analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Zoom_fc47cd9783102ea1.exe

Full analysis: https://app.any.run/tasks/8337785d-8033-41b5-93a8-c53fc54018dd
Verdict: Malicious activity
Analysis date: March 31, 2020, 09:50:42
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

4CD5E7F37416CAA1E05FE99FAB1E4866

SHA1:

2E1EE725E9D7ACB9E78901F196AA33F5A6818E0E

SHA256:

2F88B59D5D8C728F01796550623BD5535595E723DAA97FF23C168AAD7704EFF7

SSDEEP:

1536:byL/u0MfA/Y4XukDR/7EUw9VEsp/nve5LP1tnubUfW:bG/u0MfOD9SVEsiT19o

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Installer.exe (PID: 3036)
      • Installer.exe (PID: 2860)
      • Zoom.exe (PID: 2776)
      • Zoom.exe (PID: 3196)
      • Zoom.exe (PID: 3900)

    • Loads dropped or rewritten executable

      • Installer.exe (PID: 3036)
      • Zoom.exe (PID: 2776)
      • Zoom.exe (PID: 3196)
      • Zoom.exe (PID: 3900)

    • Changes settings of System certificates

      • Zoom_fc47cd9783102ea1.exe (PID: 564)

  • SUSPICIOUS

    • Reads Internet Cache Settings

      • Zoom_fc47cd9783102ea1.exe (PID: 564)

    • Creates files in the user directory

      • Zoom_fc47cd9783102ea1.exe (PID: 564)
      • Zoom.exe (PID: 2776)
      • Installer.exe (PID: 3036)
      • Zoom.exe (PID: 3196)
      • Zoom.exe (PID: 3900)

    • Executable content was dropped or overwritten

      • Zoom_fc47cd9783102ea1.exe (PID: 564)
      • Installer.exe (PID: 3036)

    • Application launched itself

      • Installer.exe (PID: 3036)
      • Zoom.exe (PID: 2776)

    • Creates a software uninstall entry

      • Installer.exe (PID: 3036)

    • Modifies the open verb of a shell class

      • Installer.exe (PID: 3036)

    • Changes IE settings (feature browser emulation)

      • Installer.exe (PID: 3036)

    • Starts application with an unusual extension

      • Zoom_fc47cd9783102ea1.exe (PID: 564)

    • Starts itself from another location

      • Zoom_fc47cd9783102ea1.exe (PID: 564)

    • Adds / modifies Windows certificates

      • Zoom_fc47cd9783102ea1.exe (PID: 564)

  • INFO

    • Dropped object may contain Bitcoin addresses

      • Installer.exe (PID: 3036)

    • Reads settings of System Certificates

      • Installer.exe (PID: 3036)
      • Zoom_fc47cd9783102ea1.exe (PID: 564)
      • Zoom.exe (PID: 3196)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2020:03:23 08:42:24+01:00
PEType: PE32
LinkerVersion: 9
CodeSize: 39936
InitializedDataSize: 21504
UninitializedDataSize: -
EntryPoint: 0x1273
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 4.6.19178.323
ProductVersionNumber: 4.6.19178.323
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
Comments: Zoom Opener
CompanyName: Zoom Video Communications, Inc.
FileDescription: Zoom Opener
FileVersion: 4,6,19178,0323
InternalName: Zoom Opener
LegalCopyright: © Zoom Video Communications, Inc. All rights reserved.
LegalTrademarks: Zoom Opener
OriginalFileName: Zoom Opener
ProductName: Zoom Opener
ProductVersion: 4,6,19178,0323

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 23-Mar-2020 07:42:24
Detected languages:
  • English - United States
Debug artifacts:
  • d:\zoomcode\EP\Bin\Release\NewWebLauncher\ZoomWebLauncher.pdb
Comments: Zoom Opener
CompanyName: Zoom Video Communications, Inc.
FileDescription: Zoom Opener
FileVersion: 4,6,19178,0323
InternalName: Zoom Opener
LegalCopyright: © Zoom Video Communications, Inc. All rights reserved.
LegalTrademarks: Zoom Opener
OriginalFilename: Zoom Opener
ProductName: Zoom Opener
ProductVersion: 4,6,19178,0323

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000D8

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 23-Mar-2020 07:42:24
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x00009ACE
0x00009C00
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.43076
.rdata
0x0000B000
0x0000279E
0x00002800
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.58773
.data
0x0000E000
0x0000015C
0x00000200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0.10191
.rsrc
0x0000F000
0x00001F80
0x00002000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.01918
.reloc
0x00011000
0x000009D8
0x00000A00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
6.12697

Resources

Title
Entropy
Size
Codepage
Language
Type
1
3.44802
948
UNKNOWN
English - United States
RT_VERSION
2
2.21059
34
UNKNOWN
English - United States
RT_GROUP_ICON
7
2.95584
234
UNKNOWN
English - United States
RT_STRING
32
3.09147
432
UNKNOWN
English - United States
RT_STRING
33
3.31643
560
UNKNOWN
English - United States
RT_STRING

