Analysis

  • max time kernel
    41s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    02-12-2022 01:28

General

  • Target

    87b8dfde1aa02de6bc7060e980ab6adf2a5158967a8b92177b97378aca5ac405.exe

  • Size

    194KB

  • MD5

    e4ff3c97e90a3854a7d66e0474ac1bf8

  • SHA1

    6131c4a787c91f9b17a5a48f557e6b567cedb0b0

  • SHA256

    87b8dfde1aa02de6bc7060e980ab6adf2a5158967a8b92177b97378aca5ac405

  • SHA512

    b6134904001c8d4d4267534d46d790f7a0b8433c1ac73da2da11ccb4ff51859596b578fd4b1aa6d4dfc44e20b96579de7e398d544957be565abae21a78eef868

  • SSDEEP

    3072:hn1/uEAgDPdkBlyFZ+ScjaiKWbETBquAEXlqsUUypbXZc410uGg+QUWSR:h1OgDPdkBAFZWjadD4s5OJcWviR

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Loads dropped DLL 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • NSIS installer 8 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\87b8dfde1aa02de6bc7060e980ab6adf2a5158967a8b92177b97378aca5ac405.exe
    "C:\Users\Admin\AppData\Local\Temp\87b8dfde1aa02de6bc7060e980ab6adf2a5158967a8b92177b97378aca5ac405.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:868
    • C:\Users\Admin\AppData\Local\Temp\7zS195B.tmp\50df0da6e8490.exe
      .\50df0da6e8490.exe /s
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:908

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\7zS195B.tmp\[email protected]\bootstrap.js

    Filesize

    2KB

    MD5

    fa8f412695cef076870397420a39f6f6

    SHA1

    7d9031bef94d310328e802cc0822ae5d73c9c7df

    SHA256

    b5630df366bd6b1e655c3431650e92ef74be5489ef741661bb47afccf9ff4df1

    SHA512

    bd067ae925342c40fda821f93aa5a19fed4be9c74bf3e01f9dd7602a5fc1e2b54bd63491c1fc466c4b660da1eee4c9762361140f22f311f9ee52edf2b96fe9f9

  • C:\Users\Admin\AppData\Local\Temp\7zS195B.tmp\[email protected]\chrome.manifest

    Filesize

    116B

    MD5

    f36f87e4375857894574a3ac0ab47248

    SHA1

    59aaf1a5ca6afa73eb862b9cfd48a93fd9246a68

    SHA256

    b0190769fabc91d2e87c34489dda30fda176be465935fda8f61393ea85440d52

    SHA512

    8437f270963de0134dffa60a9eff1c50a40296a158bdac1ffbbc09497c21a25c1b577188f4d76bc1d9c21c48b1c090e4efe2e1dd29dfc9112ee5a38c2f609e93

  • C:\Users\Admin\AppData\Local\Temp\7zS195B.tmp\[email protected]\content\bg.js

    Filesize

    8KB

    MD5

    caa870d8dc647eb3d2f84d68a7b74768

    SHA1

    10ab317e1695addd4269e15b398d7c7e1a4e9988

    SHA256

    e6d244b12786b7060707e50858aae88852dfa3d8b356cc6724230e13a7f5bf8b

    SHA512

    6663f8fcb97ed55b7a7eca6d2376e05b8258a5abdd973c5051cd50456585f6084ce4fbd256150307e87322453570dd3c6670194a150e4f7bc21246a374410f1f

  • C:\Users\Admin\AppData\Local\Temp\7zS195B.tmp\[email protected]\content\zy.xul

    Filesize

    225B

    MD5

    1247a4e57e7ee41a5b408d68d78267b3

    SHA1

    c84b7ac6f1331d70382224428e57e2269d220bc5

    SHA256

    19f3a3be0e9bf961d725a4cf814dfb7b91680701adf5bf11d754036ab793c53c

    SHA512

    13e8b57165ecdc288c4495edf7534ab2ea00a1b21ebe1fb1f18db0e8a73d60de86c133632ea1b68b6bcece082b223255fb39c7bdd0062b37746ad1b29fdd9b76

  • C:\Users\Admin\AppData\Local\Temp\7zS195B.tmp\[email protected]\install.rdf

    Filesize

    700B

    MD5

    d1283958fae5735f95e1aea6aec619ac

    SHA1

    4d91fa4132df7b34d5f52d2f8a3ca6c378b6bedd

    SHA256

    965cd6aae1db934ed1d81f463c963aea510688ee144fbf1f0263c98631d27b6a

    SHA512

    54dbfd9b10420df1b667b39d051a5e27ff3c42e3418e47ed55bb7f4d34a054fc3e3821368e41751996f08705cdce026aa3dc2d3b1f30d5e29a6fbdb60e60dbf6

