Field | Value |
---|---|
File name: | Zoom_fc47cd9783102ea1.exe |
Full analysis: | https://app.any.run/tasks/8337785d-8033-41b5-93a8-c53fc54018dd |
Verdict: | Malicious activity |
Analysis date: | March 31, 2020, 09:50:42 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | 4CD5E7F37416CAA1E05FE99FAB1E4866 |
SHA1: | 2E1EE725E9D7ACB9E78901F196AA33F5A6818E0E |
SHA256: | 2F88B59D5D8C728F01796550623BD5535595E723DAA97FF23C168AAD7704EFF7 |
SSDEEP: | 1536:byL/u0MfA/Y4XukDR/7EUw9VEsp/nve5LP1tnubUfW:bG/u0MfOD9SVEsiT19o |
Extension | Detected type |
---|---|
.exe | Win32 Executable MS Visual C++ (generic) (67.4) |
.dll | Win32 Dynamic Link Library (generic) (14.2) |
.exe | Win32 Executable (generic) (9.7) |
.exe | Generic Win/DOS Executable (4.3) |
.exe | DOS Executable Generic (4.3) |
Field | Value |
---|---|
MachineType: | Intel 386 or later, and compatibles |
TimeStamp: | 2020:03:23 08:42:24+01:00 |
PEType: | PE32 |
LinkerVersion: | 9 |
CodeSize: | 39936 |
InitializedDataSize: | 21504 |
UninitializedDataSize: | - |
EntryPoint: | 0x1273 |
OSVersion: | 5 |
ImageVersion: | - |
SubsystemVersion: | 5 |
Subsystem: | Windows GUI |
FileVersionNumber: | 4.6.19178.323 |
ProductVersionNumber: | 4.6.19178.323 |
FileFlagsMask: | 0x003f |
FileFlags: | (none) |
FileOS: | Win32 |
ObjectFileType: | Executable application |
FileSubtype: | - |
LanguageCode: | English (U.S.) |
CharacterSet: | Windows, Latin1 |
Comments: | Zoom Opener |
CompanyName: | Zoom Video Communications, Inc. |
FileDescription: | Zoom Opener |
FileVersion: | 4,6,19178,0323 |
InternalName: | Zoom Opener |
LegalCopyright: | © Zoom Video Communications, Inc. All rights reserved. |
LegalTrademarks: | Zoom Opener |
OriginalFileName: | Zoom Opener |
ProductName: | Zoom Opener |
ProductVersion: | 4,6,19178,0323 |
Field | Value |
---|---|
Architecture: | IMAGE_FILE_MACHINE_I386 |
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 23-Mar-2020 07:42:24 |
Detected languages: | |
Debug artifacts: | |
Comments: | Zoom Opener |
CompanyName: | Zoom Video Communications, Inc. |
FileDescription: | Zoom Opener |
FileVersion: | 4,6,19178,0323 |
InternalName: | Zoom Opener |
LegalCopyright: | © Zoom Video Communications, Inc. All rights reserved. |
LegalTrademarks: | Zoom Opener |
OriginalFilename: | Zoom Opener |
ProductName: | Zoom Opener |
ProductVersion: | 4,6,19178,0323 |
Field | Value |
---|---|
Magic number: | MZ |
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x000000D8 |
Field | Value |
---|---|
Signature: | PE |
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 5 |
Time date stamp: | 23-Mar-2020 07:42:24 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: | |
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x00009ACE | 0x00009C00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.43076 |
.rdata | 0x0000B000 | 0x0000279E | 0x00002800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.58773 |
.data | 0x0000E000 | 0x0000015C | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0.10191 |
.rsrc | 0x0000F000 | 0x00001F80 | 0x00002000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.01918 |
.reloc | 0x00011000 | 0x000009D8 | 0x00000A00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 6.12697 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 3.44802 | 948 | UNKNOWN | English - United States | RT_VERSION |
2 | 2.21059 | 34 | UNKNOWN | English - United States | RT_GROUP_ICON |
7 | 2.95584 | 234 | UNKNOWN | English - United States | RT_STRING |
32 | 3.09147 | 432 | UNKNOWN | English - United States | RT_STRING |
33 | 3.31643 | 560 | UNKNOWN | English - United States | RT_STRING |
Imported DLL |
---|
ADVAPI32.dll |
CRYPT32.dll |
GDI32.dll |
KERNEL32.dll |
SHELL32.dll |
USER32.dll |
WINTRUST.dll |
PID | CMD | Path | Indicators | Parent process | User | Company | Integrity Level | Description | Exit code | Version |
---|---|---|---|---|---|---|---|---|---|---|
564 | "C:\Users\admin\AppData\Local\Temp\Zoom_fc47cd9783102ea1.exe" | C:\Users\admin\AppData\Local\Temp\Zoom_fc47cd9783102ea1.exe | — | explorer.exe | admin | Zoom Video Communications, Inc. | MEDIUM | Zoom Opener | 0 | 4,6,19178,0323 |
3036 | "C:\Users\admin\AppData\Roaming\Zoom\ZoomDownload\Installer.exe" ZInstaller --conf.mode=silent --ipc_wnd=459340 | C:\Users\admin\AppData\Roaming\Zoom\ZoomDownload\Installer.exe | — | Zoom_fc47cd9783102ea1.exe | admin | Zoom Video Communications, Inc. | MEDIUM | Zoom Installer | 0 | 4,6,19178,0323 |
2860 | "C:\Users\admin\AppData\Roaming\Zoom\ZoomDownload\Installer.exe" /addfwexception --bin_home="C:\Users\admin\AppData\Roaming\Zoom\bin" | C:\Users\admin\AppData\Roaming\Zoom\ZoomDownload\Installer.exe | — | Installer.exe | admin | Zoom Video Communications, Inc. | HIGH | Zoom Installer | 0 | 4,6,19178,0323 |
2776 | "C:\Users\admin\AppData\Roaming\Zoom\bin\Zoom.exe" "--url=zoommtg://win.launch?action=join&browser=chrome&confid=dXNzPTQ5NDI2YWQ5LjQydDVxVElOZjZLZG52MjFBcFFHU1lEZWhTTnJTWUk1Z21xV1ZVWTBGVURid1R2SFh4VnJTSm9JWTZkRGhTdnlKU1h3MDFEWFBwNFlubTVYcVotNzV3JTNEJTNEJnRpZD01MmFhYjA4MzI5NTU0N2Q2OGQ2MDg2NmRhNGZlMmUzYg%3D%3D&confno=9310887937&mcv=0.92.11227.0929&zc=0" | C:\Users\admin\AppData\Roaming\Zoom\bin\Zoom.exe | — | Zoom_fc47cd9783102ea1.exe | admin | Zoom Video Communications, Inc. | MEDIUM | Zoom | — | 4,6,19178,0323 |
3368 | "C:\Users\admin\AppData\Local\Temp\zmD59A.tmp" -DAF8C715436E44649F1312698287E6A5=C:\Users\admin\AppData\Local\Temp\Zoom_fc47cd9783102ea1.exe | C:\Users\admin\AppData\Local\Temp\zmD59A.tmp | — | Zoom_fc47cd9783102ea1.exe | admin | Zoom Video Communications, Inc. | MEDIUM | Zoom Opener | 0 | 4,6,19178,0323 |
3900 | C:\Users\admin\AppData\Roaming\Zoom\bin\Zoom.exe --action=join --runaszvideo=TRUE | C:\Users\admin\AppData\Roaming\Zoom\bin\Zoom.exe | — | Zoom.exe | admin | Zoom Video Communications, Inc. | MEDIUM | Zoom | — | 4,6,19178,0323 |
3196 | Zoom.exe --action=uploadFeedback | C:\Users\admin\AppData\Roaming\Zoom\bin\Zoom.exe | — | Zoom.exe | admin | Zoom Video Communications, Inc. | MEDIUM | Zoom | 0 | 4,6,19178,0323 |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
564 | Zoom_fc47cd9783102ea1.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\QVAUXBY6.txt | — | — | — |
564 | Zoom_fc47cd9783102ea1.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\9XYKCWRK.txt | — | — | — |
564 | Zoom_fc47cd9783102ea1.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\29DHH92W.txt | — | — | — |
564 | Zoom_fc47cd9783102ea1.exe | C:\Users\admin\AppData\Local\Temp\CabA5AE.tmp | — | — | — |
564 | Zoom_fc47cd9783102ea1.exe | C:\Users\admin\AppData\Local\Temp\TarA5AF.tmp | — | — | — |
564 | Zoom_fc47cd9783102ea1.exe | C:\Users\admin\AppData\Roaming\Zoom\ZoomDownload\Zoom.msi | — | — | — |
3036 | Installer.exe | C:\Users\admin\AppData\Roaming\Zoom\zoom_install_src\crashrpt_lang.ini | text | 3BE1F13A7A5C5490D4669F3051CC5572 | 9F124594495B209908D79CECADD63EE55D2282D763212C0FCD0930A5F858CA8C |
564 | Zoom_fc47cd9783102ea1.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8828F39C7C0CE9A14B25C7EB321181BA_BD8B98368542C3BBAE3413A0EF3BB623 | binary | 9C377E5DFDF949DB08D92E65CDD2CA27 | DCE8C5A80C792FBB29871D8A65C895C813F903796368F624B1F76AD9AC8B4836 |
564 | Zoom_fc47cd9783102ea1.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3FA0F92EA40DC353FF9E95B9F7D06EAF_02A7BB8D663AB0A2D3E0CE44422ED38B | binary | 55B0651A491CFA5FE3687C11CB7BF019 | 891CC26C803E55637658BE8E8B960AA6E9493D9DAB46284F397F982FFA09E55D |
564 | Zoom_fc47cd9783102ea1.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3FA0F92EA40DC353FF9E95B9F7D06EAF_02A7BB8D663AB0A2D3E0CE44422ED38B | der | 40F4184FF90450C409B8FD0A8202B6AA | EEE7FDBC8ACA96CAA8EA86CE14EF0B2F23A0BBA59A6E653B9A1ED81F3F2EF477 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
564 | Zoom_fc47cd9783102ea1.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAyO4MkNaokViAQGHuJB%2Ba8%3D | US | der | 471 b | whitelisted |
564 | Zoom_fc47cd9783102ea1.exe | GET | 200 | 23.37.43.27:80 | http://s.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEGMYDTj7gJd4qdA1oxYY%2BEA%3D | NL | der | 1.71 Kb | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
564 | Zoom_fc47cd9783102ea1.exe | 23.37.43.27:80 | s.symcd.com | Akamai Technologies, Inc. | NL | whitelisted |
564 | Zoom_fc47cd9783102ea1.exe | 52.202.62.238:443 | launcher.zoom.us | Amazon.com, Inc. | US | unknown |
564 | Zoom_fc47cd9783102ea1.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
2776 | Zoom.exe | 3.235.71.135:443 | zoom.us | — | US | suspicious |
2776 | Zoom.exe | 173.231.81.230:3478 | — | Affiniti, LLC | US | unknown |
— | — | 173.231.81.231:3478 | — | Affiniti, LLC | US | unknown |
564 | Zoom_fc47cd9783102ea1.exe | 143.204.98.49:443 | d11yldzmag5yn.cloudfront.net | — | US | suspicious |
— | — | 173.231.81.231:3479 | — | Affiniti, LLC | US | unknown |
3900 | Zoom.exe | 3.235.71.132:443 | www3.zoom.us | — | US | unknown |
Domain | IP | Reputation |
---|---|---|
launcher.zoom.us | | whitelisted |
d11yldzmag5yn.cloudfront.net | | whitelisted |
s.symcd.com | | shared |
ocsp.digicert.com | | whitelisted |
zoom.us | | whitelisted |
www3.zoom.us | | whitelisted |
Process | Message |
---|---|
Installer.exe | [ProductPathHelper::RecursiveRemoveDirA] Path is: C:\Users\admin\AppData\Roaming\Zoom\zoom_install_src |
Installer.exe | [ProductPathHelper::RecursiveRemoveDirA] Path is: C:\Users\admin\AppData\Roaming\Zoom\uninstall |
Installer.exe | [ProductPathHelper::RecursiveRemoveDirA] Path is: C:\Users\admin\AppData\Roaming\Zoom\bin |
Installer.exe | [CZoomProductPathHelper::RecursiveRemoveDirA] Path is: |