Analysis

  • max time kernel
    126s
  • max time network
    136s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07-11-2023 17:01

General

  • Target
    ZoomInstallerFull.exe
  • Size
    69.8MB
  • MD5
    92f71d362d7313cc02fd22c485d9ccde
  • SHA1
    aedd681f78c2f1147fa975032898077dc51dba39
  • SHA256
    5f1814c5be81f291eed598852289fe171fac88645e47c78078dbcb800e1b59d6
  • SHA512
    b3ec4477504d70f63e793144eaca664b5e81b4866872181c65234601d7d49add870dd67713c90fd8b0bb65c6a62205509a80253bbfd114ce745b0dfb4e66e11b
  • SSDEEP
    1572864:BwzPJaxV90isM7Mw6yWjmsrf7AQ3Vg+IlXL4QrpZi+nb:BwzMlMVjmsbsgS+mXLHnlb

Score
4/10

Malware Config

Signatures

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:544
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2708
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2708.0.279467312\512590288" -parentBuildID 20221007134813 -prefsHandle 1892 -prefMapHandle 1884 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1ad2652c-76a3-45bf-94b6-08b2bf252ac6} 2708 "\\.\pipe\gecko-crash-server-pipe.2708" 1972 23d7f6dcb58 gpu
        3⤵
        PID:4920
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2708.1.1052407712\385158669" -parentBuildID 20221007134813 -prefsHandle 2352 -prefMapHandle 2348 -prefsLen 20974 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {12199af0-8c79-4cb3-a1a0-4ebfacae17eb} 2708 "\\.\pipe\gecko-crash-server-pipe.2708" 2364 23d75874058 socket
        3⤵
        PID:1460
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2708.2.1955049241\1361737200" -childID 1 -isForBrowser -prefsHandle 2848 -prefMapHandle 2996 -prefsLen 21012 -prefMapSize 232675 -jsInitHandle 1424 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {77e18c45-34a2-435d-a659-bfaebfb10408} 2708 "\\.\pipe\gecko-crash-server-pipe.2708" 1416 23d0646b658 tab
        3⤵
        PID:824
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2708.3.221837191\1491260261" -childID 2 -isForBrowser -prefsHandle 3516 -prefMapHandle 3512 -prefsLen 26437 -prefMapSize 232675 -jsInitHandle 1424 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {11d9766d-d81d-4ce1-89cc-ef034cbf8cc8} 2708 "\\.\pipe\gecko-crash-server-pipe.2708" 1008 23d0492de58 tab
        3⤵
        PID:336
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2708.4.1039145316\2131506496" -childID 3 -isForBrowser -prefsHandle 3812 -prefMapHandle 3788 -prefsLen 26437 -prefMapSize 232675 -jsInitHandle 1424 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {79f9a33d-0cf7-4ae8-be89-ed253bd817b7} 2708 "\\.\pipe\gecko-crash-server-pipe.2708" 3832 23d75865b58 tab
        3⤵
        PID:4744
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2708.5.1461070906\1675152583" -childID 4 -isForBrowser -prefsHandle 4848 -prefMapHandle 4836 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1424 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {252bcbea-f068-4d6f-bd5c-cf43da647ffa} 2708 "\\.\pipe\gecko-crash-server-pipe.2708" 4860 23d064ca758 tab
        3⤵
        PID:636
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2708.6.713041385\1640133025" -childID 5 -isForBrowser -prefsHandle 4872 -prefMapHandle 4864 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1424 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {db81c60b-e030-4057-8bae-466994e485fd} 2708 "\\.\pipe\gecko-crash-server-pipe.2708" 4888 23d07bd8658 tab
        3⤵
        PID:2696
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2708.7.1549625112\246707599" -childID 6 -isForBrowser -prefsHandle 4836 -prefMapHandle 5144 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1424 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {42eb8807-d24b-4f1e-9cfb-d4170fca4e96} 2708 "\\.\pipe\gecko-crash-server-pipe.2708" 5228 23d0762d258 tab
        3⤵
        PID:5204
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2708.8.1775898577\1266821228" -childID 7 -isForBrowser -prefsHandle 4608 -prefMapHandle 4732 -prefsLen 26921 -prefMapSize 232675 -jsInitHandle 1424 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b90a119e-7927-4e9e-9002-8f2a2abab3e8} 2708 "\\.\pipe\gecko-crash-server-pipe.2708" 3080 23d0762f358 tab
        3⤵
        PID:5520
  • C:\Users\Admin\AppData\Local\Temp\ZoomInstallerFull.exe
    "C:\Users\Admin\AppData\Local\Temp\ZoomInstallerFull.exe"
    1⤵
    PID:5368
    • C:\Users\Admin\AppData\Local\Temp\7zS8F42B738\Installer.exe
      .\Installer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:5428

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\04pqhkp3.default-release\activity-stream.discovery_stream.json.tmp
    Filesize
    22KB
    MD5
    300bcaef27eb49cd30e135f22a9f1098
    SHA1
    83fc42ae6692b7e0256885d595bb66f40077068f
    SHA256
    a58d6722918362625ad8db7c49a37f6d1c2282cb6aa7e9ab50d1d554920379c2
    SHA512
    8eefe7a03a93dd3c5b5156052f647d85c62e291a79ac2d3c286183805877f71d9f3b3da57fb1b3e1ddfc888ed20816190b8e47d9367e46b937eb67ca47249204
  • C:\Users\Admin\AppData\Local\Temp\7zS8F42B738\Installer.exe
    Filesize
    980KB
    MD5
    ae0d1ff002d0a318b8a2bca129430317
    SHA1
    1d551465186fcd80ff7f13c7374a9d58a572e810
    SHA256
    467eca3e4954a1cff55f4d84c22336165114610927150d43de6cefeae29070c1
    SHA512
    acbbe5e19336cb700cf3d30a5e6151dd4ae3d0eec896b9f7442ee56bf0c87a79ac26b739a3fcd9a40dfede983e28e5e1efc7b29a17f8dca16894e51e0bd1d508
  • C:\Users\Admin\AppData\Local\Temp\7zS8F42B738\ZoomFull_Sip.CAB
    Filesize
    69.2MB
    MD5
    89f23011b20ce78a4dc682c59e1bbbba
    SHA1
    c1c4945613e8409eaf02fff1e1351e59512384bc
    SHA256
    bfd18f1d18ccff5743918f58dab890fd037812f856d385f0884eec4e11d02632
    SHA512
    2a806653cb2f42ef03a5d61bc335538d6871c811281af7041635cf876ff0ccb9feca95db6298d6c633b90d7bc2d524a815203fbe995863825767a33528fabb3b
  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\04pqhkp3.default-release\prefs-1.js
    Filesize
    6KB
    MD5
    603b7bf85609af6873cac584632c53d8
    SHA1
    d5bc69122a54e9baa2c7e8b1bb99cb440e13fd99
    SHA256
    86b6a697953b50cb63a06c423d1c8ebce1aedb644ee9df36741362c50023bee1
    SHA512
    c83be2941ec34efc75eb86a158612413870d7948a63c67776551388af42621e3903f07b0761247381d2c41fe6ac702cca57eb6e62aadbac8d9cf5d3257cf7e11
  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\04pqhkp3.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize
    1KB
    MD5
    465eaad12480247981fd75be3cad3ef9
    SHA1
    792fc9143d24dc8e075db7deaf0a4cf4e8ec81e3
    SHA256
    d0daddbf69fa5d92814e031f66257b80881be0505efe520e13e485325d319720
    SHA512
    7209ff97a07c74845601782aef4ba993128b30bad5f1e151e67c8a608275821743af1239ce7cc88139e8671bc87f2f1db3fa89a419b9b2455c128f63521aa1f1
  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\04pqhkp3.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize
    3KB
    MD5
    22d087cc00cd7d2c403192aae4977387
    SHA1
    d4e80f182921402cb223c2a6d674d50d6f8ee7a2
    SHA256
    ac3e330ded9dbffaa5abed8cab121d4194e0f783884ca1f022ef31623312163f
    SHA512
    80a07b41eef3067f7ebce028df95820fc75bb5357c1adb637d7d7f6d7cb2275d3cd892f3b9ba42a81871e2a675917a56f64961e1f5246f71c2591f28c8f89091
  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\04pqhkp3.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize
    1KB
    MD5
    fb7a8917e3de8b9ff8e2945823e7a040
    SHA1
    68517469036463877d4ce4f8c063e836aff47f70
    SHA256
    4b2ce4591b3100017e00809c91f97b86c3ac005508dd677526174dfe44592758
    SHA512
    03ed6a59becd3447bf66798aa77d90d2f78fd9115323425d27bf00faae12e558ee97cd8248697fd3bd9f0cfb58e85330efb79618df85a805830bafb0fb0b7638
  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\04pqhkp3.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize
    4KB
    MD5
    26b2cecdecbe4a9d54a445485604645f
    SHA1
    af3c3b2d064a0bf2710e8615348a9d59ef395938
    SHA256
    bc8baff36c57fff9551e135118aeea496c922bb743384f09ddb569c092fe688c
    SHA512
    eba86b61a20f5077c9e274298c4499caa14c79c60d2394f453f8856c9aff9bbd1864f060586f2cb5a84192a55115da0ad070a0940bfe1f84ab65b2aafe07cc9b