dba22c6f3f11d46b9b8884043be6907e5b428d5595baad0a50d75789e5f4f0cb

Analysis

max time kernel
118s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08/03/2024, 01:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

vn-zugo.exe
Size

720KB
MD5

6ee75d20b907780781e90fa97897b8ed
SHA1

03c0ce29326ceef11b237c91ca0922f3dc6ac0b4
SHA256

a2efbc9b9a4d99cf60bd3e3b631dbe6116f31c15ccefc9f28ba3c95404afd63f
SHA512

36eb2dc03ec76756a92aca72b3827105344b4ee2b179b4abf9432828505ee6d151df6959b2280d4086952ebefa4b273f83ab25ae1e2299bb4c3ef859483f1e08
SSDEEP

12288:CU1qWMBibgTEX4MXAoQu7uIpKfHB/mY+oCIPR08gu+8uRj2d4Gp57m63OM0u:CIqWeibgoIaUCoh+/ZyudGp5/3JB

Score

7^/10

spyware stealer

Malware Config

Signatures

Loads dropped DLL 63 IoCs

pid	Process
1100	vn-zugo.exe
1100	vn-zugo.exe
1100	vn-zugo.exe
1100	vn-zugo.exe
1100	vn-zugo.exe
1100	vn-zugo.exe
1100	vn-zugo.exe
1100	vn-zugo.exe
1100	vn-zugo.exe
1100	vn-zugo.exe
1100	vn-zugo.exe
1100	vn-zugo.exe
1100	vn-zugo.exe
1100	vn-zugo.exe
1100	vn-zugo.exe
1100	vn-zugo.exe
1100	vn-zugo.exe
1100	vn-zugo.exe
1100	vn-zugo.exe
1100	vn-zugo.exe
1100	vn-zugo.exe
1100	vn-zugo.exe
1100	vn-zugo.exe
1100	vn-zugo.exe
1100	vn-zugo.exe
1100	vn-zugo.exe
1100	vn-zugo.exe
1100	vn-zugo.exe
1100	vn-zugo.exe
1100	vn-zugo.exe
1100	vn-zugo.exe
1100	vn-zugo.exe
1100	vn-zugo.exe
1100	vn-zugo.exe
1100	vn-zugo.exe
1100	vn-zugo.exe
1100	vn-zugo.exe
1100	vn-zugo.exe
1100	vn-zugo.exe
1100	vn-zugo.exe
1100	vn-zugo.exe
1100	vn-zugo.exe
1100	vn-zugo.exe
1100	vn-zugo.exe
1100	vn-zugo.exe
1100	vn-zugo.exe
1100	vn-zugo.exe
1100	vn-zugo.exe
1100	vn-zugo.exe
1100	vn-zugo.exe
1100	vn-zugo.exe
1100	vn-zugo.exe
1100	vn-zugo.exe
1100	vn-zugo.exe
1100	vn-zugo.exe
1100	vn-zugo.exe
1100	vn-zugo.exe
1100	vn-zugo.exe
1100	vn-zugo.exe
1100	vn-zugo.exe
1100	vn-zugo.exe
1100	vn-zugo.exe
1100	vn-zugo.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
1100	vn-zugo.exe
1100	vn-zugo.exe
1100	vn-zugo.exe
1100	vn-zugo.exe
1100	vn-zugo.exe
1100	vn-zugo.exe
1100	vn-zugo.exe
1100	vn-zugo.exe
1100	vn-zugo.exe

C:\Users\Admin\AppData\Local\Temp\vn-zugo.exe
"C:\Users\Admin\AppData\Local\Temp\vn-zugo.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsj9427.tmp\tbdata.json

Filesize
1KB

MD5
94a58297a33fac752722b569560bf43e

SHA1
8e2a0326d417ea3e2c0db16f960af3f5d3ae0d1b

SHA256
a7e1b75380f693353c17de4e8de48785fd346fc57d8422cc4074ac4d09cbef3a

SHA512
b7378f16e97b5f4941910d8b7fa508e4f51cbbabb92eba5a13cfe8d58445312b807872716abdb0c938590a7114ee221830243926aa15df63e0f9ada0e3bb675c

Download Submit
\Users\Admin\AppData\Local\Temp\nsj9427.tmp\GetVersion.dll

Filesize
6KB

MD5
5264f7d6d89d1dc04955cfb391798446

SHA1
211d8d3e7c2b2f57f54a11cb8bc4fa536df08acc

SHA256
7d76c7dd8f7cd5a87e0118dacb434db3971a049501e22a5f4b947154621ab3d4

SHA512
80d27ee2f87e2822bd5c8c55cc3d1e49beebb86d8557c92b52b7cbea9f27882d80e59eefa25e414eecee268a9a6193b6b50b748de33c778b007cde24ef8bcfb7

