719ce6fa8d023a0ecccf4c2caeda8961debacf6d23444f76e7c9a50274bcd33e

Resubmissions

21/05/2024, 11:02

240521-m5dmeabb56 7

21/05/2024, 11:01

240521-m4sd6sbb38 3

21/05/2024, 10:58

240521-m25xgsba9t 7

Analysis

max time kernel
20s
max time network
21s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
21/05/2024, 11:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ZoomInfoContactContributor.exe
Size

259KB
MD5

1c0674970e55ff28e3d6d4b9fc435f39
SHA1

e33df0cd1ead927fb3ad769ff311e5598c533da2
SHA256

be790b55b11f6502be0c8cf14f2ab4f9e97debe7e07efde26cf24f3927d791db
SHA512

d7118c1d4df00ba69ac69a8d8907a93122e7414c127280250d1e8dcf5603c762923fc19e26c770b5dcecec306fe1559bb1ea813cdcfadc0031ca72ae29c5b74f
SSDEEP

3072:6gXdZt9P6D3XJazx7Op5KmEOm9Ek1ydrZeDAf1OnV8AHzsFypc9U:6e348t7uUmq9EnvAH4F8uU

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 19 IoCs

pid	Process
2988	ZoomInfoContactContributor.exe
2988	ZoomInfoContactContributor.exe
2988	ZoomInfoContactContributor.exe
2988	ZoomInfoContactContributor.exe
2988	ZoomInfoContactContributor.exe
2988	ZoomInfoContactContributor.exe
2988	ZoomInfoContactContributor.exe
2988	ZoomInfoContactContributor.exe
2988	ZoomInfoContactContributor.exe
2988	ZoomInfoContactContributor.exe
2988	ZoomInfoContactContributor.exe
2988	ZoomInfoContactContributor.exe
2988	ZoomInfoContactContributor.exe
2988	ZoomInfoContactContributor.exe
2988	ZoomInfoContactContributor.exe
2988	ZoomInfoContactContributor.exe
2988	ZoomInfoContactContributor.exe
2988	ZoomInfoContactContributor.exe
2988	ZoomInfoContactContributor.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2996	msedge.exe
2996	msedge.exe
3828	msedge.exe
3828	msedge.exe
3828	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3828	msedge.exe
3828	msedge.exe
3828	msedge.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3828	msedge.exe
3828	msedge.exe
3828	msedge.exe
3828	msedge.exe
3828	msedge.exe
3828	msedge.exe
3828	msedge.exe
3828	msedge.exe
3828	msedge.exe
3828	msedge.exe
3828	msedge.exe
3828	msedge.exe
3828	msedge.exe
3828	msedge.exe
3828	msedge.exe
3828	msedge.exe
3828	msedge.exe
3828	msedge.exe
3828	msedge.exe
3828	msedge.exe
3828	msedge.exe
3828	msedge.exe
3828	msedge.exe
3828	msedge.exe
3828	msedge.exe
3828	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3828	msedge.exe
3828	msedge.exe
3828	msedge.exe
3828	msedge.exe
3828	msedge.exe
3828	msedge.exe
3828	msedge.exe
3828	msedge.exe
3828	msedge.exe
3828	msedge.exe
3828	msedge.exe
3828	msedge.exe
3828	msedge.exe
3828	msedge.exe
3828	msedge.exe
3828	msedge.exe
3828	msedge.exe
3828	msedge.exe
3828	msedge.exe
3828	msedge.exe
3828	msedge.exe
3828	msedge.exe
3828	msedge.exe
3828	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2988 wrote to memory of 3828	2988	ZoomInfoContactContributor.exe	93
PID 2988 wrote to memory of 3828	2988	ZoomInfoContactContributor.exe	93
PID 3828 wrote to memory of 212	3828	msedge.exe	94
PID 3828 wrote to memory of 212	3828	msedge.exe	94
PID 3828 wrote to memory of 2392	3828	msedge.exe	95
PID 3828 wrote to memory of 2392	3828	msedge.exe	95
PID 3828 wrote to memory of 2392	3828	msedge.exe	95
PID 3828 wrote to memory of 2392	3828	msedge.exe	95
PID 3828 wrote to memory of 2392	3828	msedge.exe	95
PID 3828 wrote to memory of 2392	3828	msedge.exe	95
PID 3828 wrote to memory of 2392	3828	msedge.exe	95
PID 3828 wrote to memory of 2392	3828	msedge.exe	95
PID 3828 wrote to memory of 2392	3828	msedge.exe	95
PID 3828 wrote to memory of 2392	3828	msedge.exe	95
PID 3828 wrote to memory of 2392	3828	msedge.exe	95
PID 3828 wrote to memory of 2392	3828	msedge.exe	95
PID 3828 wrote to memory of 2392	3828	msedge.exe	95
PID 3828 wrote to memory of 2392	3828	msedge.exe	95
PID 3828 wrote to memory of 2392	3828	msedge.exe	95
PID 3828 wrote to memory of 2392	3828	msedge.exe	95
PID 3828 wrote to memory of 2392	3828	msedge.exe	95
PID 3828 wrote to memory of 2392	3828	msedge.exe	95
PID 3828 wrote to memory of 2392	3828	msedge.exe	95
PID 3828 wrote to memory of 2392	3828	msedge.exe	95
PID 3828 wrote to memory of 2392	3828	msedge.exe	95
PID 3828 wrote to memory of 2392	3828	msedge.exe	95
PID 3828 wrote to memory of 2392	3828	msedge.exe	95
PID 3828 wrote to memory of 2392	3828	msedge.exe	95
PID 3828 wrote to memory of 2392	3828	msedge.exe	95
PID 3828 wrote to memory of 2392	3828	msedge.exe	95
PID 3828 wrote to memory of 2392	3828	msedge.exe	95
PID 3828 wrote to memory of 2392	3828	msedge.exe	95
PID 3828 wrote to memory of 2392	3828	msedge.exe	95
PID 3828 wrote to memory of 2392	3828	msedge.exe	95
PID 3828 wrote to memory of 2392	3828	msedge.exe	95
PID 3828 wrote to memory of 2392	3828	msedge.exe	95
PID 3828 wrote to memory of 2392	3828	msedge.exe	95
PID 3828 wrote to memory of 2392	3828	msedge.exe	95
PID 3828 wrote to memory of 2392	3828	msedge.exe	95
PID 3828 wrote to memory of 2392	3828	msedge.exe	95
PID 3828 wrote to memory of 2392	3828	msedge.exe	95
PID 3828 wrote to memory of 2392	3828	msedge.exe	95
PID 3828 wrote to memory of 2392	3828	msedge.exe	95
PID 3828 wrote to memory of 2392	3828	msedge.exe	95
PID 3828 wrote to memory of 2996	3828	msedge.exe	96
PID 3828 wrote to memory of 2996	3828	msedge.exe	96
PID 3828 wrote to memory of 1980	3828	msedge.exe	97
PID 3828 wrote to memory of 1980	3828	msedge.exe	97
PID 3828 wrote to memory of 1980	3828	msedge.exe	97
PID 3828 wrote to memory of 1980	3828	msedge.exe	97
PID 3828 wrote to memory of 1980	3828	msedge.exe	97
PID 3828 wrote to memory of 1980	3828	msedge.exe	97
PID 3828 wrote to memory of 1980	3828	msedge.exe	97
PID 3828 wrote to memory of 1980	3828	msedge.exe	97
PID 3828 wrote to memory of 1980	3828	msedge.exe	97
PID 3828 wrote to memory of 1980	3828	msedge.exe	97
PID 3828 wrote to memory of 1980	3828	msedge.exe	97
PID 3828 wrote to memory of 1980	3828	msedge.exe	97
PID 3828 wrote to memory of 1980	3828	msedge.exe	97
PID 3828 wrote to memory of 1980	3828	msedge.exe	97
PID 3828 wrote to memory of 1980	3828	msedge.exe	97
PID 3828 wrote to memory of 1980	3828	msedge.exe	97
PID 3828 wrote to memory of 1980	3828	msedge.exe	97
PID 3828 wrote to memory of 1980	3828	msedge.exe	97

C:\Users\Admin\AppData\Local\Temp\ZoomInfoContactContributor.exe
"C:\Users\Admin\AppData\Local\Temp\ZoomInfoContactContributor.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://cswapper.freshcontacts.com/client/installfailure?client_version=62&failure_point=DetermineOutlookCompatibility&os_version=Windows 6.2 9200 64 [ ]&outlook_version=none&outlook_bitness=none&client_id={33BD350B-A417-433E-84A1-B31885DBB3D9}&error_message=&reachout=true&appid=4
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3828
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc744346f8,0x7ffc74434708,0x7ffc74434718
    3⤵
    PID:212
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,17597920790082972687,12494438426106769065,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
    3⤵
    PID:2392
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,17597920790082972687,12494438426106769065,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2996
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,17597920790082972687,12494438426106769065,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2784 /prefetch:8
    3⤵
    PID:1980
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17597920790082972687,12494438426106769065,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
    3⤵
    PID:2008
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17597920790082972687,12494438426106769065,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
    3⤵
    PID:2904
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17597920790082972687,12494438426106769065,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4984 /prefetch:1
    3⤵
    PID:2360

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4348

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ecdc2754d7d2ae862272153aa9b9ca6e

SHA1
c19bed1c6e1c998b9fa93298639ad7961339147d

SHA256
a13d791473f836edcab0e93451ce7b7182efbbc54261b2b5644d319e047a00a7

SHA512
cd4fb81317d540f8b15f1495a381bb6f0f129b8923a7c06e4b5cf777d2625c30304aee6cc68aa20479e08d84e5030b43fbe93e479602400334dfdd7297f702f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2daa93382bba07cbc40af372d30ec576

SHA1
c5e709dc3e2e4df2ff841fbde3e30170e7428a94

SHA256
1826d2a57b1938c148bf212a47d947ed1bfb26cfc55868931f843ee438117f30

SHA512
65635cb59c81548a9ef8fdb0942331e7f3cd0c30ce1d4dba48aed72dbb27b06511a55d2aeaadfadbbb4b7cb4b2e2772bbabba9603b3f7d9c8b9e4a7fbf3d6b6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
448d5cd80274ebfb8a68f27d5db66eaf

SHA1
65f7f98adf9e413ca78f810827996dc4142c0b99

SHA256
b2e13557902740b23b4f94911af76252e5d882f7220e935fb16ac44f9b4c46db

SHA512
3b4d1d5f3dd14e7c4a628416a19f915081cf5bfbce352c063965ed56c38939a620a550de67e7fa155cc49d4fa39d1577d08ab1e4489bb7a452a413cb0c43c91c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
701B

MD5
3a623a9ca7555bd6fad9df33e386fa55

SHA1
2b1d88d17a469ca91cd77feba77049567ffb2035

SHA256
65f70c7a6f21ec066906c29b50071c912e937ad9060af9b1ebdc35da156d2083

SHA512
46b916d88357f52f89e30fa8b6b2b172210bd4bccae2024f60c3ca54d18c507126dbdbb3059a97ecb381a2a34a392168cfc0f1d7be4537d1336ad56142b5fa94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
47371fe5ee37b6a31d0e79d537c9436b

SHA1
5444814f07cdfed30ecac3988f66e857de10f503

SHA256
0d1e730c54137a9e42dd3f65e3a9e03223ddc60336cc7e348c21772598201afb

SHA512
95bfbedfe325b01f65381e9ac5aed023cdf76369d16dbd58b6b8d12bf6fe594bbfb4ad883849e3aa81ee40aaedbb323b978d7a8401e4d756f0b96804b5c44614

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1804e465ac4adb5ae99617c4c2619c4c

SHA1
26d0040d6b991145891b685a1d77ad7eab569b7d

SHA256
899df73f14140c09b1e6a90433cc77b501ae1ca6076720c576c2de64c4d793fc

SHA512
9d0867d5137dc1096c575ef803bcd17529ded4e12411893ce12d942e3a10138dbe6eb9b416da3dd8aae53ef0359116d654e4d04ae3b40a6846cd6ac3ab81c0e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
838d9f11e8b21fa0e7b083698841a868

SHA1
c3162f97ed0812849d5ef6fbc9ff20e517555186

SHA256
565313662b395e41bfb728c8acfbb85053eb0d50a59432cf40e20b76e0b34b2e

SHA512
59b888148d6fc48f7dc618700537eb8a9ca07065eaed528da06fbd1ad9f32644ef4da64bc771af24f4cc26af0038f9ddb72695e9ee43f3eb73229364e7bd3ef6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw24BF.tmp\GetVersion.dll

Filesize
5KB

MD5
2e2412281a205ed8d53aafb3ef770a2d

SHA1
3cae4138e8226866236cf34f8fb00dafb0954d97

SHA256
db09adb6e17b6a0b31823802431ff5209018ee8c77a193ac8077e42e5f15fb00

SHA512
6d57249b7e02e1dfed2e297ec35fb375ecf3abc893d68694f4fa5f2e82ec68c129af9cc5ce3dd4025147309c0832a2847b69334138f3d29c5572ff4e1b16f219

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw24BF.tmp\NSISdl.dll

Filesize
14KB

MD5
a5f8399a743ab7f9c88c645c35b1ebb5

SHA1
168f3c158913b0367bf79fa413357fbe97018191

SHA256
dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

SHA512
824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw24BF.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit