4779e6ebc64484bd3b39356b7ef8f825a417129107822eed5049cb2848ba7e96

Analysis

max time kernel
150s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
27-07-2024 21:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4779e6ebc64484bd3b39356b7ef8f825a417129107822eed5049cb2848ba7e96.exe
Size

220KB
MD5

c081629b0b8f89a3af3f84c9fe1d9de8
SHA1

bdb1701ac91ca314c70805d5714b7edc24d226d7
SHA256

4779e6ebc64484bd3b39356b7ef8f825a417129107822eed5049cb2848ba7e96
SHA512

9d38e82b7d1c9f282451b45eeb7f629067a4954684434d1b53466854b1a78c3e747fc0c7c69c578adf64543e5ca31c39e295a3817493b6cd13c2d09e6dd0688b
SSDEEP

3072:6+WpDfmRfmhz7RjnI52UhCMD98HpKI6GCLOwstyhZFChcssc56FUrgxvbSD4UQr0:wl7+EUhCw9GpKbShcHUak

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (374) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 2 IoCs

pid	Process
3068	_choco.exe
2888	Zombie.exe

Loads dropped DLL 3 IoCs

pid	Process
2776	4779e6ebc64484bd3b39356b7ef8f825a417129107822eed5049cb2848ba7e96.exe
2776	4779e6ebc64484bd3b39356b7ef8f825a417129107822eed5049cb2848ba7e96.exe
2776	4779e6ebc64484bd3b39356b7ef8f825a417129107822eed5049cb2848ba7e96.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Zombie.exe	4779e6ebc64484bd3b39356b7ef8f825a417129107822eed5049cb2848ba7e96.exe
File opened for modification	C:\Windows\SysWOW64\Zombie.exe	4779e6ebc64484bd3b39356b7ef8f825a417129107822eed5049cb2848ba7e96.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\Lang\sr-spl.txt.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\mshwLatin.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\colorcycle.png.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationRight_ButtonGraphic.png.tmp	Zombie.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\vi.pak.tmp	Zombie.exe
File created	C:\Program Files\7-Zip\Lang\uz.txt.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.jpg.tmp	Zombie.exe
File created	C:\Program Files\Common Files\System\ado\msado26.tlb.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationLeft_ButtonGraphic.png.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\16_9-frame-background.png.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationLeft_SelectionSubpicture.png.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\tipresx.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Notes_loop.wmv.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Scenes_LOOP_BG_PAL.wmv.tmp	Zombie.exe
File created	C:\Program Files\7-Zip\Lang\ar.txt.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\15x15dot.png.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_specialocc_Thumbnail.bmp.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationRight_SelectionSubpicture.png.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\NextMenuButtonIcon.png.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\tipresx.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationLeft_SelectionSubpicture.png.tmp	Zombie.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\nl.pak.tmp	Zombie.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\pt-PT.pak.tmp	Zombie.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\tr.pak.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\IPSEventLogMsg.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwruklm.dat.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\OFFICE.ODF.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.htm.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Postage_SelectionSubpicture.png.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe.tmp	Zombie.exe
File created	C:\Program Files\7-Zip\Lang\kaa.txt.tmp	Zombie.exe
File created	C:\Program Files\7-Zip\Lang\tr.txt.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\203x8subpicture.png.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationLeft_ButtonGraphic.png.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\chapters-static.png.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BlackRectangle.bmp.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrenclm.dat.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrlatinlm.dat.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\HandPrints.jpg.tmp	Zombie.exe
File created	C:\Program Files\Common Files\System\Ole DB\oledb32.dll.tmp	Zombie.exe
File created	C:\Program Files\ConvertUnpublish.wpl.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\InkWatson.exe.mui.tmp	Zombie.exe
File created	C:\Program Files\Common Files\System\msadc\msadds.dll.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Scenes_INTRO_BG.wmv.tmp	Zombie.exe
File created	C:\Program Files\Internet Explorer\MemoryAnalyzer.dll.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\highlight.png.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\15x15dot.png.tmp	Zombie.exe
File created	C:\Program Files\7-Zip\Lang\mr.txt.tmp	Zombie.exe
File created	C:\Program Files\7-Zip\Lang\sv.txt.tmp	Zombie.exe
File created	C:\Program Files\7-Zip\Lang\zh-cn.txt.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Orange Circles.htm.tmp	Zombie.exe
File created	C:\Program Files\Common Files\System\ado\msado25.tlb.tmp	Zombie.exe
File created	C:\Program Files\Common Files\System\Ole DB\msxactps.dll.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-imageMask.png.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\photoedge_buttongraphic.png.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationRight_ButtonGraphic.png.tmp	Zombie.exe
File created	C:\Program Files\Internet Explorer\jsdebuggeride.dll.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\tipresx.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\Content.xml.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_rtl.xml.tmp	Zombie.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4779e6ebc64484bd3b39356b7ef8f825a417129107822eed5049cb2848ba7e96.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Zombie.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2776 wrote to memory of 3068	2776	4779e6ebc64484bd3b39356b7ef8f825a417129107822eed5049cb2848ba7e96.exe	31
PID 2776 wrote to memory of 3068	2776	4779e6ebc64484bd3b39356b7ef8f825a417129107822eed5049cb2848ba7e96.exe	31
PID 2776 wrote to memory of 3068	2776	4779e6ebc64484bd3b39356b7ef8f825a417129107822eed5049cb2848ba7e96.exe	31
PID 2776 wrote to memory of 3068	2776	4779e6ebc64484bd3b39356b7ef8f825a417129107822eed5049cb2848ba7e96.exe	31
PID 2776 wrote to memory of 2888	2776	4779e6ebc64484bd3b39356b7ef8f825a417129107822eed5049cb2848ba7e96.exe	30
PID 2776 wrote to memory of 2888	2776	4779e6ebc64484bd3b39356b7ef8f825a417129107822eed5049cb2848ba7e96.exe	30
PID 2776 wrote to memory of 2888	2776	4779e6ebc64484bd3b39356b7ef8f825a417129107822eed5049cb2848ba7e96.exe	30
PID 2776 wrote to memory of 2888	2776	4779e6ebc64484bd3b39356b7ef8f825a417129107822eed5049cb2848ba7e96.exe	30

