Overview
overview
10Static
static
10zen.win-sp...al.dll
windows10-2004-x64
5zen.win-sp...org.js
windows7-x64
3zen.win-sp...org.js
windows10-2004-x64
3zen.win-sp...org.js
windows7-x64
3zen.win-sp...org.js
windows10-2004-x64
3zen.win-sp...efs.js
windows7-x64
3zen.win-sp...efs.js
windows10-2004-x64
3zen.win-sp...l3.dll
windows10-2004-x64
1zen.win-sp...cs.dll
windows10-2004-x64
1zen.win-sp...ey.dll
windows10-2004-x64
1zen.win-sp...ts.dll
windows10-2004-x64
1zen.win-sp...bs.dll
windows10-2004-x64
1zen.win-sp...GL.dll
windows10-2004-x64
1zen.win-sp...v2.dll
windows10-2004-x64
1zen.win-sp...ec.dll
windows10-2004-x64
1zen.win-sp...il.dll
windows10-2004-x64
1zen.win-sp...ue.dll
windows10-2004-x64
1zen.win-sp...40.dll
windows7-x64
1zen.win-sp...40.dll
windows10-2004-x64
1zen.win-sp...xy.exe
windows7-x64
1zen.win-sp...xy.exe
windows10-2004-x64
1zen.win-sp...er.dll
windows10-2004-x64
1zen.win-sp...s3.dll
windows10-2004-x64
1zen.win-sp...bi.dll
windows10-2004-x64
1zen.win-sp...ts.dll
windows10-2004-x64
1zen.win-sp...er.exe
windows10-2004-x64
3zen.win-sp...er.exe
windows10-2004-x64
1zen.win-sp...ng.exe
windows10-2004-x64
1zen.win-sp...n3.dll
windows10-2004-x64
1zen.win-sp...er.exe
windows7-x64
4zen.win-sp...er.exe
windows10-2004-x64
4$PLUGINSDIR/UAC.dll
windows7-x64
3Analysis
-
max time kernel
146s -
max time network
159s -
platform
windows10-2004_x64 -
resource
win10v2004-20240910-en -
resource tags
arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system -
submitted
23-09-2024 19:02
Behavioral task
behavioral1
Sample
zen.win-specific\zen\AccessibleMarshal.dll
Resource
win10v2004-20240910-en
windows10-2004-x64
Behavioral task
behavioral2
Sample
zen.win-specific\zen\browser\features\[email protected]
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral3
Sample
zen.win-specific\zen\browser\features\[email protected]
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral4
Sample
zen.win-specific\zen\browser\features\[email protected]
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral5
Sample
zen.win-specific\zen\browser\features\[email protected]
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral6
Sample
zen.win-specific\zen\defaults\pref\channel-prefs.js
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral7
Sample
zen.win-specific\zen\defaults\pref\channel-prefs.js
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral8
Sample
zen.win-specific\zen\freebl3.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
zen.win-specific\zen\gkcodecs.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral10
Sample
zen.win-specific\zen\gmp-clearkey\0.1\clearkey.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
zen.win-specific\zen\ipcclientcerts.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral12
Sample
zen.win-specific\zen\lgpllibs.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
zen.win-specific\zen\libEGL.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral14
Sample
zen.win-specific\zen\libGLESv2.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
zen.win-specific\zen\mozavcodec.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral16
Sample
zen.win-specific\zen\mozavutil.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
zen.win-specific\zen\mozglue.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral18
Sample
zen.win-specific\zen\msvcp140.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral19
Sample
zen.win-specific\zen\msvcp140.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral20
Sample
zen.win-specific\zen\nmhproxy.exe
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral21
Sample
zen.win-specific\zen\nmhproxy.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral22
Sample
zen.win-specific\zen\notificationserver.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
zen.win-specific\zen\nss3.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral24
Sample
zen.win-specific\zen\nssckbi.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
zen.win-specific\zen\osclientcerts.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral26
Sample
zen.win-specific\zen\pingsender.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
zen.win-specific\zen\plugin-container.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral28
Sample
zen.win-specific\zen\private_browsing.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
zen.win-specific\zen\softokn3.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral30
Sample
zen.win-specific\zen\uninstall\helper.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral31
Sample
zen.win-specific\zen\uninstall\helper.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral32
Sample
$PLUGINSDIR/UAC.dll
Resource
win7-20240708-en
windows7-x64
General
-
Target
zen.win-specific\zen\AccessibleMarshal.dll
-
Size
29KB
-
MD5
73fd7f799de7bf6b397c7a115aaee881
-
SHA1
e98120f3175957f46d5409635771b784bfc6f0ba
-
SHA256
f9b13f6e00fb3ee6acb4915b75867400f49d0367b2d3e330f878eb4ae583d9ae
-
SHA512
809bc8773fbac84442e120a437a431ed710d7fe96c11e4df92eda82b362845d137eb641ccf635e3fb9931887810793eb081b9a387d2373586f3524ed4541f03c
-
SSDEEP
384:PmMUbpeTLB5+Vra/vfjMdfj9ycDieIL0Ieu4ExGGmLu5w5k2mNDsSofouswa8:PmMupezvfAhjfD5I2GLyGheSoQud
Malware Config
Signatures
-
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Modifies registry class 25 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1814CEEB-49E2-407F-AF99-FA755A7D2607}\ = "ISimpleDOMNode" regsvr32.exe Key created \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\CLSID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1814CEEB-49E2-407F-AF99-FA755A7D2607} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0D68D6D0-D93D-4D08-A30D-F00DD1F45B24}\ProxyStubClsid32\ = "{1814CEEB-49E2-407F-AF99-FA755A7D2607}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0D68D6D0-D93D-4D08-A30D-F00DD1F45B24}\ = "ISimpleDOMDocument" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E747BE5-2052-4265-8AF0-8ECAD7AAD1C0}\NumMethods regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1814CEEB-49E2-407F-AF99-FA755A7D2607}\ProxyStubClsid32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1814CEEB-49E2-407F-AF99-FA755A7D2607}\ProxyStubClsid32\ = "{1814CEEB-49E2-407F-AF99-FA755A7D2607}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0D68D6D0-D93D-4D08-A30D-F00DD1F45B24}\NumMethods regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E747BE5-2052-4265-8AF0-8ECAD7AAD1C0} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E747BE5-2052-4265-8AF0-8ECAD7AAD1C0}\ProxyStubClsid32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1814CEEB-49E2-407F-AF99-FA755A7D2607}\NumMethods\ = "18" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1814CEEB-49E2-407F-AF99-FA755A7D2607}\InProcServer32 regsvr32.exe Key created \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Interface regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0D68D6D0-D93D-4D08-A30D-F00DD1F45B24}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1814CEEB-49E2-407F-AF99-FA755A7D2607} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E747BE5-2052-4265-8AF0-8ECAD7AAD1C0}\NumMethods\ = "8" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1814CEEB-49E2-407F-AF99-FA755A7D2607}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zen.win-specific\\zen\\AccessibleMarshal.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1814CEEB-49E2-407F-AF99-FA755A7D2607}\InProcServer32\ThreadingModel = "Both" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1814CEEB-49E2-407F-AF99-FA755A7D2607}\ = "PSFactoryBuffer" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0D68D6D0-D93D-4D08-A30D-F00DD1F45B24} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0D68D6D0-D93D-4D08-A30D-F00DD1F45B24}\NumMethods\ = "9" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E747BE5-2052-4265-8AF0-8ECAD7AAD1C0}\ProxyStubClsid32\ = "{1814CEEB-49E2-407F-AF99-FA755A7D2607}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E747BE5-2052-4265-8AF0-8ECAD7AAD1C0}\ = "ISimpleDOMText" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1814CEEB-49E2-407F-AF99-FA755A7D2607}\NumMethods regsvr32.exe