1f1ad9c1f639326946f39129cb9ff5015669a0a3dd9e21db07163fb48cb6b709

Analysis

max time kernel
594s
max time network
456s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
03/05/2024, 17:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ZenStudio.exe
Size

19.6MB
MD5

1fae469528fcc28ec48eb939b39f8a69
SHA1

21f3642dbc8a5b7bd60cd285490f119aacdaa1a8
SHA256

49e2e48406ae2b43df1e04c20c2fd13b9b25d7d16eb07bfe268f471ee755208c
SHA512

16eb03db6c71770be6b142949f1eaee6ffd5839543d781b8870455cde089db643538c3ed12c2e03da43ec1e4a71ed0454343e23915a2ead9dcb0ff09432f17c1
SSDEEP

393216:vM13RE6vuMqY6WIm9FzFfKTIX8g2JnniEMbvJBvoFzENUZM2Ez05Ts:vM13BmS7FYniEGRliNFE8s

Score

1^/10

Malware Config

Signatures

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ZenStudio\shell\open	ZenStudio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ZenStudio\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ZenStudio.exe \"%1\""	ZenStudio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ZenStudio	ZenStudio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ZenStudio\ = "URL: Zen Studio Protocol"	ZenStudio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ZenStudio\URL PROTOCOL	ZenStudio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ZenStudio\shell\open\command	ZenStudio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ZenStudio\shell	ZenStudio.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3980	ZenStudio.exe
3980	ZenStudio.exe
3980	ZenStudio.exe
3980	ZenStudio.exe
3980	ZenStudio.exe
3980	ZenStudio.exe
3980	ZenStudio.exe
3980	ZenStudio.exe
3980	ZenStudio.exe
3980	ZenStudio.exe
3980	ZenStudio.exe
3980	ZenStudio.exe
3980	ZenStudio.exe
3980	ZenStudio.exe
3980	ZenStudio.exe
3980	ZenStudio.exe
3980	ZenStudio.exe
3980	ZenStudio.exe
3980	ZenStudio.exe
3980	ZenStudio.exe
3980	ZenStudio.exe
3980	ZenStudio.exe
3980	ZenStudio.exe
3980	ZenStudio.exe
3980	ZenStudio.exe
3980	ZenStudio.exe
3980	ZenStudio.exe
3980	ZenStudio.exe
3980	ZenStudio.exe
3980	ZenStudio.exe
3980	ZenStudio.exe
3980	ZenStudio.exe
3980	ZenStudio.exe
3980	ZenStudio.exe
3980	ZenStudio.exe
3980	ZenStudio.exe
3980	ZenStudio.exe
3980	ZenStudio.exe
3980	ZenStudio.exe
3980	ZenStudio.exe
3980	ZenStudio.exe
3980	ZenStudio.exe
3980	ZenStudio.exe
3980	ZenStudio.exe
3980	ZenStudio.exe
3980	ZenStudio.exe
3980	ZenStudio.exe
3980	ZenStudio.exe
3980	ZenStudio.exe
3980	ZenStudio.exe
3980	ZenStudio.exe
3980	ZenStudio.exe
3980	ZenStudio.exe
3980	ZenStudio.exe
3980	ZenStudio.exe
3980	ZenStudio.exe
3980	ZenStudio.exe
3980	ZenStudio.exe
3980	ZenStudio.exe
3980	ZenStudio.exe
3980	ZenStudio.exe
3980	ZenStudio.exe
3980	ZenStudio.exe
3980	ZenStudio.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3980	ZenStudio.exe

C:\Users\Admin\AppData\Local\Temp\ZenStudio.exe
"C:\Users\Admin\AppData\Local\Temp\ZenStudio.exe"
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3980

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3980-0-0x00000000745DE000-0x00000000745DF000-memory.dmp

Filesize
4KB

Download
memory/3980-1-0x0000000000EE0000-0x0000000002276000-memory.dmp

Filesize
19.6MB

Download
memory/3980-2-0x00000000745D0000-0x0000000074D81000-memory.dmp

Filesize
7.7MB

Download
memory/3980-3-0x000000000E300000-0x000000000F498000-memory.dmp

Filesize
17.6MB

Download
memory/3980-4-0x0000000008540000-0x0000000008652000-memory.dmp

Filesize
1.1MB

Download
memory/3980-5-0x0000000006EB0000-0x0000000006F16000-memory.dmp

Filesize
408KB

Download
memory/3980-6-0x0000000008E20000-0x0000000008E76000-memory.dmp

Filesize
344KB

Download
memory/3980-8-0x0000000009760000-0x000000000978A000-memory.dmp

Filesize
168KB

Download
memory/3980-7-0x0000000009740000-0x000000000975C000-memory.dmp

Filesize
112KB

Download
memory/3980-14-0x0000000007280000-0x000000000728E000-memory.dmp

Filesize
56KB

Download
memory/3980-17-0x00000000075C0000-0x00000000075F2000-memory.dmp

Filesize
200KB

Download
memory/3980-18-0x00000000075F0000-0x0000000007600000-memory.dmp

Filesize
64KB

Download
memory/3980-19-0x00000000745D0000-0x0000000074D81000-memory.dmp

Filesize
7.7MB

Download
memory/3980-20-0x0000000007DB0000-0x0000000007DB8000-memory.dmp

Filesize
32KB

Download
memory/3980-21-0x0000000007E20000-0x0000000007E58000-memory.dmp

Filesize
224KB

Download
memory/3980-22-0x0000000007DF0000-0x0000000007DFE000-memory.dmp

Filesize
56KB

Download
memory/3980-23-0x000000000C8B0000-0x000000000CE56000-memory.dmp

Filesize
5.6MB

Download
memory/3980-24-0x0000000007F40000-0x0000000007FD2000-memory.dmp

Filesize
584KB

Download
memory/3980-25-0x00000000745D0000-0x0000000074D81000-memory.dmp

Filesize
7.7MB

Download
memory/3980-26-0x0000000009E40000-0x000000000A1A0000-memory.dmp

Filesize
3.4MB

Download
memory/3980-27-0x000000000C300000-0x000000000C5FE000-memory.dmp

Filesize
3.0MB

Download
memory/3980-28-0x0000000007FE0000-0x0000000007FE8000-memory.dmp

Filesize
32KB

Download
memory/3980-29-0x0000000008010000-0x0000000008086000-memory.dmp

Filesize
472KB

Download
memory/3980-30-0x000000000C840000-0x000000000C848000-memory.dmp

Filesize
32KB

Download
memory/3980-31-0x00000000745DE000-0x00000000745DF000-memory.dmp

Filesize
4KB

Download
memory/3980-32-0x00000000745D0000-0x0000000074D81000-memory.dmp

Filesize
7.7MB

Download
memory/3980-33-0x00000000745D0000-0x0000000074D81000-memory.dmp

Filesize
7.7MB

Download
memory/3980-34-0x00000000745D0000-0x0000000074D81000-memory.dmp

Filesize
7.7MB

Download