c0302061eaffab35f993eec903d2b6d85463fcc5b73d9bdac4e1332a4c48455b

General

Target

c0302061eaffab35f993eec903d2b6d85463fcc5b73d9bdac4e1332a4c48455b.exe
Size

356KB
MD5

cad7609bfd0a084e26e46db6b5d876ec
SHA1

c895d7a69b4922c39b832c4447b3360d459236fd
SHA256

c0302061eaffab35f993eec903d2b6d85463fcc5b73d9bdac4e1332a4c48455b
SHA512

30d13f37474ed93e6c6906c0183b99befa8f8c4f37217b9f30f3a190cd6f0fa2449f46e1d904a6d80526f61217aac585dd15c6ed69de75a2e24a1ebe4bdb9b5e
SSDEEP

6144:ndW+Dffz1gUZ3sOeNw0VqIJ/uJn9tvq3v3/sSQJw1Tn:dW+Dfhg0cvd5JIDvTJw1L

Score

9^/10

ransomware

Malware Config

Signatures

Renames multiple (3658) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Executes dropped EXE 2 IoCs

Processes:

_7z.exeZombie.exe

pid process

1672 _7z.exe
1028 Zombie.exe

pid	process
1672	_7z.exe
1028	Zombie.exe

Loads dropped DLL 3 IoCs

Processes:

c0302061eaffab35f993eec903d2b6d85463fcc5b73d9bdac4e1332a4c48455b.exe

pid	process
2328	c0302061eaffab35f993eec903d2b6d85463fcc5b73d9bdac4e1332a4c48455b.exe
2328	c0302061eaffab35f993eec903d2b6d85463fcc5b73d9bdac4e1332a4c48455b.exe
2328	c0302061eaffab35f993eec903d2b6d85463fcc5b73d9bdac4e1332a4c48455b.exe

Drops file in System32 directory 2 IoCs

Processes:

c0302061eaffab35f993eec903d2b6d85463fcc5b73d9bdac4e1332a4c48455b.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Zombie.exe	c0302061eaffab35f993eec903d2b6d85463fcc5b73d9bdac4e1332a4c48455b.exe
File opened for modification	C:\Windows\SysWOW64\Zombie.exe	c0302061eaffab35f993eec903d2b6d85463fcc5b73d9bdac4e1332a4c48455b.exe

Drops file in Program Files directory 64 IoCs

Processes:

Zombie.exe

description	ioc	process
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\dotsdarkoverlay.png.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\NextMenuButtonIconSubpictur.png.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_highlights_Thumbnail.bmp.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.net.nl_ja_4.4.0.v20140623020002.jar.tmp	Zombie.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Data.Entity.Design.Resources.dll.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipssrb.xml.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\huemainsubpicture2.png.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\MANIFEST.MF.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-multitabs.xml.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-windows.xml.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-modules-core-kit.xml_hidden.tmp	Zombie.exe
File created	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\clearkey.dll.sig.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\mux\libmux_mpjpeg_plugin.dll.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\tipresx.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Windows Media Player\es-ES\WMPSideShowGadget.exe.mui.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\es-ES\bckgzm.exe.mui.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_box_left.png.tmp	Zombie.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_sent.gif.tmp	Zombie.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\sk.pak.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\vlc.mo.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\lua\meta\reader\filename.luac.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access_output\libaccess_output_shout_plugin.dll.tmp	Zombie.exe
File created	C:\Program Files\Windows Journal\InkSeg.dll.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_corner_top_left.png.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\timer_down.png.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VC\msdia100.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-profiler_zh_CN.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-filesystems.xml.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\bin\policytool.exe.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Amsterdam.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\triangle.png.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\mc.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-selector-ui.xml.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-host.xml.tmp	Zombie.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-core-file-l1-2-0.dll.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\settings.html.tmp	Zombie.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-H.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\booklist.gif.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\WindowsAccessBridge-64.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.jarprocessor.nl_zh_4.4.0.v20140623020002.jar.tmp	Zombie.exe
File created	C:\Program Files\Mozilla Firefox\firefox.cfg.tmp	Zombie.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Windows.Presentation.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libtransform_plugin.dll.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_left.png.tmp	Zombie.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-BoldIt.otf.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssv.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\new-trigger-wiz.gif.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\text_renderer\libtdummy_plugin.dll.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\weather.html.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\whitemask1047.png.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hi\LC_MESSAGES\vlc.mo.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\DvdTransform.fx.tmp	Zombie.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\th.pak.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jpeg.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\sunjce_provider.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+6.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\plugin.properties.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-selector-api.xml.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\bin\javaw.exe.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipsnor.xml.tmp	Zombie.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\es-419.pak.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Minsk.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\license.html.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher.eclipse.nl_zh_4.4.0.v20140623020002.jar.tmp	Zombie.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

c0302061eaffab35f993eec903d2b6d85463fcc5b73d9bdac4e1332a4c48455b.exe

description	pid	process	target process
PID 2328 wrote to memory of 1672	2328	c0302061eaffab35f993eec903d2b6d85463fcc5b73d9bdac4e1332a4c48455b.exe	_7z.exe
PID 2328 wrote to memory of 1672	2328	c0302061eaffab35f993eec903d2b6d85463fcc5b73d9bdac4e1332a4c48455b.exe	_7z.exe
PID 2328 wrote to memory of 1672	2328	c0302061eaffab35f993eec903d2b6d85463fcc5b73d9bdac4e1332a4c48455b.exe	_7z.exe
PID 2328 wrote to memory of 1672	2328	c0302061eaffab35f993eec903d2b6d85463fcc5b73d9bdac4e1332a4c48455b.exe	_7z.exe
PID 2328 wrote to memory of 1028	2328	c0302061eaffab35f993eec903d2b6d85463fcc5b73d9bdac4e1332a4c48455b.exe	Zombie.exe
PID 2328 wrote to memory of 1028	2328	c0302061eaffab35f993eec903d2b6d85463fcc5b73d9bdac4e1332a4c48455b.exe	Zombie.exe
PID 2328 wrote to memory of 1028	2328	c0302061eaffab35f993eec903d2b6d85463fcc5b73d9bdac4e1332a4c48455b.exe	Zombie.exe
PID 2328 wrote to memory of 1028	2328	c0302061eaffab35f993eec903d2b6d85463fcc5b73d9bdac4e1332a4c48455b.exe	Zombie.exe

C:\Users\Admin\AppData\Local\Temp\c0302061eaffab35f993eec903d2b6d85463fcc5b73d9bdac4e1332a4c48455b.exe
"C:\Users\Admin\AppData\Local\Temp\c0302061eaffab35f993eec903d2b6d85463fcc5b73d9bdac4e1332a4c48455b.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2328

C:\Windows\SysWOW64\Zombie.exe
"C:\Windows\system32\Zombie.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1028

C:\Users\Admin\AppData\Local\Temp\_7z.exe
"_7z.exe"
2⤵
- Executes dropped EXE
PID:1672

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3627615824-4061627003-3019543961-1000\desktop.ini.tmp
Filesize
73KB

MD5
ebbddacfbacff9970e6127f00a725e08

SHA1
85ccbcc0326d83a34fda457c987b4f1553ebf91d

SHA256
976c3721c0bbbe54f99c3e4d2461c7dab1c780761ed482d6c0042189a614cd10

SHA512
f5bd2d3ab215a3beda7639823ad1a46da3c903373f35fb3e567b077fef659546218c0baf1ab962258d171c5373a42e4848d29a945c361700354f732e6c12b64c

Download Submit
\Users\Admin\AppData\Local\Temp\_7z.exe
Filesize
284KB

MD5
a42b35f975d88c1370a7aff084ee57a7

SHA1
bee1408fe0b15f6f719f003e46aee5ec424cf608

SHA256
56cc9e7e3767c0cffae8161bf0ad13457487c1b422e2879b897dbd4bab115776

SHA512
b92d05515e18277db660118934e70678ee2a3bb66005bad19bb417ffaedb22a63727a5a697ca3ac0f6c48f6f5593ba45ab80f4ebdc0eaed10d80b7af04d45b23

Download Submit
\Windows\SysWOW64\Zombie.exe
Filesize
72KB

MD5
7b216b687adea8e3dacdb29dce7119ce

SHA1
c63ceef73ea305774b7365e08b15c865fd79c815

SHA256
cd2b1c3bf9ba7faa3cf4f3f4454cc3330a85f40beb1318ab38abe395751d9dc2

SHA512
f50c5c01b322fa60a5528029f07150609b46be31521e4537b0a63e755c1422896b7b8b551629e02b950240ac2b0e99625d5838f8fd77da9f16234e626a688c80

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads