a4976f5c8c46674083c3030ab8b44a8ea4b1153e74a07fa68221d3e9e7890cd1

Analysis

max time kernel
104s
max time network
49s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02-12-2022 01:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a4976f5c8c46674083c3030ab8b44a8ea4b1153e74a07fa68221d3e9e7890cd1.exe
Size

194KB
MD5

e6676a658799c699b96f6f027606b222
SHA1

09bcb0b245fa03310f6a7b742950e36d2ff99505
SHA256

a4976f5c8c46674083c3030ab8b44a8ea4b1153e74a07fa68221d3e9e7890cd1
SHA512

b92a78f682c1decbf318afe9d9e4fe1eaabbbbfa9ccd5f74e8f6cc194c0d651de261aa0e4ebefba71ec9d0331bd7c6fff2ca3a83364da99daa031947f610d5c2
SSDEEP

3072:hn1/uEAgDPdkBlyFZ+ScjaiKWbETBquAEXlqsUU1occMdz8wWH2wA:h1OgDPdkBAFZWjadD4s5K7wWWf

Score

9^/10

discovery spyware stealer upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0006000000014159-68.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
1456	50d86ef2781d1.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0006000000014159-68.dat	upx
behavioral1/memory/1456-69-0x0000000074910000-0x000000007491A000-memory.dmp	upx

Loads dropped DLL 4 IoCs

pid	Process
1724	a4976f5c8c46674083c3030ab8b44a8ea4b1153e74a07fa68221d3e9e7890cd1.exe
1456	50d86ef2781d1.exe
1456	50d86ef2781d1.exe
1456	50d86ef2781d1.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 8 IoCs

installer

resource	yara_rule
behavioral1/files/0x00070000000131fd-55.dat	nsis_installer_1
behavioral1/files/0x00070000000131fd-55.dat	nsis_installer_2
behavioral1/files/0x00070000000131fd-57.dat	nsis_installer_1
behavioral1/files/0x00070000000131fd-57.dat	nsis_installer_2
behavioral1/files/0x00070000000131fd-59.dat	nsis_installer_1
behavioral1/files/0x00070000000131fd-59.dat	nsis_installer_2
behavioral1/files/0x0006000000014236-70.dat	nsis_installer_1
behavioral1/files/0x0006000000014236-70.dat	nsis_installer_2

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 1456	1724	a4976f5c8c46674083c3030ab8b44a8ea4b1153e74a07fa68221d3e9e7890cd1.exe	28
PID 1724 wrote to memory of 1456	1724	a4976f5c8c46674083c3030ab8b44a8ea4b1153e74a07fa68221d3e9e7890cd1.exe	28
PID 1724 wrote to memory of 1456	1724	a4976f5c8c46674083c3030ab8b44a8ea4b1153e74a07fa68221d3e9e7890cd1.exe	28
PID 1724 wrote to memory of 1456	1724	a4976f5c8c46674083c3030ab8b44a8ea4b1153e74a07fa68221d3e9e7890cd1.exe	28
PID 1724 wrote to memory of 1456	1724	a4976f5c8c46674083c3030ab8b44a8ea4b1153e74a07fa68221d3e9e7890cd1.exe	28
PID 1724 wrote to memory of 1456	1724	a4976f5c8c46674083c3030ab8b44a8ea4b1153e74a07fa68221d3e9e7890cd1.exe	28
PID 1724 wrote to memory of 1456	1724	a4976f5c8c46674083c3030ab8b44a8ea4b1153e74a07fa68221d3e9e7890cd1.exe	28

C:\Users\Admin\AppData\Local\Temp\a4976f5c8c46674083c3030ab8b44a8ea4b1153e74a07fa68221d3e9e7890cd1.exe
"C:\Users\Admin\AppData\Local\Temp\a4976f5c8c46674083c3030ab8b44a8ea4b1153e74a07fa68221d3e9e7890cd1.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Users\Admin\AppData\Local\Temp\7zS1AD2.tmp\50d86ef2781d1.exe
  .\50d86ef2781d1.exe /s
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1456

