3a5f51e46b9314228955b6e42ba9cf5c37566a69a2f49acb9ad0ee8c3132ba24

Analysis

max time kernel
13s
max time network
18s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 12:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Zamzar-1.1.0.Setup.exe
Size

120.7MB
MD5

3980ea90d6a3cd78ae4043efc820876f
SHA1

e40c66343b6ed66982cc89a36c97badf3a95ded6
SHA256

3a5f51e46b9314228955b6e42ba9cf5c37566a69a2f49acb9ad0ee8c3132ba24
SHA512

7389a28392cfd8c0022e5b8955ceb3cbfa8170768fd132190e137771d0ea1d7e9bd7085208c44d4d68e34d0082e437d55658b7a9ce25eab8d8ac6b903a694f7e
SSDEEP

3145728:qtwOduAgm/T6gLxYbW/uR6SOOlo/KNVR18XD0otBEL6H8:N0r6gL0bY1qDN7otOLm8

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exeZamzar-1.1.0.Setup.exe

description	ioc	Process
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	Zamzar-1.1.0.Setup.exe
File opened (read-only)	\??\Q:	Zamzar-1.1.0.Setup.exe
File opened (read-only)	\??\S:	Zamzar-1.1.0.Setup.exe
File opened (read-only)	\??\U:	Zamzar-1.1.0.Setup.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\A:	Zamzar-1.1.0.Setup.exe
File opened (read-only)	\??\O:	Zamzar-1.1.0.Setup.exe
File opened (read-only)	\??\R:	Zamzar-1.1.0.Setup.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	Zamzar-1.1.0.Setup.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	Zamzar-1.1.0.Setup.exe
File opened (read-only)	\??\Z:	Zamzar-1.1.0.Setup.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\I:	Zamzar-1.1.0.Setup.exe
File opened (read-only)	\??\T:	Zamzar-1.1.0.Setup.exe
File opened (read-only)	\??\W:	Zamzar-1.1.0.Setup.exe
File opened (read-only)	\??\X:	Zamzar-1.1.0.Setup.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\N:	Zamzar-1.1.0.Setup.exe
File opened (read-only)	\??\Y:	Zamzar-1.1.0.Setup.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	Zamzar-1.1.0.Setup.exe
File opened (read-only)	\??\K:	Zamzar-1.1.0.Setup.exe
File opened (read-only)	\??\M:	Zamzar-1.1.0.Setup.exe
File opened (read-only)	\??\V:	Zamzar-1.1.0.Setup.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	Zamzar-1.1.0.Setup.exe
File opened (read-only)	\??\L:	Zamzar-1.1.0.Setup.exe
File opened (read-only)	\??\P:	Zamzar-1.1.0.Setup.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe

Loads dropped DLL 9 IoCs

Processes:

MsiExec.exe

pid	Process
1616	MsiExec.exe
1616	MsiExec.exe
1616	MsiExec.exe
1616	MsiExec.exe
1616	MsiExec.exe
1616	MsiExec.exe
1616	MsiExec.exe
1616	MsiExec.exe
1616	MsiExec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 7 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

Zamzar-1.1.0.Setup.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Zamzar-1.1.0.Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Zamzar-1.1.0.Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Zamzar-1.1.0.Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	Zamzar-1.1.0.Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	Zamzar-1.1.0.Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	Zamzar-1.1.0.Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	Zamzar-1.1.0.Setup.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

Processes:

NOTEPAD.EXE

pid	Process
324	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

MsiExec.exe

pid	Process
1616	MsiExec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exeZamzar-1.1.0.Setup.exe

description	pid	Process
Token: SeRestorePrivilege	1500	msiexec.exe
Token: SeTakeOwnershipPrivilege	1500	msiexec.exe
Token: SeSecurityPrivilege	1500	msiexec.exe
Token: SeCreateTokenPrivilege	1940	Zamzar-1.1.0.Setup.exe
Token: SeAssignPrimaryTokenPrivilege	1940	Zamzar-1.1.0.Setup.exe
Token: SeLockMemoryPrivilege	1940	Zamzar-1.1.0.Setup.exe
Token: SeIncreaseQuotaPrivilege	1940	Zamzar-1.1.0.Setup.exe
Token: SeMachineAccountPrivilege	1940	Zamzar-1.1.0.Setup.exe
Token: SeTcbPrivilege	1940	Zamzar-1.1.0.Setup.exe
Token: SeSecurityPrivilege	1940	Zamzar-1.1.0.Setup.exe
Token: SeTakeOwnershipPrivilege	1940	Zamzar-1.1.0.Setup.exe
Token: SeLoadDriverPrivilege	1940	Zamzar-1.1.0.Setup.exe
Token: SeSystemProfilePrivilege	1940	Zamzar-1.1.0.Setup.exe
Token: SeSystemtimePrivilege	1940	Zamzar-1.1.0.Setup.exe
Token: SeProfSingleProcessPrivilege	1940	Zamzar-1.1.0.Setup.exe
Token: SeIncBasePriorityPrivilege	1940	Zamzar-1.1.0.Setup.exe
Token: SeCreatePagefilePrivilege	1940	Zamzar-1.1.0.Setup.exe
Token: SeCreatePermanentPrivilege	1940	Zamzar-1.1.0.Setup.exe
Token: SeBackupPrivilege	1940	Zamzar-1.1.0.Setup.exe
Token: SeRestorePrivilege	1940	Zamzar-1.1.0.Setup.exe
Token: SeShutdownPrivilege	1940	Zamzar-1.1.0.Setup.exe
Token: SeDebugPrivilege	1940	Zamzar-1.1.0.Setup.exe
Token: SeAuditPrivilege	1940	Zamzar-1.1.0.Setup.exe
Token: SeSystemEnvironmentPrivilege	1940	Zamzar-1.1.0.Setup.exe
Token: SeChangeNotifyPrivilege	1940	Zamzar-1.1.0.Setup.exe
Token: SeRemoteShutdownPrivilege	1940	Zamzar-1.1.0.Setup.exe
Token: SeUndockPrivilege	1940	Zamzar-1.1.0.Setup.exe
Token: SeSyncAgentPrivilege	1940	Zamzar-1.1.0.Setup.exe
Token: SeEnableDelegationPrivilege	1940	Zamzar-1.1.0.Setup.exe
Token: SeManageVolumePrivilege	1940	Zamzar-1.1.0.Setup.exe
Token: SeImpersonatePrivilege	1940	Zamzar-1.1.0.Setup.exe
Token: SeCreateGlobalPrivilege	1940	Zamzar-1.1.0.Setup.exe
Token: SeCreateTokenPrivilege	1940	Zamzar-1.1.0.Setup.exe
Token: SeAssignPrimaryTokenPrivilege	1940	Zamzar-1.1.0.Setup.exe
Token: SeLockMemoryPrivilege	1940	Zamzar-1.1.0.Setup.exe
Token: SeIncreaseQuotaPrivilege	1940	Zamzar-1.1.0.Setup.exe
Token: SeMachineAccountPrivilege	1940	Zamzar-1.1.0.Setup.exe
Token: SeTcbPrivilege	1940	Zamzar-1.1.0.Setup.exe
Token: SeSecurityPrivilege	1940	Zamzar-1.1.0.Setup.exe
Token: SeTakeOwnershipPrivilege	1940	Zamzar-1.1.0.Setup.exe
Token: SeLoadDriverPrivilege	1940	Zamzar-1.1.0.Setup.exe
Token: SeSystemProfilePrivilege	1940	Zamzar-1.1.0.Setup.exe
Token: SeSystemtimePrivilege	1940	Zamzar-1.1.0.Setup.exe
Token: SeProfSingleProcessPrivilege	1940	Zamzar-1.1.0.Setup.exe
Token: SeIncBasePriorityPrivilege	1940	Zamzar-1.1.0.Setup.exe
Token: SeCreatePagefilePrivilege	1940	Zamzar-1.1.0.Setup.exe
Token: SeCreatePermanentPrivilege	1940	Zamzar-1.1.0.Setup.exe
Token: SeBackupPrivilege	1940	Zamzar-1.1.0.Setup.exe
Token: SeRestorePrivilege	1940	Zamzar-1.1.0.Setup.exe
Token: SeShutdownPrivilege	1940	Zamzar-1.1.0.Setup.exe
Token: SeDebugPrivilege	1940	Zamzar-1.1.0.Setup.exe
Token: SeAuditPrivilege	1940	Zamzar-1.1.0.Setup.exe
Token: SeSystemEnvironmentPrivilege	1940	Zamzar-1.1.0.Setup.exe
Token: SeChangeNotifyPrivilege	1940	Zamzar-1.1.0.Setup.exe
Token: SeRemoteShutdownPrivilege	1940	Zamzar-1.1.0.Setup.exe
Token: SeUndockPrivilege	1940	Zamzar-1.1.0.Setup.exe
Token: SeSyncAgentPrivilege	1940	Zamzar-1.1.0.Setup.exe
Token: SeEnableDelegationPrivilege	1940	Zamzar-1.1.0.Setup.exe
Token: SeManageVolumePrivilege	1940	Zamzar-1.1.0.Setup.exe
Token: SeImpersonatePrivilege	1940	Zamzar-1.1.0.Setup.exe
Token: SeCreateGlobalPrivilege	1940	Zamzar-1.1.0.Setup.exe
Token: SeCreateTokenPrivilege	1940	Zamzar-1.1.0.Setup.exe
Token: SeAssignPrimaryTokenPrivilege	1940	Zamzar-1.1.0.Setup.exe
Token: SeLockMemoryPrivilege	1940	Zamzar-1.1.0.Setup.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Zamzar-1.1.0.Setup.exe

