918c4401e1348bffca7ef5df0c9f5ebd185dde6edcfd64d75ed3af8b67f4992b

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-09-2024 05:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Trojan.Win32.Zombie.exe
Size

79KB
MD5

8f5ff271993998e0388d498274572510
SHA1

b68368b7ba9009c545bb3864b7f59cfee5a65080
SHA256

918c4401e1348bffca7ef5df0c9f5ebd185dde6edcfd64d75ed3af8b67f4992b
SHA512

ed135ba4aad4cf569726a9e4349c58385c6f63fcf1a9c6cba238a90c5ba2d93e9525bb7a4ddaa592d9279f44d3497abdb7b82ee38febe574684fffa5c6a1c6bf
SSDEEP

1536:W7ZhA7dAZ1++PJHJXA/OsIZfzc3/Q8zx0Cq/8S/8dY6:6e76mQSop8i8/

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (3487) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Maceio.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Baku.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\MST.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher.nl_zh_4.4.0.v20140623020002.jar.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libwave_plugin.dll.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_thunderstorm.png.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\trad_m.png.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\Common Files\System\Ole DB\es-ES\oledb32r.dll.mui.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.nl_ja_4.4.0.v20140623020002.jar.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-output2.xml.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\Java\jre7\lib\jfr\default.jfc.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\Microsoft Office\Office14\AUTHZAX.DLL.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\lua\playlist\liveleak.luac.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\Windows Media Player\Network Sharing\wmpnss_color32.jpg.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\js\calendar.js.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Dotted_Lines.emf.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\cursors.properties.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Iqaluit.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_winxp_blu.css.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_thunderstorm.png.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\Windows Mail\it-IT\msoeres.dll.mui.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\3RDPARTY.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\EST5EDT.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access_output\libaccess_output_udp_plugin.dll.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_a52_plugin.dll.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\dial_sml.png.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\css\currency.css.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipsesp.xml.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-modules-appui.jar.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Anadyr.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\Windows Media Player\fr-FR\WMPMediaSharing.dll.mui.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\it-IT\gadget.xml.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\buttonUp_Off.png.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\Common Files\System\msadc\fr-FR\msaddsr.dll.mui.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.directorywatcher.nl_ja_4.4.0.v20140623020002.jar.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-selector-ui_zh_CN.jar.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\System.Speech.resources.dll.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\Microsoft Games\Purble Place\PurblePlaceMCE.lnk.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\Windows Media Player\es-ES\wmplayer.exe.mui.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\7-Zip\Lang\it.txt.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\tipresx.dll.mui.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\com-sun-tools-visualvm-modules-startup_zh_CN.jar.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\Java\jre7\lib\tzmappings.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-1.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\navBack.png.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\7-Zip\7-zip.dll.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\7-Zip\Lang\hr.txt.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\w2k_lsa_auth.dll.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-progress-ui_ja.jar.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\1047x576black.png.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\Windows NT\Accessories\WordpadFilter.dll.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\picturePuzzle.html.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\lua\modules\sandbox.luac.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_mpeg4audio_plugin.dll.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbynet.jar.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Palmer.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\feature.xml.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Zaporozhye.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\Java\jre7\bin\gstreamer-lite.dll.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libmod_plugin.dll.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\about.html.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.SF.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rcp.application_5.5.0.165303.jar.tmp	Trojan.Win32.Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\org-openide-util_zh_CN.jar.tmp	Trojan.Win32.Zombie.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan.Win32.Zombie.exe

C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.Zombie.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.Zombie.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4177215427-74451935-3209572229-1000\desktop.ini.tmp

Filesize
79KB

MD5
9ac203d8d09ac61cdc90dc507cfff104

SHA1
3b62ca0d1f9d41f1e8be89584ffed4a00d4fb114

SHA256
29d27dbdb844a35e77ca6562ed5f599b61d5fa30b0391402bf11bbc0bfb96586

SHA512
061e420fbf50c6895a575467401bec52809cca428e7e92ab4153ba11f59bc0576cfc4ace5ad604010f4c31f7fe949700120152356e5f5e20ddbdd30b5ac4ac57

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
88KB

MD5
f372a102e93ed6f6b89c1e000efffd79

SHA1
0939941bc54cabf1e861ed62791ecabe574548de

SHA256
1e205d6a71d2aee164d2015ad61468399e1b540ae6aa279082e8a33b7219bd22

SHA512
760c4b9851e531e5d0e53e2b3329e8deb5558fb14a5631c7612243ed9b6eafb8c56d61cd53eba1551ddf4a1b8a31704ad2b2849e5de7a0b78f7f71922d10f4fb

Download Submit