  • C:\Users\Admin\AppData\Local\Temp\7zS195B.tmp\50df0da6e8490.exe

    Filesize

    70KB

    MD5

    ebcc3eb1a7021aaead55fb677465a717

    SHA1

    3c8347f0fd520ee423a4aafea1112a0b06f4b6c8

    SHA256

    5e74f0e710c067ad82301c7c14ed6afb138f974f351042cfe0ecd275cea2612c

    SHA512

    0f18c22e6eff8ec90ccc616e62f32701d046185311e01e5f506778fae0c31f35123c3ce756ff2c0eef6f23e06e280f870b80080d11dc6da3aa25901f5a92d995

  • C:\Users\Admin\AppData\Local\Temp\7zS195B.tmp\50df0da6e8490.exe

    Filesize

    70KB

    MD5

    ebcc3eb1a7021aaead55fb677465a717

    SHA1

    3c8347f0fd520ee423a4aafea1112a0b06f4b6c8

    SHA256

    5e74f0e710c067ad82301c7c14ed6afb138f974f351042cfe0ecd275cea2612c

    SHA512

    0f18c22e6eff8ec90ccc616e62f32701d046185311e01e5f506778fae0c31f35123c3ce756ff2c0eef6f23e06e280f870b80080d11dc6da3aa25901f5a92d995

  • C:\Users\Admin\AppData\Local\Temp\7zS195B.tmp\mkmmpapmehjeilgkhokoapmbfmbffjmd.crx

    Filesize

    8KB

    MD5

    b403e4d3b44d640c04a78a94ebd77431

    SHA1

    8d5fa967349086e71f9df6b25f5b7915aff46233

    SHA256

    84c22f70fd373668b4850fa90969663a6cc5e50f38ce3a9818b8c112024b08c5

    SHA512

    a948a5a64d44ccdff77c19f0760e4e1f01cb35e4561202f9ccb8c5f4562fe6f1fa589bb4443aae1eb2adfa5d4e25f8bb9b174ae18df552517f2af7b7e7800769

  • C:\Users\Admin\AppData\Local\Temp\7zS195B.tmp\settings.ini

    Filesize

    615B

    MD5

    ef08555933efca7b1918ec0ce6940702

    SHA1

    48ae1cd37dbf261eb4f3165fa4d2265984cdabad

    SHA256

    aeffecf0e3e08a9f74b3d066847acae92e7047e71a23ac880836b039130fc4d2

    SHA512

    2404c9057a5ae2f66bbd22aeb3392d7f35dbc3ebf6491b3ce2e200d304b48e61b6a570de85b03a533963ea31f32a68297676b6b638c1bdd7ec8b699631e7dd1b

  • \ProgramData\Zoomex\uninstall.exe

    Filesize

    48KB

    MD5

    e9c9582996a23b2a49a058dcaa3b5525

    SHA1

    f527cc64e759f06c011e5eeffbd217d5249c04df

    SHA256

    43c3e8d7aa00a299f084db17e384aa96de508565f82264ee88bd9c7647fa9fc9

    SHA512

    665613fc7f20e2c4ea40b7a8f39b4c2ea2a24c5119ee86ef072bbe29f606cd78a43081aa0a89b678a46d34e470e1ed10e31d590d3cb5447e1231707fea8e490f

  • \Users\Admin\AppData\Local\Temp\7zS195B.tmp\50df0da6e8490.exe

    Filesize

    70KB

    MD5

    ebcc3eb1a7021aaead55fb677465a717

    SHA1

    3c8347f0fd520ee423a4aafea1112a0b06f4b6c8

    SHA256

    5e74f0e710c067ad82301c7c14ed6afb138f974f351042cfe0ecd275cea2612c

    SHA512

    0f18c22e6eff8ec90ccc616e62f32701d046185311e01e5f506778fae0c31f35123c3ce756ff2c0eef6f23e06e280f870b80080d11dc6da3aa25901f5a92d995

  • \Users\Admin\AppData\Local\Temp\nst20BC.tmp\UserInfo.dll

    Filesize

    4KB

    MD5

    7579ade7ae1747a31960a228ce02e666

    SHA1

    8ec8571a296737e819dcf86353a43fcf8ec63351

    SHA256

    564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5

    SHA512

    a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

  • \Users\Admin\AppData\Local\Temp\nst20BC.tmp\nsJSON.dll

    Filesize

    7KB

    MD5

    b9cd1b0fd3af89892348e5cc3108dce7

    SHA1

    f7bc59bf631303facfc970c0da67a73568e1dca6

    SHA256

    49b173504eb9cd07e42a3c4deb84c2cd3f3b49c7fb0858aee43ddfc64660e384

    SHA512

    fdcbdd21b831a92ca686aab5b240f073a89a08588e42439564747cad9160d79cfa8e3c103b6b4f2917684c1a591880203b4303418b85bc040f9f00b6658b0c90

  • memory/868-54-0x0000000075131000-0x0000000075133000-memory.dmp

    Filesize

    8KB

  • memory/908-56-0x0000000000000000-mapping.dmp

  • memory/908-69-0x00000000743E0000-0x00000000743EA000-memory.dmp

    Filesize

    40KB