71d8447a46847625802b96a825484b54409f27be94c0984c23230e3293cb1d8c

Analysis

max time kernel
120s
max time network
17s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
21/09/2024, 10:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

71d8447a46847625802b96a825484b54409f27be94c0984c23230e3293cb1d8cN.exe
Size

503KB
MD5

6c7c4c7c9ccc6e64174f676a0af63650
SHA1

6d7645f0fc3c18feca5abe7394ca5d5a7e4f8d02
SHA256

71d8447a46847625802b96a825484b54409f27be94c0984c23230e3293cb1d8c
SHA512

47e151c6db1bbc98e3fd38379749ea21a1462a3bb7983b918b7ec84053ae89a4d6d3c32f9d40047e25438a297d2d0e0e4b608badcfb0bde92a91a4dc61a6e478
SSDEEP

12288:vJ9vGAD+k3HVJ5BDfp4D7/SAOZi+5v4+rcxftn:PJVJ/t4D7/SAOZi+5v48cxfl

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (3066) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 1 IoCs

pid	Process
1440	Zombie.exe

Loads dropped DLL 2 IoCs

pid	Process
1988	71d8447a46847625802b96a825484b54409f27be94c0984c23230e3293cb1d8cN.exe
1988	71d8447a46847625802b96a825484b54409f27be94c0984c23230e3293cb1d8cN.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Zombie.exe	71d8447a46847625802b96a825484b54409f27be94c0984c23230e3293cb1d8cN.exe
File opened for modification	C:\Windows\SysWOW64\Zombie.exe	71d8447a46847625802b96a825484b54409f27be94c0984c23230e3293cb1d8cN.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\join.avi.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Port-au-Prince.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-queries.xml.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\ECLIPSE_.RSA.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.jarprocessor.nl_zh_4.4.0.v20140623020002.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-spi-quicksearch_ja.jar.tmp	Zombie.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\Microsoft.Build.Engine.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\locale\kk\LC_MESSAGES\vlc.mo.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\ja-JP\WMM2CLIP.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\epl-v10.html.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.widgets.nl_zh_4.4.0.v20140623020002.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-ui.xml.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwruklm.dat.tmp	Zombie.exe
File created	C:\Program Files\Common Files\System\ado\ja-JP\msader15.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\MineSweeper.dll.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_rtl.xml.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_ru.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyrun.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-uihandler.xml.tmp	Zombie.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\System.Printing.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\7-Zip\Lang\nl.txt.tmp	Zombie.exe
File created	C:\Program Files\Common Files\System\es-ES\wab32res.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\NetworkServerControl.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\blacklist.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\smtp.jar.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwresmlm.dat.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\photograph.png.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\management.properties.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Nome.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.controlpanel.ui_5.5.0.165303.jar.tmp	Zombie.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-core-file-l1-2-0.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-core.xml.tmp	Zombie.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\[email protected]	Zombie.exe
File created	C:\Program Files\7-Zip\Lang\fur.txt.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\new-trigger-wiz.gif.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-javahelp_zh_CN.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-io.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler-common.xml.tmp	Zombie.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\Microsoft.Build.Engine.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Data.Entity.Design.Resources.dll.tmp	Zombie.exe
File created	C:\Program Files\7-Zip\Uninstall.exe.tmp	Zombie.exe
File created	C:\Program Files\Common Files\System\fr-FR\wab32res.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Internet Explorer\F12Resources.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Vladivostok.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\SystemV\AST4ADT.tmp	Zombie.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Management.Instrumentation.Resources.dll.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwritalm.dat.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Honolulu.tmp	Zombie.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Windows.Presentation.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Jerusalem.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\about.html.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winClassicTSFrame.png.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\Bear_Formatted_MATTE2_PAL.wmv.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-options.jar.tmp	Zombie.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\UIAutomationProvider.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\mshwLatin.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Dhaka.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Pontianak.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\feature.properties.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-profiling_ja.jar.tmp	Zombie.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	71d8447a46847625802b96a825484b54409f27be94c0984c23230e3293cb1d8cN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Zombie.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1988 wrote to memory of 1440	1988	71d8447a46847625802b96a825484b54409f27be94c0984c23230e3293cb1d8cN.exe	31
PID 1988 wrote to memory of 1440	1988	71d8447a46847625802b96a825484b54409f27be94c0984c23230e3293cb1d8cN.exe	31
PID 1988 wrote to memory of 1440	1988	71d8447a46847625802b96a825484b54409f27be94c0984c23230e3293cb1d8cN.exe	31
PID 1988 wrote to memory of 1440	1988	71d8447a46847625802b96a825484b54409f27be94c0984c23230e3293cb1d8cN.exe	31

C:\Users\Admin\AppData\Local\Temp\71d8447a46847625802b96a825484b54409f27be94c0984c23230e3293cb1d8cN.exe
"C:\Users\Admin\AppData\Local\Temp\71d8447a46847625802b96a825484b54409f27be94c0984c23230e3293cb1d8cN.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Windows\SysWOW64\Zombie.exe
  "C:\Windows\system32\Zombie.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:1440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3434294380-2554721341-1919518612-1000\desktop.ini.tmp

Filesize
72KB

MD5
73a8e28142a4fd77ad2348c4a4aa5f82

SHA1
218859487e38f961aa190701415f811fd7d48329

SHA256
6cac78190b7af38a95de39fa7884488dcd477635c9e883a44d97f3caaadbb49f

SHA512
40ce3860c2c9948d50d9b1397a8d1dfbd6230cb871a16fecffaa3c8d876486b7ab59707a62019f88404d52b488871778d1d0269bc34a20385336703200c9d1b0

Download Submit
C:\Windows\SysWOW64\Zombie.exe

Filesize
72KB

MD5
da84294e8c379e37e22f9a5892e50b35

SHA1
dd938056f1e3e6172ea9cc63b5d9e1c4110bf646

SHA256
8bfd1e3ef6b7e0bf6125bd328c4049df77de859faf9d5b4342f7e28b2f956594

SHA512
3fc36bb34635fcf8177990faaee275694d90d4aeed1062c3a4faf0d6fa594482e64b8084c7432e67a19c888eb72b1bd2a663ad68ecf3afaebccda1851fa70844

Download Submit