23c2f705711b17b19b5759a3e5d4153b8f5eb856195fc54a1caab74f596eaf0c

Analysis

max time kernel
119s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14/10/2024, 08:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

23c2f705711b17b19b5759a3e5d4153b8f5eb856195fc54a1caab74f596eaf0cN.exe
Size

525KB
MD5

ce65881ed7d49dc88b9a8aabf3846a80
SHA1

2d24120fa547e4808058c19bcbed60627e90cf5a
SHA256

23c2f705711b17b19b5759a3e5d4153b8f5eb856195fc54a1caab74f596eaf0c
SHA512

d8e5898114c3319662f788ff2143f1a5ca36a6b82ca643e342f5e42ef803ddd8237a7c3efd03683f771562d9d84a0445f4fae7eca7a15c5a3e184e8d7759a899
SSDEEP

6144:KWRt+eH9BpoxJI3ANJuBN0PDGxWSqqcfrj8XzL/3upuqs8j8IvwvWGEuTt3n8/yR:HRtEZNJuzVrcX8GW8j5veWpuTtMf8

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3271) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 2 IoCs

pid	Process
1584	_MpCmdRun.exe
2312	Zombie.exe

Loads dropped DLL 3 IoCs

pid	Process
1992	23c2f705711b17b19b5759a3e5d4153b8f5eb856195fc54a1caab74f596eaf0cN.exe
1992	23c2f705711b17b19b5759a3e5d4153b8f5eb856195fc54a1caab74f596eaf0cN.exe
1992	23c2f705711b17b19b5759a3e5d4153b8f5eb856195fc54a1caab74f596eaf0cN.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Zombie.exe	23c2f705711b17b19b5759a3e5d4153b8f5eb856195fc54a1caab74f596eaf0cN.exe
File opened for modification	C:\Windows\SysWOW64\Zombie.exe	23c2f705711b17b19b5759a3e5d4153b8f5eb856195fc54a1caab74f596eaf0cN.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1992-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/files/0x00080000000120f9-8.dat	upx
behavioral1/memory/2312-19-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/files/0x00080000000164de-21.dat	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-core-io-ui.xml_hidden.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host-remote_ja.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\org-netbeans-modules-profiler_visualvm.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\fonts\LucidaTypewriterBold.ttf.tmp	Zombie.exe
File created	C:\Program Files\7-Zip\7z.sfx.tmp	Zombie.exe
File created	C:\Program Files\7-Zip\Lang\fy.txt.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\feedback.gif.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.emf.common_2.10.1.v20140901-1043.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\npdeployJava1.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\JAWTAccessBridge-64.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-favorites.xml.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-modules-appui_zh_CN.jar.tmp	Zombie.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\es.pak.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\rightnav.gif.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-api.xml.tmp	Zombie.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\System.IdentityModel.Selectors.Resources.dll.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libaudio_format_plugin.dll.tmp	Zombie.exe
File created	C:\Program Files\Common Files\System\msadc\msadds.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Santo_Domingo.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\bin\installer.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\Antarctica\Palmer.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-keyring.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-text.xml.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\fr-FR\ChkrRes.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Eurosti.TTF.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\title_trans_notes.wmv.tmp	Zombie.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\it.pak.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.net.nl_zh_4.4.0.v20140623020002.jar.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\NextMenuButtonIcon.png.tmp	Zombie.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_100_percent.pak.tmp	Zombie.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\zh-TW.pak.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_PreComp_MATTE_PAL.wmv.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationLeft_ButtonGraphic.png.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.core.nl_ja_4.4.0.v20140623020002.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.workbench.nl_ja_4.4.0.v20140623020002.jar.tmp	Zombie.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\zh-CN.pak.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\doclib.gif.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Rarotonga.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libugly_resampler_plugin.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-dialogs_ja.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-api.jar.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\lua\intf\dummy.luac.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\tipresx.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\RegisterBlock.midi.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Monrovia.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.scheduler.nl_ja_4.4.0.v20140623020002.jar.tmp	Zombie.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-crt-locale-l1-1-0.dll.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\locale\wa\LC_MESSAGES\vlc.mo.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jli.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.directorywatcher.nl_ja_4.4.0.v20140623020002.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\.lastModified.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-core-output2.xml_hidden.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-modules-print.xml_hidden.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\tabskb.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\optimization_guide_internal.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\El_Aaiun.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\feature.xml.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-editor-mimelookup-impl.xml.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-io.xml.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\Antarctica\Rothera.tmp	Zombie.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\System.Speech.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationUp_ButtonGraphic.png.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToNotesBackground.wmv.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\WMM2CLIP.dll.tmp	Zombie.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Zombie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	23c2f705711b17b19b5759a3e5d4153b8f5eb856195fc54a1caab74f596eaf0cN.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 2312	1992	23c2f705711b17b19b5759a3e5d4153b8f5eb856195fc54a1caab74f596eaf0cN.exe	30
PID 1992 wrote to memory of 2312	1992	23c2f705711b17b19b5759a3e5d4153b8f5eb856195fc54a1caab74f596eaf0cN.exe	30
PID 1992 wrote to memory of 2312	1992	23c2f705711b17b19b5759a3e5d4153b8f5eb856195fc54a1caab74f596eaf0cN.exe	30
PID 1992 wrote to memory of 2312	1992	23c2f705711b17b19b5759a3e5d4153b8f5eb856195fc54a1caab74f596eaf0cN.exe	30
PID 1992 wrote to memory of 1584	1992	23c2f705711b17b19b5759a3e5d4153b8f5eb856195fc54a1caab74f596eaf0cN.exe	31
PID 1992 wrote to memory of 1584	1992	23c2f705711b17b19b5759a3e5d4153b8f5eb856195fc54a1caab74f596eaf0cN.exe	31
PID 1992 wrote to memory of 1584	1992	23c2f705711b17b19b5759a3e5d4153b8f5eb856195fc54a1caab74f596eaf0cN.exe	31
PID 1992 wrote to memory of 1584	1992	23c2f705711b17b19b5759a3e5d4153b8f5eb856195fc54a1caab74f596eaf0cN.exe	31

C:\Users\Admin\AppData\Local\Temp\23c2f705711b17b19b5759a3e5d4153b8f5eb856195fc54a1caab74f596eaf0cN.exe
"C:\Users\Admin\AppData\Local\Temp\23c2f705711b17b19b5759a3e5d4153b8f5eb856195fc54a1caab74f596eaf0cN.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Windows\SysWOW64\Zombie.exe
  "C:\Windows\system32\Zombie.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:2312
- C:\Users\Admin\AppData\Local\Temp\_MpCmdRun.exe
  "_MpCmdRun.exe"
  2⤵
  - Executes dropped EXE
  PID:1584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3063565911-2056067323-3330884624-1000\desktop.ini.tmp

Filesize
69KB

MD5
fb0fa6fd5df66f525a0e28370ee58e36

SHA1
077d795b2f8c3ddacc9fb216ae447f05d0e899ef

SHA256
743d226c57ee6f5063f9308f4b695ffad0ada41d6f3cf466871bced2b98018ba

SHA512
22a7d831dff8ff0a65da69d191dadd2b0b1bd07539376e138bf8b198f224c6a6ac003a6a6d39a613ae018a2d932ba22fdea6c557b976a88e9e42058fb918b3a4

Download Submit
\Users\Admin\AppData\Local\Temp\_MpCmdRun.exe

Filesize
456KB

MD5
e08445b7cddf167e3d70734dddcecbc0

SHA1
49de5e5dcc5750d841767e537b0fca72b39a159c

SHA256
4e25c4181f8b30517eeebd36982c46364f8f1ffa60bce1d0b5bc8df459e71355

SHA512
4c761fa4a8b013a972095356b9f1aa45f3f6e738cb3c0c8b06d2fc38eb0f8e42cb5840dd33193c0048a7a628db98324706ce5f58d5227707251d48416465ed07

Download Submit
\Windows\SysWOW64\Zombie.exe

Filesize
68KB

MD5
fe167822bd148aaf800fa4b74a350a82

SHA1
a9f9a19f9773a7572b11f1cd6197c31df093318a

SHA256
c980cb563ce863dc6e6ce667eb55811cd23fe7a2c0e34e400cb00631cb9f714e

SHA512
040d75b8ae9c0b1c1b96ee3db756cf5b8aa56d3bcb7849d93ee44865b5355448631c3d933e58147743914e23093997de54c0614104fcd5aebcc96dfe8b921b23

Download Submit
memory/1992-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1992-18-0x0000000000320000-0x000000000032B000-memory.dmp

Filesize
44KB

Download
memory/1992-17-0x0000000000320000-0x000000000032B000-memory.dmp

Filesize
44KB

Download
memory/2312-19-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download