Analysis
-
Max time kernel: 150s
Max time network: 123s
Platform: windows7_x64
Resource: win7-20240220-en
Resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
Submitted: 22-05-2024 23:45
Behavioral task: behavioral1
Sample: 81feec4a201a83d7dc490de813c2f0739d5d9e888c72de67052e1216fcaaaa8f.exe
Resource: win7-20240220-en

Behavioral task: behavioral2
Sample: 81feec4a201a83d7dc490de813c2f0739d5d9e888c72de67052e1216fcaaaa8f.exe
Resource: win10v2004-20240508-en
General
-
Target: 81feec4a201a83d7dc490de813c2f0739d5d9e888c72de67052e1216fcaaaa8f.exe
Size: 682KB
MD5: f849e424deb6622c9872620e6bb2a5cf
SHA1: c1ffd0087ef183737e006984b9a137de724c95c3
SHA256: 81feec4a201a83d7dc490de813c2f0739d5d9e888c72de67052e1216fcaaaa8f
SHA512: 81d66e9bf27ac10c0d44cee608be3af753e31118a7852a93ded3433ef7d2eb36aa325cc1021b9f99727493997cb33d788a6e08d49c5926b871ffebd5c0f3de1c
SSDEEP: 12288:7AIuZAIuOYS3ycUVRMstsD5pAfujVvaYMLc9RS/o:IYS3ycU/zt45W6vdLR
Malware Config
Signatures
-
Detects executables embedding registry key / value combination indicative of disabling Windows Defender features (1 IoCs)
Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\_MpCmdRun.exe | INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
-
Renames multiple (3447) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
UPX dump on OEP (original entry point) (5 IoCs)
Processes:
  resource | yara_rule
  behavioral1/memory/1992-0-0x0000000000400000-0x000000000040B000-memory.dmp | UPX
  \Windows\SysWOW64\Zombie.exe | UPX
  behavioral1/memory/1992-9-0x00000000003E0000-0x00000000003EB000-memory.dmp | UPX
  C:\$Recycle.Bin\S-1-5-21-2721934792-624042501-2768869379-1000\desktop.ini.tmp | UPX
  behavioral1/memory/1992-23-0x0000000000400000-0x000000000040B000-memory.dmp | UPX
-
Executes dropped EXE (2 IoCs)
Processes:
  pid | process
  3020 | _MpCmdRun.exe
  2788 | Zombie.exe
-
Loads dropped DLL (4 IoCs)
Processes:
  pid | process
  1992 | 81feec4a201a83d7dc490de813c2f0739d5d9e888c72de67052e1216fcaaaa8f.exe
  1992 | 81feec4a201a83d7dc490de813c2f0739d5d9e888c72de67052e1216fcaaaa8f.exe
  2880 | [process name not captured in the extracted page]
  1992 | 81feec4a201a83d7dc490de813c2f0739d5d9e888c72de67052e1216fcaaaa8f.exe
-
[signature name missing from the extracted page; yara rule "upx"]
Processes:
  resource | yara_rule
  behavioral1/memory/1992-0-0x0000000000400000-0x000000000040B000-memory.dmp | upx
  \Windows\SysWOW64\Zombie.exe | upx
  behavioral1/memory/1992-9-0x00000000003E0000-0x00000000003EB000-memory.dmp | upx
  C:\$Recycle.Bin\S-1-5-21-2721934792-624042501-2768869379-1000\desktop.ini.tmp | upx
  behavioral1/memory/1992-23-0x0000000000400000-0x000000000040B000-memory.dmp | upx
-
Drops file in System32 directory (2 IoCs)
Processes:
  description | ioc | process
  File created | C:\Windows\SysWOW64\Zombie.exe | 81feec4a201a83d7dc490de813c2f0739d5d9e888c72de67052e1216fcaaaa8f.exe
  File opened for modification | C:\Windows\SysWOW64\Zombie.exe | 81feec4a201a83d7dc490de813c2f0739d5d9e888c72de67052e1216fcaaaa8f.exe
-
Drops file in Program Files directory (64 IoCs)
Processes:
  description | ioc | process
  File created | C:\Program Files\Common Files\Microsoft Shared\VSTO\vstoee100.tlb.tmp | Zombie.exe
  File created | C:\Program Files\Common Files\System\msadc\de-DE\msaddsr.dll.mui.tmp | Zombie.exe
  File created | C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToScenesBackground.wmv.tmp | Zombie.exe
  File created | C:\Program Files\Internet Explorer\en-US\networkinspection.dll.mui.tmp | Zombie.exe
  File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin.nl_zh_4.4.0.v20140623020002.jar.tmp | Zombie.exe
  File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-modules.xml.tmp | Zombie.exe
  File created | C:\Program Files\Microsoft Games\Minesweeper\MineSweeper.dll.tmp | Zombie.exe
  File created | C:\Program Files\Java\jre7\lib\zi\America\Cayenne.tmp | Zombie.exe
  File created | C:\Program Files\Java\jre7\lib\zi\Europe\Warsaw.tmp | Zombie.exe
  File created | C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libspeex_resampler_plugin.dll.tmp | Zombie.exe
  File created | C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyclient.jar.tmp | Zombie.exe
