e016e262ee57ec75ca27b7c274a22a3b9a788aef1f24ffd4123382d9211a0003

General

Target

e016e262ee57ec75ca27b7c274a22a3b9a788aef1f24ffd4123382d9211a0003.exe
Size

226KB
MD5

e0373cfcfa13504c6d1d6d7a981747e4
SHA1

502c1314d59570fc57db132234e17235ebb5a146
SHA256

e016e262ee57ec75ca27b7c274a22a3b9a788aef1f24ffd4123382d9211a0003
SHA512

30602f591a1d5fbb0ad7ee947ac118244bd0c6440441ab985515dd089f976890cf7d38fca6d86baec38f5be75676beb12748a5df8bcc15a5609485edc5d6b025
SSDEEP

3072:69WpQEJAzEWzVNOx0ypIzIu73mYdE9d3s9XL7EWzVNOx0ypIzIu73mYdE9d3s9Xo:nfAnCLGdE9XNgShcHUaO

Score

9^/10

ransomware

Malware Config

Signatures

Renames multiple (3452) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Executes dropped EXE 2 IoCs

Processes:

_cuninst.exeZombie.exe

pid process

2724 _cuninst.exe
2884 Zombie.exe

pid	process
2724	_cuninst.exe
2884	Zombie.exe

Loads dropped DLL 3 IoCs

Processes:

e016e262ee57ec75ca27b7c274a22a3b9a788aef1f24ffd4123382d9211a0003.exe

pid	process
3036	e016e262ee57ec75ca27b7c274a22a3b9a788aef1f24ffd4123382d9211a0003.exe
3036	e016e262ee57ec75ca27b7c274a22a3b9a788aef1f24ffd4123382d9211a0003.exe
3036	e016e262ee57ec75ca27b7c274a22a3b9a788aef1f24ffd4123382d9211a0003.exe

Drops file in System32 directory 2 IoCs

Processes:

e016e262ee57ec75ca27b7c274a22a3b9a788aef1f24ffd4123382d9211a0003.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Zombie.exe	e016e262ee57ec75ca27b7c274a22a3b9a788aef1f24ffd4123382d9211a0003.exe
File created	C:\Windows\SysWOW64\Zombie.exe	e016e262ee57ec75ca27b7c274a22a3b9a788aef1f24ffd4123382d9211a0003.exe

Drops file in Program Files directory 64 IoCs

Processes:

Zombie.exe

description	ioc	process
File created	C:\Program Files\FormatGrant.vdw.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Gaza.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libtextst_plugin.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-swing-tabcontrol.xml.tmp	Zombie.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\System.Speech.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libdca_plugin.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-api-caching.xml.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipssve.xml.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.cpl.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.manipulator.nl_ja_4.4.0.v20140623020002.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-sampler_zh_CN.jar.tmp	Zombie.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\System.ServiceModel.Resources.dll.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\16_9-frame-image-mask.png.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\specialmainsubpicture.png.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\tools.jar.tmp	Zombie.exe
File created	C:\Program Files\Mozilla Firefox\update-settings.ini.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\vlc.mo.tmp	Zombie.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msadcor.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\deploy\messages_zh_HK.properties.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Kuching.tmp	Zombie.exe
File created	C:\Program Files\7-Zip\Lang\hr.txt.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\jce.jar.tmp	Zombie.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Data.Entity.Resources.dll.tmp	Zombie.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msdaprsr.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Rangoon.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libwebvtt_plugin.dll.tmp	Zombie.exe
File created	C:\Program Files\Mozilla Firefox\private_browsing.exe.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\locale\nl\LC_MESSAGES\vlc.mo.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\libdvdnav_plugin.dll.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_record_plugin.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Menominee.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Adelaide.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\MANIFEST.MF.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.util_1.0.500.v20130404-1337.jar.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\images\speaker-32.png.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libtrivial_channel_mixer_plugin.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.compatibility.state.nl_ja_4.4.0.v20140623020002.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-options.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\bin\jsoundds.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPOlive.png.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-api-annotations-common_ja.jar.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\MAPISHELLR.DLL.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_trans_MATTE_PAL.wmv.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\diagnostic-command-16.png.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.nl_zh_4.4.0.v20140623020002.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.security.ui_1.1.200.v20130626-2037.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Samara.tmp	Zombie.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Windows.Presentation.dll.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols.xml.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\btn-previous-static.png.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.services_3.4.0.v20140312-2051.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\Etc\GMT.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\plugin.properties.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin.nl_zh_4.4.0.v20140623020002.jar.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\tipresx.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\TipBand.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Porto_Velho.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\license.html.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Dawson_Creek.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macTSFrame.png.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-javahelp.xml.tmp	Zombie.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

