.tmp	Zombie.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2816	_AdobeARMHelper.exe
2816	_AdobeARMHelper.exe
2816	_AdobeARMHelper.exe
2816	_AdobeARMHelper.exe
2816	_AdobeARMHelper.exe
2816	_AdobeARMHelper.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 2704	2252	b7de492efa8d6ff8aff98db157f16e27bb12e759f45c6a36e91ba7be70ada563.exe	30
PID 2252 wrote to memory of 2704	2252	b7de492efa8d6ff8aff98db157f16e27bb12e759f45c6a36e91ba7be70ada563.exe	30
PID 2252 wrote to memory of 2704	2252	b7de492efa8d6ff8aff98db157f16e27bb12e759f45c6a36e91ba7be70ada563.exe	30
PID 2252 wrote to memory of 2704	2252	b7de492efa8d6ff8aff98db157f16e27bb12e759f45c6a36e91ba7be70ada563.exe	30
PID 2252 wrote to memory of 2816	2252	b7de492efa8d6ff8aff98db157f16e27bb12e759f45c6a36e91ba7be70ada563.exe	31
PID 2252 wrote to memory of 2816	2252	b7de492efa8d6ff8aff98db157f16e27bb12e759f45c6a36e91ba7be70ada563.exe	31
PID 2252 wrote to memory of 2816	2252	b7de492efa8d6ff8aff98db157f16e27bb12e759f45c6a36e91ba7be70ada563.exe	31
PID 2252 wrote to memory of 2816	2252	b7de492efa8d6ff8aff98db157f16e27bb12e759f45c6a36e91ba7be70ada563.exe	31

C:\Users\Admin\AppData\Local\Temp\b7de492efa8d6ff8aff98db157f16e27bb12e759f45c6a36e91ba7be70ada563.exe
"C:\Users\Admin\AppData\Local\Temp\b7de492efa8d6ff8aff98db157f16e27bb12e759f45c6a36e91ba7be70ada563.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Windows\SysWOW64\Zombie.exe
  "C:\Windows\system32\Zombie.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2704
- C:\Users\Admin\AppData\Local\Temp\_AdobeARMHelper.exe
  "_AdobeARMHelper.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2816

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-940600906-3464502421-4240639183-1000\desktop.ini.tmp

Filesize
78KB

MD5
4aa3868e3659bb592ac3d3ba63298360

SHA1
6865bcc01d90aca065c9b698cd947cf8cd9bdf84

SHA256
47f1a3e0b94ec9d0d6a2be7d64b24a7442395632b384ba9042d76ae42abb14a7

SHA512
6babd4bb10474e132827951cfdfe11f6f52f4b5ce374896ff11ad4cb9c5f4b35c3e6ec82233723a4da53dc9032d8315d76240a0dfdccae3f1a1e3ce84cbcf2ff

Download Submit
\Users\Admin\AppData\Local\Temp\_AdobeARMHelper.exe

Filesize
387KB

MD5
c18baf4d858b36dbf1e679c79c659a70

SHA1
f5638a26a57a9ef9dbfb0b1a324c13f2b548f308

SHA256
843dd18df8fd40e9e8ab2cecc52c03f2e95b0c2933162ba860d83e23c207b82c

SHA512
a46d780398f5066a90de5e0772a0a0f55f802dca023e8c90db271507aacec8f73a6f3a8cbd086031235e2037eab83975b68e52c17519efc4c6148b48f2ad2ee2

Download Submit
\Windows\SysWOW64\Zombie.exe

Filesize
78KB

MD5
a2e9d76030ff69598f0066449d860df0

SHA1
076faa1130cc9ba2e33f3955351348b218a4716b

SHA256
d2a634e68db28eeef58a58c9918b5fb27281b53697d8b5e82fd7bad6c7487620

SHA512
6eb21a5327fef39bbb85329c968aeadb055397b3ada27f30a5f91cf0df93d29e0ba9e413ba4a817bdd4f95b96a506524942c98ad728a871860e5dd8da6c30b6b

Download Submit