cff8ab1dfa13e7bef413d2578502cf466d75f05c5a73bab7bfb634470dba57ea

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
12-08-2024 02:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cff8ab1dfa13e7bef413d2578502cf466d75f05c5a73bab7bfb634470dba57ea.exe
Size

83KB
MD5

1319481afa3f52271810a1ace6fc7e2d
SHA1

93a31ba7fe4668bdd248d5d9c2deedf72958fdd0
SHA256

cff8ab1dfa13e7bef413d2578502cf466d75f05c5a73bab7bfb634470dba57ea
SHA512

9d052f2c64aa1efe07763ecfa055c8d8eec9641d0938fce95a79f2bf53e33a6f8bcb23365a4f59cfbd11e3a7a45ae305a08515e180565d74bc70d7db1c31ad80
SSDEEP

1536:W7ZhA7pApM21LOA1LO2c6b25gc6b25uCrbpSvr5xpYr0ARZF6NFVogjQlRv/L6:6e7WpMgLOiLO2c6b25gc6b25uwUhQ7X+

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (3753) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 2 IoCs

pid	Process
2384	_checksum.exe
1896	Zombie.exe

Loads dropped DLL 3 IoCs

pid	Process
2084	cff8ab1dfa13e7bef413d2578502cf466d75f05c5a73bab7bfb634470dba57ea.exe
2084	cff8ab1dfa13e7bef413d2578502cf466d75f05c5a73bab7bfb634470dba57ea.exe
2084	cff8ab1dfa13e7bef413d2578502cf466d75f05c5a73bab7bfb634470dba57ea.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Zombie.exe	cff8ab1dfa13e7bef413d2578502cf466d75f05c5a73bab7bfb634470dba57ea.exe
File opened for modification	C:\Windows\SysWOW64\Zombie.exe	cff8ab1dfa13e7bef413d2578502cf466d75f05c5a73bab7bfb634470dba57ea.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\kn.pak.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Tegucigalpa.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Dubai.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Jakarta.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\UCT.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\vlc.mo.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\offset.ax.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+6.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Urumqi.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\css\currency.css.tmp	Zombie.exe
File created	C:\Program Files\Common Files\System\Ole DB\de-DE\msdasqlr.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin.equinox.nl_ja_4.4.0.v20140623020002.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-host-views.jar.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\Mso Example Intl Setup File B.txt.tmp	Zombie.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\[email protected]	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\libdtv_plugin.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\Beulah.tmp	Zombie.exe
File created	C:\Program Files\Internet Explorer\perfcore.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\local_policy.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+3.tmp	Zombie.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\System.IdentityModel.Selectors.Resources.dll.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\images\vlc-48.png.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\libhttps_plugin.dll.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\tipresx.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\contbig.gif.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-uihandler.xml.tmp	Zombie.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdater.cer.tmp	Zombie.exe
File created	C:\Program Files\7-Zip\Lang\tr.txt.tmp	Zombie.exe
File created	C:\Program Files\Common Files\System\Ole DB\sqlxmlx.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\accessibility.properties.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-swing-outline.xml.tmp	Zombie.exe
File created	C:\Program Files\Common Files\System\Ole DB\it-IT\sqloledb.rll.mui.tmp	Zombie.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Conversion.v3.5.dll.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\locale\uz\LC_MESSAGES\vlc.mo.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\fr-FR\Sidebar.exe.mui.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\css\settings.css.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-full.png.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BlackRectangle.bmp.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.docs.zh_CN_5.5.0.165303.jar.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\NEWS.txt.tmp	Zombie.exe
File created	C:\Program Files\Windows NT\TableTextService\ja-JP\TableTextService.dll.mui.tmp	Zombie.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\icucnv36.dll.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.jpg.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-keyring.xml.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libmpc_plugin.dll.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libwav_plugin.dll.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToScenesBackground.wmv.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-lib-profiler-ui.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\bin\JAWTAccessBridge-64.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\El_Salvador.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\lua\playlist\anevia_xml.luac.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\css\weather.css.tmp	Zombie.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRdIF.dll.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\keypadbase.xml.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Puerto_Rico.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\about.html.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.ibm.icu_52.1.0.v201404241930.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\mailapi.jar.tmp	Zombie.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\UIAutomationClient.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.Speech.dll.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libremap_plugin.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Porto_Velho.tmp	Zombie.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cff8ab1dfa13e7bef413d2578502cf466d75f05c5a73bab7bfb634470dba57ea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Zombie.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 2384	2084	cff8ab1dfa13e7bef413d2578502cf466d75f05c5a73bab7bfb634470dba57ea.exe	30
PID 2084 wrote to memory of 2384	2084	cff8ab1dfa13e7bef413d2578502cf466d75f05c5a73bab7bfb634470dba57ea.exe	30
PID 2084 wrote to memory of 2384	2084	cff8ab1dfa13e7bef413d2578502cf466d75f05c5a73bab7bfb634470dba57ea.exe	30
PID 2084 wrote to memory of 2384	2084	cff8ab1dfa13e7bef413d2578502cf466d75f05c5a73bab7bfb634470dba57ea.exe	30
PID 2084 wrote to memory of 1896	2084	cff8ab1dfa13e7bef413d2578502cf466d75f05c5a73bab7bfb634470dba57ea.exe	32
PID 2084 wrote to memory of 1896	2084	cff8ab1dfa13e7bef413d2578502cf466d75f05c5a73bab7bfb634470dba57ea.exe	32
PID 2084 wrote to memory of 1896	2084	cff8ab1dfa13e7bef413d2578502cf466d75f05c5a73bab7bfb634470dba57ea.exe	32
PID 2084 wrote to memory of 1896	2084	cff8ab1dfa13e7bef413d2578502cf466d75f05c5a73bab7bfb634470dba57ea.exe	32

C:\Users\Admin\AppData\Local\Temp\cff8ab1dfa13e7bef413d2578502cf466d75f05c5a73bab7bfb634470dba57ea.exe
"C:\Users\Admin\AppData\Local\Temp\cff8ab1dfa13e7bef413d2578502cf466d75f05c5a73bab7bfb634470dba57ea.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Users\Admin\AppData\Local\Temp\_checksum.exe
  "_checksum.exe"
  2⤵
  - Executes dropped EXE
  PID:2384
- C:\Windows\SysWOW64\Zombie.exe
  "C:\Windows\system32\Zombie.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:1896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1385883288-3042840365-2734249351-1000\desktop.ini.tmp

Filesize
48KB

MD5
5dbd31eea364bbd1226a16fc3a9d768b

SHA1
4e1e5e44f3651365e60ba8817cb577e8b66fb453

SHA256
b01e030be7fdc72a5ae0bf7e0f1c3d77cef4682f90408ed584d228b766bfa9f0

SHA512
9b0dcb2cb17f87143c0595c8f415b16f2e1a58fb98dfd50ef64e4772930bc2783bc351040319a054142f4674384c9fde18e152cf72a808a169643acff3fd0ca7

Download Submit
\Users\Admin\AppData\Local\Temp\_checksum.exe

Filesize
35KB

MD5
23f049f14ca0e68af4b9883514791dfe

SHA1
1224ecfda221e54d4536a4ac102a56235320ee25

SHA256
9562aabe1f71d7ff5ec879fd2fb5cfe4be2c8f62a7fa5a1aa49660c3a495f1fb

SHA512
ce91cd089a299ba88f047cf15fd06673389942dabbf8be5bf2e2666e1048bc6da261ce30cae1e2ecb3b50392441a335bf97cc4ed51540554bedabe65590be677

Download Submit
\Windows\SysWOW64\Zombie.exe

Filesize
47KB

MD5
07eb1d1f5a0529b62a8d20202adf1fa6

SHA1
5cd62b14600234c4d3b2b9e182684a9512b1dcca

SHA256
af173d1a09b37de8f1d3fe3976c30d8f26cbf58cc20dae6a14f7b5b77f8fd212

SHA512
5402a62896f7971faa59ccc4d9e13cbdf64e58d67e1774318c676de661e65c1dd44ff5e123ee89098899122d501c42f9b9b11ff2eae37adb0015da296507ac37

Download Submit
memory/2384-19-0x000007FEF5953000-0x000007FEF5954000-memory.dmp

Filesize
4KB

Download
memory/2384-20-0x0000000000B40000-0x0000000000B4E000-memory.dmp

Filesize
56KB

Download
memory/2384-23-0x000007FEF5950000-0x000007FEF633C000-memory.dmp

Filesize
9.9MB

Download