17af2cd1babbcf8eb80d3935ac59b9885cd282256d4ad1a95f8b51fc4402d596

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26-12-2023 15:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

791be324a1afc6df847d0dc5fee0fa05.exe
Size

194KB
MD5

791be324a1afc6df847d0dc5fee0fa05
SHA1

968fa8f86bb429aeaf1f1bd4d0f51816f2c51fac
SHA256

17af2cd1babbcf8eb80d3935ac59b9885cd282256d4ad1a95f8b51fc4402d596
SHA512

8e77a38aff0f49def9b951fc3a51d2fe9f90bcc2771e3084a79b96339476c9c14da881d1fb4587ed21d670771838bdd123732dbf3078832d921d41fbdd434f1b
SSDEEP

3072:hn1/uEAgDPdkBlyFZ+ScjaiKWbETBquAEXlqsUUaWp9OUjDRmV9KbhRk:h1OgDPdkBAFZWjadD4s5rpIq0V9Mc

Score

7^/10

discovery spyware stealer upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0006000000016db6-48.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
2416	50e02c663669a.exe

Loads dropped DLL 4 IoCs

pid	Process
3012	791be324a1afc6df847d0dc5fee0fa05.exe
2416	50e02c663669a.exe
2416	50e02c663669a.exe
2416	50e02c663669a.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0006000000016db6-48.dat	upx
behavioral1/memory/2416-58-0x0000000074A90000-0x0000000074A9A000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral1/files/0x000700000001656d-16.dat	nsis_installer_1
behavioral1/files/0x000700000001656d-16.dat	nsis_installer_2
behavioral1/files/0x0006000000016e8a-53.dat	nsis_installer_1
behavioral1/files/0x0006000000016e8a-53.dat	nsis_installer_2

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 2416	3012	791be324a1afc6df847d0dc5fee0fa05.exe	28
PID 3012 wrote to memory of 2416	3012	791be324a1afc6df847d0dc5fee0fa05.exe	28
PID 3012 wrote to memory of 2416	3012	791be324a1afc6df847d0dc5fee0fa05.exe	28
PID 3012 wrote to memory of 2416	3012	791be324a1afc6df847d0dc5fee0fa05.exe	28
PID 3012 wrote to memory of 2416	3012	791be324a1afc6df847d0dc5fee0fa05.exe	28
PID 3012 wrote to memory of 2416	3012	791be324a1afc6df847d0dc5fee0fa05.exe	28
PID 3012 wrote to memory of 2416	3012	791be324a1afc6df847d0dc5fee0fa05.exe	28

C:\Users\Admin\AppData\Local\Temp\791be324a1afc6df847d0dc5fee0fa05.exe
"C:\Users\Admin\AppData\Local\Temp\791be324a1afc6df847d0dc5fee0fa05.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Users\Admin\AppData\Local\Temp\7zS117E.tmp\50e02c663669a.exe
  .\50e02c663669a.exe /s
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Zoomex\uninstall.exe

Filesize
48KB

MD5
e9c9582996a23b2a49a058dcaa3b5525

SHA1
f527cc64e759f06c011e5eeffbd217d5249c04df

SHA256
43c3e8d7aa00a299f084db17e384aa96de508565f82264ee88bd9c7647fa9fc9

SHA512
665613fc7f20e2c4ea40b7a8f39b4c2ea2a24c5119ee86ef072bbe29f606cd78a43081aa0a89b678a46d34e470e1ed10e31d590d3cb5447e1231707fea8e490f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS117E.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
9b706c89444d973a26b9f3f296f98a9d

SHA1
0f7a0627f87c0280a54e9999d284d670fba51373

SHA256
8ebee638198e323b56086f73ecec5c39a1247ec9096f7d06b7cdcd91597dd09d

SHA512
328df87482789fcdaed7309e5fa4bb620e7614c7a39fdd60bbf37c4ca1756a6b0d323aaef42d601158333d1d935e4ac2514a6bec3628cd56c5db52b531536aa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS117E.tmp\[email protected]\chrome.manifest

Filesize
116B

MD5
51871ae0894d8bf6db8d0ff91553526d

SHA1
f0fb8d891b52fad88c88522b327fffb92a1f9f67

SHA256
c95abec1892cd344f972e8a4f015fc2c68550476cd7d51771cf475ee02ae86f5

SHA512
df8c9f40dfe90eb1b33ea4543e211436458b606c1813a34581c0b7afb1b218e9d7ca555801c44b594ff95cb1a587a6dde34af36dcd61dcea377e3648d994315a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS117E.tmp\[email protected]\content\bg.js

