Overview

overview

7

Static

static

1

ZoomInfoCo...or.exe

windows7_x64

7

ZoomInfoCo...or.exe

windows10_x64

7

Resubmissions

19-11-2020 18:39

201119-egd25376vj 8

19-11-2020 18:34

201119-tarl1zn5le 7

19-11-2020 18:27

201119-tgzwfyek82 7

19-11-2020 18:17

201119-rg6nfjeppe 8

19-11-2020 18:00

201119-1e1ky8mt2j 8

Analysis

  • max time kernel
    149s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    19-11-2020 18:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ZoomInfoContactContributor.exe

  • Size

    259KB

  • MD5

    0b5719e9fd40b85d4d95e475e9431cd0

  • SHA1

    132151d26e61d2fda4e4b31eb376a41ea0d56e6d

  • SHA256

    2aa9f15810e2c55dbc8522e386d76d1a8fb3a63a712b33e17bd2139a7b45c76b

  • SHA512

    ed17497df8e53eb9a49ff3d6ed5bf8d84f17a045947a4b474204a8bf06254f8a801be1243599e526123ccc5e88af389f718021409567ac86ed28d988afd3d1cf

Score
7/10

Malware Config

Signatures

  • Loads dropped DLL 12 IoCs
  • Modifies Internet Explorer settings 1 TTPs 65 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ZoomInfoContactContributor.exe
    "C:\Users\Admin\AppData\Local\Temp\ZoomInfoContactContributor.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1668
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://cswapper.freshcontacts.com/client/installcancellation?client_version=62&cancellation_point=OutlookLaunch&os_version=Windows 6.1 Service Pack 1 7601 64 [ ]&outlook_version=14&outlook_bitness=32&client_id={804233C8-D34A-4F5E-BA24-3757AD19A101}&reachout=true&appid=3
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1072
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1072 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:688

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    MD5

    12e599e8a03c01f5979bda7098323e91

    SHA1

    4721353129f32fc9c3e2a0774a27b6e681b7bfd5

    SHA256

    3e49728bdb74968d8654682911388bd5daa7bcd11a0b6970d6ec3b21bb3b635c

    SHA512

    0b8bfa0b0b4be73aaa7b1085ed0ee365176c97134a2fe3f43a5863b822ee907742e68a6c794a11bc97458f49150e473d66251f2d7883adfcf55e37bdde199510

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\w5ukms8\imagestore.dat
    MD5

    23e5ec38010ab4e3a9f3c9701c79ec53

    SHA1

    3fb79e1b5aa0997fdadf3c1ae213b25e4c90cb5d

    SHA256

    18b56be177ed2e381d73d4de8bb03581a3cd66fec3429e1c7042f6ac903a7cca

    SHA512

    bb6e13e18a8b6ec8446477ec3a72c650e8fbfc38c35a56379fcdc16c359196ada9d1c7fbe506802238f1284447d30ed299b56795b0c54929f1965b142dd176f7

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\MSF8RRBJ.txt
    MD5

    9eacdd814aad3a39770c6d6fc4fdb554

    SHA1

    da5d9f5beb1625c9fdb3bd92d45bb683c508ab9f

    SHA256

    7f4540f974a6ad8b90d0249339b2826a1cc16a88c2f93dcb8c9546016702b224

    SHA512

    5519b99b6cfa8e8f6fb07c61c7ad2999848869ae952a6f886fe4a59c231e39f0b060d7a043c777dd1b42aaf60eabaa039f40c9992e467299f7e05650e1a2dc7e

    Download Submit
  • \Users\Admin\AppData\Local\Temp\nss1F5.tmp\FindProcDLL.dll
    MD5

    83cd62eab980e3d64c131799608c8371

    SHA1

    5b57a6842a154997e31fab573c5754b358f5dd1c

    SHA256

    a6122e80f1c51dc72770b4f56c7c482f7a9571143fbf83b19c4d141d0cb19294

    SHA512

    91cfbcc125600ec341f5571dcf1e4a814cf7673f82cf42f32155bd54791bbf32619f2bb14ae871d7996e9ddecdfcc5db40caa0979d6dfba3e73cfe8e69c163c9

    Download Submit
  • \Users\Admin\AppData\Local\Temp\nss1F5.tmp\GetVersion.dll
    MD5

    2e2412281a205ed8d53aafb3ef770a2d

    SHA1

    3cae4138e8226866236cf34f8fb00dafb0954d97

    SHA256

    db09adb6e17b6a0b31823802431ff5209018ee8c77a193ac8077e42e5f15fb00

    SHA512

    6d57249b7e02e1dfed2e297ec35fb375ecf3abc893d68694f4fa5f2e82ec68c129af9cc5ce3dd4025147309c0832a2847b69334138f3d29c5572ff4e1b16f219

    Download Submit
  • \Users\Admin\AppData\Local\Temp\nss1F5.tmp\GetVersion.dll
    MD5

    2e2412281a205ed8d53aafb3ef770a2d

    SHA1

    3cae4138e8226866236cf34f8fb00dafb0954d97

    SHA256

    db09adb6e17b6a0b31823802431ff5209018ee8c77a193ac8077e42e5f15fb00

    SHA512

    6d57249b7e02e1dfed2e297ec35fb375ecf3abc893d68694f4fa5f2e82ec68c129af9cc5ce3dd4025147309c0832a2847b69334138f3d29c5572ff4e1b16f219

