Analysis
- max time kernel: 150s
- max time network: 108s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16/05/2024, 18:45
Behavioral task
behavioral1
Sample
0eb588fba24a6681351c62f74d9b38aaf2f343d3ebdd39b5d2fcec8e036c231c.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
0eb588fba24a6681351c62f74d9b38aaf2f343d3ebdd39b5d2fcec8e036c231c.exe
Resource
win10v2004-20240426-en
General
- Target: 0eb588fba24a6681351c62f74d9b38aaf2f343d3ebdd39b5d2fcec8e036c231c.exe
- Size: 357KB
- MD5: 4bfe331724d7ec26047909572c404eff
- SHA1: fbaee39172c0b517fd3c0b62a60e3dd550ced0ac
- SHA256: 0eb588fba24a6681351c62f74d9b38aaf2f343d3ebdd39b5d2fcec8e036c231c
- SHA512: 57d1afadfed476644ab76d40befc2b2f00dc5da90f6f021fb397c6290fd36f66569cb105f151e2a232cae1a031aebd2703010b1595a2ecca09a2efec9fda06c5
- SSDEEP: 6144:wHm3AIuZAIuDMVtM/02ZKS7N9QpKjShcHUad:XAIuZAIuOLQ7nvUad
Malware Config
Signatures
- Renames multiple (4589) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- UPX dump on OEP (original entry point) 4 IoCs
  resource  yara_rule
  behavioral2/memory/4768-0-0x0000000000400000-0x000000000040B000-memory.dmp  UPX
  behavioral2/files/0x000900000002297e-8.dat  UPX
  behavioral2/files/0x0007000000023493-12.dat  UPX
  behavioral2/memory/4768-25-0x0000000000400000-0x000000000040B000-memory.dmp  UPX
- Executes dropped EXE 2 IoCs
  pid  Process
  2716  _cpush.exe
  4352  Zombie.exe
-
  resource  yara_rule
  behavioral2/memory/4768-0-0x0000000000400000-0x000000000040B000-memory.dmp  upx
  behavioral2/files/0x000900000002297e-8.dat  upx
  behavioral2/files/0x0007000000023493-12.dat  upx
  behavioral2/memory/4768-25-0x0000000000400000-0x000000000040B000-memory.dmp  upx
- Drops file in System32 directory 2 IoCs
  description  ioc  Process
  File created  C:\Windows\SysWOW64\Zombie.exe  0eb588fba24a6681351c62f74d9b38aaf2f343d3ebdd39b5d2fcec8e036c231c.exe
  File opened for modification  C:\Windows\SysWOW64\Zombie.exe  0eb588fba24a6681351c62f74d9b38aaf2f343d3ebdd39b5d2fcec8e036c231c.exe
- Drops file in Program Files directory 64 IoCs
  description  ioc  Process
  File created  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.ReaderWriter.dll.tmp  Zombie.exe
  File created  C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\System.Windows.Controls.Ribbon.resources.dll.tmp  Zombie.exe
  File created  C:\Program Files\Java\jdk-1.8\legal\jdk\xmlresolver.md.tmp  Zombie.exe
  File created  C:\Program Files\Common Files\microsoft shared\ink\fr-FR\TabTip.exe.mui.tmp  Zombie.exe
  File created  C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\UIAutomationClientSideProviders.resources.dll.tmp  Zombie.exe
  File created  C:\Program Files\Java\jdk-1.8\jre\lib\ext\sunmscapi.jar.tmp  Zombie.exe
  File created  C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_MAKC2R-pl.xrm-ms.tmp  Zombie.exe
  File created  C:\Program Files\Java\jre-1.8\release.tmp  Zombie.exe
  File created  C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription4-ppd.xrm-ms.tmp  Zombie.exe
  File created  C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_Subscription-ul-oob.xrm-ms.tmp  Zombie.exe
  File created  C:\Program Files\Java\jre-1.8\legal\jdk\xalan.md.tmp  Zombie.exe
  File created  C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Office 2007 - 2010.xml.tmp  Zombie.exe
  File created  C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_OEM_Perp-ul-oob.xrm-ms.tmp  Zombie.exe
  File created  C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTrial-pl.xrm-ms.tmp  Zombie.exe
  File created  C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav.xml.tmp  Zombie.exe
  File created  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-datetime-l1-1-0.dll.tmp  Zombie.exe
