0ec2034abaaccd450bf7aaead5f63c896a323fb9241afbfbb143b2acfa6a816d

Analysis

max time kernel
120s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
02/08/2024, 21:53

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

09acccd0e668607fe54edf642b207470N.exe
Size

179KB
MD5

09acccd0e668607fe54edf642b207470
SHA1

97895dd07080a39bfeb0a17ddba44a3db65a91ac
SHA256

0ec2034abaaccd450bf7aaead5f63c896a323fb9241afbfbb143b2acfa6a816d
SHA512

3cd57721fc67df537237fa09d4ba79596e79f3b0b216f282c1d8983757cb9faeef6420833910f0fd87770c139b623268a220cc04f73ac83ed33ce6bbc0c8dd26
SSDEEP

3072:9QWp+S791HpKIqGCLOwstyhZFChcssc56FUrgxvbSD4UQrO23xe:LkO9xpKbShcHUa4

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (3290) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 2 IoCs

pid	Process
3068	_cuninst.exe
1140	Zombie.exe

Loads dropped DLL 3 IoCs

pid	Process
2628	09acccd0e668607fe54edf642b207470N.exe
2628	09acccd0e668607fe54edf642b207470N.exe
2628	09acccd0e668607fe54edf642b207470N.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Zombie.exe	09acccd0e668607fe54edf642b207470N.exe
File created	C:\Windows\SysWOW64\Zombie.exe	09acccd0e668607fe54edf642b207470N.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Jamaica.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-templates.xml.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\stream_window.html.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libnormvol_plugin.dll.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\fr-FR\OmdProject.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi_3.10.1.v20140909-1633.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-sampler_ja.jar.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Games\Purble Place\PurblePlaceMCE.png.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\MANIFEST.MF.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.ini.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\bin\sunec.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Thule.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\SystemV\PST8PDT.tmp	Zombie.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\PresentationFramework.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libtrivial_channel_mixer_plugin.dll.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\meta_engine\libtaglib_plugin.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Zaporozhye.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Pago_Pago.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\win32\jawt_md.h.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\eclipse.inf.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-attach.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Santa_Isabel.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Notes_INTRO_BG.wmv.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-favorites_zh_CN.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-util-enumerations_ja.jar.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\lua\playlist\vocaroo.luac.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench3.nl_ja_4.4.0.v20140623020002.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-oql.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Metlakatla.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-explorer_ja.jar.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-snaptracer.xml.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-threaddump_ja.jar.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libpva_plugin.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jli.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.greychartplugin_5.5.0.165303.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\jfr\default.jfc.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Danmarkshavn.tmp	Zombie.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe.tmp	Zombie.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\vk_swiftshader.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.widgets_1.0.0.v20140514-1823.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher.eclipse.nl_ja_4.4.0.v20140623020002.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-queries.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\Indian\Maldives.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Guam.tmp	Zombie.exe
File created	C:\Program Files\Mozilla Firefox\osclientcerts.dll.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols.xml.tmp	Zombie.exe
File created	C:\Program Files\Internet Explorer\jsprofilerui.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-templates.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-application-views.xml.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Title_content-background.png.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\bin\jp2ssv.dll.tmp	Zombie.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\UIAutomationTypes.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.ComponentModel.DataAnnotations.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_ko_KR.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Argentina\Buenos_Aires.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mk\LC_MESSAGES\vlc.mo.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_diagonals-thick_18_b81900_40x40.png.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_classic_winxp.css.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_LinkDrop32x32.gif.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base.xml.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-editor-mimelookup_zh_CN.jar.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\Common.fxh.tmp	Zombie.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	09acccd0e668607fe54edf642b207470N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Zombie.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2628 wrote to memory of 3068	2628	09acccd0e668607fe54edf642b207470N.exe	31
PID 2628 wrote to memory of 3068	2628	09acccd0e668607fe54edf642b207470N.exe	31
PID 2628 wrote to memory of 3068	2628	09acccd0e668607fe54edf642b207470N.exe	31
PID 2628 wrote to memory of 3068	2628	09acccd0e668607fe54edf642b207470N.exe	31
PID 2628 wrote to memory of 1140	2628	09acccd0e668607fe54edf642b207470N.exe	33
PID 2628 wrote to memory of 1140	2628	09acccd0e668607fe54edf642b207470N.exe	33
PID 2628 wrote to memory of 1140	2628	09acccd0e668607fe54edf642b207470N.exe	33
PID 2628 wrote to memory of 1140	2628	09acccd0e668607fe54edf642b207470N.exe	33

C:\Users\Admin\AppData\Local\Temp\09acccd0e668607fe54edf642b207470N.exe
"C:\Users\Admin\AppData\Local\Temp\09acccd0e668607fe54edf642b207470N.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2628
- C:\Users\Admin\AppData\Local\Temp\_cuninst.exe
  "_cuninst.exe"
  2⤵
  - Executes dropped EXE
  PID:3068
- C:\Windows\SysWOW64\Zombie.exe
  "C:\Windows\system32\Zombie.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:1140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2958949473-3205530200-1453100116-1000\desktop.ini.tmp

Filesize
36KB

MD5
420021bed8caa24bdde00862af0d7bf5

SHA1
ab7acb68f23ab8c920461e2d51dbe6dbb3237080

SHA256
fa7ca35998d4024383a3cadb8aff747e8643c3a7804d833acdddd8db91d5bfcc

SHA512
6872f734d35864f1a6cc1346d42a3f0f09ff25a3388125b58be2b0353ff3d74af04d086a29b346e12a9da3f00b694bb41aefc0fdfafd2184651ce4ffb37e65fa

Download Submit
\Users\Admin\AppData\Local\Temp\_cuninst.exe

Filesize
143KB

MD5
7f9f981d970cbccece6ff126ab309045

SHA1
950a14dc6b636237c2f158cce02076b1a1b371e0

SHA256
82596d7d86d685087965457c297973c2aa1fbff0f6a0a3b8d8760f1cc65105cf

SHA512
ac59a2c6bc3b6fad47bac83d84336387b03b45d186c5d021f3c57c7fb160491e8344923d4978e50fb37f6c37e45bbb9c0f9b7cd4b93506ff571c82b795c6fb47

Download Submit
\Windows\SysWOW64\Zombie.exe

Filesize
35KB

MD5
bf01a06b55bc8063c8b63bb718faef72

SHA1
c4d5a4e311215dba95712d882f5292b46012e493

SHA256
df90b3b121988367f5d793d7fa1a75c0e1624e7eaf9a8806f7a7c5ae40712a85

SHA512
a0a93fdde4f61e32812a428dd6c02f41d44428d02736c382656d504bdf644c7dae7022ccb0cde403d7eb7424579797495780c2b5e487f7a3c01c2d7ed39ef7f2

Download Submit
memory/1140-17-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2628-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2628-10-0x0000000000360000-0x0000000000368000-memory.dmp

Filesize
32KB

Download
memory/2628-15-0x0000000000360000-0x0000000000368000-memory.dmp

Filesize
32KB

Download
memory/3068-23-0x000007FEF5923000-0x000007FEF5924000-memory.dmp

Filesize
4KB

Download
memory/3068-24-0x0000000000E60000-0x0000000000E88000-memory.dmp

Filesize
160KB

Download