f1d9c87c7e97db85d31c56b62f33ae71a2869281cf054a1b4f1ce0d891e84f44

Analysis

max time kernel
102s
max time network
105s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06-01-2023 09:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Zoom_Commercial_setup.exe
Size

550KB
MD5

b7af9364e54e733684f2b5ef4bdd550a
SHA1

0b4a2b89d5373e6e13395753786154e90e803387
SHA256

37e06231dbbfd682fed877eece815fc8f383f05396495468805d75c94a802e6e
SHA512

15aafec28acb2862168ee073bd7dc7ea766463e677399f2d6da200f7db9a342c4e8db6f9237e12174fa4c99acf3d3279f686bb11e8a12adc53072492ef828c48
SSDEEP

6144:7nx1IH1z1RRu8HAx08JgSRxEguHjseJ1Rb/:shvRu8g3dbEjHjselb/

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1940	_gpj.Scr

Loads dropped DLL 1 IoCs

pid	Process
1708	Zoom_Commercial_setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1940	_gpj.Scr

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2004	DllHost.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 1940	1708	Zoom_Commercial_setup.exe	28
PID 1708 wrote to memory of 1940	1708	Zoom_Commercial_setup.exe	28
PID 1708 wrote to memory of 1940	1708	Zoom_Commercial_setup.exe	28
PID 1708 wrote to memory of 1940	1708	Zoom_Commercial_setup.exe	28
PID 1708 wrote to memory of 1940	1708	Zoom_Commercial_setup.exe	28
PID 1708 wrote to memory of 1940	1708	Zoom_Commercial_setup.exe	28
PID 1708 wrote to memory of 1940	1708	Zoom_Commercial_setup.exe	28

C:\Users\Admin\AppData\Local\Temp\Zoom_Commercial_setup.exe
"C:\Users\Admin\AppData\Local\Temp\Zoom_Commercial_setup.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Users\Admin\AppData\Local\Temp\_gpj.Scr
  "C:\Users\Admin\AppData\Local\Temp\_gpj.Scr" /S
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1940

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:2004

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_gpj.Scr

Filesize
350.0MB

MD5
d53d10043ba87eeed33d98d04e3d7520

SHA1
d18c487cca17fbe2b58530bedd7d5fa0665c4def

SHA256
1300c6ff5d21a761a13fec4954a2c86cc64ae07d510c9cf53af377a61597da9a

SHA512
359673bbe112456621eae9068ec6dabf346609eab68356bfa06a93192a31404bef3e0f86dd1296929d5d5e59bb8bb93dda4c19747697ed9b4dc6f0791f5dec3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_gpj.Scr

Filesize
350.0MB

MD5
d53d10043ba87eeed33d98d04e3d7520

SHA1
d18c487cca17fbe2b58530bedd7d5fa0665c4def

SHA256
1300c6ff5d21a761a13fec4954a2c86cc64ae07d510c9cf53af377a61597da9a

SHA512
359673bbe112456621eae9068ec6dabf346609eab68356bfa06a93192a31404bef3e0f86dd1296929d5d5e59bb8bb93dda4c19747697ed9b4dc6f0791f5dec3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\photo_2023-01-03_13-28-2243422343434.jpg

Filesize
62KB

MD5
fcdecb12b2ed8e155c907e4c859b8a6c

SHA1
3b2c3d28a9fff01ac0a06687d1754e9bd4b8959b

SHA256
f2a763febed5e90674696122977187ed1b08a428d5ba972ad963c535cce9189e

SHA512
9b312ac4e51497eb17f12b26f1e4598459cbfeeb5298e0c4086b6d209ef02739709d39d2b5f0577afa2baaa450cc19089776643abaee450bb1da52aee3a5bda1

Download Submit
\Users\Admin\AppData\Local\Temp\_gpj.Scr

Filesize
350.0MB

MD5
d53d10043ba87eeed33d98d04e3d7520

SHA1
d18c487cca17fbe2b58530bedd7d5fa0665c4def

SHA256
1300c6ff5d21a761a13fec4954a2c86cc64ae07d510c9cf53af377a61597da9a

SHA512
359673bbe112456621eae9068ec6dabf346609eab68356bfa06a93192a31404bef3e0f86dd1296929d5d5e59bb8bb93dda4c19747697ed9b4dc6f0791f5dec3b

Download Submit
memory/1708-54-0x0000000076121000-0x0000000076123000-memory.dmp

Filesize
8KB

Download
memory/1940-60-0x0000000000240000-0x0000000000248000-memory.dmp

Filesize
32KB

Download