5291489937f8112d867a7e9ce3cafccf43060530f6f5ba82d94adb1f011a7fd3

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
08/08/2024, 21:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5291489937f8112d867a7e9ce3cafccf43060530f6f5ba82d94adb1f011a7fd3.exe
Size

240KB
MD5

2a8c32c0fe6239a60a5cfc2961a8b432
SHA1

f72c83cc12451e72760f1d4bdbc6479fd68ee74a
SHA256

5291489937f8112d867a7e9ce3cafccf43060530f6f5ba82d94adb1f011a7fd3
SHA512

7732467cd3a649e9f2d36bfae5faab59cc188729e7a4fb26ae880b9e4d3cfbe096df77e6e70c93a10deb8ddc670f2c595e78b8dc7e3a1ec9ec0e955d73ed43af
SSDEEP

1536:W7ZhA7pApEJJMbu+r1uiq6JVlyEjpgL6Bc3mH20McbXYzGmQTLgaC/80EF4Cyv6Q:6e7WpiJMFrfq6Tl7j66sfmTk3WdK1f

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (3452) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 1 IoCs

pid	Process
2096	Zombie.exe

Loads dropped DLL 2 IoCs

pid	Process
2268	5291489937f8112d867a7e9ce3cafccf43060530f6f5ba82d94adb1f011a7fd3.exe
2268	5291489937f8112d867a7e9ce3cafccf43060530f6f5ba82d94adb1f011a7fd3.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Zombie.exe	5291489937f8112d867a7e9ce3cafccf43060530f6f5ba82d94adb1f011a7fd3.exe
File opened for modification	C:\Windows\SysWOW64\Zombie.exe	5291489937f8112d867a7e9ce3cafccf43060530f6f5ba82d94adb1f011a7fd3.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Internet Explorer\en-US\ieinstal.exe.mui.tmp	Zombie.exe
File created	C:\Program Files\Internet Explorer\Timeline.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.swt_3.103.1.v20140903-1938.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Auckland.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Games\Hearts\en-US\Hearts.exe.mui.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\play-static.png.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Auckland.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.core.nl_ja_4.4.0.v20140623020002.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\bin\dtplugin\npdeployJava1.dll.tmp	Zombie.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\ReachFramework.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Data.DataSetExtensions.Resources.dll.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libskiptags_plugin.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\feature.properties.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.components.ui.zh_CN_5.5.0.165303.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-cli_ja.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-profiler_zh_CN.jar.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\reflect.png.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.reconciler.dropins_1.1.200.v20131119-0908.jar.tmp	Zombie.exe
File created	C:\Program Files\FindDisable.ppt.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Chuuk.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\com.oracle.jmc.executable.win32.win32.x86_64_5.5.0.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Cambridge_Bay.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\liblibbluray_plugin.dll.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationRight_ButtonGraphic.png.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.ui.nl_zh_4.4.0.v20140623020002.jar.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\tipresx.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_ja_JP.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\epl-v10.html.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Novosibirsk.tmp	Zombie.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\vk_swiftshader_icd.json.tmp	Zombie.exe
File created	C:\Program Files\Internet Explorer\msdbg2.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\jvmti.h.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\eclipse_update_120.jpg.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\triggerActions.exsd.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\fontconfig.bfc.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Guyana.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Belgrade.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Brisbane.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Saipan.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-dialogs.xml.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Khandyga.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\mobile.css.tmp	Zombie.exe
File created	C:\Program Files\Windows Defender\MsMpRes.dll.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\calendar.html.tmp	Zombie.exe
File created	C:\Program Files\Internet Explorer\DiagnosticsHub_is.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Recife.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-nodes.xml.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\security\trusted.libraries.tmp	Zombie.exe
File created	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe.tmp	Zombie.exe
File created	C:\Program Files\Windows Journal\en-US\jnwmon.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Windows Journal\ja-JP\JNTFiltr.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.views_3.7.0.v20140408-0703.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-print_ja.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Santiago.tmp	Zombie.exe
File created	C:\Program Files\Mozilla Firefox\IA2Marshal.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+6.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Creston.tmp	Zombie.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome.exe.sig.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_de_DE.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Simferopol.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationRight_SelectionSubpicture.png.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\ECLIPSE_.RSA.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Kabul.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Games\FreeCell\it-IT\FreeCell.exe.mui.tmp	Zombie.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Zombie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5291489937f8112d867a7e9ce3cafccf43060530f6f5ba82d94adb1f011a7fd3.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2268 wrote to memory of 2096	2268	5291489937f8112d867a7e9ce3cafccf43060530f6f5ba82d94adb1f011a7fd3.exe	31
PID 2268 wrote to memory of 2096	2268	5291489937f8112d867a7e9ce3cafccf43060530f6f5ba82d94adb1f011a7fd3.exe	31
PID 2268 wrote to memory of 2096	2268	5291489937f8112d867a7e9ce3cafccf43060530f6f5ba82d94adb1f011a7fd3.exe	31
PID 2268 wrote to memory of 2096	2268	5291489937f8112d867a7e9ce3cafccf43060530f6f5ba82d94adb1f011a7fd3.exe	31

C:\Users\Admin\AppData\Local\Temp\5291489937f8112d867a7e9ce3cafccf43060530f6f5ba82d94adb1f011a7fd3.exe
"C:\Users\Admin\AppData\Local\Temp\5291489937f8112d867a7e9ce3cafccf43060530f6f5ba82d94adb1f011a7fd3.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Windows\SysWOW64\Zombie.exe
  "C:\Windows\system32\Zombie.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:2096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2172136094-3310281978-782691160-1000\desktop.ini.tmp

Filesize
134KB

MD5
8b6da92944dcd09fa9eb8a82e353ffca

SHA1
72d48f25d3fe98ea46aff7c9f3538a530e3d0d91

SHA256
5a7661a0f265a984761aa160a471677391f9df9931cc635f86f63d24c35df809

SHA512
53a20d4443039423a9443fb92a3de41433bacb5814f4b350dac8bfd897ed57df626649d74732b2927d7514d5e2c7291b3d5b649a72b874057930fd3cfb9cc2ba

Download Submit
C:\Windows\SysWOW64\Zombie.exe

Filesize
134KB

MD5
2f78c85982a8f54b6b58e308e793cfad

SHA1
868e01b920a33c584a056f82be0d78af44a0bc89

SHA256
15337d395932001913a3b7be7f0ee61745f4e3870b020c95b1c3d226508fd527

SHA512
6c902e930bbeb715327da09cb34c7fea6bc6d86c05901e1c0a6c0de25bd130b744e34adf7b47cb95c9dd91b45b11bf9ac1ab1eb8c0543c232dec27a4b5bfc960

Download Submit