Filesize
8KB

MD5
653ceb55f69c693fedc42f70af7657cd

SHA1
3e2ff754ab03ad153d65a98f5c932348f9820fde

SHA256
faffab56f6482258704921a93dfb7296d1217fd30d12e72b99a9bee731eeeb6c

SHA512
7726a02bc5ea43160561ed1c0e673968d43403a206a1e406e37f2ca61215872065530c6aa07e90dbbead3bb6a0d6e6e2940653bb57a7b8bb8758feb9ff963f45

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS117E.tmp\[email protected]\content\zy.xul

Filesize
225B

MD5
2a7e1fc3363debd1cb29cbbad6d82cbf

SHA1
b0ed09847fa00e8f118ac8512dff5dd42d7f7c67

SHA256
d52c18b92ce7730f732ce9b297baedac56672a765f3c5abd5aa794fe8e5029d9

SHA512
7bfb406b4a7ebe726f86653a6c84079e9e410622fe3da069e7c2e62c73d60e613dcfb2f22e4ce7629f8779b2d3401fba84a4f00991c89076f200ec77a56e6b30

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS117E.tmp\[email protected]\install.rdf

Filesize
700B

MD5
85f0500169daf5939c2d1b08a7f9f54a

SHA1
a1b45ea527dee5cb805118d371c806c91620b65a

SHA256
8e5e84bb1a4d299a914dd48fb40ed9a9bd89211be595fee6cc4067e6ca1e6e54

SHA512
0211276299c39897a37688e32922fd07b9c9357403f0fbab187050b424260ab28ee06927c8cd14088311cea1ceb33cca0f8425d426d6ca652ad55e42a5090b88

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS117E.tmp\adnjggmmechhnajfakklpnelocbciagp.crx

Filesize
8KB

MD5
1d9e4214f85f83f289d1f5d08b191df7

SHA1
885f9bc87903c64c6b7e578a774acc264f307b0d

SHA256
556223850e456fef01ac8823539e44363e730122b84972c1a595a1d9255d6566

SHA512
185be9582d2c5d706538de50970ca71c7dfc983aaf1c6223186aabdfb88eb66b64aca4f411fcf9d26dc5a1919b4b886bbd43ab66c368c2168692587880e91171

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS117E.tmp\settings.ini

Filesize
615B

MD5
8511dbc37626f906eb55c841e3afc3ee

SHA1
15462322e0f9f24e6029d320dede7dd4a92d2333

SHA256
d6bbdee504ffa4e96c19e6c9b80024ed0b86e5bbf1b7b59e5b0c5fcaf01ec8ff

SHA512
c3f576ac07ffe1f7c6fb4ad8955a3f66d2d47a77556dc1ffc814a0ec2228f611c0613d3be0391661c403debbe4e190a741fb58661e12b36a5f91ffd1aeeb74fe

Download Submit
\Users\Admin\AppData\Local\Temp\7zS117E.tmp\50e02c663669a.exe

Filesize
70KB

MD5
ebcc3eb1a7021aaead55fb677465a717

SHA1
3c8347f0fd520ee423a4aafea1112a0b06f4b6c8

SHA256
5e74f0e710c067ad82301c7c14ed6afb138f974f351042cfe0ecd275cea2612c

SHA512
0f18c22e6eff8ec90ccc616e62f32701d046185311e01e5f506778fae0c31f35123c3ce756ff2c0eef6f23e06e280f870b80080d11dc6da3aa25901f5a92d995

Download Submit
\Users\Admin\AppData\Local\Temp\nso11DD.tmp\UserInfo.dll

Filesize
4KB

MD5
7579ade7ae1747a31960a228ce02e666

SHA1
8ec8571a296737e819dcf86353a43fcf8ec63351

SHA256
564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5

SHA512
a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

Download Submit
\Users\Admin\AppData\Local\Temp\nso11DD.tmp\nsJSON.dll

Filesize
7KB

MD5
b9cd1b0fd3af89892348e5cc3108dce7

SHA1
f7bc59bf631303facfc970c0da67a73568e1dca6

SHA256
49b173504eb9cd07e42a3c4deb84c2cd3f3b49c7fb0858aee43ddfc64660e384

SHA512
fdcbdd21b831a92ca686aab5b240f073a89a08588e42439564747cad9160d79cfa8e3c103b6b4f2917684c1a591880203b4303418b85bc040f9f00b6658b0c90

Download Submit
memory/2416-58-0x0000000074A90000-0x0000000074A9A000-memory.dmp

Filesize
40KB

Download
memory/2416-68-0x0000000074A90000-0x0000000074A99000-memory.dmp

Filesize
36KB

Download