C:\Users\Admin\AppData\Local\Temp\4779e6ebc64484bd3b39356b7ef8f825a417129107822eed5049cb2848ba7e96.exe
"C:\Users\Admin\AppData\Local\Temp\4779e6ebc64484bd3b39356b7ef8f825a417129107822eed5049cb2848ba7e96.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2776
- C:\Windows\SysWOW64\Zombie.exe
  "C:\Windows\system32\Zombie.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:2888
- C:\Users\Admin\AppData\Local\Temp\_choco.exe
  "_choco.exe"
  2⤵
  - Executes dropped EXE
  PID:3068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2212144002-1172735686-1556890956-1000\desktop.ini.tmp

Filesize
78KB

MD5
afea53be6d7962c93f49246e85c65700

SHA1
f6ae6b0e007afd182653d9429ec076c4bf7b57eb

SHA256
90beb2cea97ac7db800398a81f13fbf66a9794d0673ce953f00a878350db83bc

SHA512
b4526cd451dc167c2e502cab6b1646c25d9f7113112b4a2fbe1568910b3db522252085329947440288961dfade3393ca883bead21e35dfaf182ca0733fa3e7f1

Download Submit
C:\Windows\SysWOW64\Zombie.exe

Filesize
78KB

MD5
45f9aea3ddc41820597c24315bb0dd3d

SHA1
b07a48f75b7e648ec62696f2ab68e5efb40e47e9

SHA256
3c002fe87bdfcf60dd59b69023cbd3ccd4de1ea41144cc37fcb51955d7b5ac1f

SHA512
f6199a5c8fb6a3d304518df3cf73e03d2ed8cb34b8b4798e7262c38cdd44e4c90b5c2e91d96bb4966df3806bac2536b94be262d8a3113ec725ce8991ad5222c7

Download Submit
\Users\Admin\AppData\Local\Temp\_choco.exe

Filesize
142KB

MD5
81a7c181639679983efb07c2dea2ebd0

SHA1
93370e8e5cb0d89bf6786445f94dd02dbb84b574

SHA256
8320c7f90f65b48e4031b680506a9579751789ded4d90fa2fbfc2fb7db7e3ec8

SHA512
599cca13e527c92cdf88df06ed8a01eee1bc602c565ab69e251f7414e19833ce42f0453771bfdf27d16f9f70112835b599d26a6ed92901fdf86bbdf8adf4d2f7

Download Submit
memory/3068-19-0x000007FEF59B3000-0x000007FEF59B4000-memory.dmp

Filesize
4KB

Download
memory/3068-20-0x0000000000FB0000-0x0000000000FD8000-memory.dmp

Filesize
160KB

Download