87a218d141c61d1f3d88633d5f72c22b96c9e62737a622d75c74d525637f39f3

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
23/06/2024, 23:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

87a218d141c61d1f3d88633d5f72c22b96c9e62737a622d75c74d525637f39f3.exe
Size

502KB
MD5

f4f58a4f9f829e8a848e2e90a21c6cc4
SHA1

43a65e5c7d4a2be1cd24c3060732a13a0613b5e8
SHA256

87a218d141c61d1f3d88633d5f72c22b96c9e62737a622d75c74d525637f39f3
SHA512

709092131e2d0331bff10cb725c1ab9e1e8c529d8dc07e88735ab9703233de831e3ea50d0795a89baa70f33a239255bab0225ca6efd7709fc952a0f9a59b3927
SSDEEP

6144:PEYrIOXsqmWzJrdc6GJRQUWGUA9PRWLiFSbE56FORFL:I2lWRPWhA9PRWg97

Score

9^/10

ransomware

Malware Config

Signatures

Renames multiple (3979) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 2 IoCs

pid	Process
1228	Zombie.exe
2976	_setup.exe

Loads dropped DLL 3 IoCs

pid	Process
1516	87a218d141c61d1f3d88633d5f72c22b96c9e62737a622d75c74d525637f39f3.exe
1516	87a218d141c61d1f3d88633d5f72c22b96c9e62737a622d75c74d525637f39f3.exe
1516	87a218d141c61d1f3d88633d5f72c22b96c9e62737a622d75c74d525637f39f3.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Zombie.exe	87a218d141c61d1f3d88633d5f72c22b96c9e62737a622d75c74d525637f39f3.exe
File opened for modification	C:\Windows\SysWOW64\Zombie.exe	87a218d141c61d1f3d88633d5f72c22b96c9e62737a622d75c74d525637f39f3.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\calendar.html.tmp	Zombie.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUEPRNT\THMBNAIL.PNG.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-actions.xml.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host_zh_CN.jar.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_output\libwinhibit_plugin.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-utilities.xml.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\bin\libxslt.dll.tmp	Zombie.exe
File created	C:\Program Files\Common Files\System\msadc\msdfmap.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-spi-actions.xml.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\meta-index.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Riga.tmp	Zombie.exe
File created	C:\Program Files\Windows Media Player\it-IT\wmplayer.exe.mui.tmp	Zombie.exe
File created	C:\Program Files\Internet Explorer\JSProfilerCore.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.inject_1.0.0.v20091030.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\bin\hprof.dll.tmp	Zombie.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\WPGIMP32.FLT.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Ushuaia.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\security\javafx.policy.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-multiview.xml.tmp	Zombie.exe
File created	C:\Program Files\Mozilla Firefox\firefox.cfg.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\passport.png.tmp	Zombie.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf.tmp	Zombie.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annots.api.tmp	Zombie.exe
File created	C:\Program Files\MoveSet.potm.tmp	Zombie.exe
File created	C:\Program Files\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\css\weather.css.tmp	Zombie.exe
File created	C:\Program Files\Common Files\System\ado\msado26.tlb.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\16_9-frame-highlight.png.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-7.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\NavigationButtonSubpicture.png.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\square_m.png.tmp	Zombie.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_same_reviewers.gif.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jvmstat_ja.jar.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_75_ffe45c_1x100.png.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\flyout.html.tmp	Zombie.exe
File created	C:\Program Files\Google\Chrome\Application\master_preferences.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Nicosia.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_few-showers.png.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\COPYRIGHT.tmp	Zombie.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\de-DE\rtscom.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\setNetworkServerCP.bat.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help_3.6.0.v20130326-1254.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\bin\jfxwebkit.dll.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\rtscom.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-editor-mimelookup.jar.tmp	Zombie.exe
File created	C:\Program Files\Mozilla Firefox\browser\VisualElements\PrivateBrowsing_70.png.tmp	Zombie.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\UIAutomationClientsideProviders.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\js\clock.js.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\journal.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\triggerConstraints.exsd.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-modules-appui_zh_CN.jar.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sk\LC_MESSAGES\vlc.mo.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_output\libcaca_plugin.dll.tmp	Zombie.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\mshwLatin.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-editor-mimelookup_zh_CN.jar.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\vlc.mo.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-previous-static.png.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\feature.xml.tmp	Zombie.exe
File created	C:\Program Files\Windows Journal\es-ES\jnwmon.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Games\Hearts\es-ES\Hearts.exe.mui.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\lua\modules\dkjson.luac.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libflacsys_plugin.dll.tmp	Zombie.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE.tmp	Zombie.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2976	_setup.exe
2976	_setup.exe
2976	_setup.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1516 wrote to memory of 1228	1516	87a218d141c61d1f3d88633d5f72c22b96c9e62737a622d75c74d525637f39f3.exe	28
PID 1516 wrote to memory of 1228	1516	87a218d141c61d1f3d88633d5f72c22b96c9e62737a622d75c74d525637f39f3.exe	28
PID 1516 wrote to memory of 1228	1516	87a218d141c61d1f3d88633d5f72c22b96c9e62737a622d75c74d525637f39f3.exe	28
PID 1516 wrote to memory of 1228	1516	87a218d141c61d1f3d88633d5f72c22b96c9e62737a622d75c74d525637f39f3.exe	28
PID 1516 wrote to memory of 2976	1516	87a218d141c61d1f3d88633d5f72c22b96c9e62737a622d75c74d525637f39f3.exe	29
PID 1516 wrote to memory of 2976	1516	87a218d141c61d1f3d88633d5f72c22b96c9e62737a622d75c74d525637f39f3.exe	29
PID 1516 wrote to memory of 2976	1516	87a218d141c61d1f3d88633d5f72c22b96c9e62737a622d75c74d525637f39f3.exe	29
PID 1516 wrote to memory of 2976	1516	87a218d141c61d1f3d88633d5f72c22b96c9e62737a622d75c74d525637f39f3.exe	29
PID 1516 wrote to memory of 2976	1516	87a218d141c61d1f3d88633d5f72c22b96c9e62737a622d75c74d525637f39f3.exe	29
PID 1516 wrote to memory of 2976	1516	87a218d141c61d1f3d88633d5f72c22b96c9e62737a622d75c74d525637f39f3.exe	29
PID 1516 wrote to memory of 2976	1516	87a218d141c61d1f3d88633d5f72c22b96c9e62737a622d75c74d525637f39f3.exe	29

