Overview

overview

8

Static

static

1

ZoomInfoCo...or.exe

windows7_x64

8

ZoomInfoCo...or.exe

windows10_x64

7

Resubmissions

19-11-2020 18:39

201119-egd25376vj 8

19-11-2020 18:34

201119-tarl1zn5le 7

19-11-2020 18:27

201119-tgzwfyek82 7

19-11-2020 18:17

201119-rg6nfjeppe 8

19-11-2020 18:00

201119-1e1ky8mt2j 8

Analysis

  • max time kernel
    106s
  • max time network
    136s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    19-11-2020 18:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ZoomInfoContactContributor.exe

  • Size

    259KB

  • MD5

    0b5719e9fd40b85d4d95e475e9431cd0

  • SHA1

    132151d26e61d2fda4e4b31eb376a41ea0d56e6d

  • SHA256

    2aa9f15810e2c55dbc8522e386d76d1a8fb3a63a712b33e17bd2139a7b45c76b

  • SHA512

    ed17497df8e53eb9a49ff3d6ed5bf8d84f17a045947a4b474204a8bf06254f8a801be1243599e526123ccc5e88af389f718021409567ac86ed28d988afd3d1cf

Score
8/10
discoverypersistencepyinstaller

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 16 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Detects Pyinstaller 3 IoCs
    pyinstaller
  • NSIS installer 2 IoCs
    installer
  • Modifies Internet Explorer settings 1 TTPs 65 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ZoomInfoContactContributor.exe
    "C:\Users\Admin\AppData\Local\Temp\ZoomInfoContactContributor.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:752
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\ZoomInfoCEUtility\launch.bat""
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:608
      • C:\Users\Admin\AppData\Local\ZoomInfoCEUtility\2214\coordinator.exe
        "C:\Users\Admin\AppData\Local\ZoomInfoCEUtility\2214\coordinator.exe"
        3⤵
        • Executes dropped EXE
        PID:1468
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://cswapper.freshcontacts.com/client/installsuccess?client_version=62&os_version=Windows 6.1 Service Pack 1 7601 64 [ ]&outlook_version=14&outlook_bitness=32&autostart=1&client_id={63152E97-C012-4C96-A81D-F8D4104D74DD}&reachout=true&appid=3
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1836
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1836 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1656

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

Query Registry

1
T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    MD5

    fafd51b5380e011583e99da8b0d8b683

    SHA1

    3bc78c5d06fc563693df2361d774a3fdb571b1e7

    SHA256

    f6f1edc575ca109f1812066ca3ebb09df0b9234f64af478490defa0e891125eb

    SHA512

    2965e0a142d4b4ed9da1ddb8b29d7778f6938e98cf4798746e5041840e7eed763d30c35f195353d5fd398f2fc21aae230a77d6ebdef868d56720760000a9f29b

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\s7iy1jn\imagestore.dat
    MD5

    7e4c38ad056035353bff543b42dbe27c

    SHA1

    f4e09d96dd3d2e255327ceb353f2e049bf2cc2f4

    SHA256

    14d28602d7c6593a9096b34664546b555297e3a634d09fa038064942d3b55562

    SHA512

    1b64abc191323de03d107f96d5e5d830a336ec96f4bb68a61b02ae0483b7ff6cf8012db09ab31a301b38c343893f04dd13fecfffce27fd2119bbb86d139cc605

    Download Submit
  • C:\Users\Admin\AppData\Local\ZoomInfoCEUtility\2214\coordinator.exe
    MD5

    d4ead13be3274f2b42fb3b53ff142cd9

    SHA1

    d7cb84bcb2c3e4f57171462000c125f35e63f7e8

    SHA256

    554f8fea1460df263070edd9f0b5cf2905fa677e744b53734ffc0b321ca311b2

    SHA512

    6aada02815a75297f57c81cb8ac3db54b8cfd4888d586445f23b6f7296c9a9a167bafe5a3f581bd795e4f18e7a0cde660c9552612d706dbd88e3121477111233

    Download Submit
  • C:\Users\Admin\AppData\Local\ZoomInfoCEUtility\2214\coordinator.exe
    MD5

    d4ead13be3274f2b42fb3b53ff142cd9

    SHA1

    d7cb84bcb2c3e4f57171462000c125f35e63f7e8

    SHA256

    554f8fea1460df263070edd9f0b5cf2905fa677e744b53734ffc0b321ca311b2

    SHA512

    6aada02815a75297f57c81cb8ac3db54b8cfd4888d586445f23b6f7296c9a9a167bafe5a3f581bd795e4f18e7a0cde660c9552612d706dbd88e3121477111233

    Download Submit
  • C:\Users\Admin\AppData\Local\ZoomInfoCEUtility\launch.bat
    MD5

    fd4594751cb4a3b23e54ae582c4dd0e8

    SHA1

    13218cd2470e14221f6fce227a056ca489c98fa7

    SHA256

    5d7a9c239af404e403f16dd2f1383aee58721c5cfd66e4e1a40e41aec2da057e

    SHA512

    34af0afd31ad70d21f642c56d1d14491a82213c2f524c9c24037173109ce88267257a33ee0a03cc8ce430697823833c4567b5fa457c9e8ab29ca638dff85131e

    Download Submit
  • C:\Users\Admin\AppData\Local\ZoomInfoCEUtility\version.dat
    MD5

    f3d9de86462c28781cbe5c47ef22c3e5

    SHA1

    5ec475005d2a5e68419080231b038c154aefaeed

    SHA256

    4ff57f0bce33b3f1663fb61a77e73fa4a65692726efb43b547ce6ceaa37145f6

    SHA512

    b47286c41cab48b98af5facde13b16de6873b1f0708ec173c9a8a087c9b6c54e8be836aca17d5b0cfb4fc6d963787a8d995b85bf2c8b90249edb91eb005799e3

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\1K6NSDEC.txt
    MD5

    e31a9372e509a593099ec43d41c8ef91

    SHA1

    fad5f711dbf5f9e28e0c4d9c438ea5b0dd0d1e60

    SHA256

    5779a48aea41fea623d793077444580157d8831cf237066df7fb7f6b85c7d5b4

    SHA512

    9f600e9b5e1d95fbf317d3d7854796048ca0a2b834cc3d69babe2b7fe54544d1fd18ccf9ed29689c0e235b23b355eabb6283b64d2cb4b312bd8ffd79373ca725

    Download Submit
  • \Users\Admin\AppData\Local\Temp\nsc697D.tmp\FindProcDLL.dll
    MD5

    83cd62eab980e3d64c131799608c8371

    SHA1

    5b57a6842a154997e31fab573c5754b358f5dd1c

    SHA256

    a6122e80f1c51dc72770b4f56c7c482f7a9571143fbf83b19c4d141d0cb19294

    SHA512

    91cfbcc125600ec341f5571dcf1e4a814cf7673f82cf42f32155bd54791bbf32619f2bb14ae871d7996e9ddecdfcc5db40caa0979d6dfba3e73cfe8e69c163c9

    Download Submit
  • \Users\Admin\AppData\Local\Temp\nsc697D.tmp\GetVersion.dll
    MD5

    2e2412281a205ed8d53aafb3ef770a2d

    SHA1

    3cae4138e8226866236cf34f8fb00dafb0954d97

    SHA256

    db09adb6e17b6a0b31823802431ff5209018ee8c77a193ac8077e42e5f15fb00

    SHA512

    6d57249b7e02e1dfed2e297ec35fb375ecf3abc893d68694f4fa5f2e82ec68c129af9cc5ce3dd4025147309c0832a2847b69334138f3d29c5572ff4e1b16f219

    Download Submit
  • \Users\Admin\AppData\Local\Temp\nsc697D.tmp\GetVersion.dll
    MD5

    2e2412281a205ed8d53aafb3ef770a2d

    SHA1

    3cae4138e8226866236cf34f8fb00dafb0954d97

    SHA256

    db09adb6e17b6a0b31823802431ff5209018ee8c77a193ac8077e42e5f15fb00

    SHA512

    6d57249b7e02e1dfed2e297ec35fb375ecf3abc893d68694f4fa5f2e82ec68c129af9cc5ce3dd4025147309c0832a2847b69334138f3d29c5572ff4e1b16f219

    Download Submit
  • \Users\Admin\AppData\Local\Temp\nsc697D.tmp\GetVersion.dll
    MD5

    2e2412281a205ed8d53aafb3ef770a2d

    SHA1

    3cae4138e8226866236cf34f8fb00dafb0954d97

    SHA256

    db09adb6e17b6a0b31823802431ff5209018ee8c77a193ac8077e42e5f15fb00

    SHA512

    6d57249b7e02e1dfed2e297ec35fb375ecf3abc893d68694f4fa5f2e82ec68c129af9cc5ce3dd4025147309c0832a2847b69334138f3d29c5572ff4e1b16f219

    Download Submit
  • \Users\Admin\AppData\Local\Temp\nsc697D.tmp\GetVersion.dll
    MD5

    2e2412281a205ed8d53aafb3ef770a2d

    SHA1

    3cae4138e8226866236cf34f8fb00dafb0954d97

    SHA256

    db09adb6e17b6a0b31823802431ff5209018ee8c77a193ac8077e42e5f15fb00

    SHA512

    6d57249b7e02e1dfed2e297ec35fb375ecf3abc893d68694f4fa5f2e82ec68c129af9cc5ce3dd4025147309c0832a2847b69334138f3d29c5572ff4e1b16f219

    Download Submit
  • \Users\Admin\AppData\Local\Temp\nsc697D.tmp\GetVersion.dll
    MD5

    2e2412281a205ed8d53aafb3ef770a2d

    SHA1

    3cae4138e8226866236cf34f8fb00dafb0954d97

    SHA256

    db09adb6e17b6a0b31823802431ff5209018ee8c77a193ac8077e42e5f15fb00

    SHA512

    6d57249b7e02e1dfed2e297ec35fb375ecf3abc893d68694f4fa5f2e82ec68c129af9cc5ce3dd4025147309c0832a2847b69334138f3d29c5572ff4e1b16f219

    Download Submit
  • \Users\Admin\AppData\Local\Temp\nsc697D.tmp\GetVersion.dll
    MD5

    2e2412281a205ed8d53aafb3ef770a2d

    SHA1

    3cae4138e8226866236cf34f8fb00dafb0954d97

    SHA256

    db09adb6e17b6a0b31823802431ff5209018ee8c77a193ac8077e42e5f15fb00

    SHA512

    6d57249b7e02e1dfed2e297ec35fb375ecf3abc893d68694f4fa5f2e82ec68c129af9cc5ce3dd4025147309c0832a2847b69334138f3d29c5572ff4e1b16f219

    Download Submit
  • \Users\Admin\AppData\Local\Temp\nsc697D.tmp\GetVersion.dll
    MD5

    2e2412281a205ed8d53aafb3ef770a2d

    SHA1

    3cae4138e8226866236cf34f8fb00dafb0954d97

    SHA256

    db09adb6e17b6a0b31823802431ff5209018ee8c77a193ac8077e42e5f15fb00

    SHA512

    6d57249b7e02e1dfed2e297ec35fb375ecf3abc893d68694f4fa5f2e82ec68c129af9cc5ce3dd4025147309c0832a2847b69334138f3d29c5572ff4e1b16f219

    Download Submit
  • \Users\Admin\AppData\Local\Temp\nsc697D.tmp\GetVersion.dll
    MD5

    2e2412281a205ed8d53aafb3ef770a2d

    SHA1

    3cae4138e8226866236cf34f8fb00dafb0954d97

    SHA256

    db09adb6e17b6a0b31823802431ff5209018ee8c77a193ac8077e42e5f15fb00

    SHA512

    6d57249b7e02e1dfed2e297ec35fb375ecf3abc893d68694f4fa5f2e82ec68c129af9cc5ce3dd4025147309c0832a2847b69334138f3d29c5572ff4e1b16f219

    Download Submit
  • \Users\Admin\AppData\Local\Temp\nsc697D.tmp\NSISdl.dll
    MD5

    a5f8399a743ab7f9c88c645c35b1ebb5

    SHA1

    168f3c158913b0367bf79fa413357fbe97018191

    SHA256

    dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

    SHA512

    824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

    Download Submit
  • \Users\Admin\AppData\Local\Temp\nsc697D.tmp\NSISdl.dll
    MD5

    a5f8399a743ab7f9c88c645c35b1ebb5

    SHA1

    168f3c158913b0367bf79fa413357fbe97018191

    SHA256

    dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

    SHA512

    824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

    Download Submit
  • \Users\Admin\AppData\Local\Temp\nsc697D.tmp\System.dll
    MD5

    c17103ae9072a06da581dec998343fc1

    SHA1

    b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

    SHA256

    dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

    SHA512

    d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

    Download Submit
  • \Users\Admin\AppData\Local\Temp\nsc697D.tmp\nsDialogs.dll
    MD5

    c10e04dd4ad4277d5adc951bb331c777

    SHA1

    b1e30808198a3ae6d6d1cca62df8893dc2a7ad43

    SHA256

    e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a

    SHA512

    853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e

    Download Submit
  • \Users\Admin\AppData\Local\Temp\nsc697D.tmp\nsisunz.dll
    MD5

    5f13dbc378792f23e598079fc1e4422b

    SHA1

    5813c05802f15930aa860b8363af2b58426c8adf

    SHA256

    6e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d

    SHA512

    9270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5

    Download Submit
  • \Users\Admin\AppData\Local\ZoomInfoCEUtility\2214\coordinator.exe
    MD5

    d4ead13be3274f2b42fb3b53ff142cd9

    SHA1

    d7cb84bcb2c3e4f57171462000c125f35e63f7e8

    SHA256

    554f8fea1460df263070edd9f0b5cf2905fa677e744b53734ffc0b321ca311b2

    SHA512

    6aada02815a75297f57c81cb8ac3db54b8cfd4888d586445f23b6f7296c9a9a167bafe5a3f581bd795e4f18e7a0cde660c9552612d706dbd88e3121477111233

    Download Submit
  • \Users\Admin\AppData\Local\ZoomInfoCEUtility\uninstall.exe
    MD5

    80c52c4e77d49a21c61cd1f2809e82c2

    SHA1

    ffc2bdc4c18c60340c04b65e19b19479e3447f52

    SHA256

    4e12c7c834cc57263432dd0925de522a4aab07a0532a4693ea5d90aca6aaaa38

    SHA512

    1a96e0978f9837f870fb95e9922b54263852a814a444a9dd692d41671f2e711080940734327eba32cdd12e71048fbe250b3ea7b4033ff834f4beff26b0939fea

    Download Submit
  • memory/608-17-0x0000000000000000-mapping.dmp
    Download
  • memory/752-16-0x0000000003450000-0x0000000003551000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/1004-27-0x000007FEF7500000-0x000007FEF777A000-memory.dmp
    Filesize

    2.5MB

    Download
  • memory/1468-24-0x0000000000000000-mapping.dmp
    Download
  • memory/1468-23-0x0000000000000000-mapping.dmp
    Download
  • memory/1656-28-0x0000000000000000-mapping.dmp
    Download
  • memory/1836-26-0x0000000000000000-mapping.dmp
    Download