f73a3d154a2168d215b59f6457f14dd157aa8458a1150506a2274b6bcf58fb9a

Analysis

max time kernel
146s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
25-02-2024 12:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ZEBRA_DRIVER.exe
Size

9.7MB
MD5

81845d50f4f51785366cad51743aac1c
SHA1

4a917cdc2ee2aa834d2b79b56afd949927f105d3
SHA256

f73a3d154a2168d215b59f6457f14dd157aa8458a1150506a2274b6bcf58fb9a
SHA512

cbe2d5ba382758d1c5f75e9c42e4a9c886ace8bd69890da2105eaf435e91923e707bde34c2a5165c33ff9ec294d79826863ce5ea345233aa4301b4fdf2b841b8
SSDEEP

196608:HgxUZkSoh7mH1LmK75kj7YN6ywiozawqsvDqKjwtWayJdk1VYzJL35pR:HgxUZkS2QBL6FHSwMVYzdp3

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4128	zddriver-v5-1-16-6447-installer.exe

Loads dropped DLL 3 IoCs

pid	Process
4128	zddriver-v5-1-16-6447-installer.exe
4128	zddriver-v5-1-16-6447-installer.exe
4128	zddriver-v5-1-16-6447-installer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\ZEBRA_DRIVER.exe	ZEBRA_DRIVER.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\ZEBRA_DRIVER.exe\IsHostApp	ZEBRA_DRIVER.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\zddriver-v5-1-16-6447-installer.exe	zddriver-v5-1-16-6447-installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\zddriver-v5-1-16-6447-installer.exe\IsHostApp	zddriver-v5-1-16-6447-installer.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4128	zddriver-v5-1-16-6447-installer.exe
Token: SeSecurityPrivilege	4128	zddriver-v5-1-16-6447-installer.exe
Token: SeTakeOwnershipPrivilege	4128	zddriver-v5-1-16-6447-installer.exe
Token: SeLoadDriverPrivilege	4128	zddriver-v5-1-16-6447-installer.exe
Token: SeSystemProfilePrivilege	4128	zddriver-v5-1-16-6447-installer.exe
Token: SeSystemtimePrivilege	4128	zddriver-v5-1-16-6447-installer.exe
Token: SeProfSingleProcessPrivilege	4128	zddriver-v5-1-16-6447-installer.exe
Token: SeIncBasePriorityPrivilege	4128	zddriver-v5-1-16-6447-installer.exe
Token: SeCreatePagefilePrivilege	4128	zddriver-v5-1-16-6447-installer.exe
Token: SeBackupPrivilege	4128	zddriver-v5-1-16-6447-installer.exe
Token: SeRestorePrivilege	4128	zddriver-v5-1-16-6447-installer.exe
Token: SeShutdownPrivilege	4128	zddriver-v5-1-16-6447-installer.exe
Token: SeDebugPrivilege	4128	zddriver-v5-1-16-6447-installer.exe
Token: SeSystemEnvironmentPrivilege	4128	zddriver-v5-1-16-6447-installer.exe
Token: SeRemoteShutdownPrivilege	4128	zddriver-v5-1-16-6447-installer.exe
Token: SeUndockPrivilege	4128	zddriver-v5-1-16-6447-installer.exe
Token: SeManageVolumePrivilege	4128	zddriver-v5-1-16-6447-installer.exe
Token: 33	4128	zddriver-v5-1-16-6447-installer.exe
Token: 34	4128	zddriver-v5-1-16-6447-installer.exe
Token: 35	4128	zddriver-v5-1-16-6447-installer.exe
Token: 36	4128	zddriver-v5-1-16-6447-installer.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1556	ZEBRA_DRIVER.exe
4128	zddriver-v5-1-16-6447-installer.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1556 wrote to memory of 4128	1556	ZEBRA_DRIVER.exe	92
PID 1556 wrote to memory of 4128	1556	ZEBRA_DRIVER.exe	92
PID 1556 wrote to memory of 4128	1556	ZEBRA_DRIVER.exe	92

C:\Users\Admin\AppData\Local\Temp\ZEBRA_DRIVER.exe
"C:\Users\Admin\AppData\Local\Temp\ZEBRA_DRIVER.exe"
1⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1556
- C:\Users\Admin\AppData\Local\Temp\mia6503.tmp\zddriver-v5-1-16-6447-installer.exe
  .\zddriver-v5-1-16-6447-installer.exe /m="C:\Users\Admin\AppData\Local\Temp\ZEBRA_~1.EXE" /k=""
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:4128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\mia1\mWinRunExec.dll

Filesize
397KB

MD5
c3fac02c1ebe74f105c5459089d49b25

SHA1
16e5c995c0b71f75e6770850f11bf8a0c1af3336

SHA256
dd15e01839e3277c79e6534ac0e09b113110c5562f5aa6b2fd2bbd87c3bf1fbc

SHA512
8d42311a4ad6752f79302af2557288dd67cd232a1868771a840315b1dc338816b6d8524d23b2d97bb905f0522b15a89f78c1491f1b5f4518806ccb68fc7ac8d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\mia1\setuptype.dfm.miaf

Filesize
374B

MD5
8101e0cc3186c05f85b2cd484d26ae9d

SHA1
b3cf33e0784e3a6f3b3feb2b2501e0bda5932efa

SHA256
a0e750466327e92e2dcc96d72a19a7738a65ab765262df4801e6677528f14d6c

SHA512
df3692d29cdf0434806a0bcf034afe6869b0bf5c0be24f18637d373374c1e1803ac5b6d1f671ccd6e89b313e26f85657ea487a2ebaeae0b99359a66f21df910b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mia1\welcome.dfm.miaf

Filesize
5B

MD5
3bab25a3e651a9e4a00473d2257b99f9

SHA1
1419458f2696be8daeade77ddad380cd0c871fdb

SHA256
f01a374e9c81e3db89b3a42940c4d6a5447684986a1296e42bf13f196eed6295

SHA512
ae8dc1129b7a81ba70c9512a94a3e9ccd8c159f1817e309198c2babaf5bcb3f7e97f43b54ea4937cbea468bb5a62328fc0c01982aa1b883d8fd6d2e2c58090ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\mia6503.tmp\data\OFFLINE\FF875643\3FEC3A74\BA105SL1.BA0

Filesize
571B

MD5
65636d2cd3ba0ee7d6a7eb7116a451f9

SHA1
ba19ed02b9b12565017dfe29edcea972293a51a6

SHA256
f13f624e4440df9bc1badefd04fd37d5068f734ef6fa288bd717c1cb17d7d25d

SHA512
332b1736da54c9fbc5bc700464397a1adbbe6c20a78712576ad239f4d4a1303ed90c5fd0887be78df88b803edd7de5fec11b454bd1ce2c302dfb071c51d4091b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mia6503.tmp\mia.lib

Filesize
106KB

MD5
b0142c10b300f9efb7f08c5a2daeba12

SHA1
5c951cb20b8dff306ca3bad5fa5751fc7aa02e6f

SHA256
c5389790fd686feeb3bc7c5413cde641b2c79a25679f798dd83082660e34acc8

SHA512
9a5796ddf0b9fd61b11d24a958fad4d9f395fe94863cde5db82081e1f122bf48e5b32edb5a9a632d7f28c0d96503322f4086d9569b4943f946eec9ee821e29f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\mia6503.tmp\mia.lib

Filesize
569KB

MD5
266ae92c560bd6174daefa24e612d63c

SHA1
a1eaf7ac518a106b833788e04b4b74c2ae7e4000

SHA256
5c4ab12e5e2ebe9a412b013c49f2a28afc7d9051009ff0ac6ce6c36f1d3d3968

SHA512
ef839dff9a43b5192933d53f77240833d345fa0f4b80079c3ed4da5da0d91749ea3f3f6c111405119a9aba7745c4fde65fabf5aaa1578e7fd82eb6711d2cf2d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\mia6503.tmp\zddriver-v5-1-16-6447-installer.exe

Filesize
3.2MB

MD5
d67c783fbe94bad2e07af0c9946b8c1c

SHA1
026f79601930b1ac53a4b8d3306a7f45db6f25db

SHA256
aa398f9a3195ee4555a38dabffe60e40e1acc1001f23dd239fb0f8fe30d6b891

SHA512
e4292cb7e6ac23e622aed658ca98ec14d01c39932c4d0a720ed0540abe7fee16c93abd8b99d8ec3b24b92c3c841809dd7605a677241fc1ca890bfb8221a79886

Download Submit
C:\Users\Admin\AppData\Local\Temp\mia6503.tmp\zddriver-v5-1-16-6447-installer.exe

Filesize
3.4MB

MD5
78f04df92fc41ee8c4f5b161e61cb9e5

SHA1
e04a8327fa16564364f1b51ecac89c7d4919683d

SHA256
ca4753d0d38fcce29355c3db6521953e734235aecf0edc0001ec7faf20bf9446

SHA512
e2f4af28a0ed743585710867133af66feb53c250dbf56a845939133dffb1a0864849a4c94bf4596f79b9923d4817b351e9ab1e5d61ea646e0d509ff7c3786432

Download Submit
C:\Users\Admin\AppData\Local\Temp\mia6503.tmp\zddriver-v5-1-16-6447-installer.msi

Filesize
352KB

MD5
52d95389e49a1ca5a50c90062c7b42e1

SHA1
35665e36bef0ec5a662d8e01eab4b02669c4d44b

SHA256
699223f595578b4a578596912ae6792f447bb6fab29c4b7ce63ab8484be6f2a8

SHA512
d64cdd590d3184f141fd245d29cea0c5d61090f0762b1b306e284257bd58e8890c8071de8cd5d5edb5d311677caeaa4027234a4742727d1a5d5f0be05078a6ec

Download Submit
\??\z:\zddriver-v5-1-16-6447-installer.res

Filesize
3.7MB

MD5
bf07e0fdc6bc1fa570176421ace5692e

SHA1
6ae203b07622d1450fbd4d8e1b7f9729ac5e7e4d

SHA256
d519c44bd1217963a67da9f161f79d26a5bbafe2057896b091d9bf60f53f7007

SHA512
aca689490f1056dd80948694a0563d35be52d4df1b2c8abd4e0ede76067ea91b637835c69d0c68d955aae1f2b79dc24d0b000e66a42af11bece0e2d9d6b04a01

Download Submit
memory/4128-1062-0x0000000002560000-0x0000000002561000-memory.dmp

Filesize
4KB

Download
memory/4128-1168-0x0000000005740000-0x00000000057AD000-memory.dmp

Filesize
436KB

Download
memory/4128-1171-0x00000000058F0000-0x00000000058F1000-memory.dmp

Filesize
4KB

Download
memory/4128-1172-0x0000000000400000-0x00000000007AF000-memory.dmp

Filesize
3.7MB

Download
memory/4128-1174-0x0000000002560000-0x0000000002561000-memory.dmp

Filesize
4KB

Download