36c497ce1c187e8e5a5f659a428c2886768f3953d90fa7a518a68bda4b264728

Analysis

max time kernel
60s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05/10/2024, 19:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

36c497ce1c187e8e5a5f659a428c2886768f3953d90fa7a518a68bda4b264728.exe
Size

518KB
MD5

5437d6a05afdc45c48dec6bfac4e60c2
SHA1

3e5e57705553f6e015e200c22c6136a41119eac1
SHA256

36c497ce1c187e8e5a5f659a428c2886768f3953d90fa7a518a68bda4b264728
SHA512

c976b3be0b2229ce03b759db5ea47d11519637dbc45e11252f88d91875b184e28e992fd2815ba9444945ad31b4e67f29c6381263975735ded70800729b58df6b
SSDEEP

6144:Reynlu0+eH9Bpox4I3ANJuBN0PDGxWSqqcfrj8XzL/3upuqs8j8IvwvWGEuTt3ny:Nnb9ZNJuzVrcX8GW8j5veWpuTtMMo

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (576) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 2 IoCs

pid	Process
1840	Zombie.exe
1872	_MpCmdRun.exe

Loads dropped DLL 3 IoCs

pid	Process
1764	36c497ce1c187e8e5a5f659a428c2886768f3953d90fa7a518a68bda4b264728.exe
1764	36c497ce1c187e8e5a5f659a428c2886768f3953d90fa7a518a68bda4b264728.exe
1764	36c497ce1c187e8e5a5f659a428c2886768f3953d90fa7a518a68bda4b264728.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Zombie.exe	36c497ce1c187e8e5a5f659a428c2886768f3953d90fa7a518a68bda4b264728.exe
File opened for modification	C:\Windows\SysWOW64\Zombie.exe	36c497ce1c187e8e5a5f659a428c2886768f3953d90fa7a518a68bda4b264728.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\zh-CN.pak.tmp	Zombie.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\CsiSoap.dll.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Dotted_Lines.emf.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Scene_loop.wmv.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\203x8subpicture.png.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\msvcr100.dll.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\TipRes.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad.xml.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\FlickLearningWizard.exe.mui.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\msinfo32.exe.mui.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VSTO\vstoee90.tlb.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationLeft_SelectionSubpicture.png.tmp	Zombie.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\sk.pak.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jli.dll.tmp	Zombie.exe
File created	C:\Program Files\7-Zip\Lang\he.txt.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\Panel_Mask.wmv.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\sysinfo.bat.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationUp_ButtonGraphic.png.tmp	Zombie.exe
File created	C:\Program Files\Internet Explorer\en-US\F12Tools.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\setNetworkClientCP.bat.tmp	Zombie.exe
File created	C:\Program Files\7-Zip\7-zip.chm.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\webbase.xml.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\travel.png.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.jpg.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Memo.emf.tmp	Zombie.exe
File created	C:\Program Files\CompressConvertFrom.m4v.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\16_9-frame-image-mask.png.tmp	Zombie.exe
File created	C:\Program Files\Common Files\System\msadc\adcvbs.inc.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\oskmenubase.xml.tmp	Zombie.exe
File created	C:\Program Files\Common Files\System\msadc\de-DE\msadcfr.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationLeft_ButtonGraphic.png.tmp	Zombie.exe
File created	C:\Program Files\ExitApprove.raw.tmp	Zombie.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\sv.pak.tmp	Zombie.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\mojo_core.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe.tmp	Zombie.exe
File created	C:\Program Files\7-Zip\Lang\kab.txt.tmp	Zombie.exe
File created	C:\Program Files\7-Zip\Uninstall.exe.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\tipresx.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipsdan.xml.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_trans_RGB_PAL.wmv.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationUp_ButtonGraphic.png.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\shadowonlyframe_videoinset.png.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_es.jar.tmp	Zombie.exe
File created	C:\Program Files\7-Zip\Lang\es.txt.tmp	Zombie.exe
File created	C:\Program Files\7-Zip\Lang\kaa.txt.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\tipresx.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msdaremr.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Common Files\System\msadc\fr-FR\msadcor.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyScenesBackground_PAL.wmv.tmp	Zombie.exe
File created	C:\Program Files\7-Zip\Lang\mk.txt.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VC\msdia90.dll.tmp	Zombie.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\v8_context_snapshot.bin.tmp	Zombie.exe
File created	C:\Program Files\Internet Explorer\en-US\F12.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\7-Zip\Lang\hu.txt.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\TipTsf.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipsita.xml.tmp	Zombie.exe
File created	C:\Program Files\Common Files\System\DirectDB.dll.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationRight_ButtonGraphic.png.tmp	Zombie.exe
File created	C:\Program Files\7-Zip\Lang\mr.txt.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\FlickLearningWizard.exe.mui.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipsfin.xml.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyNotesBackground_PAL.wmv.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\btn-previous-static.png.tmp	Zombie.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	36c497ce1c187e8e5a5f659a428c2886768f3953d90fa7a518a68bda4b264728.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Zombie.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1764 wrote to memory of 1840	1764	36c497ce1c187e8e5a5f659a428c2886768f3953d90fa7a518a68bda4b264728.exe	30
PID 1764 wrote to memory of 1840	1764	36c497ce1c187e8e5a5f659a428c2886768f3953d90fa7a518a68bda4b264728.exe	30
PID 1764 wrote to memory of 1840	1764	36c497ce1c187e8e5a5f659a428c2886768f3953d90fa7a518a68bda4b264728.exe	30
PID 1764 wrote to memory of 1840	1764	36c497ce1c187e8e5a5f659a428c2886768f3953d90fa7a518a68bda4b264728.exe	30
PID 1764 wrote to memory of 1872	1764	36c497ce1c187e8e5a5f659a428c2886768f3953d90fa7a518a68bda4b264728.exe	31
PID 1764 wrote to memory of 1872	1764	36c497ce1c187e8e5a5f659a428c2886768f3953d90fa7a518a68bda4b264728.exe	31
PID 1764 wrote to memory of 1872	1764	36c497ce1c187e8e5a5f659a428c2886768f3953d90fa7a518a68bda4b264728.exe	31
PID 1764 wrote to memory of 1872	1764	36c497ce1c187e8e5a5f659a428c2886768f3953d90fa7a518a68bda4b264728.exe	31