  File created  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.XPath.XDocument.dll.tmp  Zombie.exe
  File created  C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\System.Xaml.resources.dll.tmp  Zombie.exe
  File created  C:\Program Files\Common Files\microsoft shared\ink\hwrusash.dat.tmp  Zombie.exe
  File created  C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_SubTrial-ul-oob.xrm-ms.tmp  Zombie.exe
  File created  C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail-ul-oob.xrm-ms.tmp  Zombie.exe
  File created  C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\System.Xaml.resources.dll.tmp  Zombie.exe
  File created  C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\ReachFramework.resources.dll.tmp  Zombie.exe
  File created  C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\PresentationUI.resources.dll.tmp  Zombie.exe
  File created  C:\Program Files\Java\jdk-1.8\jre\bin\dtplugin\deployJava1.dll.tmp  Zombie.exe
  File created  C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp4-ul-phn.xrm-ms.tmp  Zombie.exe
  File created  C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\System.Windows.Input.Manipulations.resources.dll.tmp  Zombie.exe
  File created  C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\Microsoft.Win32.SystemEvents.dll.tmp  Zombie.exe
  File created  C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.Luna.dll.tmp  Zombie.exe
  File created  C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Subscription-ul-oob.xrm-ms.tmp  Zombie.exe
  File created  C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_MoveDrop32x32.gif.tmp  Zombie.exe
  File created  C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Garamond.xml.tmp  Zombie.exe
  File created  C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_KMS_Client-ul-oob.xrm-ms.tmp  Zombie.exe
  File created  C:\Program Files\dotnet\host\fxr\6.0.27\hostfxr.dll.tmp  Zombie.exe
  File created  C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\System.Windows.Forms.resources.dll.tmp  Zombie.exe
  File created  C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\System.Windows.Forms.resources.dll.tmp  Zombie.exe
  File created  C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\vcruntime140_cor3.dll.tmp  Zombie.exe
  File created  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Private.Xml.dll.tmp  Zombie.exe
  File created  C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Trial-ul-oob.xrm-ms.tmp  Zombie.exe
  File created  C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_PrepidBypass-ppd.xrm-ms.tmp  Zombie.exe
  File created  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Compression.FileSystem.dll.tmp  Zombie.exe
  File created  C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Security.Cryptography.Pkcs.dll.tmp  Zombie.exe
  File created  C:\Program Files\Java\jdk-1.8\jre\lib\charsets.jar.tmp  Zombie.exe
  File created  C:\Program Files\Java\jre-1.8\lib\deploy\messages_ko.properties.tmp  Zombie.exe
  File created  C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\zh-CN.pak.tmp  Zombie.exe
  File created  C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-file-l1-2-0.dll.tmp  Zombie.exe
  File created  C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0090-0000-1000-0000000FF1CE.xml.tmp  Zombie.exe
  File created  C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Proof.Culture.msi.16.en-us.xml.tmp  Zombie.exe
  File created  C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad.xml.tmp  Zombie.exe
  File created  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.TypeExtensions.dll.tmp  Zombie.exe
  File created  C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\WindowsFormsIntegration.resources.dll.tmp  Zombie.exe
