Analysis
- max time kernel: 150s
- max time network: 93s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09/10/2024, 11:09
Static task: static1
Behavioral task: behavioral1
- Sample: 3b672e22ae482beb9b219f992a8f78202c1b3f8c688a04783e2a2555e330bbc8N.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 3b672e22ae482beb9b219f992a8f78202c1b3f8c688a04783e2a2555e330bbc8N.exe
- Resource: win10v2004-20241007-en
General
- Target: 3b672e22ae482beb9b219f992a8f78202c1b3f8c688a04783e2a2555e330bbc8N.exe
- Size: 2.4MB
- MD5: 396cf3b47c6bab1f66b34794ac38e130
- SHA1: 350c33f41d187056ecaca8a81f21f7b14b9139ff
- SHA256: 3b672e22ae482beb9b219f992a8f78202c1b3f8c688a04783e2a2555e330bbc8
- SHA512: 4ff32765f9a658899e53281ba55cc3be0a6075b886bc862a4b8eb70bee4a58cd341a18056bea90a6d9fb72a34abbd0392a9a0924dbd80c9413bdc215a02ccecc
- SSDEEP: 49152:KGlWC3YlQt8CWVQ7VFGogWAcF8jH7VaOtXcZ:8Q3YI+W
Malware Config
Signatures
- Renames multiple (5127) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Executes dropped EXE (2 IoCs)
  PID 4224: Zombie.exe
  PID 1852: _NisSrv.exe
- Drops file in System32 directory (2 IoCs)
  File created: C:\Windows\SysWOW64\Zombie.exe (process: 3b672e22ae482beb9b219f992a8f78202c1b3f8c688a04783e2a2555e330bbc8N.exe)
  File opened for modification: C:\Windows\SysWOW64\Zombie.exe (process: 3b672e22ae482beb9b219f992a8f78202c1b3f8c688a04783e2a2555e330bbc8N.exe)
- Drops file in Program Files directory (64 IoCs)
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 3b672e22ae482beb9b219f992a8f78202c1b3f8c688a04783e2a2555e330bbc8N.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: Zombie.exe)
- Suspicious use of WriteProcessMemory (5 IoCs)
  PID 4884 wrote to memory of 4224 (pid 4884, process 3b672e22ae482beb9b219f992a8f78202c1b3f8c688a04783e2a2555e330bbc8N.exe, procid_target 84)
  PID 4884 wrote to memory of 4224 (pid 4884, process 3b672e22ae482beb9b219f992a8f78202c1b3f8c688a04783e2a2555e330bbc8N.exe, procid_target 84)
  PID 4884 wrote to memory of 4224 (pid 4884, process 3b672e22ae482beb9b219f992a8f78202c1b3f8c688a04783e2a2555e330bbc8N.exe, procid_target 84)
  PID 4884 wrote to memory of 1852 (pid 4884, process 3b672e22ae482beb9b219f992a8f78202c1b3f8c688a04783e2a2555e330bbc8N.exe, procid_target 86)
  PID 4884 wrote to memory of 1852 (pid 4884, process 3b672e22ae482beb9b219f992a8f78202c1b3f8c688a04783e2a2555e330bbc8N.exe, procid_target 86)
Processes
- C:\Users\Admin\AppData\Local\Temp\3b672e22ae482beb9b219f992a8f78202c1b3f8c688a04783e2a2555e330bbc8N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3b672e22ae482beb9b219f992a8f78202c1b3f8c688a04783e2a2555e330bbc8N.exe"
  PID: 4884
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\Zombie.exe
    Command line: "C:\Windows\system32\Zombie.exe"
    PID: 4224
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\_NisSrv.exe
    Command line: "_NisSrv.exe"
    PID: 1852
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads