8f3a47a7d972a777e04f061769d861a5b29db26f118e6fd06a8b0b2efe4b3474

Analysis

max time kernel
147s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 11:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1739c81176881d4f63e55c3d21133fb5.exe
Size

249KB
MD5

1739c81176881d4f63e55c3d21133fb5
SHA1

892473c5f816031aa2a8959015dc00ba5d9382bb
SHA256

8f3a47a7d972a777e04f061769d861a5b29db26f118e6fd06a8b0b2efe4b3474
SHA512

50ca1d2a3e51a8fe747b44836ca9cae89cd65843c61df0a1554971ba493eb5ca32dc9eec088a6cddf952d2397b4d5eee7555104cb81d05c47c84efa0a959a552
SSDEEP

6144:h1OgDPdkBAFZWjadD4s5DPfDKgC0ycgR20UYy2RWs:h1OgLdaOTrKKsRvUYTWs

Score

7^/10

adware discovery spyware stealer upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
440	50fbe1e6b9e72.exe

Loads dropped DLL 3 IoCs

pid	Process
440	50fbe1e6b9e72.exe
440	50fbe1e6b9e72.exe
440	50fbe1e6b9e72.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/440-78-0x00000000744A0000-0x00000000744AA000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\dkgkigkombafbicapidkpjghcopflpoh\1\manifest.json	50fbe1e6b9e72.exe

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E5A3B166-AC69-8E77-FC66-76F667EF9B7A}	50fbe1e6b9e72.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E5A3B166-AC69-8E77-FC66-76F667EF9B7A}\ = "Zoomex"	50fbe1e6b9e72.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E5A3B166-AC69-8E77-FC66-76F667EF9B7A}\NoExplorer = "1"	50fbe1e6b9e72.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 45 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR	50fbe1e6b9e72.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32	50fbe1e6b9e72.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	50fbe1e6b9e72.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	50fbe1e6b9e72.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{E5A3B166-AC69-8E77-FC66-76F667EF9B7A}\InProcServer32	50fbe1e6b9e72.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib"	50fbe1e6b9e72.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0"	50fbe1e6b9e72.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\ProgramData\\Zoomex\\50fbe1e6b9eab.tlb"	50fbe1e6b9e72.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E5A3B166-AC69-8E77-FC66-76F667EF9B7A}\InProcServer32\ThreadingModel = "Apartment"	50fbe1e6b9e72.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E5A3B166-AC69-8E77-FC66-76F667EF9B7A}\ProgID\ = "Zoomex.1"	50fbe1e6b9e72.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}	50fbe1e6b9e72.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}	50fbe1e6b9e72.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{E5A3B166-AC69-8E77-FC66-76F667EF9B7A}\ProgID	50fbe1e6b9e72.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	50fbe1e6b9e72.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	50fbe1e6b9e72.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0	50fbe1e6b9e72.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS	50fbe1e6b9e72.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0	50fbe1e6b9e72.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32	50fbe1e6b9e72.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0"	50fbe1e6b9e72.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0"	50fbe1e6b9e72.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}	50fbe1e6b9e72.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain"	50fbe1e6b9e72.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib	50fbe1e6b9e72.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{E5A3B166-AC69-8E77-FC66-76F667EF9B7A}	50fbe1e6b9e72.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	50fbe1e6b9e72.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32	50fbe1e6b9e72.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}	50fbe1e6b9e72.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32	50fbe1e6b9e72.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\ProgramData\\Zoomex"	50fbe1e6b9e72.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0"	50fbe1e6b9e72.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	50fbe1e6b9e72.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	50fbe1e6b9e72.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E5A3B166-AC69-8E77-FC66-76F667EF9B7A}\ = "Zoomex"	50fbe1e6b9e72.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E5A3B166-AC69-8E77-FC66-76F667EF9B7A}\InProcServer32\ = "C:\\ProgramData\\Zoomex\\50fbe1e6b9eab.dll"	50fbe1e6b9e72.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32	50fbe1e6b9e72.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain"	50fbe1e6b9e72.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0"	50fbe1e6b9e72.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib	50fbe1e6b9e72.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage"	50fbe1e6b9e72.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib	50fbe1e6b9e72.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	50fbe1e6b9e72.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib	50fbe1e6b9e72.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}	50fbe1e6b9e72.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage"	50fbe1e6b9e72.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4380 wrote to memory of 440	4380	1739c81176881d4f63e55c3d21133fb5.exe	20
PID 4380 wrote to memory of 440	4380	1739c81176881d4f63e55c3d21133fb5.exe	20
PID 4380 wrote to memory of 440	4380	1739c81176881d4f63e55c3d21133fb5.exe	20

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	50fbe1e6b9e72.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{E5A3B166-AC69-8E77-FC66-76F667EF9B7A} = "1"	50fbe1e6b9e72.exe

