Resubmissions

19-11-2020 18:39

201119-egd25376vj 8

19-11-2020 18:34

201119-tarl1zn5le 7

19-11-2020 18:27

201119-tgzwfyek82 7

19-11-2020 18:17

201119-rg6nfjeppe 8

19-11-2020 18:00

201119-1e1ky8mt2j 8

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    19-11-2020 18:00

General

  • Target

    ZoomInfoContactContributor.exe

  • Size

    259KB

  • MD5

    0b5719e9fd40b85d4d95e475e9431cd0

  • SHA1

    132151d26e61d2fda4e4b31eb376a41ea0d56e6d

  • SHA256

    2aa9f15810e2c55dbc8522e386d76d1a8fb3a63a712b33e17bd2139a7b45c76b

  • SHA512

    ed17497df8e53eb9a49ff3d6ed5bf8d84f17a045947a4b474204a8bf06254f8a801be1243599e526123ccc5e88af389f718021409567ac86ed28d988afd3d1cf

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 19 IoCs
  • Drops file in Windows directory 1 IoCs
  • Modifies Control Panel 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
  • Modifies registry class 391 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 61 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ZoomInfoContactContributor.exe
    "C:\Users\Admin\AppData\Local\Temp\ZoomInfoContactContributor.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    PID:4684
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
    1⤵
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:1868
  • C:\Windows\system32\browser_broker.exe
    C:\Windows\system32\browser_broker.exe -Embedding
    1⤵
    • Modifies Internet Explorer settings
    PID:992
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies registry class
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2424
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:2756
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:4608
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2816
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    PID:3544
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies registry class
    PID:5112

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Defense Evasion
    Modify Registry (1) T1112
  • Discovery
    Query Registry (1) T1012
    System Information Discovery (1) T1082

Downloads

  • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    MD5

    dc099c19530cb428e987d49a5cb7fd37

    SHA1

    4ae9f585e7072c95eabf0513ec290e38d3317b27

    SHA256

    6d1480c4496a1f189a2023835dd411c01528a6ec271497437d7a04fc5ef4f049

    SHA512

    35d813738e9de113275c91d21ed0aa14ff79918cb5a551d730452a4072d672d0a5cde270a8d512c45dcdba5b456a67e9aec86135f842c8136e2511de7888daed

  • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6
    MD5

    81115e5e6bc58610924521c68e4388e9

    SHA1

    c2ead5456fa6dc55584a73c13aef1bd4c87ef408

    SHA256

    e6f401becd6320696a20407c31482ad05b72c23516ba6a58c58b36135516c0c1

    SHA512

    3a5349494a001914fe667cfdc6951c4a7d79c348980d905f69c1afa13b04cc13f1296ffa515a8503f64c00583e764f84733df40830fbc4958cbf632517da874a

  • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    MD5

    b1973390b5d9d627ec5d2772a1628eeb

    SHA1

    88b99721dc6a1023f8c23511910e3a2d00e26a49

    SHA256

    b78a03fc4999e6209d0ce4411d5665d7142da49d8491253345696ceccd052b4d

    SHA512

    f4469255dd96130a9d934c9f9ea847035d703d45b966f351326ae54377b1eafe6dabf777806be9b4a0c18215e603de730e5e9ac2712dc083b8d8712dc92949aa

  • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6
    MD5

    9eb7f0b1f65c0c5fc3d80e9d5da8f6a9

    SHA1

    37b05917657ab4cec2e82f46e19ab5730002d4b8

    SHA256

    1a3535969633f0fc13e86982339a3b43bf2bc922f8d4c3b94b4f3bb920ac6cff

    SHA512

    8af0c74a702e3e9fa12bd3ca208c3795d82364abf41cb7e37a7cde695136a2699173b8dfbb51afede9abb8e11b65b60d73ddf5c1eb6cc4ac8307f6c0005bb69d

  • \Users\Admin\AppData\Local\Temp\nsi4F01.tmp\GetVersion.dll
    MD5

    2e2412281a205ed8d53aafb3ef770a2d

    SHA1

    3cae4138e8226866236cf34f8fb00dafb0954d97

    SHA256

    db09adb6e17b6a0b31823802431ff5209018ee8c77a193ac8077e42e5f15fb00

    SHA512

    6d57249b7e02e1dfed2e297ec35fb375ecf3abc893d68694f4fa5f2e82ec68c129af9cc5ce3dd4025147309c0832a2847b69334138f3d29c5572ff4e1b16f219

  • \Users\Admin\AppData\Local\Temp\nsi4F01.tmp\NSISdl.dll
    MD5

    a5f8399a743ab7f9c88c645c35b1ebb5

    SHA1

    168f3c158913b0367bf79fa413357fbe97018191

    SHA256

    dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

    SHA512

    824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

  • \Users\Admin\AppData\Local\Temp\nsi4F01.tmp\System.dll
    MD5

    c17103ae9072a06da581dec998343fc1

    SHA1

    b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

    SHA256

    dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

    SHA512

    d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f