0c7c7ac6ede0c86216ff5313140c4efdd273bfed688a79ffe1a5f408be392102

Analysis

max time kernel
119s
max time network
16s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
20/07/2024, 08:00

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

6acf84255607a52dfdda206985bb3690N.exe
Size

175KB
MD5

6acf84255607a52dfdda206985bb3690
SHA1

d09166644c61496e1135f7c77dcf15a54c6424a7
SHA256

0c7c7ac6ede0c86216ff5313140c4efdd273bfed688a79ffe1a5f408be392102
SHA512

a49c120a82025072befd7d7587aa5777baa8d4fec24860914309d97d10d08afbf1d88304d7929d4bb0e66cc6ba1f96a8921547c860acb8c5f10bc9696de31dd9
SSDEEP

3072:6pWpdE9tHpKrvGCLOwstyhZFChcssc56FUrgxvbSD4UQrO2ExV:PM95pK7ShcHUay

Score

9^/10

ransomware

Malware Config

Signatures

Renames multiple (3276) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 2 IoCs

pid	Process
2056	_clist.exe
1656	Zombie.exe

Loads dropped DLL 3 IoCs

pid	Process
3024	6acf84255607a52dfdda206985bb3690N.exe
3024	6acf84255607a52dfdda206985bb3690N.exe
3024	6acf84255607a52dfdda206985bb3690N.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Zombie.exe	6acf84255607a52dfdda206985bb3690N.exe
File opened for modification	C:\Windows\SysWOW64\Zombie.exe	6acf84255607a52dfdda206985bb3690N.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.htm.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainBackground_PAL.wmv.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Bissau.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macTSFrame.png.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_CopyNoDrop32x32.gif.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.operations_2.4.0.v20131119-0908.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-core-execution.xml_hidden.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Enderbury.tmp	Zombie.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\System.RunTime.Serialization.Resources.dll.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipsnor.xml.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsNotesBackground_PAL.wmv.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jli.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Vostok.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\bin\jp2iexp.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\fr-FR\bckgRes.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\7-Zip\Lang\pa-in.txt.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\prism-d3d.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-loaders_zh_CN.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-bootstrap.xml.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\Africa\Tripoli.tmp	Zombie.exe
File created	C:\Program Files\Mozilla Firefox\firefox.exe.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_gloss-wave_35_f6a828_500x100.png.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationLeft_SelectionSubpicture.png.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyrun.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fontconfig.properties.src.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Adelaide.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\DVDMaker.exe.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationRight_SelectionSubpicture.png.tmp	Zombie.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\LogoBeta.png.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Galapagos.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-autoupdate-services.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Metlakatla.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Games\Solitaire\ja-JP\Solitaire.exe.mui.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_222222_256x240.png.tmp	Zombie.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msdaprsr.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.scheduler.nl_zh_4.4.0.v20140623020002.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\bin\ssvagent.exe.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Games\Purble Place\it-IT\PurblePlace.exe.mui.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Guam.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web.xml.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrenalm.dat.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Araguaina.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Jakarta.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Jerusalem.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.eclipse.nl_ja_4.4.0.v20140623020002.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Andorra.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\tabskb.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\accessibility.properties.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\plugin.xml.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-compat_ja.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.annotation_1.2.0.v201401042248.jar.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libheadphone_channel_mixer_plugin.dll.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_kor.xml.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\webbase.xml.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\com.jrockit.mc.rcp.product_root_5.5.0.165303.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\msinfo32.exe.mui.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.attach_5.5.0.165303.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Sao_Paulo.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\InputPersonalization.exe.mui.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\TipRes.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_postage_Thumbnail.bmp.tmp	Zombie.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3024 wrote to memory of 2056	3024	6acf84255607a52dfdda206985bb3690N.exe	30
PID 3024 wrote to memory of 2056	3024	6acf84255607a52dfdda206985bb3690N.exe	30
PID 3024 wrote to memory of 2056	3024	6acf84255607a52dfdda206985bb3690N.exe	30
PID 3024 wrote to memory of 2056	3024	6acf84255607a52dfdda206985bb3690N.exe	30
PID 3024 wrote to memory of 1656	3024	6acf84255607a52dfdda206985bb3690N.exe	32
PID 3024 wrote to memory of 1656	3024	6acf84255607a52dfdda206985bb3690N.exe	32
PID 3024 wrote to memory of 1656	3024	6acf84255607a52dfdda206985bb3690N.exe	32
PID 3024 wrote to memory of 1656	3024	6acf84255607a52dfdda206985bb3690N.exe	32

C:\Users\Admin\AppData\Local\Temp\6acf84255607a52dfdda206985bb3690N.exe
"C:\Users\Admin\AppData\Local\Temp\6acf84255607a52dfdda206985bb3690N.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3024
- C:\Users\Admin\AppData\Local\Temp\_clist.exe
  "_clist.exe"
  2⤵
  - Executes dropped EXE
  PID:2056
- C:\Windows\SysWOW64\Zombie.exe
  "C:\Windows\system32\Zombie.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:1656

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1385883288-3042840365-2734249351-1000\desktop.ini.tmp

Filesize
33KB

MD5
99195126317f5f970a1e14b5305e5e6e

SHA1
d2ffc57d8798c9a22122852802d8534c144d5aac

SHA256
abaf99cf02814420752067855bde522b378eb0cbe25d7f8b175617da8e3f6491

SHA512
7d3d26dd9a7a8ffa91e1b22499a2ebaf941776235e9eac1af02104209ee7b3ed3deb2f1f9dfd7c23779af81f05eb492c1b7429993f8dba538d7c0cbf848542d0

Download Submit
\Users\Admin\AppData\Local\Temp\_clist.exe

Filesize
143KB

MD5
b27ea830fb39bc056e65f9a2260ae216

SHA1
b69e40ee5cabe0721d2d1e9fbdd4088fd87592d6

SHA256
fb7fab836f744d669451dcd38aa7d2a9c74c6af893c258d079439b58abce70d8

SHA512
22cad79d90a949174828ee5e3ce621113591c7c991c55c1a6a44a4555002adeb3bcbd9bab6cfbbfdefd663b76ac2dae96d70a01c527b312c7e8d223334a30219

Download Submit
\Windows\SysWOW64\Zombie.exe

Filesize
32KB

MD5
530b19281eae850f73c5f0c495a31fd9

SHA1
7561048e943180db635aa80a4bcd14419f3b6a0e

SHA256
bc224f37c3d874019d385f08a2a25c462effecdd6f891de4bafc966ba56c9d3e

SHA512
fb539e5a525b85c96849e57a4ce61d491649e4922aa10addcacbc72621d9b3c2740a19532056538fed59a63174f94b6939a7502801aafd80e270bc9cd2311cc2

Download Submit
memory/2056-19-0x000007FEF59C3000-0x000007FEF59C4000-memory.dmp

Filesize
4KB

Download
memory/2056-20-0x0000000000280000-0x00000000002A8000-memory.dmp

Filesize
160KB

Download