Analysis
max time kernel: 150s
max time network: 155s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 02/03/2024, 23:20
Behavioral task: behavioral1
Sample: Adware/Reimage Repair/ReimageRepair.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: Adware/Reimage Repair/ReimageRepair.exe
Resource: win10v2004-20240226-en

Behavioral task: behavioral3
Sample: Adware/WinZip Driver Updater/WinZip Driver Updater.exe
Resource: win7-20240221-en
General
Target: Adware/WinZip Driver Updater/WinZip Driver Updater.exe
Size: 3.3MB
MD5: 7f2c30853e543c73398abbe67e36b39c
SHA1: 4a1a113b26080550ecbc5b1fdf9b83e2ebb61ae1
SHA256: 337d67549662e6ce2df81d926c86504d26dc68f7ea1d7a9a25ae709d414f6609
SHA512: c23126b3ac0b89b7e69a055ea3839ddb24123fe5c731041de87ba8e8bcb1a294eacadd8e7987e1d3864091edc16885eee61f4dbca1e8cbef014f4271ad6cc5a5
SSDEEP: 49152:NuugZ81Zj5RX0j3IIwcBsCB32S5havOJjgmssQVHPrR8OnbXTQtmx1QWoG4:VicErw8sO2ysvOJjhssaPjEt3
Malware Config
Signatures
Modifies Windows Firewall (2 TTPs, 2 IoCs)
  PID 1752 netsh.exe
  PID 2308 netsh.exe
Executes dropped EXE (2 IoCs)
  PID 2704 WinZip Driver Updater.tmp
  PID 2528 winzipdu.exe
Loads dropped DLL (7 IoCs)
  PID 2000 WinZip Driver Updater.exe
  PID 2704 WinZip Driver Updater.tmp (listed 6 times)
Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in Program Files directory (42 IoCs)
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Kills process with taskkill (4 IoCs)
  PID 2560 taskkill.exe
  PID 2672 taskkill.exe
  PID 2220 taskkill.exe
  PID 2032 taskkill.exe
Modifies registry class (64 IoCs)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 2704 WinZip Driver Updater.tmp (listed twice)
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  PID 2704 WinZip Driver Updater.tmp
Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege, PID 2560 taskkill.exe
  Token: SeDebugPrivilege, PID 2672 taskkill.exe
  Token: SeDebugPrivilege, PID 2220 taskkill.exe
Suspicious use of FindShellTrayWindow (1 IoCs)
  PID 2704 WinZip Driver Updater.tmp
Suspicious use of WriteProcessMemory (50 IoCs)
Processes
C:\Users\Admin\AppData\Local\Temp\Adware\WinZip Driver Updater\WinZip Driver Updater.exe (PID 2000)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Adware\WinZip Driver Updater\WinZip Driver Updater.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp (PID 2704)
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp" /SL5="$B014E,3017901,168448,C:\Users\Admin\AppData\Local\Temp\Adware\WinZip Driver Updater\WinZip Driver Updater.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\taskkill.exe (PID 2560)
      Command line: "C:\Windows\system32\taskkill.exe" /f /im winzipdu.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\taskkill.exe (PID 2672)
      Command line: "C:\Windows\system32\taskkill.exe" /f /im DriverUpdateHelper64.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\regsvr32.exe (PID 2452)
      Command line: "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\jscript.dll"
      - Modifies registry class
    C:\Windows\SysWOW64\schtasks.exe (PID 1756)
      Command line: "C:\Windows\System32\schtasks.exe" /delete /tn "WINZIPDU-WINZIPDUDriverUpdater" /f
    C:\Windows\SysWOW64\schtasks.exe (PID 1064)
      Command line: "C:\Windows\System32\schtasks.exe" /delete /tn "WinZipDriverUpdater" /f
    C:\Windows\SysWOW64\schtasks.exe (PID 2344)
      Command line: "C:\Windows\System32\schtasks.exe" /delete /tn "WinZipDriverUpdaterRunAtStartup" /f
    C:\Windows\SysWOW64\netsh.exe (PID 2308)
      Command line: "C:\Windows\system32\netsh.exe" advfirewall firewall delete rule "WinZipDriverUpdater"
      - Modifies Windows Firewall
    C:\Windows\SysWOW64\netsh.exe (PID 1752)
      Command line: "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="WinZipDriverUpdater" dir=in action=allow program="C:\Program Files (x86)\WinZip Driver Updater\winzipdu.exe"
      - Modifies Windows Firewall
    C:\Windows\SysWOW64\taskkill.exe (PID 2220)
      Command line: "C:\Windows\system32\taskkill.exe" /f /im winzipdu.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\taskkill.exe (PID 2032)
      Command line: "C:\Windows\system32\taskkill.exe" /f /im DriverUpdateHelper64.exe
      - Kills process with taskkill
    C:\Program Files (x86)\WinZip Driver Updater\winzipdu.exe (PID 2224)
      Command line: "C:\Program Files (x86)\WinZip Driver Updater\winzipdu.exe" -firstinstall
C:\Program Files (x86)\WinZip Driver Updater\winzipdu.exe (PID 2528)
  Command line: "C:\Program Files (x86)\WinZip Driver Updater\winzipdu.exe"
  - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads