6a119d6591d9c632e0022ef3de7c3014166538571e430f7a575d7d838f9a667d

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
19-09-2024 05:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Trojan.Win32.Zombie.exe
Size

80KB
MD5

5d04ce418d3d50aa2b9fad6e4ecaa520
SHA1

8570c4c26a33ca5db08f75ef149b89af9e38779e
SHA256

6a119d6591d9c632e0022ef3de7c3014166538571e430f7a575d7d838f9a667d
SHA512

572b9d23fd1572c058a8245f47a7c6551efea14bed0a5d002ea8cfd27cb92e042b3bebbe57f7a7d9c0ea92ae362344c03e5eb7aacbe4e1925f901d9b9e61c56c
SSDEEP

1536:W7ZNLpApCZrt8PWGoPWGANdN+hEwHwDvZvGrVQb+:6NLWpCZIzjwHwIreC

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (3517) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Norfolk.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.IdentityModel.Resources.dll.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\locale\he\LC_MESSAGES\vlc.mo.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_75_ffe45c_1x100.png.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\kor-kor.xml.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\720x480icongraphic.png.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-1.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Kosrae.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\System.Printing.resources.dll.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_box_left.png.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\css\settings.css.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\28.png.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\currency.data.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-lib-uihandler_zh_CN.jar.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\Africa\Casablanca.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Cancun.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ug\LC_MESSAGES\vlc.mo.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libpostproc_plugin.dll.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\(120DPI)alertIcon.png.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\Internet Explorer\en-US\iexplore.exe.mui.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.httpcomponents.httpcore_4.2.5.v201311072007.jar.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Orange Circles.htm.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.historicaldata.zh_CN_5.5.0.165303.jar.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.attributeTransformation.exsd.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.repository.nl_ja_4.4.0.v20140623020002.jar.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\lua\extensions\VLSub.luac.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\ShapeCollector.exe.mui.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\keypadbase.xml.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ur.pak.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\javafx.policy.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\Microsoft Games\More Games\en-US\MoreGames.dll.mui.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationRight_SelectionSubpicture.png.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationUp_SelectionSubpicture.png.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Data.Services.Client.resources.dll.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\css\RSSFeeds.css.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.annotation_1.2.0.v201401042248.jar.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.manipulator.nl_ja_4.4.0.v20140623020002.jar.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\liblibbluray_plugin.dll.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty_h.png.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\css\weather.css.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Circle_SelectionSubpictureA.png.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\AST4ADT.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToNotesBackground.wmv.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Rarotonga.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\IPSEventLogMsg.dll.mui.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\MSTTSEngine.dll.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Riyadh88.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\doclib.gif.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\boot.jar.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-loaders.jar.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-core-timezone-l1-1-0.dll.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\Common.fxh.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Kolkata.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\prism-d3d.dll.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Guatemala.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.directorywatcher.nl_ja_4.4.0.v20140623020002.jar.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\Java\jre7\lib\fonts\LucidaBrightDemiBold.ttf.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Data.Linq.Resources.dll.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libcompressor_plugin.dll.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\btn-previous-static.png.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\16_9-frame-image-mask.png.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libwav_plugin.dll.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\Etc\GMT.tmp	Trojan.Win32.Zombie.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan.Win32.Zombie.exe

C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.Zombie.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.Zombie.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3434294380-2554721341-1919518612-1000\desktop.ini.tmp

Filesize
80KB

MD5
193c33a126d5ac2c52542cb87ff3e98e

SHA1
e2e249ad9218914fe1cea9364f62479994736787

SHA256
11d0544732efb212c64377849ef2b9d158e3395b2f1a587010a39c5e489b379f

SHA512
d5a67226a575284a7dbddb4e730c32045f9f65112dc5d154a74902f71203784cc8805c76a38e4de231bb6118c9fce1066b8f69120db8fb01898c63015ebaeade

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
89KB

MD5
2c6e18063c2b06f5b95fcd519595290b

SHA1
eccb2f57451dcd97a4ec7a6e6adba158a1ec1641

SHA256
1218e61f2d47d01b14449a94f4e564b753ff958ddcefa8a5bf0d6b9d46683df8

SHA512
f7bbf2c564dda63c56c58a02f05afd6d92681eb72f789973211d62d6ade28021778e7f3b8f4b7f4f30547fd71ef72eb584eaaf39a0e0b82457eb085697d1c84f

Download Submit