  File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.engine.nl_zh_4.4.0.v20140623020002.jar.tmp | Zombie.exe
  File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-core-multitabs.jar.tmp | Zombie.exe
  File created | C:\Program Files\Java\jre7\lib\zi\Pacific\Chatham.tmp | Zombie.exe
  File created | C:\Program Files\Microsoft Games\Purble Place\PurblePlace2.dll.tmp | Zombie.exe
  File created | C:\Program Files\Mozilla Firefox\api-ms-win-crt-utility-l1-1-0.dll.tmp | Zombie.exe
  File created | C:\Program Files\VideoLAN\VLC\plugins\video_filter\libantiflicker_plugin.dll.tmp | Zombie.exe
  File created | C:\Program Files\7-Zip\Lang\fi.txt.tmp | Zombie.exe
  File created | C:\Program Files\7-Zip\Lang\sq.txt.tmp | Zombie.exe
  File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\prodbig.gif.tmp | Zombie.exe
  File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.httpcomponents.httpclient_4.2.6.v201311072007.jar.tmp | Zombie.exe
  File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-settings.xml.tmp | Zombie.exe
  File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-options-keymap.xml.tmp | Zombie.exe
  File created | C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\softedges.png.tmp | Zombie.exe
  File created | C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe.tmp | Zombie.exe
  File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\bookbig.gif.tmp | Zombie.exe
  File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.nl_ja_4.4.0.v20140623020002.jar.tmp | Zombie.exe
  File created | C:\Program Files\Java\jre7\lib\zi\America\Danmarkshavn.tmp | Zombie.exe
  File created | C:\Program Files\Java\jdk1.7.0_80\jre\bin\jaas_nt.dll.tmp | Zombie.exe
  File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-util-enumerations_zh_CN.jar.tmp | Zombie.exe
  File created | C:\Program Files\VideoLAN\VLC\plugins\logger\libconsole_logger_plugin.dll.tmp | Zombie.exe
  File created | C:\Program Files\Common Files\Microsoft Shared\ink\en-US\rtscom.dll.mui.tmp | Zombie.exe
  File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf.provider.filetransfer.ssl_1.0.0.v20140827-1444.jar.tmp | Zombie.exe
  File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-execution_zh_CN.jar.tmp | Zombie.exe
  File created | C:\Program Files\VideoLAN\VLC\plugins\mux\libmux_asf_plugin.dll.tmp | Zombie.exe
  File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.felix.gogo.shell_0.10.0.v201212101605.jar.tmp | Zombie.exe
  File created | C:\Program Files\Microsoft Games\Multiplayer\Backgammon\it-IT\bckgzm.exe.mui.tmp | Zombie.exe
  File created | C:\Program Files\RestoreSend.reg.tmp | Zombie.exe
  File created | C:\Program Files\VideoLAN\VLC\lua\http\vlm_export.html.tmp | Zombie.exe
  File created | C:\Program Files\VideoLAN\VLC\plugins\access\libsatip_plugin.dll.tmp | Zombie.exe
  File created | C:\Program Files\DVD Maker\DVDMaker.exe.tmp | Zombie.exe
  File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.property.nl_ja_4.4.0.v20140623020002.jar.tmp | Zombie.exe
  File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata_2.2.0.v20131211-1531.jar.tmp | Zombie.exe
  File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-api-annotations-common_zh_CN.jar.tmp | Zombie.exe
  File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-lib-uihandler.xml_hidden.tmp | Zombie.exe
  File created | C:\Program Files\Java\jre7\lib\content-types.properties.tmp | Zombie.exe
  File created | C:\Program Files\Java\jre7\lib\zi\America\Argentina\San_Luis.tmp | Zombie.exe
  File created | C:\Program Files\VideoLAN\VLC\plugins\codec\libspeex_plugin.dll.tmp | Zombie.exe
  File created | C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe.tmp | Zombie.exe
  File created | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\bg.pak.tmp | Zombie.exe
  File created | C:\Program Files\Mozilla Firefox\browser\VisualElements\PrivateBrowsing_150.png.tmp | Zombie.exe
  File created | C:\Program Files\VideoLAN\VLC\plugins\audio_output\libwasapi_plugin.dll.tmp | Zombie.exe
  File created | C:\Program Files\Windows Journal\it-IT\Journal.exe.mui.tmp | Zombie.exe
