Resubmissions
21/05/2024, 11:02  240521-m5dmeabb56  (score 7)
21/05/2024, 11:01  240521-m4sd6sbb38  (score 3)
21/05/2024, 10:58  240521-m25xgsba9t  (score 7)

Analysis
max time kernel: 20s
max time network: 21s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21/05/2024, 11:02
Static task
static1

Behavioral tasks
Task          Sample                              Resource
behavioral1   ZoomInfoContactContributor.exe.7z   win10v2004-20240508-en
behavioral2   ZoomInfoContactContributor.exe      win10v2004-20240426-en
behavioral3   $PLUGINSDIR/FindProcDLL.dll         win10v2004-20240426-en
behavioral4   $PLUGINSDIR/GetVersion.dll          win10v2004-20240426-en
behavioral5   $PLUGINSDIR/NSISdl.dll              win10v2004-20240508-en
behavioral6   $PLUGINSDIR/System.dll              win10v2004-20240426-en
behavioral7   $PLUGINSDIR/modern-wizard.bmp       win10v2004-20240508-en
behavioral8   $PLUGINSDIR/nsDialogs.dll           win10v2004-20240426-en
behavioral9   $PLUGINSDIR/nsisunz.dll             win10v2004-20240508-en
behavioral10  $TEMP/uninstall_fc.exe              win10v2004-20240226-en
behavioral11  uninstall.exe.nsis                  win10v2004-20240508-en
behavioral12  zi.ico                              win10v2004-20240426-en
General
Target: ZoomInfoContactContributor.exe
Size: 259KB
MD5: 1c0674970e55ff28e3d6d4b9fc435f39
SHA1: e33df0cd1ead927fb3ad769ff311e5598c533da2
SHA256: be790b55b11f6502be0c8cf14f2ab4f9e97debe7e07efde26cf24f3927d791db
SHA512: d7118c1d4df00ba69ac69a8d8907a93122e7414c127280250d1e8dcf5603c762923fc19e26c770b5dcecec306fe1559bb1ea813cdcfadc0031ca72ae29c5b74f
SSDEEP: 3072:6gXdZt9P6D3XJazx7Op5KmEOm9Ek1ydrZeDAf1OnV8AHzsFypc9U:6e348t7uUmq9EnvAH4F8uU
Malware Config
Signatures
Loads dropped DLL (19 IoCs)
pid 2988, ZoomInfoContactContributor.exe (19 entries)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Enumerates system info in registry (2 TTPs, 3 IoCs)
description        ioc                                                                   Process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     msedge.exe

Suspicious behavior: EnumeratesProcesses (5 IoCs)
pid 2996, msedge.exe (2 entries); pid 3828, msedge.exe (3 entries)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (3 IoCs)
pid 3828, msedge.exe (3 entries)

Suspicious use of FindShellTrayWindow (26 IoCs)
pid 3828, msedge.exe (26 entries)

Suspicious use of SendNotifyMessage (24 IoCs)
pid 3828, msedge.exe (24 entries)

Suspicious use of WriteProcessMemory (64 IoCs)
description                       pid   Process                         procid_target  entries
PID 2988 wrote to memory of 3828  2988  ZoomInfoContactContributor.exe  93             2
PID 3828 wrote to memory of 212   3828  msedge.exe                      94             2
PID 3828 wrote to memory of 2392  3828  msedge.exe                      95             40
PID 3828 wrote to memory of 2996  3828  msedge.exe                      96             2
PID 3828 wrote to memory of 1980  3828  msedge.exe                      97             18
Processes
"C:\Users\Admin\AppData\Local\Temp\ZoomInfoContactContributor.exe"
    PID: 2988
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://cswapper.freshcontacts.com/client/installfailure?client_version=62&failure_point=DetermineOutlookCompatibility&os_version=Windows 6.2 9200 64 [ ]&outlook_version=none&outlook_bitness=none&client_id={33BD350B-A417-433E-84A1-B31885DBB3D9}&error_message=&reachout=true&appid=4
        PID: 3828
        - Enumerates system info in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory

        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc744346f8,0x7ffc74434708,0x7ffc74434718
            PID: 212

        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,17597920790082972687,12494438426106769065,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
            PID: 2392

        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,17597920790082972687,12494438426106769065,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
            PID: 2996
            - Suspicious behavior: EnumeratesProcesses

        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,17597920790082972687,12494438426106769065,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2784 /prefetch:8
            PID: 1980

        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17597920790082972687,12494438426106769065,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
            PID: 2008

        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17597920790082972687,12494438426106769065,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
            PID: 2904

        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17597920790082972687,12494438426106769065,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4984 /prefetch:1
            PID: 2360

C:\Windows\System32\CompPkgSrv.exe -Embedding
    PID: 4348

C:\Windows\System32\CompPkgSrv.exe -Embedding
    PID: 760
Network
MITRE ATT&CK Enterprise v15
Downloads