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS1AD2.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
63b7e515caea2350fc65d090c3feb87d

SHA1
4dc35222ea3c2e08f9ce0ced4a3718284eb88c0d

SHA256
7c703bc2e00022ff4572e4ea4587b2c3463aba449a85df747834897a16cb1455

SHA512
f7603f576875330546485451d68c0cbbbeb1a3df7e97531ca7c5c0cf3d044b786d9d5c449cb628b780a3a4373bb6cc64c78ee8bac1b6ade3c6f400b2fb6ade76

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS1AD2.tmp\[email protected]\chrome.manifest

Filesize
116B

MD5
90a2fb9e8bd9a15fc03c3c33a51c2ab0

SHA1
5f05194ce891d367e94348b870acc3e105ca4324

SHA256
0302c841afc8b6ed458c1a1c9aa02cd29fcb6fd1dd22cbb463de84d91dcab656

SHA512
8afbf23c6695c65b45668e80d1baf395d3f6a2ad884d46a1d95425ac60a6f4eb291cff318e484930eac088527272b188779efd812203015816a6222689623f61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS1AD2.tmp\[email protected]\content\bg.js

Filesize
8KB

MD5
fc513ce7c2ec246f15991760c63a46f1

SHA1
2cb00a1c4660e42c35cdea02460275bac52bdbf8

SHA256
b965b5ab5db19c6032aa40e4b420a0770722ea0fc65c2b22664ec59e6d4a5f9e

SHA512
819f17b5cd48fc06876e45105b6b062763cabb877a3a415348303ed147faa61b4439f3dd8185bc02bd0ffd7161a7059be1b7a24935bd3b293b14aacb3e2c989b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS1AD2.tmp\[email protected]\content\zy.xul

Filesize
225B

MD5
779618bf0022ddcc6d7662bb359980f6

SHA1
eb24039c8b4f0c208fc2a021c4e2d08b857bde5e

SHA256
0ff2385626c182203cf0c710ad3792efaf4924d8e4324ca519907fcc29a40629

SHA512
055a44d75d411309a0981d7df02a5376fdcd16873ead11aaff48c557c5e915acba837a51c050f377921fae18ab329508475ff6f93dc139d902562288f14cb987

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS1AD2.tmp\[email protected]\install.rdf

Filesize
700B

MD5
1f2d8fbbdad4a13ca50ec9878af98908

SHA1
033141d08d874027e98715496892093cc326d6cf

SHA256
a2ce9b0e36fee63ac4262c3254c632b008dd5470596751a3b1b792c9f06e10f9

SHA512
57f370e2977fc96cdb8814e3656f12e437136550cb114394c4c6edb74bc5c7dc6da3178cee76d590d70865c755df0f0037808af372e4e0425b8e47c555b2b0f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS1AD2.tmp\50d86ef2781d1.exe

Filesize
70KB

MD5
ebcc3eb1a7021aaead55fb677465a717

SHA1
3c8347f0fd520ee423a4aafea1112a0b06f4b6c8

SHA256
5e74f0e710c067ad82301c7c14ed6afb138f974f351042cfe0ecd275cea2612c

SHA512
0f18c22e6eff8ec90ccc616e62f32701d046185311e01e5f506778fae0c31f35123c3ce756ff2c0eef6f23e06e280f870b80080d11dc6da3aa25901f5a92d995

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS1AD2.tmp\50d86ef2781d1.exe

Filesize
70KB

MD5
ebcc3eb1a7021aaead55fb677465a717

SHA1
3c8347f0fd520ee423a4aafea1112a0b06f4b6c8

SHA256
5e74f0e710c067ad82301c7c14ed6afb138f974f351042cfe0ecd275cea2612c

SHA512
0f18c22e6eff8ec90ccc616e62f32701d046185311e01e5f506778fae0c31f35123c3ce756ff2c0eef6f23e06e280f870b80080d11dc6da3aa25901f5a92d995

