Analysis
-
max time kernel
112s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
30/12/2023, 23:17
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
1fbbef8e04438e9462bc9a282fd6f774.exe
Resource
win7-20231215-en
windows7-x64
13 signatures
150 seconds
General
-
Target
1fbbef8e04438e9462bc9a282fd6f774.exe
-
Size
250KB
-
MD5
1fbbef8e04438e9462bc9a282fd6f774
-
SHA1
66b9941d645e5b67c43ad45a46d7022f1dd26371
-
SHA256
12f4bbd977aaae2f6323d28e67c8a2d2a6cbc78e1b8d34a5db1716e406377159
-
SHA512
5c81ff04868381ab8cf4a6717f4c9b72a51fc6f2fd6c42678da89c11138720dd0cf12d5fe3bedb4742c0a1407c6e5d24b6f5135053d2daa2e764412c15e4022c
-
SSDEEP
6144:h1OgDPdkBAFZWjadD4s50OC/bQIPXBYgqT80p5YIzT8+:h1OgLdaO0j7eR7mIzY+
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 2616 50fc14f600fae.exe -
Loads dropped DLL 3 IoCs
pid Process 2616 50fc14f600fae.exe 2616 50fc14f600fae.exe 2616 50fc14f600fae.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral2/memory/2616-78-0x0000000074540000-0x000000007454A000-memory.dmp upx -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\aafanaelphkkmfmindbmoeenjohhnigj\1\manifest.json 50fc14f600fae.exe -
Installs/modifies Browser Helper Object 2 TTPs 3 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{466EC3B0-942C-149E-4F2D-50EE38771EF4} 50fc14f600fae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{466EC3B0-942C-149E-4F2D-50EE38771EF4}\ = "Zoomex" 50fc14f600fae.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{466EC3B0-942C-149E-4F2D-50EE38771EF4}\NoExplorer = "1" 50fc14f600fae.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 45 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32 50fc14f600fae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0" 50fc14f600fae.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32 50fc14f600fae.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib 50fc14f600fae.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F} 50fc14f600fae.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS 50fc14f600fae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0" 50fc14f600fae.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F} 50fc14f600fae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{466EC3B0-942C-149E-4F2D-50EE38771EF4}\InProcServer32\ = "C:\\ProgramData\\Zoomex\\50fc14f600fe6.dll" 50fc14f600fae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0" 50fc14f600fae.exe Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{466EC3B0-942C-149E-4F2D-50EE38771EF4}\ProgID 50fc14f600fae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" 50fc14f600fae.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0 50fc14f600fae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\ProgramData\\Zoomex\\50fc14f600fe6.tlb" 50fc14f600fae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain" 50fc14f600fae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib" 50fc14f600fae.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F} 50fc14f600fae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0" 50fc14f600fae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" 50fc14f600fae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" 50fc14f600fae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" 50fc14f600fae.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0 50fc14f600fae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\ProgramData\\Zoomex" 50fc14f600fae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain" 50fc14f600fae.exe Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{466EC3B0-942C-149E-4F2D-50EE38771EF4} 50fc14f600fae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{466EC3B0-942C-149E-4F2D-50EE38771EF4}\ = "Zoomex" 50fc14f600fae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" 50fc14f600fae.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32 50fc14f600fae.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib 50fc14f600fae.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F} 50fc14f600fae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" 50fc14f600fae.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib 50fc14f600fae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" 50fc14f600fae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" 50fc14f600fae.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755} 50fc14f600fae.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32 50fc14f600fae.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib 50fc14f600fae.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32 50fc14f600fae.exe Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{466EC3B0-942C-149E-4F2D-50EE38771EF4}\InProcServer32 50fc14f600fae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{466EC3B0-942C-149E-4F2D-50EE38771EF4}\ProgID\ = "Zoomex.1" 50fc14f600fae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage" 50fc14f600fae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{466EC3B0-942C-149E-4F2D-50EE38771EF4}\InProcServer32\ThreadingModel = "Apartment" 50fc14f600fae.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR 50fc14f600fae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage" 50fc14f600fae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0" 50fc14f600fae.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2384 wrote to memory of 2616 2384 1fbbef8e04438e9462bc9a282fd6f774.exe 22 PID 2384 wrote to memory of 2616 2384 1fbbef8e04438e9462bc9a282fd6f774.exe 22 PID 2384 wrote to memory of 2616 2384 1fbbef8e04438e9462bc9a282fd6f774.exe 22 -
System policy modification 1 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID 50fc14f600fae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{466EC3B0-942C-149E-4F2D-50EE38771EF4} = "1" 50fc14f600fae.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\1fbbef8e04438e9462bc9a282fd6f774.exe"C:\Users\Admin\AppData\Local\Temp\1fbbef8e04438e9462bc9a282fd6f774.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2384 -
C:\Users\Admin\AppData\Local\Temp\7zS4F58.tmp\50fc14f600fae.exe.\50fc14f600fae.exe /s2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops Chrome extension
- Installs/modifies Browser Helper Object
- Modifies registry class
- System policy modification
PID:2616
-