C:\Users\Admin\AppData\Local\Temp\36c497ce1c187e8e5a5f659a428c2886768f3953d90fa7a518a68bda4b264728.exe
"C:\Users\Admin\AppData\Local\Temp\36c497ce1c187e8e5a5f659a428c2886768f3953d90fa7a518a68bda4b264728.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1764
- C:\Windows\SysWOW64\Zombie.exe
  "C:\Windows\system32\Zombie.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:1840
- C:\Users\Admin\AppData\Local\Temp\_MpCmdRun.exe
  "_MpCmdRun.exe"
  2⤵
  - Executes dropped EXE
  PID:1872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3290804112-2823094203-3137964600-1000\desktop.ini.tmp

Filesize
62KB

MD5
ae88f212c710583cb0b8b57c596f1286

SHA1
105af363b90054a037539f37ef9408edab0c2066

SHA256
f66de566e82ccd65252e417cac1345e6c96ba46e0c06e1028384c75a9b4a2602

SHA512
34fadd54ff43550c5cfa13bf9d58d7585692462993e8f2fecb3b2f55d2f9ceff9c56051e043a791d8a856cf8a78b58753347b1600a3567541a6dbca8e1b191ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MpCmdRun.exe

Filesize
456KB

MD5
dd8e8a4e0b8bae088dca303b78e12c77

SHA1
510a231c1ce12bcaee6f8d172c38ec06e524a795

SHA256
17ee13b7e86069505ca5b56099336a0980173c3892aee3d108f9497955e40c62

SHA512
9ccdbc4ff8ed0ef6aaa9120060028d8d45642d59344217d905134ea1ce416584bc4c86daa3720adc08b98c78e07cc295d16b77507a0fb56c96f464171756e0db

Download Submit
C:\Windows\SysWOW64\Zombie.exe

Filesize
62KB

MD5
5af944cf740d2192d144419d30762476

SHA1
363dd67cf6512196afed71bd203f28f14e10a69e

SHA256
d450ad7ccae673bd9f292caf4dc4b78d20b8a133036bb931cf5fa8d24e1163a5

SHA512
b29406b5c0125c408f600ef91079be3e0239397ba664227e139e44946f828c35485ea0af3a5423f84c0818e03bc698b4c9b0e3b5d303d86ad0e632d26264a148

Download Submit