f3dfbacb9f780941ad25c4e5cfe7bd87e5593b5e6a6f83b3ba81eeca14721914

Analysis

max time kernel
67s
max time network
71s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
19-04-2023 11:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7FAR - ZModeler 3.1.2 (build 1123)/ZModeler3.exe
Size

2.1MB
MD5

ba9c3b1175816bccc94569cecafcc56a
SHA1

76d2efe2e2e2707b1d6c6b07df46378c7fdc87f7
SHA256

6d077be498b6fe479f1e436dc9fe6ab340953fd73b8f48542a450778289f7cf9
SHA512

5096213f5549f6df818a7ec87be2117d2a1dcef5880b7222c3a400a3102196acc61b77a5325838b98322b329fc01069dfdc1664a4fc460dbc506989313062c35
SSDEEP

49152:8RbCzUWavtaGk/aDtDFzfaupR1g6pyItvY2v3Q:8AUWavhDjXpLtQ2v3

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

Processes:

ZModeler3.exe

pid	Process
2152	ZModeler3.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

Processes:

ZModeler3.exe

pid	Process
2152	ZModeler3.exe
2152	ZModeler3.exe
2152	ZModeler3.exe
2152	ZModeler3.exe
2152	ZModeler3.exe
2152	ZModeler3.exe
2152	ZModeler3.exe

Modifies registry class 10 IoCs

Processes:

ZModeler3.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.z3d\ = "ZModeler3.scene"	ZModeler3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ZModeler3.scene	ZModeler3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ZModeler3.scene\DefaultIcon	ZModeler3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ZModeler3.scene\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7FAR - ZModeler 3.1.2 (build 1123)\\ZModeler3.exe, 1"	ZModeler3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ZModeler3.scene\shell\open	ZModeler3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.z3d	ZModeler3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ZModeler3.scene\ = ".z3d scene"	ZModeler3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ZModeler3.scene\shell\open\command	ZModeler3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ZModeler3.scene\shell	ZModeler3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ZModeler3.scene\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7FAR - ZModeler 3.1.2 (build 1123)\\ZModeler3.exe \"%1\""	ZModeler3.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

ZModeler3.exe

description	pid	Process
Token: SeBackupPrivilege	2152	ZModeler3.exe
Token: SeSecurityPrivilege	2152	ZModeler3.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

ZModeler3.exe

pid	Process
2152	ZModeler3.exe
2152	ZModeler3.exe
2152	ZModeler3.exe

C:\Users\Admin\AppData\Local\Temp\7FAR - ZModeler 3.1.2 (build 1123)\ZModeler3.exe
"C:\Users\Admin\AppData\Local\Temp\7FAR - ZModeler 3.1.2 (build 1123)\ZModeler3.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2152

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7FAR - ZModeler 3.1.2 (build 1123)\Shared\codelib.dynamic

Filesize
31KB

MD5
f3c753590f2c18c9e9c42120b81862fd

SHA1
f77fe92d2346977de861aa73d621e6cebe97761c

SHA256
92ad238fee98cf64c51f27f3ba6075b89e68bfd796376d2fefaadc7698f60716

SHA512
70948f7cb32a50c074fdd2e8601c4b1cac40daa0d793c0415efaaf71028dea3309a741ed43de53254f9d3ade0bbfb7e4822982daa14fbbadae502ea9ec3f79c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7FAR - ZModeler 3.1.2 (build 1123)\Shared\codelib.zmx

Filesize
31KB

MD5
8d898ad0308a3a8aed8e1e38ce52da99

SHA1
cf6bb12a0d8239feb6af0e90480f2bdd21da8127

SHA256
72474b77d1a0550868643410c4900951fb72dbace8bfc2eb219941a34138cf5d

SHA512
83456e842c0163da689ed56d74d73f29bb085036a988281a31c8f6458c43eae95c7104b0a10747292b3f8c16eb48366e7d7ae8dc53525502b68d45b0a64426d8

Download Submit
memory/2152-133-0x0000000000DE0000-0x0000000001430000-memory.dmp

Filesize
6.3MB

Download
memory/2152-134-0x0000000002FA0000-0x0000000002FA1000-memory.dmp

Filesize
4KB

Download
memory/2152-135-0x0000000000DE0000-0x0000000001430000-memory.dmp

Filesize
6.3MB

Download
memory/2152-136-0x0000000000DE0000-0x0000000001430000-memory.dmp

Filesize
6.3MB

Download
memory/2152-151-0x0000000000DE0000-0x0000000001430000-memory.dmp

Filesize
6.3MB

Download
memory/2152-152-0x0000000000DE0000-0x0000000001430000-memory.dmp

Filesize
6.3MB

Download
memory/2152-153-0x0000000000DE0000-0x0000000001430000-memory.dmp

Filesize
6.3MB

Download
memory/2152-154-0x0000000000DE0000-0x0000000001430000-memory.dmp

Filesize
6.3MB

Download
memory/2152-155-0x0000000000DE0000-0x0000000001430000-memory.dmp

Filesize
6.3MB

Download