584f59f339694e4423ef8ab1cff4d993a59f6ebdcdbb0548bc02eb8fee503e65

Analysis

max time kernel
120s
max time network
16s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
02/08/2024, 03:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4758ecb9c5aac5de1be72f3a0cf87bf0N.exe
Size

193KB
MD5

4758ecb9c5aac5de1be72f3a0cf87bf0
SHA1

3451c2dc6cb9bc9233f021461b409824cb2d6976
SHA256

584f59f339694e4423ef8ab1cff4d993a59f6ebdcdbb0548bc02eb8fee503e65
SHA512

2b93ed304134281e2d33902d1a32a52c207c93802b0719c15499e43ec021c384a5809ea603c1a00454dadaac0b15c5ae84cab57cf47a32f0ca448442c6566c92
SSDEEP

3072:6e7WpvR9vHpKmEGCLOwstyhZFChcssc56FUrgxvbSD4UQrO2ixMl:RqH9/pKvShcHUax

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (3247) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 2 IoCs

pid	Process
1952	Zombie.exe
1676	_cup.exe

Loads dropped DLL 3 IoCs

pid	Process
2500	4758ecb9c5aac5de1be72f3a0cf87bf0N.exe
2500	4758ecb9c5aac5de1be72f3a0cf87bf0N.exe
2500	4758ecb9c5aac5de1be72f3a0cf87bf0N.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Zombie.exe	4758ecb9c5aac5de1be72f3a0cf87bf0N.exe
File opened for modification	C:\Windows\SysWOW64\Zombie.exe	4758ecb9c5aac5de1be72f3a0cf87bf0N.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\whitemask1047.png.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\highlight.png.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Chagos.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\asl-v20.txt.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\deploy\splash.gif.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\IpsPlugin.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Campo_Grande.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Phoenix.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher.eclipse.nl_zh_4.4.0.v20140623020002.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jetty.http_8.1.14.v20131031.jar.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Games\FreeCell\FreeCell.exe.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\IpsMigrationPlugin.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web.xml.tmp	Zombie.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\kn.pak.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\EST5EDT.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-api-progress_zh_CN.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Tarawa.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Caracas.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\WET.tmp	Zombie.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets.tmp	Zombie.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\UIAutomationClient.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\trusted.libraries.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\about.html.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.http.servlet_1.1.500.v20140318-1755.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Denver.tmp	Zombie.exe
File created	C:\Program Files\Mozilla Firefox\mozglue.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-modules-print.xml_hidden.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Toronto.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\vlc.mo.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-split.avi.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\TipTsf.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\OmdBase.dll.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Dot.png.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_win7.css.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\Africa\Monrovia.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Nipigon.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaire.exe.tmp	Zombie.exe
File created	C:\Program Files\Common Files\System\Ole DB\msdatl3.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.observable.nl_zh_4.4.0.v20140623020002.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Merida.tmp	Zombie.exe
File created	C:\Program Files\Common Files\System\ado\ja-JP\msader15.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\btn-next-static.png.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\ZoneInfoMappings.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.historicaldata.zh_CN_5.5.0.165303.jar.tmp	Zombie.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Services.Design.dll.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_postage_Thumbnail.bmp.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Fiji.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-print.xml.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-swing-outline.xml.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host_ja.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\Africa\El_Aaiun.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyclient.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\sunec.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Ulaanbaatar.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\feedback.gif.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\alert_obj.png.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-host-remote.xml.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\deploy\messages_it.properties.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\fr-FR\ShvlRes.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\IPSEventLogMsg.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Vladivostok.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-10.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_winxp_olv.css.tmp	Zombie.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4758ecb9c5aac5de1be72f3a0cf87bf0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Zombie.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2500 wrote to memory of 1952	2500	4758ecb9c5aac5de1be72f3a0cf87bf0N.exe	30
PID 2500 wrote to memory of 1952	2500	4758ecb9c5aac5de1be72f3a0cf87bf0N.exe	30
PID 2500 wrote to memory of 1952	2500	4758ecb9c5aac5de1be72f3a0cf87bf0N.exe	30
PID 2500 wrote to memory of 1952	2500	4758ecb9c5aac5de1be72f3a0cf87bf0N.exe	30
PID 2500 wrote to memory of 1676	2500	4758ecb9c5aac5de1be72f3a0cf87bf0N.exe	31
PID 2500 wrote to memory of 1676	2500	4758ecb9c5aac5de1be72f3a0cf87bf0N.exe	31
PID 2500 wrote to memory of 1676	2500	4758ecb9c5aac5de1be72f3a0cf87bf0N.exe	31
PID 2500 wrote to memory of 1676	2500	4758ecb9c5aac5de1be72f3a0cf87bf0N.exe	31

C:\Users\Admin\AppData\Local\Temp\4758ecb9c5aac5de1be72f3a0cf87bf0N.exe
"C:\Users\Admin\AppData\Local\Temp\4758ecb9c5aac5de1be72f3a0cf87bf0N.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2500
- C:\Windows\SysWOW64\Zombie.exe
  "C:\Windows\system32\Zombie.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:1952
- C:\Users\Admin\AppData\Local\Temp\_cup.exe
  "_cup.exe"
  2⤵
  - Executes dropped EXE
  PID:1676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1385883288-3042840365-2734249351-1000\desktop.ini.tmp

Filesize
50KB

MD5
2401c40fcbd78ef420c3314d05136343

SHA1
926b175efda38561f01e008680e25ee805e64300

SHA256
a06d5f6da17e21503c0b9ada0c400fbfabac91ee10244ed6f6a3ce4f424b8b93

SHA512
36ec03705192a88f9fcf7efea365bc13fdd44e3d010d6775a4d4f837af1c4feaf358d0500584ffe975e2c586825d1a26b1b63d702a7b2c5c50d2e589282a023f

Download Submit
\Users\Admin\AppData\Local\Temp\_cup.exe

Filesize
143KB

MD5
38f108cddb6619fba80f8382d5227ece

SHA1
12fd277bf756f22cfae3043900e4aff8b9f05ed9

SHA256
8296fe257b8c34398e3f291764454ec3cd9cbe06d60989b632ef4ba6c73ae5dc

SHA512
3db732c23f10122c78cffc6b6a5b11836ade1a23f5c6f9a192f2be2fa99c5bd7afb7a9e29c5d518a888cdd2091f9ac41b244214be226152830e96f5ec2cca424

Download Submit
\Windows\SysWOW64\Zombie.exe

Filesize
49KB

MD5
57878399cc044912af7231f7cc2375cb

SHA1
e146c9fedad527380d2fbe15b605dad66a611a9e

SHA256
44ca47ec630156ed781298c2c0129ce3dc987a08fc633aaa2097a7dfc325151d

SHA512
1c27bcadfbc7259acae1e5d5affb46fb48bd12391cb7c11ad6d4a104d5375ace55440a0c2ff31de7130b18babf76834d917a1bce48332d3e86612ec81ba17be6

Download Submit
memory/1676-19-0x000007FEF5C33000-0x000007FEF5C34000-memory.dmp

Filesize
4KB

Download
memory/1676-20-0x0000000000800000-0x0000000000828000-memory.dmp

Filesize
160KB

Download