C:\Users\Admin\AppData\Local\Temp\1739c81176881d4f63e55c3d21133fb5.exe
"C:\Users\Admin\AppData\Local\Temp\1739c81176881d4f63e55c3d21133fb5.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4380
- C:\Users\Admin\AppData\Local\Temp\7zS45B4.tmp\50fbe1e6b9e72.exe
  .\50fbe1e6b9e72.exe /s
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Modifies registry class
  - System policy modification
  PID:440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS45B4.tmp\[email protected]\chrome.manifest

Filesize
116B

MD5
7a384cbc97095c9b1cc227c24672f101

SHA1
d5de0621265123f2ce12eb253b596d6129a12cf4

SHA256
e03bdea30a04e29c815c2c2e9eb71dd5369fcf56baaaad6cb54bb4e4ab5c03f3

SHA512
9badbbfd8a834166c8d5f3716277306f07eafdd578b4a801be77f08b9b3fb575679df0d07697342633ea8102d6d81a69f5407362508d55609e5b915231546752

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS45B4.tmp\[email protected]\content\bg.js

Filesize
8KB

MD5
78a63c7c98a36416a833c30719ee965b

SHA1
641bf06c2e6a85b8ad710cd08a8ab186e7cdd59b

SHA256
4d194fabcb54eace297d679a9a3ceff8e8719eb75dd1c9b33e866dedad0187b7

SHA512
16fded6be18f11b54016a02af719e579f2b238cd3b4b5a9e913a42aaa0959b155b580396df5dfa7ca762faaa8ba8405f86b5f977916604ee4c5219ff6a4d0c45

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS45B4.tmp\[email protected]\install.rdf

Filesize
700B

MD5
bf7330d8aaa7ae13953a1b05f01dd962

SHA1
4d4e8ef1c45498cffa77cf6c4fc1152c9b788079

SHA256
098533b2b56ca161a98298c7f043372adcb90d51d3906b723a0bd1191c1ffaf9

SHA512
a50a0fb02b78d9fa8b10eb8c3b526e1c3d95032a714a56a920ba3cd47bc5db4ac52cb9af56ab59f2d4d2d5f7cdd7963ffb34233fea691e98bee218eb56bfce5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS45B4.tmp\dkgkigkombafbicapidkpjghcopflpoh\50fbe1e6b9c7b2.32706925.js

Filesize
4KB

MD5
1abb48d5ff882d3dd13f9e7ecc10776f

SHA1
15421ebfb5047942499b9d729a612f493f5b9d58

SHA256
4ae812dc7a39961719f412fd6f8d27c1deea53b1660e66111babbf87453011e9

SHA512
7b497e2fb690edaf9f346b21088175603d346a59c54516472e0fee34f71c6861408f665e2e7b78cc4133d64f36c3fbd73cf197c6db3a0c43658cc6625675c1c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS45B4.tmp\dkgkigkombafbicapidkpjghcopflpoh\background.html

Filesize
161B

MD5
1072624379d2cc60b3993e24d0d40e94

SHA1
dd7e6bad01672c96fe26d23091f114e3c71eea48

SHA256
37a74c90c838c55abf0ed7b4b2166972b0cb2027734e705a7fea15628e34fd19

SHA512
1ff684168ec2cddaa4e5737c4da7751931e23cbe6b33a65d26b44048a4a9a38ed1ede1185547114455a89c28e25407fe6a586c8ebd8843eaf519c278f10883b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS45B4.tmp\dkgkigkombafbicapidkpjghcopflpoh\content.js

Filesize
197B

MD5
5f9891607f65f433b0690bae7088b2c1

SHA1
b4edb7579dca34dcd00bca5d2c13cbc5c8fac0de

SHA256
fb01e87250ac9985ed08d97f2f99937a52998ea9faebdc88e4071d6517e1ea6b

SHA512
76018b39e4b62ff9ea92709d12b0255f33e8402dfc649ed403382eebc22fb37c347c403534a7792e6b5de0ed0a5d97a09b69f0ffc39031cb0d4c7d79e9440c7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS45B4.tmp\dkgkigkombafbicapidkpjghcopflpoh\lsdb.js

Filesize
559B

MD5
209b7ae0b6d8c3f9687c979d03b08089

SHA1
6449f8bff917115eef4e7488fae61942a869200f

SHA256
e3cf0049af8b9f6cb4f0223ccb8438f4b0c75863684c944450015868a0c45704

SHA512
1b38d5509283ef25de550b43ef2535dee1a13eff12ad5093f513165a47eec631bcc993242e2ce640f36c61974431ae2555bd6e2a97aba91eb689b7cd4bf25a25

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS45B4.tmp\settings.ini

Filesize
6KB

MD5
486adaa82b80bb804a0020434210b3ea

SHA1
1cf8d2a789ee64b75fb059d47b4b7912970593a0

SHA256
0ac8446d27a93652d481fac5e627896a69436c77017c4a08fb06354b0c5f8899

SHA512
9ad0e020bb2109c9a4970a50e046508628ac0d0cd954abe3016c67c18793389b53838f3469c477fafd0b2cf3ac0ef7164eeb9980ce4a76094935ab2adca5a39b

Download Submit
memory/440-78-0x00000000744A0000-0x00000000744AA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads