Analysis
- max time kernel: 120s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 23/07/2024, 21:36
Behavioral task behavioral1: Sample 0f3ce55182f243885b57c8609c212e10N.exe, Resource win7-20240708-en
Behavioral task behavioral2: Sample 0f3ce55182f243885b57c8609c212e10N.exe, Resource win10v2004-20240709-en
The signatures, process tree and memory dumps below all come from behavioral1 (Windows 7 x64); the Windows 10 run is not recorded in this extract.
General
- Target: 0f3ce55182f243885b57c8609c212e10N.exe
- Size: 189KB
- MD5: 0f3ce55182f243885b57c8609c212e10
- SHA1: 49ef39d0c34c1b6759e8fe5f27c1c7dd34704876
- SHA256: b4d8b0d8a073d4bf8e68e3512dd24aa43ddc891067c62fc5048196555188f98d
- SHA512: 349d19d54e482e3c39b91329218eab12f0c1e8a61c27ebb956ecbdc1ede78da980aab07be85057ae033143d73f854c8afefdf7a289fbab2ee30491a9d6d04f39
- SSDEEP: 3072:6Tuf7fs6UMU90HpKOrGCLOwstyhZFChcssc56FUrgxvbSD4UQrO2Ixyi:Tf7fG59OpKgShcHUa2
Malware Config
Signatures
-
Renames multiple (3203) files with added filename extension
This is consistent with ransomware encrypting files across the system. Read together with the Program Files entries below, where the same process (Zombie.exe) creates a .tmp file next to each original, the behaviour is consistent with an encrypt-to-temporary-file-then-rename loop. The extension appended to the renamed files is not recorded in this extract.
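The mass-rename reasoning above, as an added example that is not part of the sandbox report: a detector that consumes sandbox-style file events and flags any process that appends a single new extension to many files across several directories, while ignoring the benign look-alikes (one backup copy, a rename that changes the stem). The event line format, the ".locked" extension and the updater.exe/explorer.exe rows are constructed for the illustration; the report does not state which extension this sample appends.

```python
"""Mass-rename detector over sandbox-style file events.

Added example; not part of the sandbox report. Event lines use a constructed
"<verb> <src> [-> <dst>] <process>" shape, and the ".locked" extension and
the non-Zombie process names are placeholders for the illustration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

EVENT_RE = re.compile(r"^(created|renamed) (.+?)(?: -> (.+?))? (\S+)$")

# Constructed events. The Zombie.exe paths mirror entries from the report;
# the .locked renames and the updater.exe/explorer.exe rows are made up.
SAMPLE_EVENTS = [
    r"created C:\Program Files\7-Zip\7z.sfx.tmp Zombie.exe",
    r"renamed C:\Program Files\7-Zip\7z.sfx -> C:\Program Files\7-Zip\7z.sfx.locked Zombie.exe",
    r"created C:\Program Files\7-Zip\descript.ion.tmp Zombie.exe",
    r"renamed C:\Program Files\7-Zip\descript.ion -> C:\Program Files\7-Zip\descript.ion.locked Zombie.exe",
    r"created C:\Program Files\Internet Explorer\F12.dll.tmp Zombie.exe",
    r"renamed C:\Program Files\Internet Explorer\F12.dll -> C:\Program Files\Internet Explorer\F12.dll.locked Zombie.exe",
    r"created C:\Program Files\Mozilla Firefox\private_browsing.exe.tmp Zombie.exe",
    r"renamed C:\Program Files\Mozilla Firefox\private_browsing.exe -> C:\Program Files\Mozilla Firefox\private_browsing.exe.locked Zombie.exe",
    # Benign look-alikes: one backup copy, and a rename that changes the stem.
    r"renamed C:\Program Files\Updater\app.dll -> C:\Program Files\Updater\app.dll.bak updater.exe",
    r"renamed C:\Users\Admin\notes.txt -> C:\Users\Admin\notes-old.txt explorer.exe",
]


@dataclass
class ProcessStats:
    renamed_with_added_ext: int = 0
    added_extensions: set = field(default_factory=set)
    directories: set = field(default_factory=set)
    tmp_created: int = 0


def parse_event(line):
    """Split one event line into (verb, src, dst-or-None, process)."""
    m = EVENT_RE.match(line)
    if not m:
        raise ValueError(f"unparseable event: {line!r}")
    return m.groups()


def added_extension(src, dst):
    """Return the extension appended to src to form dst, else None."""
    if dst.startswith(src) and len(dst) > len(src) + 1 and dst[len(src)] == ".":
        return dst[len(src) + 1:]
    return None


def top_dir(path, depth=2):
    r"""Directory prefix at the given depth, e.g. C:\Program Files\7-Zip."""
    return "\\".join(path.split("\\")[: depth + 1])


def collect(events):
    """Aggregate per-process rename and .tmp-creation statistics."""
    stats = defaultdict(ProcessStats)
    for line in events:
        verb, src, dst, proc = parse_event(line)
        s = stats[proc]
        if verb == "created" and src.lower().endswith(".tmp"):
            s.tmp_created += 1
        elif verb == "renamed" and dst is not None:
            ext = added_extension(src, dst)
            if ext:
                s.renamed_with_added_ext += 1
                s.added_extensions.add(ext.lower())
                s.directories.add(top_dir(src))
    return stats


def flag_mass_rename(stats, min_renames=100, min_dirs=3):
    """Processes that append one extension to many files in several directories.

    Defaults are illustrative; the report counted 3203 renames, so a
    production threshold sits well above a single backup-style rename.
    """
    return {
        proc: s
        for proc, s in stats.items()
        if s.renamed_with_added_ext >= min_renames
        and len(s.directories) >= min_dirs
        and len(s.added_extensions) == 1
    }


if __name__ == "__main__":
    for proc, s in flag_mass_rename(collect(SAMPLE_EVENTS), min_renames=3).items():
        ext = next(iter(s.added_extensions))
        print(f"{proc}: {s.renamed_with_added_ext} renames -> .{ext} across "
              f"{len(s.directories)} directories, {s.tmp_created} .tmp files created")
```

Requiring exactly one appended extension is what separates an encryptor from a backup utility: the latter appends ".bak" to one file, the former appends the same marker to everything it touches.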
-
Executes dropped EXE 2 IoCs
- PID 3004: _chocolatey.exe
- PID 2692: Zombie.exe
-
Loads dropped DLL 3 IoCs
- PID 2716: 0f3ce55182f243885b57c8609c212e10N.exe (three loads; the DLL path is not recorded in this extract)
-
yara_rule upx 5 IoCs
- behavioral1/memory/2716-0-0x0000000000400000-0x000000000040A000-memory.dmp
- behavioral1/files/0x0008000000012115-8.dat
- behavioral1/memory/2692-18-0x0000000000400000-0x000000000040A000-memory.dmp
- behavioral1/memory/2716-9-0x0000000000270000-0x000000000027A000-memory.dmp
- behavioral1/files/0x000700000001940f-20.dat
The UPX rule fires on the parent (PID 2716) and on Zombie.exe (PID 2692), each mapped at 0x400000, on a second region inside the parent at 0x270000, and on both dropped files. Static analysis of any of these should start with unpacking.
-
Drops file in System32 directory 2 IoCs
- File created: C:\Windows\SysWOW64\Zombie.exe by 0f3ce55182f243885b57c8609c212e10N.exe
- File opened for modification: C:\Windows\SysWOW64\Zombie.exe by 0f3ce55182f243885b57c8609c212e10N.exe
-
Drops file in Program Files directory 64 IoCs
All 64 entries are "File created" by Zombie.exe, and every one is a .tmp written beside an existing file:
- C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt.tmp
- C:\Program Files\Microsoft Games\Multiplayer\Checkers\ja-JP\chkrzm.exe.mui.tmp
- C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-delete.avi.tmp
- C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToScenesBackground.wmv.tmp
- C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-2.tmp
- C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\System.IdentityModel.Resources.dll.tmp
- C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-coredump_zh_CN.jar.tmp
- C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\vlc.mo.tmp
- C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Chuuk.tmp
- C:\Program Files\VideoLAN\VLC\locale\my\LC_MESSAGES\vlc.mo.tmp
- C:\Program Files\Java\jre7\lib\zi\Australia\Brisbane.tmp
- C:\Program Files\Mozilla Firefox\private_browsing.exe.tmp
- C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\eclipse.inf.tmp
- C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\MANIFEST.MF.tmp
- C:\Program Files\Java\jre7\lib\zi\America\Kentucky\Monticello.tmp
- C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\sRGB.pf.tmp
- C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\license.html.tmp
- C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-explorer_zh_CN.jar.tmp
- C:\Program Files\Java\jre7\lib\charsets.jar.tmp
- C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\WindowsFormsIntegration.resources.dll.tmp
- C:\Program Files\7-Zip\descript.ion.tmp
- C:\Program Files\7-Zip\Lang\ku-ckb.txt.tmp
- C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\Passport.wmv.tmp
- C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\org-openide-util-lookup_ja.jar.tmp
- C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-windows_ja.jar.tmp
- C:\Program Files\VideoLAN\VLC\lua\meta\reader\filename.luac.tmp
- C:\Program Files\DVD Maker\Shared\DvdStyles\DvdTransform.fx.tmp
- C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Moscow.tmp
- C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-keyring-impl.xml.tmp
- C:\Program Files\Internet Explorer\F12.dll.tmp
- C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Tarawa.tmp
- C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.core.contexts_1.3.100.v20140407-1019.jar.tmp
- C:\Program Files\VideoLAN\VLC\lua\playlist\appletrailers.luac.tmp
- C:\Program Files\7-Zip\7z.sfx.tmp
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\vulkan-1.dll.tmp
- C:\Program Files\Internet Explorer\D3DCompiler_47.dll.tmp
- C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-options.xml.tmp
- C:\Program Files\Java\jre7\lib\cmm\CIEXYZ.pf.tmp
- C:\Program Files\Java\jdk1.7.0_80\lib\jconsole.jar.tmp
- C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4-dark_mac.css.tmp
- C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-masterfs.xml.tmp
- C:\Program Files\InstallUnblock.mp3.tmp
- C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-jmx.jar.tmp
- C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\highlight.png.tmp
- C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_fr.jar.tmp
- C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Dublin.tmp
- C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\feature.properties.tmp
- C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-editor-mimelookup.xml.tmp
- C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-services_zh_CN.jar.tmp
- C:\Program Files\Java\jre7\lib\zi\America\Paramaribo.tmp
- C:\Program Files\Java\jre7\lib\zi\Pacific\Tarawa.tmp
- C:\Program Files\Common Files\Microsoft Shared\ink\en-US\TipTsf.dll.mui.tmp
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\fil.pak.tmp
- C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\feature.xml.tmp
- C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Cambridge_Bay.tmp
- C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-masterfs.xml.tmp
- C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-threaddump.xml.tmp
- C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7Handle.png.tmp
- C:\Program Files\Common Files\Microsoft Shared\ink\ipsnld.xml.tmp
- C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_PreComp_MATTE_PAL.wmv.tmp
- C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Yerevan.tmp
- C:\Program Files\Common Files\Microsoft Shared\ink\ipssve.xml.tmp
- C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-oql.xml.tmp
- C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\clearkey.dll.sig.tmp
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by 0f3ce55182f243885b57c8609c212e10N.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by Zombie.exe
Both the dropper and the payload read the key. Plenty of legitimate software reads this key as well, so treat it as supporting context for the encryption behaviour rather than a stand-alone indicator.
-
Suspicious use of WriteProcessMemory 8 IoCs
- PID 2716 (0f3ce55182f243885b57c8609c212e10N.exe) wrote to memory of PID 3004 (_chocolatey.exe): 4 entries, procid_target 30
- PID 2716 (0f3ce55182f243885b57c8609c212e10N.exe) wrote to memory of PID 2692 (Zombie.exe): 4 entries, procid_target 32
Both targets are children the writer had just spawned (see the process tree below). A handful of writes from a parent into a child it is creating is what process start-up looks like through an API hook; the injection signal is a write into a pre-existing process the writer did not create. On its own this signature is weak here; the mass rename and the drop into SysWOW64 carry the verdict.
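The own-child versus foreign-process distinction above, as an added example that is not part of the sandbox report: the script collapses the repeated "wrote to memory of" rows, resolves each target against a process table, and reports only writes into processes the writer did not spawn. The eight event lines are the report's own rows; the process table, the parent PIDs of the report's processes, and the injector.exe/svchost.exe row are constructed for the illustration.

```python
"""Triage WriteProcessMemory events against the process tree.

Added example; not part of the sandbox report. Event lines reuse the
report's "PID A wrote to memory of B A <image> <id>" shape. The process
table and the injector.exe/svchost.exe line are constructed placeholders.
"""
import re
from collections import Counter

WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) \d+$")

# Constructed process table: pid -> (image name, parent pid). The 2716 ->
# 3004 / 2692 relation comes from the report; every other pid is made up.
PROCESSES = {
    1000: ("explorer.exe", 800),
    2716: ("0f3ce55182f243885b57c8609c212e10N.exe", 1000),
    3004: ("_chocolatey.exe", 2716),
    2692: ("Zombie.exe", 2716),
    4100: ("svchost.exe", 600),
    5000: ("injector.exe", 1000),
}

SAMPLE_EVENTS = [
    # Eight rows as they appear in the report (four per spawned child).
    "PID 2716 wrote to memory of 3004 2716 0f3ce55182f243885b57c8609c212e10N.exe 30",
    "PID 2716 wrote to memory of 3004 2716 0f3ce55182f243885b57c8609c212e10N.exe 30",
    "PID 2716 wrote to memory of 3004 2716 0f3ce55182f243885b57c8609c212e10N.exe 30",
    "PID 2716 wrote to memory of 3004 2716 0f3ce55182f243885b57c8609c212e10N.exe 30",
    "PID 2716 wrote to memory of 2692 2716 0f3ce55182f243885b57c8609c212e10N.exe 32",
    "PID 2716 wrote to memory of 2692 2716 0f3ce55182f243885b57c8609c212e10N.exe 32",
    "PID 2716 wrote to memory of 2692 2716 0f3ce55182f243885b57c8609c212e10N.exe 32",
    "PID 2716 wrote to memory of 2692 2716 0f3ce55182f243885b57c8609c212e10N.exe 32",
    # Constructed: a writer targeting a process it did not create.
    "PID 5000 wrote to memory of 4100 5000 injector.exe 41",
]


def parse_write(line):
    """Return (writer pid, target pid, writer image) for one event line."""
    m = WRITE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable event: {line!r}")
    writer, target, image = m.groups()
    return int(writer), int(target), image


def classify(writer, target, procs):
    """own-child: the writer spawned the target (process start-up writes).
    foreign: the target pre-exists and is unrelated (injection candidate)."""
    if target not in procs:
        return "unknown-target"
    _, ppid = procs[target]
    return "own-child" if ppid == writer else "foreign"


def summarize(lines, procs):
    """Collapse repeated rows into one record per writer/target pair."""
    counts = Counter(parse_write(line) for line in lines)
    rows = []
    for (writer, target, image), n in sorted(counts.items()):
        rows.append({
            "writer": writer,
            "image": image,
            "target": target,
            "target_image": procs.get(target, ("?", None))[0],
            "writes": n,
            "class": classify(writer, target, procs),
        })
    return rows


def injection_candidates(rows):
    """Only writes into processes the writer did not create are worth an alert."""
    return [r for r in rows if r["class"] == "foreign"]


if __name__ == "__main__":
    for r in summarize(SAMPLE_EVENTS, PROCESSES):
        print(f"{r['image']} ({r['writer']}) -> {r['target_image']} ({r['target']}): "
              f"{r['writes']} writes, {r['class']}")
```

Run against the report's eight rows alone, the script produces two own-child records and no candidates, which is the right reading of this signature for this sample.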
Processes
- C:\Users\Admin\AppData\Local\Temp\0f3ce55182f243885b57c8609c212e10N.exe (PID 2716), command line "C:\Users\Admin\AppData\Local\Temp\0f3ce55182f243885b57c8609c212e10N.exe"
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\_chocolatey.exe (PID 3004), command line "_chocolatey.exe"
    - Executes dropped EXE
  - C:\Windows\SysWOW64\Zombie.exe (PID 2692), command line "C:\Windows\system32\Zombie.exe"
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
The Zombie.exe command line names C:\Windows\system32\Zombie.exe, but the image actually runs from C:\Windows\SysWOW64: the dropper is a 32-bit process on a 64-bit Windows (arch:x86 in the resource tags), so its write to system32 was redirected by WOW64 file system redirection. The on-disk indicator to hunt for is C:\Windows\SysWOW64\Zombie.exe. All file-encryption activity is attributed to Zombie.exe; _chocolatey.exe is started from Temp but has no further behaviour recorded in this extract.
Network
MITRE ATT&CK Enterprise v15
Downloads
Three artifacts are offered for download; the extract does not record their paths or names.
- Filesize: 46KB
  MD5: e635873a4d458c94ae5d8b4e2553f465
  SHA1: 7ce53c9c906f06ffba385836acd4620338500578
  SHA256: f58537e8109f24b6937f9ab93383bde836b00d6a7407ca5acefafd850d70910e
  SHA512: 9d768f4f36593d15a09d8e24862a1e6a2c40879402650e9c382d41a2b54d0fad5e2f6a8746102def5e9b3072a1b0121753777ca7432b4a1966c8d41283e777f8
- Filesize: 143KB
  MD5: c583d768336377e263ed3de978da7c6e
  SHA1: 2c48977d57dfe983781ae622056588233d7d67ee
  SHA256: 54836a96884e0e9b30b1ff5b3ece61ce17dd472a4b09137296cd7915ec4a0fac
  SHA512: 284adabd0b025057d4f43e860b9cb64fd9505439c658cf011b87fcce5b15c6d6ebeae1134373c48401b559bdb465e882798127edb7c0fbbba59f225f85150b93
- Filesize: 46KB
  MD5: 6050bc6267797378f3368945423c3756
  SHA1: c6f4d97502de1532beea4e3302527448b592df50
  SHA256: 8b9cf1ec50779d5a225dec92ce60996e29515e8af2ef1d87349778a80279fa5f
  SHA512: f620f6a45e95b75c185673f5db145cd70a3b86fd8d931d1cc4c8cdb778724fd747cc1b7d50dc196b71ebf132493407f86c4f815d40bcd158c92b9732836a8206