Overview

overview

4

Static

static

3

ZenToolsTweaks.exe

windows10-1703-x64

4

ZenToolsTweaks.exe

windows10-2004-x64

1

Analysis

  • max time kernel
    207s
  • max time network
    254s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    04-05-2024 01:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ZenToolsTweaks.exe

  • Size

    3.8MB

  • MD5

    26ea2e0c58710d66460cf7ce2a94645d

  • SHA1

    3dc492bef5e6086708199b61379f3b01637678e1

  • SHA256

    94036d7c26dfdb4bd21bc99e2536f1f551340c853d180b7487a09e78897d9e7b

  • SHA512

    cf5adda102ead57bc9166a60e84b80ba73db74d6115b862587d2a1b2827140e51f0987ed398df4f755e9216d4b1df6f212a486b62dad95aecfacbb46517e97f5

  • SSDEEP

    98304:xwkzQdU2ZNiroxLOWyTyt1cF/A70mH/6SwmnuMDH3QOj:xwk8m21dJ7GI0mfnjnuYHp

Score
4/10

Malware Config

Signatures

  • Drops file in Windows directory 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 4 IoCs
    evasion
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ZenToolsTweaks.exe
    "C:\Users\Admin\AppData\Local\Temp\ZenToolsTweaks.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:500
    • C:\Windows\System32\cmd.exe
      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\88D7.tmp\88D8.tmp\88D9.bat C:\Users\Admin\AppData\Local\Temp\ZenToolsTweaks.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4384
      • C:\Windows\system32\mode.com
        mode con:cols=75 lines=8
        3⤵
          PID:1396
        • C:\Windows\system32\timeout.exe
          timeout /t 7 /nobreak
          3⤵
          • Delays execution with timeout.exe
          PID:4496
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:4472
      • C:\Users\Admin\AppData\Local\Temp\ZenToolsTweaks.exe
        "C:\Users\Admin\AppData\Local\Temp\ZenToolsTweaks.exe"
        1⤵
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4688
        • C:\Windows\System32\cmd.exe
          "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\B90A.tmp\B90B.tmp\B90C.bat C:\Users\Admin\AppData\Local\Temp\ZenToolsTweaks.exe"
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:2012
          • C:\Windows\system32\mode.com
            mode con:cols=75 lines=8
            3⤵
              PID:1232
            • C:\Windows\system32\timeout.exe
              timeout /t 7 /nobreak
              3⤵
              • Delays execution with timeout.exe
              PID:4932
        • C:\Windows\system32\taskmgr.exe
          "C:\Windows\system32\taskmgr.exe" /4
          1⤵
          • Drops file in Windows directory
          • Checks SCSI registry key(s)
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:2644
        • C:\Users\Admin\AppData\Local\Temp\ZenToolsTweaks.exe
          "C:\Users\Admin\AppData\Local\Temp\ZenToolsTweaks.exe"
          1⤵
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2972
          • C:\Windows\System32\cmd.exe
            "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\17B4.tmp\17B5.tmp\17B6.bat C:\Users\Admin\AppData\Local\Temp\ZenToolsTweaks.exe"
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:4172
            • C:\Windows\system32\mode.com
              mode con:cols=75 lines=8
              3⤵
                PID:3688
              • C:\Windows\system32\timeout.exe
                timeout /t 7 /nobreak
                3⤵
                • Delays execution with timeout.exe
                PID:1088
          • C:\Users\Admin\AppData\Local\Temp\ZenToolsTweaks.exe
            "C:\Users\Admin\AppData\Local\Temp\ZenToolsTweaks.exe"
            1⤵
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1044
            • C:\Windows\System32\cmd.exe
              "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\7A66.tmp\7A67.tmp\7A68.bat C:\Users\Admin\AppData\Local\Temp\ZenToolsTweaks.exe"
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:3204
              • C:\Windows\system32\mode.com
                mode con:cols=75 lines=8
                3⤵
                  PID:4228
                • C:\Windows\system32\timeout.exe
                  timeout /t 7 /nobreak
                  3⤵
                  • Delays execution with timeout.exe
                  PID:4604
            • C:\Windows\System32\NOTEPAD.EXE
              "C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\7A66.tmp\7A67.tmp\7A68.bat
              1⤵
              • Opens file in notepad (likely ransom note)
              PID:2920