e016e262ee57ec75ca27b7c274a22a3b9a788aef1f24ffd4123382d9211a0003.exe

description	pid	process	target process
PID 3036 wrote to memory of 2724	3036	e016e262ee57ec75ca27b7c274a22a3b9a788aef1f24ffd4123382d9211a0003.exe	_cuninst.exe
PID 3036 wrote to memory of 2724	3036	e016e262ee57ec75ca27b7c274a22a3b9a788aef1f24ffd4123382d9211a0003.exe	_cuninst.exe
PID 3036 wrote to memory of 2724	3036	e016e262ee57ec75ca27b7c274a22a3b9a788aef1f24ffd4123382d9211a0003.exe	_cuninst.exe
PID 3036 wrote to memory of 2724	3036	e016e262ee57ec75ca27b7c274a22a3b9a788aef1f24ffd4123382d9211a0003.exe	_cuninst.exe
PID 3036 wrote to memory of 2884	3036	e016e262ee57ec75ca27b7c274a22a3b9a788aef1f24ffd4123382d9211a0003.exe	Zombie.exe
PID 3036 wrote to memory of 2884	3036	e016e262ee57ec75ca27b7c274a22a3b9a788aef1f24ffd4123382d9211a0003.exe	Zombie.exe
PID 3036 wrote to memory of 2884	3036	e016e262ee57ec75ca27b7c274a22a3b9a788aef1f24ffd4123382d9211a0003.exe	Zombie.exe
PID 3036 wrote to memory of 2884	3036	e016e262ee57ec75ca27b7c274a22a3b9a788aef1f24ffd4123382d9211a0003.exe	Zombie.exe

C:\Users\Admin\AppData\Local\Temp\e016e262ee57ec75ca27b7c274a22a3b9a788aef1f24ffd4123382d9211a0003.exe
"C:\Users\Admin\AppData\Local\Temp\e016e262ee57ec75ca27b7c274a22a3b9a788aef1f24ffd4123382d9211a0003.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3036
- C:\Users\Admin\AppData\Local\Temp\_cuninst.exe
  "_cuninst.exe"
  2⤵
  - Executes dropped EXE
  PID:2724
- C:\Windows\SysWOW64\Zombie.exe
  "C:\Windows\system32\Zombie.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2884

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2721934792-624042501-2768869379-1000\desktop.ini.tmp

Filesize
86KB

MD5
b22f1c9ce465bfc3a1a31014bf5d6a97

SHA1
1d236673350c7ca57cebe0c060d2436feb8bf2b7

SHA256
0d15d45852a352a5af945d27ac505d69d40255cfb055c98759c2d4f44d727713

SHA512
2022d2e38599f78497e2f589a50d88feb090a667b9fc930e480a294e33459d054707d1101df133092c3f5d2fde38ff310097380403e49b9599d15005f3b15cf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_cuninst.exe

Filesize
140KB

MD5
3bc2cb2446a5b8fffd7ab3a98b9f51f6

SHA1
4f898bd1af88359128837e58cfe2a52f192a5d1f

SHA256
2ae11cc8a144df879a7be3fb6b1ce2cdce6c720a3e8c73b3a33fe120133b51b8

SHA512
482f58d2f62b6ebfc5822b5afd63b64a1fc99dd32cafdbd67ac0b206f055b3ca9415905494c375c4d7c5f22e86b53fb8d7a8943504b157df21c5a5b52e9b632b

Download Submit
\Windows\SysWOW64\Zombie.exe

Filesize
86KB

MD5
808ecdc5aadfcc69022400a6d9a556bf

SHA1
0711eee2ed4a082b5141fa274e87df70b44ca589

SHA256
24cfd9caf46a1c1224a940556419a7365558a631d11e0ae0c0567d08fa382d40

SHA512
15c083bb55c57646e0782d4ac9465c648e374a5deaa594dc343a3fe178e0b48789de43c4a6b48e10250a20e75baf3f57b674ae83a3e6d85350e2c6e25068e017

Download Submit
memory/2724-19-0x000007FEF5693000-0x000007FEF5694000-memory.dmp

Filesize
4KB

Download
memory/2724-20-0x0000000000B50000-0x0000000000B78000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads