Overview

overview

7

Static

static

1

ZoomInfoCo...or.exe

windows7_x64

7

ZoomInfoCo...or.exe

windows10_x64

7

Resubmissions

19-11-2020 18:39

201119-egd25376vj 8

19-11-2020 18:34

201119-tarl1zn5le 7

19-11-2020 18:27

201119-tgzwfyek82 7

19-11-2020 18:17

201119-rg6nfjeppe 8

19-11-2020 18:00

201119-1e1ky8mt2j 8

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    19-11-2020 18:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ZoomInfoContactContributor.exe

  • Size

    259KB

  • MD5

    0b5719e9fd40b85d4d95e475e9431cd0

  • SHA1

    132151d26e61d2fda4e4b31eb376a41ea0d56e6d

  • SHA256

    2aa9f15810e2c55dbc8522e386d76d1a8fb3a63a712b33e17bd2139a7b45c76b

  • SHA512

    ed17497df8e53eb9a49ff3d6ed5bf8d84f17a045947a4b474204a8bf06254f8a801be1243599e526123ccc5e88af389f718021409567ac86ed28d988afd3d1cf

Score
7/10
spyware

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 19 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Drops file in Windows directory 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Control Panel 1 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
    adwarespyware
  • Modifies registry class 268 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ZoomInfoContactContributor.exe
    "C:\Users\Admin\AppData\Local\Temp\ZoomInfoContactContributor.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    PID:656
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
    1⤵
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:2068
  • C:\Windows\system32\browser_broker.exe
    C:\Windows\system32\browser_broker.exe -Embedding
    1⤵
    • Modifies Internet Explorer settings
    PID:3836
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies registry class
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2328
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:60
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4240
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4316
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4316.0.54094600\257398872" -parentBuildID 20200403170909 -prefsHandle 1524 -prefMapHandle 1516 -prefsLen 1 -prefMapSize 219631 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4316 "\\.\pipe\gecko-crash-server-pipe.4316" 1624 gpu
        3⤵
          PID:4372
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      PID:4520
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Modifies registry class
      PID:5004
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Modifies registry class
      PID:4104

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Credentials in Files

    1
    T1081

    Discovery

    Query Registry

    2
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • \Users\Admin\AppData\Local\Temp\nsg56D1.tmp\GetVersion.dll
      MD5

      2e2412281a205ed8d53aafb3ef770a2d

      SHA1

      3cae4138e8226866236cf34f8fb00dafb0954d97

      SHA256

      db09adb6e17b6a0b31823802431ff5209018ee8c77a193ac8077e42e5f15fb00

      SHA512

      6d57249b7e02e1dfed2e297ec35fb375ecf3abc893d68694f4fa5f2e82ec68c129af9cc5ce3dd4025147309c0832a2847b69334138f3d29c5572ff4e1b16f219

      Download Submit
    • \Users\Admin\AppData\Local\Temp\nsg56D1.tmp\GetVersion.dll
      MD5

      2e2412281a205ed8d53aafb3ef770a2d

      SHA1

      3cae4138e8226866236cf34f8fb00dafb0954d97

      SHA256

      db09adb6e17b6a0b31823802431ff5209018ee8c77a193ac8077e42e5f15fb00

      SHA512

      6d57249b7e02e1dfed2e297ec35fb375ecf3abc893d68694f4fa5f2e82ec68c129af9cc5ce3dd4025147309c0832a2847b69334138f3d29c5572ff4e1b16f219

      Download Submit
    • \Users\Admin\AppData\Local\Temp\nsg56D1.tmp\GetVersion.dll
      MD5

      2e2412281a205ed8d53aafb3ef770a2d

      SHA1

      3cae4138e8226866236cf34f8fb00dafb0954d97

      SHA256

      db09adb6e17b6a0b31823802431ff5209018ee8c77a193ac8077e42e5f15fb00

      SHA512

      6d57249b7e02e1dfed2e297ec35fb375ecf3abc893d68694f4fa5f2e82ec68c129af9cc5ce3dd4025147309c0832a2847b69334138f3d29c5572ff4e1b16f219

      Download Submit
    • \Users\Admin\AppData\Local\Temp\nsg56D1.tmp\GetVersion.dll
      MD5

      2e2412281a205ed8d53aafb3ef770a2d

      SHA1

      3cae4138e8226866236cf34f8fb00dafb0954d97

      SHA256

      db09adb6e17b6a0b31823802431ff5209018ee8c77a193ac8077e42e5f15fb00

      SHA512

      6d57249b7e02e1dfed2e297ec35fb375ecf3abc893d68694f4fa5f2e82ec68c129af9cc5ce3dd4025147309c0832a2847b69334138f3d29c5572ff4e1b16f219

      Download Submit
    • \Users\Admin\AppData\Local\Temp\nsg56D1.tmp\GetVersion.dll
      MD5

      2e2412281a205ed8d53aafb3ef770a2d

      SHA1

      3cae4138e8226866236cf34f8fb00dafb0954d97

      SHA256

      db09adb6e17b6a0b31823802431ff5209018ee8c77a193ac8077e42e5f15fb00

      SHA512

      6d57249b7e02e1dfed2e297ec35fb375ecf3abc893d68694f4fa5f2e82ec68c129af9cc5ce3dd4025147309c0832a2847b69334138f3d29c5572ff4e1b16f219

      Download Submit
    • \Users\Admin\AppData\Local\Temp\nsg56D1.tmp\GetVersion.dll
      MD5

      2e2412281a205ed8d53aafb3ef770a2d

      SHA1

      3cae4138e8226866236cf34f8fb00dafb0954d97

      SHA256

      db09adb6e17b6a0b31823802431ff5209018ee8c77a193ac8077e42e5f15fb00

      SHA512

      6d57249b7e02e1dfed2e297ec35fb375ecf3abc893d68694f4fa5f2e82ec68c129af9cc5ce3dd4025147309c0832a2847b69334138f3d29c5572ff4e1b16f219

      Download Submit
    • \Users\Admin\AppData\Local\Temp\nsg56D1.tmp\GetVersion.dll
      MD5

      2e2412281a205ed8d53aafb3ef770a2d

      SHA1

      3cae4138e8226866236cf34f8fb00dafb0954d97

      SHA256

      db09adb6e17b6a0b31823802431ff5209018ee8c77a193ac8077e42e5f15fb00

      SHA512

      6d57249b7e02e1dfed2e297ec35fb375ecf3abc893d68694f4fa5f2e82ec68c129af9cc5ce3dd4025147309c0832a2847b69334138f3d29c5572ff4e1b16f219

      Download Submit
    • \Users\Admin\AppData\Local\Temp\nsg56D1.tmp\GetVersion.dll
      MD5

      2e2412281a205ed8d53aafb3ef770a2d

      SHA1

      3cae4138e8226866236cf34f8fb00dafb0954d97

      SHA256

      db09adb6e17b6a0b31823802431ff5209018ee8c77a193ac8077e42e5f15fb00

      SHA512

      6d57249b7e02e1dfed2e297ec35fb375ecf3abc893d68694f4fa5f2e82ec68c129af9cc5ce3dd4025147309c0832a2847b69334138f3d29c5572ff4e1b16f219

      Download Submit
    • \Users\Admin\AppData\Local\Temp\nsg56D1.tmp\GetVersion.dll
      MD5

      2e2412281a205ed8d53aafb3ef770a2d

      SHA1

      3cae4138e8226866236cf34f8fb00dafb0954d97

      SHA256

      db09adb6e17b6a0b31823802431ff5209018ee8c77a193ac8077e42e5f15fb00

      SHA512

      6d57249b7e02e1dfed2e297ec35fb375ecf3abc893d68694f4fa5f2e82ec68c129af9cc5ce3dd4025147309c0832a2847b69334138f3d29c5572ff4e1b16f219

      Download Submit
    • \Users\Admin\AppData\Local\Temp\nsg56D1.tmp\GetVersion.dll
      MD5

      2e2412281a205ed8d53aafb3ef770a2d

      SHA1

      3cae4138e8226866236cf34f8fb00dafb0954d97

      SHA256

      db09adb6e17b6a0b31823802431ff5209018ee8c77a193ac8077e42e5f15fb00

      SHA512

      6d57249b7e02e1dfed2e297ec35fb375ecf3abc893d68694f4fa5f2e82ec68c129af9cc5ce3dd4025147309c0832a2847b69334138f3d29c5572ff4e1b16f219

      Download Submit
    • \Users\Admin\AppData\Local\Temp\nsg56D1.tmp\GetVersion.dll
      MD5

      2e2412281a205ed8d53aafb3ef770a2d

      SHA1

      3cae4138e8226866236cf34f8fb00dafb0954d97

      SHA256

      db09adb6e17b6a0b31823802431ff5209018ee8c77a193ac8077e42e5f15fb00

      SHA512

      6d57249b7e02e1dfed2e297ec35fb375ecf3abc893d68694f4fa5f2e82ec68c129af9cc5ce3dd4025147309c0832a2847b69334138f3d29c5572ff4e1b16f219

      Download Submit
    • \Users\Admin\AppData\Local\Temp\nsg56D1.tmp\GetVersion.dll
      MD5

      2e2412281a205ed8d53aafb3ef770a2d

      SHA1

      3cae4138e8226866236cf34f8fb00dafb0954d97

      SHA256

      db09adb6e17b6a0b31823802431ff5209018ee8c77a193ac8077e42e5f15fb00

      SHA512

      6d57249b7e02e1dfed2e297ec35fb375ecf3abc893d68694f4fa5f2e82ec68c129af9cc5ce3dd4025147309c0832a2847b69334138f3d29c5572ff4e1b16f219

      Download Submit
    • \Users\Admin\AppData\Local\Temp\nsg56D1.tmp\GetVersion.dll
      MD5

      2e2412281a205ed8d53aafb3ef770a2d

      SHA1

      3cae4138e8226866236cf34f8fb00dafb0954d97

      SHA256

      db09adb6e17b6a0b31823802431ff5209018ee8c77a193ac8077e42e5f15fb00

      SHA512

      6d57249b7e02e1dfed2e297ec35fb375ecf3abc893d68694f4fa5f2e82ec68c129af9cc5ce3dd4025147309c0832a2847b69334138f3d29c5572ff4e1b16f219

      Download Submit
    • \Users\Admin\AppData\Local\Temp\nsg56D1.tmp\GetVersion.dll
      MD5

      2e2412281a205ed8d53aafb3ef770a2d

      SHA1

      3cae4138e8226866236cf34f8fb00dafb0954d97

      SHA256

      db09adb6e17b6a0b31823802431ff5209018ee8c77a193ac8077e42e5f15fb00

      SHA512

      6d57249b7e02e1dfed2e297ec35fb375ecf3abc893d68694f4fa5f2e82ec68c129af9cc5ce3dd4025147309c0832a2847b69334138f3d29c5572ff4e1b16f219

      Download Submit
    • \Users\Admin\AppData\Local\Temp\nsg56D1.tmp\GetVersion.dll
      MD5

      2e2412281a205ed8d53aafb3ef770a2d

      SHA1

      3cae4138e8226866236cf34f8fb00dafb0954d97

      SHA256

      db09adb6e17b6a0b31823802431ff5209018ee8c77a193ac8077e42e5f15fb00

      SHA512

      6d57249b7e02e1dfed2e297ec35fb375ecf3abc893d68694f4fa5f2e82ec68c129af9cc5ce3dd4025147309c0832a2847b69334138f3d29c5572ff4e1b16f219

      Download Submit
    • \Users\Admin\AppData\Local\Temp\nsg56D1.tmp\GetVersion.dll
      MD5

      2e2412281a205ed8d53aafb3ef770a2d

      SHA1

      3cae4138e8226866236cf34f8fb00dafb0954d97

      SHA256

      db09adb6e17b6a0b31823802431ff5209018ee8c77a193ac8077e42e5f15fb00

      SHA512

      6d57249b7e02e1dfed2e297ec35fb375ecf3abc893d68694f4fa5f2e82ec68c129af9cc5ce3dd4025147309c0832a2847b69334138f3d29c5572ff4e1b16f219

      Download Submit
    • \Users\Admin\AppData\Local\Temp\nsg56D1.tmp\NSISdl.dll
      MD5

      a5f8399a743ab7f9c88c645c35b1ebb5

      SHA1

      168f3c158913b0367bf79fa413357fbe97018191

      SHA256

      dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

      SHA512

      824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

      Download Submit
    • \Users\Admin\AppData\Local\Temp\nsg56D1.tmp\NSISdl.dll
      MD5

      a5f8399a743ab7f9c88c645c35b1ebb5

      SHA1

      168f3c158913b0367bf79fa413357fbe97018191

      SHA256

      dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

      SHA512

      824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

      Download Submit
    • \Users\Admin\AppData\Local\Temp\nsg56D1.tmp\System.dll
      MD5

      c17103ae9072a06da581dec998343fc1

      SHA1

      b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

      SHA256

      dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

      SHA512

      d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

      Download Submit
    • memory/4316-19-0x0000000000000000-mapping.dmp
      Download
    • memory/4372-237-0x0000000000000000-mapping.dmp
      Download