Resubmissions

02/03/2024, 23:20

240302-3bewdaac5s 8

02/03/2024, 22:47

240302-2qjx7sab3w 8

Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    02/03/2024, 23:20

General

  • Target

    Adware/WinZip Driver Updater/WinZip Driver Updater.exe

  • Size

    3.3MB

  • MD5

    7f2c30853e543c73398abbe67e36b39c

  • SHA1

    4a1a113b26080550ecbc5b1fdf9b83e2ebb61ae1

  • SHA256

    337d67549662e6ce2df81d926c86504d26dc68f7ea1d7a9a25ae709d414f6609

  • SHA512

    c23126b3ac0b89b7e69a055ea3839ddb24123fe5c731041de87ba8e8bcb1a294eacadd8e7987e1d3864091edc16885eee61f4dbca1e8cbef014f4271ad6cc5a5

  • SSDEEP

    49152:NuugZ81Zj5RX0j3IIwcBsCB32S5havOJjgmssQVHPrR8OnbXTQtmx1QWoG4:VicErw8sO2ysvOJjhssaPjEt3

Score
8/10

Malware Config

Signatures

  • Modifies Windows Firewall (2 TTPs, 2 IoCs)
  • Executes dropped EXE (2 IoCs)
  • Loads dropped DLL (7 IoCs)
  • Checks installed software on the system (1 TTPs)

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory (42 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill (4 IoCs)
  • Modifies registry class (64 IoCs)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  • Suspicious use of AdjustPrivilegeToken (3 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoCs)
  • Suspicious use of WriteProcessMemory (50 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\Adware\WinZip Driver Updater\WinZip Driver Updater.exe
    "C:\Users\Admin\AppData\Local\Temp\Adware\WinZip Driver Updater\WinZip Driver Updater.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2000
    • C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp" /SL5="$B014E,3017901,168448,C:\Users\Admin\AppData\Local\Temp\Adware\WinZip Driver Updater\WinZip Driver Updater.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:2704
      • C:\Windows\SysWOW64\taskkill.exe
        "C:\Windows\system32\taskkill.exe" /f /im winzipdu.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2560
      • C:\Windows\SysWOW64\taskkill.exe
        "C:\Windows\system32\taskkill.exe" /f /im DriverUpdateHelper64.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2672
      • C:\Windows\SysWOW64\regsvr32.exe
        "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\jscript.dll"
        3⤵
        • Modifies registry class
        PID:2452
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /delete /tn "WINZIPDU-WINZIPDUDriverUpdater" /f
        3⤵
        PID:1756
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /delete /tn "WinZipDriverUpdater" /f
        3⤵
        PID:1064
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /delete /tn "WinZipDriverUpdaterRunAtStartup" /f
        3⤵
        PID:2344
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\system32\netsh.exe" advfirewall firewall delete rule "WinZipDriverUpdater"
        3⤵
        • Modifies Windows Firewall
        PID:2308
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="WinZipDriverUpdater" dir=in action=allow program="C:\Program Files (x86)\WinZip Driver Updater\winzipdu.exe"
        3⤵
        • Modifies Windows Firewall
        PID:1752
      • C:\Windows\SysWOW64\taskkill.exe
        "C:\Windows\system32\taskkill.exe" /f /im winzipdu.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2220
      • C:\Windows\SysWOW64\taskkill.exe
        "C:\Windows\system32\taskkill.exe" /f /im DriverUpdateHelper64.exe
        3⤵
        • Kills process with taskkill
        PID:2032
      • C:\Program Files (x86)\WinZip Driver Updater\winzipdu.exe
        "C:\Program Files (x86)\WinZip Driver Updater\winzipdu.exe" -firstinstall
        3⤵
        PID:2224
  • C:\Program Files (x86)\WinZip Driver Updater\winzipdu.exe
    "C:\Program Files (x86)\WinZip Driver Updater\winzipdu.exe"
    1⤵
    • Executes dropped EXE
    PID:2528

Network

MITRE ATT&CK Enterprise v15

Downloads