a96982e8c7c60161303db9df2235268a7be9a2dac2fd5fdd12ba317cd7259cb0

Analysis

max time kernel
150s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
01-08-2023 03:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

zoom_44113424.exe
Size

4.9MB
MD5

3490dc6fe080b01509ae7adf52d6f3d0
SHA1

84ed7d674daa4b8fc5db1f40c2d22b052c678672
SHA256

a96982e8c7c60161303db9df2235268a7be9a2dac2fd5fdd12ba317cd7259cb0
SHA512

cedf06cd7313e20b291a45f09e937aeed3d53f4eb9d0f666a62c4b493686fb5702297ffdd36e66afe6a2ed16028354301edeede8170dcb269a4ad1d4341ed750
SSDEEP

98304:Z4s9s38iiFAIc5t94qs4DwpzFgfLS6GdiGTKH12n++8aKIJzDqW5f:Z4on+IfXxK9GYGOVgl/K6DP

Score

8^/10

bootkit persistence

Malware Config

Signatures

Downloads MZ/PE file
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

zoom_44113424.exe

description ioc process

File opened for modification \??\PhysicalDrive0 zoom_44113424.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	zoom_44113424.exe

Drops file in Program Files directory 2 IoCs

Processes:

zoom_44113424.exe

description	ioc	process
File created	C:\Program Files (x86)\Ludashi\{2D9E162B-23F8-4eea-9A08-B406823D8F4D}.tf	zoom_44113424.exe
File created	C:\Program Files (x86)\Ludashi\{8C427AAD-1AB3-4416-875D-AA7F8C7B839E}.tf	zoom_44113424.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

zoom_44113424.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	zoom_44113424.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	zoom_44113424.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	zoom_44113424.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

zoom_44113424.exe

pid process

4380 zoom_44113424.exe
4380 zoom_44113424.exe
4380 zoom_44113424.exe
4380 zoom_44113424.exe
4380 zoom_44113424.exe
4380 zoom_44113424.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

zoom_44113424.exe

pid	process
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

zoom_44113424.exe

pid	process
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe
4380	zoom_44113424.exe

C:\Users\Admin\AppData\Local\Temp\zoom_44113424.exe
"C:\Users\Admin\AppData\Local\Temp\zoom_44113424.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4380-134-0x0000000002EC0000-0x0000000002EC1000-memory.dmp

Filesize
4KB

Download
memory/4380-133-0x0000000002EA0000-0x0000000002EA1000-memory.dmp

Filesize
4KB

Download
memory/4380-135-0x0000000000050000-0x00000000008DA000-memory.dmp

Filesize
8.5MB

Download
memory/4380-136-0x0000000002ED0000-0x0000000002ED1000-memory.dmp

Filesize
4KB

Download
memory/4380-137-0x0000000002F00000-0x0000000002F01000-memory.dmp

Filesize
4KB

Download
memory/4380-139-0x0000000003030000-0x0000000003031000-memory.dmp

Filesize
4KB

Download
memory/4380-138-0x0000000002F10000-0x0000000002F11000-memory.dmp

Filesize
4KB

Download
memory/4380-143-0x0000000000050000-0x00000000008DA000-memory.dmp

Filesize
8.5MB

Download
memory/4380-144-0x0000000000050000-0x00000000008DA000-memory.dmp

Filesize
8.5MB

Download
memory/4380-145-0x0000000000050000-0x00000000008DA000-memory.dmp

Filesize
8.5MB

Download
memory/4380-146-0x0000000000050000-0x00000000008DA000-memory.dmp

Filesize
8.5MB

Download
memory/4380-147-0x0000000077B10000-0x0000000077B20000-memory.dmp

Filesize
64KB

Download
memory/4380-148-0x0000000077C42000-0x0000000077C43000-memory.dmp

Filesize
4KB

Download
memory/4380-149-0x0000000077B10000-0x0000000077B20000-memory.dmp

Filesize
64KB

Download
memory/4380-150-0x0000000000050000-0x00000000008DA000-memory.dmp

Filesize
8.5MB

Download
memory/4380-151-0x0000000000050000-0x00000000008DA000-memory.dmp

Filesize
8.5MB

Download
memory/4380-152-0x0000000000050000-0x00000000008DA000-memory.dmp

Filesize
8.5MB

Download
memory/4380-153-0x0000000000050000-0x00000000008DA000-memory.dmp

Filesize
8.5MB

Download
memory/4380-154-0x0000000000050000-0x00000000008DA000-memory.dmp

Filesize
8.5MB

Download
memory/4380-155-0x0000000000050000-0x00000000008DA000-memory.dmp

Filesize
8.5MB

Download
memory/4380-156-0x0000000000050000-0x00000000008DA000-memory.dmp

Filesize
8.5MB

Download
memory/4380-158-0x0000000000050000-0x00000000008DA000-memory.dmp

Filesize
8.5MB

Download
memory/4380-159-0x0000000000050000-0x00000000008DA000-memory.dmp

Filesize
8.5MB

Download
memory/4380-160-0x0000000000050000-0x00000000008DA000-memory.dmp

Filesize
8.5MB

Download
memory/4380-161-0x0000000000050000-0x00000000008DA000-memory.dmp

Filesize
8.5MB

Download
memory/4380-162-0x0000000000050000-0x00000000008DA000-memory.dmp

Filesize
8.5MB

Download
memory/4380-163-0x0000000000050000-0x00000000008DA000-memory.dmp

Filesize
8.5MB

Download
memory/4380-164-0x0000000000050000-0x00000000008DA000-memory.dmp

Filesize
8.5MB

Download
memory/4380-170-0x0000000000050000-0x00000000008DA000-memory.dmp

Filesize
8.5MB

Download
memory/4380-171-0x0000000000050000-0x00000000008DA000-memory.dmp

Filesize
8.5MB

Download
memory/4380-172-0x0000000000050000-0x00000000008DA000-memory.dmp

Filesize
8.5MB

Download
memory/4380-173-0x0000000000050000-0x00000000008DA000-memory.dmp

Filesize
8.5MB

Download
memory/4380-174-0x0000000000050000-0x00000000008DA000-memory.dmp

Filesize
8.5MB

Download
memory/4380-175-0x0000000000050000-0x00000000008DA000-memory.dmp

Filesize
8.5MB

Download
memory/4380-176-0x0000000000050000-0x00000000008DA000-memory.dmp

Filesize
8.5MB

Download
memory/4380-177-0x0000000000050000-0x00000000008DA000-memory.dmp

Filesize
8.5MB

Download
memory/4380-178-0x0000000000050000-0x00000000008DA000-memory.dmp

Filesize
8.5MB

Download
memory/4380-179-0x0000000000050000-0x00000000008DA000-memory.dmp

Filesize
8.5MB

Download
memory/4380-180-0x0000000000050000-0x00000000008DA000-memory.dmp

Filesize
8.5MB

Download
memory/4380-181-0x0000000000050000-0x00000000008DA000-memory.dmp

Filesize
8.5MB

Download
memory/4380-182-0x0000000000050000-0x00000000008DA000-memory.dmp

Filesize
8.5MB

Download
memory/4380-183-0x0000000000050000-0x00000000008DA000-memory.dmp

Filesize
8.5MB

Download
memory/4380-184-0x0000000000050000-0x00000000008DA000-memory.dmp

Filesize
8.5MB

Download
memory/4380-185-0x0000000000050000-0x00000000008DA000-memory.dmp

Filesize
8.5MB

Download
memory/4380-186-0x0000000000050000-0x00000000008DA000-memory.dmp

Filesize
8.5MB

Download
memory/4380-187-0x0000000000050000-0x00000000008DA000-memory.dmp

Filesize
8.5MB

Download
memory/4380-188-0x0000000000050000-0x00000000008DA000-memory.dmp

Filesize
8.5MB

Download
memory/4380-189-0x0000000000050000-0x00000000008DA000-memory.dmp

Filesize
8.5MB

Download
memory/4380-190-0x0000000077C42000-0x0000000077C43000-memory.dmp

Filesize
4KB

Download
memory/4380-191-0x0000000000050000-0x00000000008DA000-memory.dmp

Filesize
8.5MB

Download
memory/4380-193-0x0000000000050000-0x00000000008DA000-memory.dmp

Filesize
8.5MB

Download
memory/4380-192-0x0000000000050000-0x00000000008DA000-memory.dmp

Filesize
8.5MB

Download
memory/4380-194-0x0000000000050000-0x00000000008DA000-memory.dmp

Filesize
8.5MB

Download
memory/4380-195-0x0000000000050000-0x00000000008DA000-memory.dmp

Filesize
8.5MB

Download
memory/4380-196-0x0000000000050000-0x00000000008DA000-memory.dmp

Filesize
8.5MB

Download
memory/4380-197-0x0000000000050000-0x00000000008DA000-memory.dmp

Filesize
8.5MB

Download
memory/4380-198-0x0000000000050000-0x00000000008DA000-memory.dmp

Filesize
8.5MB

Download
memory/4380-199-0x0000000000050000-0x00000000008DA000-memory.dmp

Filesize
8.5MB

Download