    Download Submit
  • \Users\Admin\AppData\Local\Temp\nss1F5.tmp\GetVersion.dll
    MD5

    2e2412281a205ed8d53aafb3ef770a2d

    SHA1

    3cae4138e8226866236cf34f8fb00dafb0954d97

    SHA256

    db09adb6e17b6a0b31823802431ff5209018ee8c77a193ac8077e42e5f15fb00

    SHA512

    6d57249b7e02e1dfed2e297ec35fb375ecf3abc893d68694f4fa5f2e82ec68c129af9cc5ce3dd4025147309c0832a2847b69334138f3d29c5572ff4e1b16f219

    Download Submit
  • \Users\Admin\AppData\Local\Temp\nss1F5.tmp\GetVersion.dll
    MD5

    2e2412281a205ed8d53aafb3ef770a2d

    SHA1

    3cae4138e8226866236cf34f8fb00dafb0954d97

    SHA256

    db09adb6e17b6a0b31823802431ff5209018ee8c77a193ac8077e42e5f15fb00

    SHA512

    6d57249b7e02e1dfed2e297ec35fb375ecf3abc893d68694f4fa5f2e82ec68c129af9cc5ce3dd4025147309c0832a2847b69334138f3d29c5572ff4e1b16f219

    Download Submit
  • \Users\Admin\AppData\Local\Temp\nss1F5.tmp\GetVersion.dll
    MD5

    2e2412281a205ed8d53aafb3ef770a2d

    SHA1

    3cae4138e8226866236cf34f8fb00dafb0954d97

    SHA256

    db09adb6e17b6a0b31823802431ff5209018ee8c77a193ac8077e42e5f15fb00

    SHA512

    6d57249b7e02e1dfed2e297ec35fb375ecf3abc893d68694f4fa5f2e82ec68c129af9cc5ce3dd4025147309c0832a2847b69334138f3d29c5572ff4e1b16f219

    Download Submit
  • \Users\Admin\AppData\Local\Temp\nss1F5.tmp\GetVersion.dll
    MD5

    2e2412281a205ed8d53aafb3ef770a2d

    SHA1

    3cae4138e8226866236cf34f8fb00dafb0954d97

    SHA256

    db09adb6e17b6a0b31823802431ff5209018ee8c77a193ac8077e42e5f15fb00

    SHA512

    6d57249b7e02e1dfed2e297ec35fb375ecf3abc893d68694f4fa5f2e82ec68c129af9cc5ce3dd4025147309c0832a2847b69334138f3d29c5572ff4e1b16f219

    Download Submit
  • \Users\Admin\AppData\Local\Temp\nss1F5.tmp\GetVersion.dll
    MD5

    2e2412281a205ed8d53aafb3ef770a2d

    SHA1

    3cae4138e8226866236cf34f8fb00dafb0954d97

    SHA256

    db09adb6e17b6a0b31823802431ff5209018ee8c77a193ac8077e42e5f15fb00

    SHA512

    6d57249b7e02e1dfed2e297ec35fb375ecf3abc893d68694f4fa5f2e82ec68c129af9cc5ce3dd4025147309c0832a2847b69334138f3d29c5572ff4e1b16f219

    Download Submit
  • \Users\Admin\AppData\Local\Temp\nss1F5.tmp\GetVersion.dll
    MD5

    2e2412281a205ed8d53aafb3ef770a2d

    SHA1

    3cae4138e8226866236cf34f8fb00dafb0954d97

    SHA256

    db09adb6e17b6a0b31823802431ff5209018ee8c77a193ac8077e42e5f15fb00

    SHA512

    6d57249b7e02e1dfed2e297ec35fb375ecf3abc893d68694f4fa5f2e82ec68c129af9cc5ce3dd4025147309c0832a2847b69334138f3d29c5572ff4e1b16f219

    Download Submit
  • \Users\Admin\AppData\Local\Temp\nss1F5.tmp\NSISdl.dll
    MD5

    a5f8399a743ab7f9c88c645c35b1ebb5

    SHA1

    168f3c158913b0367bf79fa413357fbe97018191

    SHA256

    dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

    SHA512

    824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

    Download Submit
  • \Users\Admin\AppData\Local\Temp\nss1F5.tmp\System.dll
    MD5

    c17103ae9072a06da581dec998343fc1

    SHA1

    b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

    SHA256

    dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

    SHA512

    d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

    Download Submit
  • \Users\Admin\AppData\Local\Temp\nss1F5.tmp\nsDialogs.dll
    MD5

    c10e04dd4ad4277d5adc951bb331c777

    SHA1

    b1e30808198a3ae6d6d1cca62df8893dc2a7ad43

    SHA256

    e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a

    SHA512

    853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e

    Download Submit
  • memory/316-13-0x000007FEF6780000-0x000007FEF69FA000-memory.dmp
    Filesize

    2.5MB

    Download
  • memory/688-14-0x0000000000000000-mapping.dmp
    Download
  • memory/688-28-0x000000007EF40000-0x000000007EF50000-memory.dmp
    Filesize

    64KB

    Download
  • memory/688-32-0x000000007EF30000-0x000000007EF40000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1072-12-0x0000000000000000-mapping.dmp
    Download