pid	Process
1940	Zamzar-1.1.0.Setup.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

msiexec.exeMsiExec.exe

description	pid	Process	procid_target
PID 1500 wrote to memory of 1616	1500	msiexec.exe	29
PID 1500 wrote to memory of 1616	1500	msiexec.exe	29
PID 1500 wrote to memory of 1616	1500	msiexec.exe	29
PID 1500 wrote to memory of 1616	1500	msiexec.exe	29
PID 1500 wrote to memory of 1616	1500	msiexec.exe	29
PID 1500 wrote to memory of 1616	1500	msiexec.exe	29
PID 1500 wrote to memory of 1616	1500	msiexec.exe	29
PID 1616 wrote to memory of 324	1616	MsiExec.exe	30
PID 1616 wrote to memory of 324	1616	MsiExec.exe	30
PID 1616 wrote to memory of 324	1616	MsiExec.exe	30
PID 1616 wrote to memory of 324	1616	MsiExec.exe	30

C:\Users\Admin\AppData\Local\Temp\Zamzar-1.1.0.Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Zamzar-1.1.0.Setup.exe"
1⤵
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1940

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1500
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 33A0B6853C818E51B7344E9F20DF1CC7 C
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1616
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\zamzar_install.log
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_1940\background

Filesize
29KB

MD5
34363136d896a1de743489e2aff7d849

SHA1
2678a41eec6d6d7f3267347f5ea2f7ca770323bb

SHA256
ae4355bc29fc0b409605faf5c69664a97a44c914e855b474b24281d17b7dcb15

SHA512
2711c50013f9b763e2eb7eed136f120dbe71b45ed0669655b07393e75f4e704877e7af473133469a012fd13d6bc50f2f715e8244395061a0067a480778759448

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1E4C.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI228E.tmp

Filesize
719KB

MD5
c9c085c00bc24802f066e5412defcf50

SHA1
557f02469f3f236097d015327d7ca77260e2aecc

SHA256
a412b642de0e94db761ebd2834dde72eed86e65fc4a580670a300015b874ba24

SHA512
a6fa1f34cd630a7509a6441be7ad060de7e039967d2ec015e27c2a643b04e0eecf53902b7173c4c2e92e3a890bd7acb6a3307d9923838f0bfc71496fb184b1de

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI22FD.tmp

Filesize
1.1MB

MD5
6bb65410717bb2c62ed92cdbc9c41652

SHA1
1f0d56a24588c0c07e878f348df6bb0c3e4f693a

SHA256
91a6c5daebe89b7d9157188a2b3fa8e47d53b4d20c29bcc244635d1943397f7b

SHA512
1a864c6d010e3d62337a2067f53e82067ab01a556edee65036658bb7dd863bf22379d16aaf6385fda23060148c68c7225610058a153420e7b125c038285ceb38

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1E6E.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1FFC.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zamzar_install.log

Filesize
39KB

MD5
a5baabc1bf38a9e463207cccf778454a

SHA1
8c9f1e88019d9efa3ec63481e792afa89426f801

SHA256
c60b3a2ccadbcb129d88b4aa8451e6d60d188623556d7560f5d9e5fa40aaa4e8

SHA512
270e6da00e5633a873d5965028b8e23d406ccc3a845d96194172db967f285e8d038f0b7d0cd7672df157c94c75e6d76294b129ba7e695e95e96d152c7f9ee61f

Download Submit
C:\Users\Admin\AppData\Roaming\Zamzar Ltd\Zamzar 1.1.0\install\x64-build.msi

Filesize
4.9MB

MD5
e12656736172ae06246b1bee4fa9a518

SHA1
744c874132bdc1a44959ee7b2e8c866c9ba859cf

SHA256
6fe4eb1a3fbe1960b5a5321d88272c29845d661335b0cc05ca23424d49c35af2

SHA512
f775019810351cb54e8799375028ec388a8d3a75913316765509a73f3ca3c5bfea2857af28c0a70437a21ceefaee829aa92e9d5493734dbc45cef6d5fa971435

Download Submit
memory/1940-0-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download