  File created | C:\Program Files\Internet Explorer\en-US\F12Tools.dll.mui.tmp | Zombie.exe
  File created | C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe.tmp | Zombie.exe
  File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\new-trigger-wiz.gif.tmp | Zombie.exe
  File created | C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationRight_ButtonGraphic.png.tmp | Zombie.exe
  File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Thunder_Bay.tmp | Zombie.exe
  File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-nodes_zh_CN.jar.tmp | Zombie.exe
  File created | C:\Program Files\Java\jre7\Welcome.html.tmp | Zombie.exe
  File created | C:\Program Files\DVD Maker\rtstreamsource.ax.tmp | Zombie.exe
  File created | C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\userContent_16x9_imagemask.png.tmp | Zombie.exe
  File created | C:\Program Files\Java\jdk1.7.0_80\db\bin\ij.tmp | Zombie.exe
  File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Tunis.tmp | Zombie.exe
-
Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
  description | pid | process | target process
  PID 1992 wrote to memory of 3020 | 1992 | 81feec4a201a83d7dc490de813c2f0739d5d9e888c72de67052e1216fcaaaa8f.exe | _MpCmdRun.exe
  PID 1992 wrote to memory of 3020 | 1992 | 81feec4a201a83d7dc490de813c2f0739d5d9e888c72de67052e1216fcaaaa8f.exe | _MpCmdRun.exe
  PID 1992 wrote to memory of 3020 | 1992 | 81feec4a201a83d7dc490de813c2f0739d5d9e888c72de67052e1216fcaaaa8f.exe | _MpCmdRun.exe
  PID 1992 wrote to memory of 3020 | 1992 | 81feec4a201a83d7dc490de813c2f0739d5d9e888c72de67052e1216fcaaaa8f.exe | _MpCmdRun.exe
  PID 1992 wrote to memory of 2788 | 1992 | 81feec4a201a83d7dc490de813c2f0739d5d9e888c72de67052e1216fcaaaa8f.exe | Zombie.exe
  PID 1992 wrote to memory of 2788 | 1992 | 81feec4a201a83d7dc490de813c2f0739d5d9e888c72de67052e1216fcaaaa8f.exe | Zombie.exe
  PID 1992 wrote to memory of 2788 | 1992 | 81feec4a201a83d7dc490de813c2f0739d5d9e888c72de67052e1216fcaaaa8f.exe | Zombie.exe
  PID 1992 wrote to memory of 2788 | 1992 | 81feec4a201a83d7dc490de813c2f0739d5d9e888c72de67052e1216fcaaaa8f.exe | Zombie.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\81feec4a201a83d7dc490de813c2f0739d5d9e888c72de67052e1216fcaaaa8f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\81feec4a201a83d7dc490de813c2f0739d5d9e888c72de67052e1216fcaaaa8f.exe"
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  -
  C:\Windows\SysWOW64\Zombie.exe
    Command line: "C:\Windows\system32\Zombie.exe"
    - Executes dropped EXE
    - Drops file in Program Files directory
  -
  C:\Users\Admin\AppData\Local\Temp\_MpCmdRun.exe
    Command line: "_MpCmdRun.exe"
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix
Downloads
-
C:\$Recycle.Bin\S-1-5-21-2721934792-624042501-2768869379-1000\desktop.ini.tmp
  Filesize: 130KB
  MD5: 73454bdc4a68e95b7e48f4da2966a96e
  SHA1: 5bcc41e6f5ae5a901af85c14b9a7233e4d320ed9
  SHA256: 4ae48c69d03e013f99065e84f5325aa41a8301fc256182e3122818a76656984e
  SHA512: a8021ab8be6b5a4ca9d53130f6d2f7241d8f749f77423e460f1902f602a0f318d9c510f59d6ce00f87f63aaf7a7c0005485b7ef548028127197d78fc8427c195
-
C:\Users\Admin\AppData\Local\Temp\_MpCmdRun.exe
  Filesize: 553KB
  MD5: f2e5f64caba5341d1942bb7eb2287436
  SHA1: c5b5091f98ee7affccd6209112cc4838fc4a1c6f
  SHA256: 1511c3b7230cf8cec1e9684a50de2034baa3e5e0c7be564989f279db3c90af53
  SHA512: f9dde456e9abc240a30389e72913d69b8d5a7ead60fcf3c796b3872f0330b335005faf4d1adc742587761be56fafbabe5b6574cd7b544b38b09a0e7a22f37cdb
-
\Windows\SysWOW64\Zombie.exe
  Filesize: 129KB
  MD5: b80193c2193c789821603b49dff8b9d3
  SHA1: bcf4d048b668d75e532ef5f175f67c6248025c91
  SHA256: 0bc0090a8682c001f1155d4d84df233d54b3f6e32fc06dc054ad132b1398a2f6
  SHA512: daee89fe4538f12be23de809700abeff1d086dccbf0b4d9fd9109a5a7b22bc962e09e11ca36951e3275ff2c2bf62380ca402a9df3c787025edc61e7d21281101
-
memory/1992-0-0x0000000000400000-0x000000000040B000-memory.dmp
  Filesize: 44KB
-
memory/1992-9-0x00000000003E0000-0x00000000003EB000-memory.dmp
  Filesize: 44KB
-
memory/1992-17-0x00000000003E0000-0x00000000003EB000-memory.dmp
  Filesize: 44KB
-
memory/1992-23-0x0000000000400000-0x000000000040B000-memory.dmp
  Filesize: 44KB