Analysis
-
max time kernel
90s -
max time network
110s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system -
submitted
01/12/2022, 06:42
Static task
static1
Behavioral task
behavioral1
Sample
91ff2307fe2a20acf9c60383ccfc4eecf5412bd053b43c88a12072837dc1a4e8.exe
Resource
win7-20221111-en
General
-
Target
91ff2307fe2a20acf9c60383ccfc4eecf5412bd053b43c88a12072837dc1a4e8.exe
-
Size
249KB
-
MD5
c2116084cde4231e25486e97dff3030b
-
SHA1
93b7837de9349b71773ccd0d07376a1a4ae1e6e3
-
SHA256
91ff2307fe2a20acf9c60383ccfc4eecf5412bd053b43c88a12072837dc1a4e8
-
SHA512
7a07a238655730ec6d15d9afdfbc5700bf1e43fd6eeaa6d67c63a3f92ab7378de8153d382aebf1546eb016091c7c782180a3530d9fb8933f6df8d6944edfde89
-
SSDEEP
6144:h1OgDPdkBAFZWjadD4s5xhiVkWlEr/3p6qzWtfa:h1OgLdaOriK3p65S
Malware Config
Signatures
-
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
resource yara_rule behavioral2/files/0x0001000000022e27-143.dat acprotect -
Executes dropped EXE 1 IoCs
pid Process 4888 50d80d76628f4.exe -
resource yara_rule behavioral2/files/0x0001000000022e27-143.dat upx behavioral2/memory/4888-144-0x0000000074C90000-0x0000000074C9A000-memory.dmp upx -
Loads dropped DLL 3 IoCs
pid Process 4888 50d80d76628f4.exe 4888 50d80d76628f4.exe 4888 50d80d76628f4.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Installs/modifies Browser Helper Object 2 TTPs 3 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4766D980-5F74-6A67-02CA-A4711C03463F}\NoExplorer = "1" 50d80d76628f4.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4766D980-5F74-6A67-02CA-A4711C03463F} 50d80d76628f4.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4766D980-5F74-6A67-02CA-A4711C03463F}\ = "Zoomex" 50d80d76628f4.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
NSIS installer 4 IoCs
resource yara_rule behavioral2/files/0x0001000000022e15-133.dat nsis_installer_1 behavioral2/files/0x0001000000022e15-133.dat nsis_installer_2 behavioral2/files/0x0001000000022e15-134.dat nsis_installer_1 behavioral2/files/0x0001000000022e15-134.dat nsis_installer_2 -
Modifies registry class 45 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4766D980-5F74-6A67-02CA-A4711C03463F}\ = "Zoomex" 50d80d76628f4.exe Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{4766D980-5F74-6A67-02CA-A4711C03463F}\InProcServer32 50d80d76628f4.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32 50d80d76628f4.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib 50d80d76628f4.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0" 50d80d76628f4.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32 50d80d76628f4.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib 50d80d76628f4.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage" 50d80d76628f4.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" 50d80d76628f4.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4766D980-5F74-6A67-02CA-A4711C03463F}\InProcServer32\ = "C:\\ProgramData\\Zoomex\\50d80d766292d.dll" 50d80d76628f4.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0 50d80d76628f4.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0" 50d80d76628f4.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" 50d80d76628f4.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F} 50d80d76628f4.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain" 50d80d76628f4.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" 50d80d76628f4.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib" 50d80d76628f4.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR 50d80d76628f4.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" 50d80d76628f4.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0" 50d80d76628f4.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F} 50d80d76628f4.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4766D980-5F74-6A67-02CA-A4711C03463F}\ProgID\ = "Zoomex.1" 50d80d76628f4.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" 50d80d76628f4.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" 50d80d76628f4.exe Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{4766D980-5F74-6A67-02CA-A4711C03463F} 50d80d76628f4.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4766D980-5F74-6A67-02CA-A4711C03463F}\InProcServer32\ThreadingModel = "Apartment" 50d80d76628f4.exe Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{4766D980-5F74-6A67-02CA-A4711C03463F}\ProgID 50d80d76628f4.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\ProgramData\\Zoomex\\50d80d766292d.tlb" 50d80d76628f4.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\ProgramData\\Zoomex" 50d80d76628f4.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain" 50d80d76628f4.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F} 50d80d76628f4.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" 50d80d76628f4.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0" 50d80d76628f4.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0 50d80d76628f4.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0" 50d80d76628f4.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage" 50d80d76628f4.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib 50d80d76628f4.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32 50d80d76628f4.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755} 50d80d76628f4.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS 50d80d76628f4.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F} 50d80d76628f4.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32 50d80d76628f4.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32 50d80d76628f4.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" 50d80d76628f4.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib 50d80d76628f4.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2952 wrote to memory of 4888 2952 91ff2307fe2a20acf9c60383ccfc4eecf5412bd053b43c88a12072837dc1a4e8.exe 81 PID 2952 wrote to memory of 4888 2952 91ff2307fe2a20acf9c60383ccfc4eecf5412bd053b43c88a12072837dc1a4e8.exe 81 PID 2952 wrote to memory of 4888 2952 91ff2307fe2a20acf9c60383ccfc4eecf5412bd053b43c88a12072837dc1a4e8.exe 81 -
System policy modification 1 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{4766D980-5F74-6A67-02CA-A4711C03463F} = "1" 50d80d76628f4.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID 50d80d76628f4.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\91ff2307fe2a20acf9c60383ccfc4eecf5412bd053b43c88a12072837dc1a4e8.exe"C:\Users\Admin\AppData\Local\Temp\91ff2307fe2a20acf9c60383ccfc4eecf5412bd053b43c88a12072837dc1a4e8.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2952 -
C:\Users\Admin\AppData\Local\Temp\7zSF571.tmp\50d80d76628f4.exe.\50d80d76628f4.exe /s2⤵
- Executes dropped EXE
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Modifies registry class
- System policy modification
PID:4888
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
115KB
MD56696822add17061dc0bb8ee5b42cc2d4
SHA1d4622558ba366f2f94560da301a81c6c16f95a3c
SHA25673c44d8943947e3cf9ecabdeea4d9a37652614f5490a1f972816be4123795125
SHA5120f1946ce002441d010f67156f67b9d18e01ba35edfeb66ce8096467d3126b547e5040032253275b173f2dba9bce983775f360d83ec026986b55cb85e4b63f099
-
C:\Users\Admin\AppData\Local\Temp\7zSF571.tmp\[email protected]\bootstrap.js
Filesize2KB
MD5c13eb0ac6a59f9a73232fd68aaa6f69f
SHA1c526b318735763616d5e1f483d05e40f475f8f6d
SHA256d659bbccfdee9a76183ad8b2eeef3751b312c017896eb11d75eb15137e95e624
SHA5124fa09af5906646f0f9f5d8463eeddc882ec1c4d52452783babd7b1bd3c6e1327de91111c6ec14bd737c567d2608552e51e830ad508177df8b4536e45d624e0d2
-
C:\Users\Admin\AppData\Local\Temp\7zSF571.tmp\[email protected]\chrome.manifest
Filesize116B
MD56546edc26a1e277d3a4f9024002d493d
SHA1c21ec031ac487a3cc9f4e10276c7128f0d8130b2
SHA256a476e00c344e083133c950d1760a1d5b8ff79cd2d84da648bccd4a1699435e11
SHA512d34acc2e44e01282e102c21fb13055ac3a710cf3f3bb7735c929aa306c8857db3c9de32808f0a883c09c52d9a167e68e1bf018295441557c71cc0acae1243c12
-
C:\Users\Admin\AppData\Local\Temp\7zSF571.tmp\[email protected]\content\bg.js
Filesize8KB
MD594e8bb666800cc2bb6cd23ea0162c300
SHA1d273593d91c4cb94434ed68470f32c0636201894
SHA256e15edff116c13b0e71aa657c8e75cf4e743fce71d5ca4e2884b9294b39515af2
SHA512e2784b23d66d0117d6be4625108803924af318d4aee252cf3d03dbb82a8fbd92b4c69683188cc763c2f5b12a8de06f51b40ca9d78be8474d5f0e1365087a9faf
-
C:\Users\Admin\AppData\Local\Temp\7zSF571.tmp\[email protected]\content\zy.xul
Filesize225B
MD552f5f85f455afe1e464d7140d948be2c
SHA145006b2aa70f4884ce24048467b39fae2a7b9516
SHA256ec7e8ef74a101083b85ebfdcb8b86105770898f6f179c2cbf2654b03d042d2bd
SHA51244675006d595949562b42930c1c4dfb6ed55217b8d2bd9ec1cbbca412f2d4a1eea928936a5e53ce80e8f797ef7bb066ae0e8ca1977d16f38e90c4e3b70a6af13
-
C:\Users\Admin\AppData\Local\Temp\7zSF571.tmp\[email protected]\install.rdf
Filesize700B
MD52fdf01a548a88b5e3b342655eea0dd03
SHA10daa9363ed9d18df7d9b6be4aa2e97baed7c666c
SHA256fe8f7e29b2d6547e5db97258a35d809809deab06a6020c16ba62e40c6cf48af7
SHA51253308c72f23713141d817d7c3d36bf34fc3150f8c23e17eb9f158bb2d2f49c7bdf79cb818c41cd2ec494939c835b810ce9dd8a8537a96aad4737034205f1dfe6
-
Filesize
70KB
MD5ebcc3eb1a7021aaead55fb677465a717
SHA13c8347f0fd520ee423a4aafea1112a0b06f4b6c8
SHA2565e74f0e710c067ad82301c7c14ed6afb138f974f351042cfe0ecd275cea2612c
SHA5120f18c22e6eff8ec90ccc616e62f32701d046185311e01e5f506778fae0c31f35123c3ce756ff2c0eef6f23e06e280f870b80080d11dc6da3aa25901f5a92d995
-
Filesize
70KB
MD5ebcc3eb1a7021aaead55fb677465a717
SHA13c8347f0fd520ee423a4aafea1112a0b06f4b6c8
SHA2565e74f0e710c067ad82301c7c14ed6afb138f974f351042cfe0ecd275cea2612c
SHA5120f18c22e6eff8ec90ccc616e62f32701d046185311e01e5f506778fae0c31f35123c3ce756ff2c0eef6f23e06e280f870b80080d11dc6da3aa25901f5a92d995
-
Filesize
115KB
MD56696822add17061dc0bb8ee5b42cc2d4
SHA1d4622558ba366f2f94560da301a81c6c16f95a3c
SHA25673c44d8943947e3cf9ecabdeea4d9a37652614f5490a1f972816be4123795125
SHA5120f1946ce002441d010f67156f67b9d18e01ba35edfeb66ce8096467d3126b547e5040032253275b173f2dba9bce983775f360d83ec026986b55cb85e4b63f099
-
Filesize
2KB
MD5096a65b8a695249d5d554776f1eeace3
SHA12f2506b886a59b4408b23653d8734004ec2dda6d
SHA256a602c790bcf424c154a082a88a495b256dd5456f627943568c358c74f606c568
SHA5126e832caff1951b4fdb489997af5736fdbafa1de5573f629fc6798666bffd0ca0715311ce6590202cc970cce4492d94994a588547bb579bf70bc264683bc45cdc
-
Filesize
8KB
MD547e0468cdb1b14961fdeaf0cb6628eb7
SHA168648963efc0b4dbfdefc46d0064cc0b070c1617
SHA256fec6e640452aea0f5045b418bfe02df9e7824ba764a3a012acbc57dedc1a6260
SHA512ae0d906877abf4b5ff68d32efabe916932d0c025412e717013209a2a4a5180b278780a150d83f0ce36a7d7e9123a7ee89d621a14feb4b5637dadde35394d1588
-
Filesize
6KB
MD56b7a296c8665235fbccdeb9fd381a930
SHA1bf8ea37dda22ba52ba5224fa953857375711de72
SHA256150862df3350b4ed0046869d5585204328c95f0925a06709de9145bffee80999
SHA5127ff1f6562111fe8d3fe5a326e95f749fbe8ad61623312b02359f5b3a2536bdca326cc2c863eb8f241cddc7d286e37c09a83698e45ba3505e1037efa8ab21c4c1
-
Filesize
4KB
MD57579ade7ae1747a31960a228ce02e666
SHA18ec8571a296737e819dcf86353a43fcf8ec63351
SHA256564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5
SHA512a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b
-
Filesize
7KB
MD5b9cd1b0fd3af89892348e5cc3108dce7
SHA1f7bc59bf631303facfc970c0da67a73568e1dca6
SHA25649b173504eb9cd07e42a3c4deb84c2cd3f3b49c7fb0858aee43ddfc64660e384
SHA512fdcbdd21b831a92ca686aab5b240f073a89a08588e42439564747cad9160d79cfa8e3c103b6b4f2917684c1a591880203b4303418b85bc040f9f00b6658b0c90