02ebbdc3498c822d2d08ca3e8255279982e2d1ad23e33c64d5bcef503df5fa38

Analysis

max time kernel
121s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 03:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

50a3fabe509fd67f754aba4177a3b87d.exe
Size

194KB
MD5

50a3fabe509fd67f754aba4177a3b87d
SHA1

2e9b4f2b4d946f1db0b945f547c8ff23f99447e6
SHA256

02ebbdc3498c822d2d08ca3e8255279982e2d1ad23e33c64d5bcef503df5fa38
SHA512

fb508c5eec002d50ef5347a0fadecc29291c2bd306e014eb81f764f9dc4b42fa8797f2d53212ad61c7dde842b350eabf70b36e69705972649cb64820ad53b093
SSDEEP

3072:hn1/uEAgDPdkBlyFZ+ScjaiKWbETBquAEXlqsUUIaN3EgHeXA2cedWvzlR6/9Jr2:h1OgDPdkBAFZWjadD4s5IQ3XKNqzl4F8

Score

7^/10

discovery spyware stealer upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0006000000016d63-73.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
2872	5104e54f7dcf4.exe

Loads dropped DLL 4 IoCs

pid	Process
2672	50a3fabe509fd67f754aba4177a3b87d.exe
2872	5104e54f7dcf4.exe
2872	5104e54f7dcf4.exe
2872	5104e54f7dcf4.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0006000000016d63-73.dat	upx
behavioral1/memory/2872-76-0x0000000074A40000-0x0000000074A4A000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\jhcdmhdadgbfajlpbbnlglnlpbkfbimh\1\manifest.json	5104e54f7dcf4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral1/files/0x00060000000162a6-26.dat	nsis_installer_1
behavioral1/files/0x00060000000162a6-26.dat	nsis_installer_2
behavioral1/files/0x0006000000016d71-80.dat	nsis_installer_1
behavioral1/files/0x0006000000016d71-80.dat	nsis_installer_2

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2672 wrote to memory of 2872	2672	50a3fabe509fd67f754aba4177a3b87d.exe	28
PID 2672 wrote to memory of 2872	2672	50a3fabe509fd67f754aba4177a3b87d.exe	28
PID 2672 wrote to memory of 2872	2672	50a3fabe509fd67f754aba4177a3b87d.exe	28
PID 2672 wrote to memory of 2872	2672	50a3fabe509fd67f754aba4177a3b87d.exe	28
PID 2672 wrote to memory of 2872	2672	50a3fabe509fd67f754aba4177a3b87d.exe	28
PID 2672 wrote to memory of 2872	2672	50a3fabe509fd67f754aba4177a3b87d.exe	28
PID 2672 wrote to memory of 2872	2672	50a3fabe509fd67f754aba4177a3b87d.exe	28

C:\Users\Admin\AppData\Local\Temp\50a3fabe509fd67f754aba4177a3b87d.exe
"C:\Users\Admin\AppData\Local\Temp\50a3fabe509fd67f754aba4177a3b87d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2672
- C:\Users\Admin\AppData\Local\Temp\7zS57F0.tmp\5104e54f7dcf4.exe
  .\5104e54f7dcf4.exe /s
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  PID:2872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Zoomex\uninstall.exe

Filesize
48KB

MD5
f3c79bda3fdf7c5dd24d60400a57cadb

SHA1
1adb606aaeedb246a371c8877c737f0f8c798625

SHA256
a76272ed3bbf23308782a308d428ee805ec77fbb622a830af26cb0ddbbf7377b

SHA512
c43cb957bdea357bd016fe03a8004a48d8117a12106f62876394feba05ad01a321ff6017ffb7b926cc77712f5ab63ea2e4b169a419c444c8f62aa4933f289935

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS57F0.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
1a9fa9c06c7b2f5d05bce04d26057e3e

SHA1
23eff6f297dbafce1698eddd7145b935205bf31b

SHA256
f47b9154c8216915e288c9f1b99951d2714f53b8f1446bb8652d15dc26d40067

SHA512
9afe27dbf822b3a44de50d5f05bd139ad429c2fdc722fda483e586b4ed42220571e7aa297ff9496b5befe99c8c98ba7413c83ac4b4a912b9f3b0242b14bde701

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS57F0.tmp\[email protected]\chrome.manifest

Filesize
116B

MD5
3373a3b52de1897da2132f5b728af879

SHA1
78b3dd9a754293ac2a05a431d3bed89f05795efa

SHA256
acb684451e652cab22d58c88bd816ecc747ec60d2eb883ad03a2ffe02296921c

SHA512
104619ff11ec5460d586bab8cf5eddde7fb6aaf746b8bc31df6e54a62e575d656ac7e51bf9a1c51b2b2e7ff98e841ad0a7421feb80d1eba2de851ba774276586

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS57F0.tmp\[email protected]\content\bg.js

Filesize
8KB

MD5
6c105e9caba11c55b2e2c15c7ce40f76

SHA1
e8bf862477e49b4a4d9807191c949e59a0ace968

SHA256
5e432849eed55de3814482711660a2b88ce088bcec4b32163951244d601d6e33

SHA512
57b6e104897aa94f514337546f71115daf38ce3b3bccd3d98fa8b850f8e6202d45cd164bad3f33e4ba08d9dc43b93a43f1fcd37421c2100100a58f1200644913

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS57F0.tmp\[email protected]\content\zy.xul

Filesize
225B

MD5
d8140014b14f90c9ec7cee6e4f115c7b

SHA1
b21b7ca4da48edb05b1929383bb78400b29c6152

SHA256
6fd8b3657ec81d4cf12a76660bd33954b3f9bf6bbaa61fd57c151e27ec15dc51

SHA512
4c5e89819563c3039a711884b96aac9d5a3e6ea873b9dce17e1b554a450693c6736435b9c2b8b1a36c5d3175868ff72248fa59f4e6816689c5129ffdc5a02682

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS57F0.tmp\[email protected]\install.rdf

Filesize
700B

MD5
61b10a9e9d47a597acdaab92830560da

SHA1
d289c067d53ffe05499b77367401f5b9d7dc09b2

SHA256
27b21157724048f8afaf81ee1a55700e66a3f69ef6eb7ddfa364afa560462a73

SHA512
e175a1a56db74d871a55f093b9e6ae122d0f1b46cda4627a11278fdb22be808e220ac632863c3bdc2405e3a3b7a5f16502f528a2c321c8e79ffa2a3f2865c39f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS57F0.tmp\jhcdmhdadgbfajlpbbnlglnlpbkfbimh\5104e54f7db2b3.83419369.js

Filesize
4KB

MD5
f36491cdd3eb67a048e3fd6633ba48ed

SHA1
e30dab092e63e9f05d27298a4d90c4ce42934dc6

SHA256
2e4916e9e5219d9375c4aea78888b9be55e3918dc2bae01609a716b489f24ebd

SHA512
d85f834b3202a5c4566575cb4d7427a22c41594df5b938df868349b4f1195cb979e34d52cb2c61a1b903aaa4c99eddcb996f29ed89e30b2cf9bab19065461e76

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS57F0.tmp\jhcdmhdadgbfajlpbbnlglnlpbkfbimh\background.html

Filesize
161B

MD5
1a6f7b082e39ef00d2b6c9090ef069d8

SHA1
5cb34a0427dbb3461878aec56efe23c6b58981cd

SHA256
ed6cf7e7dd0f2b3e1f02b015453cc2b7db346fbf002fcce174bf0494ec647ba0

SHA512
741a2c880b75cdb1f39e0fa1fce64dc8ab8a84a0a8ca6304c8fd12731520a18cdfa2a3d8747c994a2cf168bbf2ec7aac22d70ba2c05535622d6fc7f7ae96d036

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS57F0.tmp\jhcdmhdadgbfajlpbbnlglnlpbkfbimh\content.js

Filesize
197B

MD5
5f9891607f65f433b0690bae7088b2c1

SHA1
b4edb7579dca34dcd00bca5d2c13cbc5c8fac0de

SHA256
fb01e87250ac9985ed08d97f2f99937a52998ea9faebdc88e4071d6517e1ea6b

SHA512
76018b39e4b62ff9ea92709d12b0255f33e8402dfc649ed403382eebc22fb37c347c403534a7792e6b5de0ed0a5d97a09b69f0ffc39031cb0d4c7d79e9440c7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS57F0.tmp\jhcdmhdadgbfajlpbbnlglnlpbkfbimh\lsdb.js

Filesize
559B

MD5
209b7ae0b6d8c3f9687c979d03b08089

SHA1
6449f8bff917115eef4e7488fae61942a869200f

SHA256
e3cf0049af8b9f6cb4f0223ccb8438f4b0c75863684c944450015868a0c45704

SHA512
1b38d5509283ef25de550b43ef2535dee1a13eff12ad5093f513165a47eec631bcc993242e2ce640f36c61974431ae2555bd6e2a97aba91eb689b7cd4bf25a25

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS57F0.tmp\jhcdmhdadgbfajlpbbnlglnlpbkfbimh\manifest.json

Filesize
479B

MD5
d9670f9c069ec46aaff5a60a9608e885

SHA1
c15da079582c4bf21b06e934dc78f3bd8fbc5607

SHA256
a631255a7467449ff89bb97a8d97632411076d00bfb8dc84c19abd100e235e7c

SHA512
d7ead015d25cdf1d31ec3330020bd43c5ec702a148c130083fb5ee70a8a4691fe94db7f9390b93d7afbc083531c9c1f23d29bd607c22d7cb362a0cb299645ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS57F0.tmp\jhcdmhdadgbfajlpbbnlglnlpbkfbimh\sqlite.js

Filesize
1KB

MD5
1fb34d71d9a51dc1c5d9e9b9d7add25e

SHA1
d8837a1c32f281d77b1706a0139e48cda8575b21

SHA256
5dbaa02596c9497f0290d0bdebb4d05509a43e624e19e69c6bcfcb31b6b77b09

SHA512
7766a520cee98ce93b7bb6a36cf8b8822d80032e18695f6e62d5c5cac00c32c03f9af337e7441b27c781e9d31a9e62b1dc6883e7429c80e2a46d830036eecaff

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS57F0.tmp\settings.ini

Filesize
898B

MD5
95148b0a96f22216be907f7e65a5b8e8

SHA1
0edb82ca973c28f7b0486d988420755510785211

SHA256
3df5b28fe72ded50f1618d30aed33d9ac89170e54a021cec618a9587761da2fc

SHA512
ebf844974772fa63559111832bf96fc7f2ad38c813c3b03b49449eca3067d668f4b6adf395138ec11949fad3aa65df74f234343d1610691278642c21d59ea2fa

Download Submit
\Users\Admin\AppData\Local\Temp\7zS57F0.tmp\5104e54f7dcf4.exe

Filesize
71KB

MD5
b78633fae8aaf5f7e99e9c736f44f9c5

SHA1
26fc60e29c459891ac0909470ac6c61a1eca1544

SHA256
d205693516dbaf34cfbd216e825190de4de1412e861bc9cb30ce863907b30d22

SHA512
3885b609269b26918ccfcd9069181168c12f4271b6bdfcc51afe176b2dd242d4c0953ac1a4ddaf25abcfaf28a0b694a6269d96ae39bb7b2db2f0140d2d60cd43

Download Submit
\Users\Admin\AppData\Local\Temp\nsi5ADD.tmp\UserInfo.dll

Filesize
4KB

MD5
7579ade7ae1747a31960a228ce02e666

SHA1
8ec8571a296737e819dcf86353a43fcf8ec63351

SHA256
564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5

SHA512
a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

Download Submit
\Users\Admin\AppData\Local\Temp\nsi5ADD.tmp\nsJSON.dll

Filesize
7KB

MD5
b9cd1b0fd3af89892348e5cc3108dce7

SHA1
f7bc59bf631303facfc970c0da67a73568e1dca6

SHA256
49b173504eb9cd07e42a3c4deb84c2cd3f3b49c7fb0858aee43ddfc64660e384

SHA512
fdcbdd21b831a92ca686aab5b240f073a89a08588e42439564747cad9160d79cfa8e3c103b6b4f2917684c1a591880203b4303418b85bc040f9f00b6658b0c90

Download Submit
memory/2872-76-0x0000000074A40000-0x0000000074A4A000-memory.dmp

Filesize
40KB

Download