C:\Users\Admin\AppData\Local\Temp\87a218d141c61d1f3d88633d5f72c22b96c9e62737a622d75c74d525637f39f3.exe
"C:\Users\Admin\AppData\Local\Temp\87a218d141c61d1f3d88633d5f72c22b96c9e62737a622d75c74d525637f39f3.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1516
- C:\Windows\SysWOW64\Zombie.exe
  "C:\Windows\system32\Zombie.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:1228
- C:\Users\Admin\AppData\Local\Temp\_setup.exe
  "_setup.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2976

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-481678230-3773327859-3495911762-1000\desktop.ini.tmp

Filesize
45KB

MD5
b5ad52330b3909d1fc8c7f8f80131371

SHA1
8ff3e72fb568673f50c0c66305e8270e69171b29

SHA256
2bffb99a326bf2867d6cbfd83aa84d3394fdc755d7be54a27a5af6f54f28a83a

SHA512
e182c112a3e683291662b490f47d628a9eada0478a8fe8ffa7e327406b483b3e61dbed8b6349ba7e664fc755c79952994fdab60da6ce2deaa6f779b8defd7e60

Download Submit
\Users\Admin\AppData\Local\Temp\_setup.exe

Filesize
457KB

MD5
446366ca32877e2290d0bd8f22e11809

SHA1
b620d296d53566d9a07c1cabc92c50d0f5c4f34a

SHA256
4b76c0ea832d58966f824cfedb9a3831b1c286b13cc22d56e29dad7966847184

SHA512
edbb4cd70b9c372f827136db217087451732f83a34af854ff031a659e9aee0fe849c0005a38d2bd19f438f8277147101a577fa900b89e2e1f804b369134255cf

Download Submit
\Windows\SysWOW64\Zombie.exe

Filesize
45KB

MD5
5da943d5defacbf3c7637db9d666199e

SHA1
893e468bc234b4341d91912321a704d3b1079e5f

SHA256
6021df60b1cbb78a6859f6d0d329a66877100343202255f45b7d677c5a41dd9c

SHA512
c987ca49057cb3ddb89c837d6a4786c2e0aa3fa0db17e2c35ccb3236c29e06b647ccbcfaa0fd4dfe07bd81c8a9ce8f28e06c8d0ca84125244e45b03d8440bb66

Download Submit