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS1AD2.tmp\lbaoggbficccecpbbalocddlbiiphoek.crx

Filesize
8KB

MD5
e69a09d07975c84b473311596accee70

SHA1
7baacfa70cb5fcfc6a74ee6a8d0b5a60ca04a11a

SHA256
74f99e9beaa995c3be3de2ed62eddd899a10752159fad6173be14a3199eecbac

SHA512
c00ecea87e43246d6c2113b13bc3a4fc63d63a097dc2ef865cf3e5322041f2610a5e2888402c043fa36ac754999c7a33724427e29721b42a94eb66128bac2dc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS1AD2.tmp\settings.ini

Filesize
615B

MD5
b6fe8fe6b0849c65da8680018c48865f

SHA1
9845f39caab0f3b3c6f9f3401843764aa63ba01c

SHA256
045b49ac896210a0b12cdc7d74fa94feb8f1cc2abfb4b71894c5e686d71dd271

SHA512
4c4a97a9bad8d039b7e8cddb2409f440cd79e96f24122c4fba31a744a46491c727c6670f4cb2e2e3aea423c133d68eb4eb626a76e8885210c5503fe199d2fecc

Download Submit
\ProgramData\Zoomex\uninstall.exe

Filesize
48KB

MD5
e9c9582996a23b2a49a058dcaa3b5525

SHA1
f527cc64e759f06c011e5eeffbd217d5249c04df

SHA256
43c3e8d7aa00a299f084db17e384aa96de508565f82264ee88bd9c7647fa9fc9

SHA512
665613fc7f20e2c4ea40b7a8f39b4c2ea2a24c5119ee86ef072bbe29f606cd78a43081aa0a89b678a46d34e470e1ed10e31d590d3cb5447e1231707fea8e490f

Download Submit
\Users\Admin\AppData\Local\Temp\7zS1AD2.tmp\50d86ef2781d1.exe

Filesize
70KB

MD5
ebcc3eb1a7021aaead55fb677465a717

SHA1
3c8347f0fd520ee423a4aafea1112a0b06f4b6c8

SHA256
5e74f0e710c067ad82301c7c14ed6afb138f974f351042cfe0ecd275cea2612c

SHA512
0f18c22e6eff8ec90ccc616e62f32701d046185311e01e5f506778fae0c31f35123c3ce756ff2c0eef6f23e06e280f870b80080d11dc6da3aa25901f5a92d995

Download Submit
\Users\Admin\AppData\Local\Temp\nso6CB9.tmp\UserInfo.dll

Filesize
4KB

MD5
7579ade7ae1747a31960a228ce02e666

SHA1
8ec8571a296737e819dcf86353a43fcf8ec63351

SHA256
564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5

SHA512
a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

Download Submit
\Users\Admin\AppData\Local\Temp\nso6CB9.tmp\nsJSON.dll

Filesize
7KB

MD5
b9cd1b0fd3af89892348e5cc3108dce7

SHA1
f7bc59bf631303facfc970c0da67a73568e1dca6

SHA256
49b173504eb9cd07e42a3c4deb84c2cd3f3b49c7fb0858aee43ddfc64660e384

SHA512
fdcbdd21b831a92ca686aab5b240f073a89a08588e42439564747cad9160d79cfa8e3c103b6b4f2917684c1a591880203b4303418b85bc040f9f00b6658b0c90

Download Submit
memory/1456-56-0x0000000000000000-mapping.dmp

Download
memory/1456-69-0x0000000074910000-0x000000007491A000-memory.dmp

Filesize
40KB

Download
memory/1724-54-0x0000000075B11000-0x0000000075B13000-memory.dmp

Filesize
8KB

Download