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\51383089-4f45-4483-b401-12a2f1b1194f.tmp
              Filesize

              88KB

              MD5

              2cc86b681f2cd1d9f095584fd3153a61

              SHA1

              2a0ac7262fb88908a453bc125c5c3fc72b8d490e

              SHA256

              d412fbbeb84e2a6882b2f0267b058f2ceb97f501e440fe3f9f70fac5c2277b9c

              SHA512

              14ba32c3cd5b1faf100d06f78981deebbbb673299a355b6eaec88e6cb5543725242c850235a541afa8abba4a609bb2ec26e4a0526c6b198016b08d8af868b986

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\88D7.tmp\88D8.tmp\88D9.bat
              Filesize

              9KB

              MD5

              cf95b78c6d19d554b4d790d97a296cc6

              SHA1

              e28fbb5120be27ed14c759171fbc6d8f763c6a64

              SHA256

              b17600cab0bd6aa952b228cfb7809dce11276cfc8b1956e3abac45d0bfa25d8a

              SHA512

              2b5f067be99fab6cf0ebeaaabbf06aebbf788ca9f1c098b8357965ee54dac126b7854c54305573129c1d62449da963865e52964beaf7f3496699e190a5668796

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\AdobeSFX.log
              Filesize

              1KB

              MD5

              c08635cfaaf8f0a89d9e48e32ebccc57

              SHA1

              26328a1823897ae5dd4a127ecd28e1837d9c6914

              SHA256

              c34ed56a2352fc26f87cb1884d61d471e8d887ad9df32bd22112f1286072930a

              SHA512

              990068903d77adb62b93dec39acf66856f2ee907e623da12cf6fc25b1502e7ced1077554fc3cfb886c1582c11c7bd47620282a17c681ad1abb60fa1b0360c845

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\JavaDeployReg.log
              Filesize

              13KB

              MD5

              1f2237b4c449dfe2e6fe4a22e7c6b8cd

              SHA1

              398f38effd141547ef744e94d41037300bb30a96

              SHA256

              633172f866676596b5ed015b49665531e1cd662406cb9762eaf7ec8b34c036f8

              SHA512

              3f6d3691c89308208a23136c4cb0b265f942ae0b3752d8bf98fa98630fb07b734bd65c7ef2f06d22c3589022d22d6186255a3278dc7dbdd1e68230d31ba03451

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\KZOWYSNI-20240404-1224.log
              Filesize

              58KB

              MD5

              46fc2a604a3aa3925041fa9b00250ac3

              SHA1

              6b6ded0944462a0db5049bc548c4b0bd44e03eac

              SHA256

              d41515c591a616896f1cf500a0bead0fe579f03b7e2a9d9f63c4eb68644015b9

              SHA512

              3cda93345093f6ee4a89d2a1ff5c80a018cf144eb686bacbaa74b393bb8e655b1e6f60522380312710dc98871a7e357ba7c5ee1a546d50bdabe7c39f7976779d

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\KZOWYSNI-20240404-1224a.log
              Filesize

              181KB

              MD5

              b7b821b42c4faa13a5bba4424408f13b

              SHA1

              f230aacb38885afa9e19b3416edb17c695a2f380

              SHA256

              f894d6a49f967b3a6793698689b6b53289d7c6ba2205a41f9221419b8d5fd903

              SHA512

              12968d24ec89197b09934f2bc1f667fde74d4d167cbf817ce8175593a02509e635c46e50c494cc4316ffc2540b5c18d69dc4279cb219d4f228b8efed218c041d

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20240404_122001708.html
              Filesize

              1005KB

              MD5

              3729aa47d72da7c2816c60d266c05b13

              SHA1

              453690398239ded2beb3d3fa34757c1e4e82c8db

              SHA256

              e47a22b2307665b9d25785e2e82e14603c328f62312c52c3e0c73edc7508e271

              SHA512

              0d158256778f0bdcaabd547df5b744299e42abec942bd9b2ea8270bb45117583128433e118e0878fd7fea4952cd4e59c0c71d4fd8262ca71ce91710bd5970e50

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\WiseRegistryCleaner.exe
              Filesize

              3.9MB

              MD5

              dc881e0e08b420524dfbc5cd5c9be228

              SHA1

              2d0b33e59a8a6bf7821fb1a63d82e34105ec8913

              SHA256

              c35496bfd79447cadeeb343605365611b039a6c01947c4c8d8c8ac3d8eb72e90

              SHA512

              b6843f18ba993b841f7e5aab4def66eafdc1ec5295b394a26b2b1add17d5d77dbd243047be07477ddf69da416295d0b538500f0c5564c11601b399bd627bfb14

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\aria-debug-4428.log
              Filesize

              470B

              MD5

              1325fe8e4e3cee0b39386e5a4fa6bd6e

              SHA1

              8fe132e98cd3bb1e03a01bcf1a5cb25123a27cae

              SHA256

              8d729a7f9338c47211de4ecbb9320a05ffb719764433274c8328acf846b0ecb4

              SHA512

              8b2fd7b5fd43f8434c83b0188a0475f01460e4365d01b5a45bff9059b470e90b04b7ffdd2b5e3922a437994123548e9654c68b29e1f543038c3654c365235f6a

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
              Filesize

              6KB

              MD5

              f0a9ec1eff302d75ed70035efd0d1956

              SHA1

              c33fb768681d8515a561e182ed3eb57a5810a200

              SHA256

              ecede95920e4b1c29e1933c70c902155b1b40925749194dbce4f1bd989748fd0

              SHA512

              7a795cb5c925453cd640843bb82aca85c4df06a687de2c6481d1df70784cf657ea57bcb3c07571fd723705eb9e9f173c2625d9866b01d12563b66c057b263369

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt
              Filesize

              1KB

              MD5

              35c0af191b3a25bbca8ec9e20ddab445

              SHA1

              c1c32f48d0a027eed9d97187f88527b0ce9020a1

              SHA256

              66b6e74ad282e3399c0fb9930c75919d524d21846bd215f61d861a275ff6795e

              SHA512

              6853c09ba0e21a75d45b051468fab1ad741591ca90966e92e8baccd6264eb4401e6de54fe4db62403fd2cf1fdb5fac2f55e914baa67d46b0bcce299f5a3948f2

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\dd_SetupUtility.txt
              Filesize

              2KB

              MD5

              bc37be8f9dc53449b86eb93f55aadffe

              SHA1

              017d283d526145ba4335f77d0de5cf5441261b2e

              SHA256

              1220c0e826d26925891e8257ea4f6b7bad95b143de91eed8560c2a1ab9e878d7

              SHA512

              cb7a309c28314054980c0bb1024806fab79f6a8c74beee0377425abde6663d7675f6548568abc872a7273e53c523f8be06f708d4fe9710a0854e22d695dcc41f

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI7F48.txt
              Filesize

              425KB

              MD5

              1240a32174e546ef5cfb3bded5b859ae

              SHA1

              2768c197af219663c760fb84ea08fe1b70fd1175

              SHA256

              c5011882b5d443fbb4190c7f9e770c314f7624e7926238c2f4766fe25bbf5730

              SHA512

              0e82d8cfb4f9d349d31b5eb5d81e433ea6d86af289f53e9882079655e754fe6bc081b077e369622da2b5e5103db006e7eab74f8046e1f4aad3acf55567b41bc4

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI7F69.txt
              Filesize

              415KB

              MD5

              ee0aaf4b66e2aa786b28174ca4c3ecd0

              SHA1

              b5d6565870446252c470b77791e47364bacdd88b

              SHA256

              f1fce4684f155d367977befa843977ca1201125807ffa5207b28a7e3ef188c47

              SHA512

              0c81b7f11ab9817a6b900c8b5ed1cde20283fa0dde6df54a2897dc8cd797a5ae4140d6aaa4a254c17670dfa618344f9c9af0051e633b0e0c17efc1f84a9b88de

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI7F48.txt
              Filesize

              11KB

              MD5

              95c41d924d491cd8ad863980680a9505

              SHA1

              70a465d373e23f7c9b477ea0e3291f2cdb2922f1

              SHA256

              35e72a1b4ae537c18c48f77078bc48b0afaac24288a1fed78aa3cd54016c8a9b

              SHA512

              de16b1bc82a299ef3d127fbafeb74fab66a2ffe41de0e9647c35a1b36342bf27a6ff2104241be0c49fb770929490de41842a3c3d9732409fa9b42c3e08a9c1d7

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI7F69.txt
              Filesize

              11KB

              MD5

              e379c26e899768036f4db41ac326e8af

              SHA1

              f238e5786e3a43db09c74b3d201727c6d84200d2

              SHA256

              ad68daba3ec2680eadbf17fdbb3124816468e8fdb5ebb4d8ff6a35a5cdce96be

              SHA512

              de8da73e9321f42dcb0ed3f1f096fe2bf45ed8eb384856a4c8748d0368b4617da7031f10910c5957e7fd098c6f0c11804c011b6e0f9afce840948c8e51f55d0c

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\jawshtml.html
              Filesize

              13B

              MD5

              b2a4bc176e9f29b0c439ef9a53a62a1a

              SHA1

              1ae520cbbf7e14af867232784194366b3d1c3f34

              SHA256

              7b4f72a40bd21934680f085afe8a30bf85acff1a8365af43102025c4ccf52b73

              SHA512

              e04b85d8d45d43479abbbe34f57265b64d1d325753ec3d2ecadb5f83fa5822b1d999b39571801ca39fa32e4a0a7caab073ccd003007e5b86dac7b1c892a5de3f

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\jusched.log
              Filesize

              153KB

              MD5

              bccb11f2f3bfaebbf0a75ecf76f79c45

              SHA1

              b247ce0ce2ee29bfb6f037293ce6935ea0d24298

              SHA256

              94dfa7550e0a6b6723ce3775b5cd95f8731f3859124efb02cf641174ad1cc8ce

              SHA512

              f9b1b97207f15522dd120cc1e3ea9f823a01269c45560e9a815ab7e4a695c3a1e82e809189c65011f92287a9df1f4e070af9329c37aac6e8fab1dd249b51630b

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\tmp97C6.tmp
              Filesize

              17.0MB

              MD5

              ab4df4168f941f5679eb7119ad5173d9

              SHA1

              318ef17a1e36e7d6ebec03bb05598991a2fb0cd3

              SHA256

              416a897d88bae305d497c15f33b500882e744e8c8aba47d7613071ff38e5d90f

              SHA512

              71bcd157a57f8b68cb0d51e1beeeb270be43043516d7de1f0f9914202cbf5011aa65b79c9d7f1eb20e2da052be005000fb3759d79430c8f60fc8333b107c3a27

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\wct305D.tmp
              Filesize

              63KB

              MD5

              e516a60bc980095e8d156b1a99ab5eee

              SHA1

              238e243ffc12d4e012fd020c9822703109b987f6

              SHA256

              543796a1b343b4ebc0285d89cb8eb70667ac7b513da37495e38003704e9d88d7

              SHA512

              9b51e99ba20e9da56d1acc24a1cf9f9c9dbdeb742bec034e0ff2bc179a60f4aff249f40344f9ddd43229dcdefa1041940f65afb336d46c175ffeff725c638d58

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\wmsetup.log
              Filesize

              685B

              MD5

              4ba083f24c3b189b885db27abb5464aa

              SHA1

              7376e5a61ea9523a63bb87540338b0d0d3c53ac7

              SHA256

              8b51ed74661c5fb4108a249b16d3dfe0620264d41a48da38e7e06182f67ac570

              SHA512

              cbc20e4d0d4847e1152cafe7c750a18f811a09e331d299df9f14f9a2a40bb7fc2fa9c0c0924c7e429eaa30f8af0057ce9e04cb93347de6bdd006663e9bd4623d

              Download Submit