Analysis
- max time kernel: 119s
- max time network: 16s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 14/10/2024, 08:47
Behavioral task behavioral1
- Sample: 23c2f705711b17b19b5759a3e5d4153b8f5eb856195fc54a1caab74f596eaf0cN.exe
- Resource: win7-20240903-en
Behavioral task behavioral2
- Sample: 23c2f705711b17b19b5759a3e5d4153b8f5eb856195fc54a1caab74f596eaf0cN.exe
- Resource: win10v2004-20241007-en
General
- Target: 23c2f705711b17b19b5759a3e5d4153b8f5eb856195fc54a1caab74f596eaf0cN.exe
- Size: 525KB
- MD5: ce65881ed7d49dc88b9a8aabf3846a80
- SHA1: 2d24120fa547e4808058c19bcbed60627e90cf5a
- SHA256: 23c2f705711b17b19b5759a3e5d4153b8f5eb856195fc54a1caab74f596eaf0c
- SHA512: d8e5898114c3319662f788ff2143f1a5ca36a6b82ca643e342f5e42ef803ddd8237a7c3efd03683f771562d9d84a0445f4fae7eca7a15c5a3e184e8d7759a899
- SSDEEP: 6144:KWRt+eH9BpoxJI3ANJuBN0PDGxWSqqcfrj8XzL/3upuqs8j8IvwvWGEuTt3n8/yR:HRtEZNJuzVrcX8GW8j5veWpuTtMf8
Malware Config
Signatures
- Renames multiple (3271) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Executes dropped EXE (2 IoCs)
  pid 1584  _MpCmdRun.exe
  pid 2312  Zombie.exe
- Loads dropped DLL (3 IoCs)
  pid 1992  23c2f705711b17b19b5759a3e5d4153b8f5eb856195fc54a1caab74f596eaf0cN.exe
  pid 1992  23c2f705711b17b19b5759a3e5d4153b8f5eb856195fc54a1caab74f596eaf0cN.exe
  pid 1992  23c2f705711b17b19b5759a3e5d4153b8f5eb856195fc54a1caab74f596eaf0cN.exe
- Drops file in System32 directory (2 IoCs)
  File created               C:\Windows\SysWOW64\Zombie.exe  23c2f705711b17b19b5759a3e5d4153b8f5eb856195fc54a1caab74f596eaf0cN.exe
  File opened for modification  C:\Windows\SysWOW64\Zombie.exe  23c2f705711b17b19b5759a3e5d4153b8f5eb856195fc54a1caab74f596eaf0cN.exe
- YARA rule matches (upx)
  behavioral1/memory/1992-0-0x0000000000400000-0x000000000040B000-memory.dmp  upx
  behavioral1/files/0x00080000000120f9-8.dat  upx
  behavioral1/memory/2312-19-0x0000000000400000-0x000000000040B000-memory.dmp  upx
  behavioral1/files/0x00080000000164de-21.dat  upx
- Drops file in Program Files directory (64 IoCs)
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Zombie.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  23c2f705711b17b19b5759a3e5d4153b8f5eb856195fc54a1caab74f596eaf0cN.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 1992 wrote to memory of 2312  23c2f705711b17b19b5759a3e5d4153b8f5eb856195fc54a1caab74f596eaf0cN.exe  procid_target 30
  PID 1992 wrote to memory of 2312  23c2f705711b17b19b5759a3e5d4153b8f5eb856195fc54a1caab74f596eaf0cN.exe  procid_target 30
  PID 1992 wrote to memory of 2312  23c2f705711b17b19b5759a3e5d4153b8f5eb856195fc54a1caab74f596eaf0cN.exe  procid_target 30
  PID 1992 wrote to memory of 2312  23c2f705711b17b19b5759a3e5d4153b8f5eb856195fc54a1caab74f596eaf0cN.exe  procid_target 30
  PID 1992 wrote to memory of 1584  23c2f705711b17b19b5759a3e5d4153b8f5eb856195fc54a1caab74f596eaf0cN.exe  procid_target 31
  PID 1992 wrote to memory of 1584  23c2f705711b17b19b5759a3e5d4153b8f5eb856195fc54a1caab74f596eaf0cN.exe  procid_target 31
  PID 1992 wrote to memory of 1584  23c2f705711b17b19b5759a3e5d4153b8f5eb856195fc54a1caab74f596eaf0cN.exe  procid_target 31
  PID 1992 wrote to memory of 1584  23c2f705711b17b19b5759a3e5d4153b8f5eb856195fc54a1caab74f596eaf0cN.exe  procid_target 31
Processes
- C:\Users\Admin\AppData\Local\Temp\23c2f705711b17b19b5759a3e5d4153b8f5eb856195fc54a1caab74f596eaf0cN.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\23c2f705711b17b19b5759a3e5d4153b8f5eb856195fc54a1caab74f596eaf0cN.exe"
  PID: 1992
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\Zombie.exe
    Command line: "C:\Windows\system32\Zombie.exe"
    PID: 2312
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\_MpCmdRun.exe
    Command line: "_MpCmdRun.exe"
    PID: 1584
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15