Imports

ADVAPI32.dll
CRYPT32.dll
GDI32.dll
KERNEL32.dll
SHELL32.dll
USER32.dll
WINTRUST.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
44
Monitored processes
7
Malicious processes
6
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start drop and start start drop and start zoom_fc47cd9783102ea1.exe installer.exe installer.exe zoom.exe zmd59a.tmp no specs zoom.exe zoom.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
564"C:\Users\admin\AppData\Local\Temp\Zoom_fc47cd9783102ea1.exe" C:\Users\admin\AppData\Local\Temp\Zoom_fc47cd9783102ea1.exe
explorer.exe
User:
admin
Company:
Zoom Video Communications, Inc.
Integrity Level:
MEDIUM
Description:
Zoom Opener
Exit code:
0
Version:
4,6,19178,0323
Modules
Images
c:\users\admin\appdata\local\temp\zoom_fc47cd9783102ea1.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
3036"C:\Users\admin\AppData\Roaming\Zoom\ZoomDownload\Installer.exe" ZInstaller --conf.mode=silent --ipc_wnd=459340C:\Users\admin\AppData\Roaming\Zoom\ZoomDownload\Installer.exe
Zoom_fc47cd9783102ea1.exe
User:
admin
Company:
Zoom Video Communications, Inc.
Integrity Level:
MEDIUM
Description:
Zoom Installer
Exit code:
0
Version:
4,6,19178,0323
Modules
Images
c:\users\admin\appdata\roaming\zoom\zoomdownload\installer.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\psapi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
2860"C:\Users\admin\AppData\Roaming\Zoom\ZoomDownload\Installer.exe" /addfwexception --bin_home="C:\Users\admin\AppData\Roaming\Zoom\bin"C:\Users\admin\AppData\Roaming\Zoom\ZoomDownload\Installer.exe
Installer.exe
User:
admin
Company:
Zoom Video Communications, Inc.
Integrity Level:
HIGH
Description:
Zoom Installer
Exit code:
0
Version:
4,6,19178,0323
Modules
Images
c:\users\admin\appdata\roaming\zoom\zoomdownload\installer.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\psapi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
2776"C:\Users\admin\AppData\Roaming\Zoom\bin\Zoom.exe" "--url=zoommtg://win.launch?action=join&browser=chrome&confid=dXNzPTQ5NDI2YWQ5LjQydDVxVElOZjZLZG52MjFBcFFHU1lEZWhTTnJTWUk1Z21xV1ZVWTBGVURid1R2SFh4VnJTSm9JWTZkRGhTdnlKU1h3MDFEWFBwNFlubTVYcVotNzV3JTNEJTNEJnRpZD01MmFhYjA4MzI5NTU0N2Q2OGQ2MDg2NmRhNGZlMmUzYg%3D%3D&confno=9310887937&mcv=0.92.11227.0929&zc=0"C:\Users\admin\AppData\Roaming\Zoom\bin\Zoom.exe
Zoom_fc47cd9783102ea1.exe
User:
admin
Company:
Zoom Video Communications, Inc.
Integrity Level:
MEDIUM
Description:
Zoom
Version:
4,6,19178,0323
Modules
Images
c:\users\admin\appdata\roaming\zoom\bin\zoom.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\roaming\zoom\bin\dllsafecheck.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
3368"C:\Users\admin\AppData\Local\Temp\zmD59A.tmp" -DAF8C715436E44649F1312698287E6A5=C:\Users\admin\AppData\Local\Temp\Zoom_fc47cd9783102ea1.exeC:\Users\admin\AppData\Local\Temp\zmD59A.tmpZoom_fc47cd9783102ea1.exe
User:
admin
Company:
Zoom Video Communications, Inc.
Integrity Level:
MEDIUM
Description:
Zoom Opener
Exit code:
0
Version:
4,6,19178,0323
Modules
Images
c:\users\admin\appdata\local\temp\zmd59a.tmp
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
3900C:\Users\admin\AppData\Roaming\Zoom\bin\Zoom.exe --action=join --runaszvideo=TRUE C:\Users\admin\AppData\Roaming\Zoom\bin\Zoom.exe
Zoom.exe
User:
admin
Company:
Zoom Video Communications, Inc.
Integrity Level:
MEDIUM
Description:
Zoom
Version:
4,6,19178,0323
Modules
Images
c:\users\admin\appdata\roaming\zoom\bin\zoom.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\roaming\zoom\bin\dllsafecheck.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
3196Zoom.exe --action=uploadFeedbackC:\Users\admin\AppData\Roaming\Zoom\bin\Zoom.exeZoom.exe
User:
admin
Company:
Zoom Video Communications, Inc.
Integrity Level:
MEDIUM
Description:
Zoom
Exit code:
0
Version:
4,6,19178,0323
Modules
Images
c:\users\admin\appdata\roaming\zoom\bin\zoom.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\roaming\zoom\bin\dllsafecheck.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
Total events
6 847
Read events
1 619
Write events
0
Delete events
0

Modification events

No data
Executable files
89
Suspicious files
23
Text files
16
Unknown types
5

Dropped files

PID
Process
Filename
Type
564Zoom_fc47cd9783102ea1.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\QVAUXBY6.txt
MD5:
SHA256:
564Zoom_fc47cd9783102ea1.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\9XYKCWRK.txt
MD5:
SHA256:
564Zoom_fc47cd9783102ea1.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\29DHH92W.txt
MD5:
SHA256:
564Zoom_fc47cd9783102ea1.exeC:\Users\admin\AppData\Local\Temp\CabA5AE.tmp
MD5:
SHA256:
564Zoom_fc47cd9783102ea1.exeC:\Users\admin\AppData\Local\Temp\TarA5AF.tmp
MD5:
SHA256:
564Zoom_fc47cd9783102ea1.exeC:\Users\admin\AppData\Roaming\Zoom\ZoomDownload\Zoom.msi
MD5:
SHA256:
3036Installer.exeC:\Users\admin\AppData\Roaming\Zoom\zoom_install_src\crashrpt_lang.initext
MD5:3BE1F13A7A5C5490D4669F3051CC5572
SHA256:9F124594495B209908D79CECADD63EE55D2282D763212C0FCD0930A5F858CA8C
564Zoom_fc47cd9783102ea1.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8828F39C7C0CE9A14B25C7EB321181BA_BD8B98368542C3BBAE3413A0EF3BB623binary
MD5:9C377E5DFDF949DB08D92E65CDD2CA27
SHA256:DCE8C5A80C792FBB29871D8A65C895C813F903796368F624B1F76AD9AC8B4836
564Zoom_fc47cd9783102ea1.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3FA0F92EA40DC353FF9E95B9F7D06EAF_02A7BB8D663AB0A2D3E0CE44422ED38Bbinary
MD5:55B0651A491CFA5FE3687C11CB7BF019
SHA256:891CC26C803E55637658BE8E8B960AA6E9493D9DAB46284F397F982FFA09E55D
564Zoom_fc47cd9783102ea1.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3FA0F92EA40DC353FF9E95B9F7D06EAF_02A7BB8D663AB0A2D3E0CE44422ED38Bder
MD5:40F4184FF90450C409B8FD0A8202B6AA
SHA256:EEE7FDBC8ACA96CAA8EA86CE14EF0B2F23A0BBA59A6E653B9A1ED81F3F2EF477
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
13
DNS requests
7
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
564
Zoom_fc47cd9783102ea1.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAyO4MkNaokViAQGHuJB%2Ba8%3D
US
der
471 b
whitelisted
564
Zoom_fc47cd9783102ea1.exe
GET
200
23.37.43.27:80
http://s.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEGMYDTj7gJd4qdA1oxYY%2BEA%3D
NL
der
1.71 Kb
shared
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
564
Zoom_fc47cd9783102ea1.exe
23.37.43.27:80
s.symcd.com
Akamai Technologies, Inc.
NL
whitelisted
564
Zoom_fc47cd9783102ea1.exe
52.202.62.238:443
launcher.zoom.us
Amazon.com, Inc.
US
unknown
564
Zoom_fc47cd9783102ea1.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
2776
Zoom.exe
3.235.71.135:443
zoom.us
US
suspicious
2776
Zoom.exe
173.231.81.230:3478
Affiniti, LLC
US
unknown
173.231.81.231:3478
Affiniti, LLC
US
unknown
564
Zoom_fc47cd9783102ea1.exe
143.204.98.49:443
d11yldzmag5yn.cloudfront.net
US
suspicious
173.231.81.231:3479
Affiniti, LLC
US
unknown
3900
Zoom.exe
3.235.71.132:443
www3.zoom.us
US
unknown

DNS requests

Domain
IP
Reputation
launcher.zoom.us
  • 52.202.62.238
whitelisted
d11yldzmag5yn.cloudfront.net
  • 143.204.98.49
  • 143.204.98.13
  • 143.204.98.206
  • 143.204.98.126
whitelisted
s.symcd.com
  • 23.37.43.27
shared
ocsp.digicert.com
  • 93.184.220.29
whitelisted
zoom.us
  • 18.205.93.255
  • 3.235.71.135
whitelisted
www3.zoom.us
  • 3.235.71.132
whitelisted

Threats

No threats detected
Process
Message
Installer.exe
[ProductPathHelper::RecursiveRemoveDirA] Path is:
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\zoom_install_src
Installer.exe
Installer.exe
[ProductPathHelper::RecursiveRemoveDirA] Path is:
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\uninstall
Installer.exe
Installer.exe
[ProductPathHelper::RecursiveRemoveDirA] Path is:
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\bin
Installer.exe
Installer.exe
[CZoomProductPathHelper::RecursiveRemoveDirA] Path is:
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Zoom_fc47cd9783102ea1.exe