  File created  C:\Program Files\dotnet\swidtag\Microsoft Windows Desktop Runtime - 6.0.27 (x64).swidtag.tmp  Zombie.exe
  File created  C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_Subscription-pl.xrm-ms.tmp  Zombie.exe
  File created  C:\Program Files\Microsoft Office\root\Office16\MSIPC\fi\msipc.dll.mui.tmp  Zombie.exe
  File created  C:\Program Files\Microsoft Office\root\Licenses16\Personal2019DemoR_BypassTrial180-ul-oob.xrm-ms.tmp  Zombie.exe
  File created  C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_KMS_Client-ul.xrm-ms.tmp  Zombie.exe
  File created  C:\Program Files\Common Files\microsoft shared\ink\fr-FR\InputPersonalization.exe.mui.tmp  Zombie.exe
  File created  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Data.dll.tmp  Zombie.exe
  File created  C:\Program Files\Java\jdk-1.8\jvisualvm.txt.tmp  Zombie.exe
  File created  C:\Program Files\Java\jre-1.8\bin\jabswitch.exe.tmp  Zombie.exe
  File created  C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\UIAutomationTypes.resources.dll.tmp  Zombie.exe
  File created  C:\Program Files\Google\Chrome\Application\110.0.5481.104\VisualElements\SmallLogoDev.png.tmp  Zombie.exe
  File created  C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\limited\local_policy.jar.tmp  Zombie.exe
  File created  C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-environment-l1-1-0.dll.tmp  Zombie.exe
- Suspicious use of WriteProcessMemory 5 IoCs
  description  pid  Process  procid_target
  PID 4768 wrote to memory of 2716  4768  0eb588fba24a6681351c62f74d9b38aaf2f343d3ebdd39b5d2fcec8e036c231c.exe  82
  PID 4768 wrote to memory of 2716  4768  0eb588fba24a6681351c62f74d9b38aaf2f343d3ebdd39b5d2fcec8e036c231c.exe  82
  PID 4768 wrote to memory of 4352  4768  0eb588fba24a6681351c62f74d9b38aaf2f343d3ebdd39b5d2fcec8e036c231c.exe  83
  PID 4768 wrote to memory of 4352  4768  0eb588fba24a6681351c62f74d9b38aaf2f343d3ebdd39b5d2fcec8e036c231c.exe  83
  PID 4768 wrote to memory of 4352  4768  0eb588fba24a6681351c62f74d9b38aaf2f343d3ebdd39b5d2fcec8e036c231c.exe  83
Processes
- C:\Users\Admin\AppData\Local\Temp\0eb588fba24a6681351c62f74d9b38aaf2f343d3ebdd39b5d2fcec8e036c231c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0eb588fba24a6681351c62f74d9b38aaf2f343d3ebdd39b5d2fcec8e036c231c.exe"
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID: 4768
  Child process: C:\Users\Admin\AppData\Local\Temp\_cpush.exe
    Command line: "_cpush.exe"
    - Executes dropped EXE
    PID: 2716
  Child process: C:\Windows\SysWOW64\Zombie.exe
    Command line: "C:\Windows\system32\Zombie.exe"
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID: 4352
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 214KB
  MD5: 29406b374c68bd949413a066bbeb7e00
  SHA1: dfbb3c18f001134cf7a5af60b000fca5512239bc
  SHA256: 738387612f6f0434e8ffa3e7e5660c2b96afe5447f0555dac79e82172d8cb288
  SHA512: feb24d45ef4753fb6cbc713296def941ee08588ef08285107da6c9809813d647bf460f73771709bfc023a6dc1fdd4294447e66d53080b2e1500a0e078c40f81a
- Filesize: 143KB
  MD5: c1d5e48111f4984433e6318466ee1bce
  SHA1: d3379a99f504b38794f491e4fff6c77cfab53eac
  SHA256: dfdf187874d7368a92bbebb68c8cdc5c183af47d954b5b27ddaeca6774ae4822
  SHA512: dfce97a9dc92521c2d576b3d21071cb04df4a6d927676a2b95abc0093b67a044aab8d3f8612a4a70f9128cf2555d3a554a1c3f941647a64d30298ab28bba7441
- Filesize: 214KB
  MD5: 9a7187011efccc07ca802e776c5686b2
  SHA1: 6e46d26e0ef556fd630aa8fe0e14abd92bdba16a
  SHA256: 2ccf25550a3e4a8ac1b4ab953b168eef1b50d740a5438c090c37ac2497d024e5
  SHA512: 4df0193283f05ce677064fc1b4cf90411486bae7249caf449a9c4a4d9b570a83a112b3b24123cd83975ad2f45a4a0def257c86904958e155656d80d499baba5a