Download Submit
\Users\Admin\AppData\Local\Temp\nsj9427.tmp\Math.dll

Filesize
66KB

MD5
b140459077c7c39be4bef249c2f84535

SHA1
c56498241c2ddafb01961596da16d08d1b11cd35

SHA256
0598f7d83db44929b7170c1285457b52b4281185f63ced102e709bf065f10d67

SHA512
fbcb19a951d96a216d73b6b3e005338bbb6e11332c6cc8c3f179ccd420b4db0e5682dc4245bd120dcb67bc70960eab368e74c68c7c165a485a12a7d0d8a00328

Download Submit
\Users\Admin\AppData\Local\Temp\nsj9427.tmp\NSISdl.dll

Filesize
14KB

MD5
a5f8399a743ab7f9c88c645c35b1ebb5

SHA1
168f3c158913b0367bf79fa413357fbe97018191

SHA256
dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

SHA512
824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

Download Submit
\Users\Admin\AppData\Local\Temp\nsj9427.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nsj9427.tmp\inetc.dll

Filesize
20KB

MD5
2f94245152dbd233e248909f9c01c578

SHA1
ab4e5879c001b36a2f9ff214946599fd015edda9

SHA256
4c4d85eb9725fc7fade03467990e3dd9671c29a7870c97e69babc2cb3c9adef9

SHA512
f92830de27d6663be5e0df9e32cd88732bc7ee93b14c1ded65258c325d22436400801aff1124f40400c6c3b3c16e71deb08436714716f3888d13a8a6b6a32231

Download Submit
\Users\Admin\AppData\Local\Temp\nsj9427.tmp\linker.dll

Filesize
6KB

MD5
8450b29ee8d592c208ba1aaf6ee50267

SHA1
75096da057bc85cef63bb0eec168652ea75cf618

SHA256
53aa57e582dc56421c1191a0a9efac9c36960b903b7d825f3b9682605ec2b612

SHA512
d23a3057053a1f36f5eb212ae0b09b9b0b41e50b8a6a20bbc46c12c51199ad0bca741bcce17534488158e8f2b9470dbdac2aa059688b7588a05778c40d461039

Download Submit
\Users\Admin\AppData\Local\Temp\nsj9427.tmp\md5dll.dll

Filesize
8KB

MD5
a7d710e78711d5ab90e4792763241754

SHA1
f31cecd926c5d497aba163a17b75975ec34beb13

SHA256
9b05dd603f13c196f3f21c43f48834208fed2294f7090fcd1334931014611fb2

SHA512
f0ca2d6f9a8aeac84ef8b051154a041adffc46e3e9aced142e9c7bf5f7272b047e1db421d38cb2d9182d7442bee3dd806618b019ec042a23ae0e71671d2943c0

Download Submit
\Users\Admin\AppData\Local\Temp\nsj9427.tmp\nsProcess.dll

Filesize
4KB

MD5
05450face243b3a7472407b999b03a72

SHA1
ffd88af2e338ae606c444390f7eaaf5f4aef2cd9

SHA256
95fe9d92512ff2318cc2520311ef9145b2cee01209ab0e1b6e45c7ce1d4d0e89

SHA512
f4cbe30166aff20a226a7150d93a876873ba699d80d7e9f46f32a9b4753fa7966c3113a3124340b39ca67a13205463a413e740e541e742903e3f89af5a53ad3b

Download Submit
\Users\Admin\AppData\Local\Temp\nsj9427.tmp\nshist.dll

Filesize
39KB

MD5
56bf72527ae93d35cd8f8778ad29902b

SHA1
3248a7ca75a3c2e715a13b455ccc5d45e04cf9b9

SHA256
77f38240d729758f04fbd6ac00dc638e99ba27c42fa48200c99f51449e245343

SHA512
c8ea0445bb83bb67dffa85b167fcc9b6ea874493442db5707e939ee0f2864a0d464ee605de486febffc27b60cd3c35a91302f226f6c4f13186119687a7e6000e

Download Submit
\Users\Admin\AppData\Local\Temp\nsj9427.tmp\timepro.dll

Filesize
20KB

MD5
009dbbdd1ef470dd752c2b73835da3e7

SHA1
f97da6556b24302df8201a092eaa32a80d49064b

SHA256
c1ed8c398108dc56fbb6fd6797c3c9df59447e2a2f198b72a45058124971b09c

SHA512
dbffa0eb830b292e5550eb3f3cfce90f881282652afb0463672ece7eb0946c34a8f75c4852f77b1db3604f0f346d0ed9d9babbad40b41de109e9f5119d555ec5

Download Submit
memory/1100-166-0x0000000001ED0000-0x0000000001ED9000-memory.dmp

Filesize
36KB

Download
memory/1100-29-0x00000000003F0000-0x00000000003F9000-memory.dmp

Filesize
36KB

Download
memory/1100-18-0x0000000000550000-0x000000000056A000-memory.dmp

Filesize
104KB

Download