| File name: | zsu-1191325.exe |
| Full analysis: | https://app.any.run/tasks/a05ec868-0fa2-4012-96ff-582646105583 |
| Verdict: | Malicious activity |
| Analysis date: | November 29, 2023, 16:21:02 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | 622E8038B5113A70124A973DBA0E6B70 |
| SHA1: | 52A5A6BEE987E8893DE83DCFFD3FB82D751A86D8 |
| SHA256: | 6AD316CE1759584BA4DB061BB46BED2A1BF188D59D8ABF9FA14C17FFE6AA61D4 |
| SSDEEP: | 98304:HOCOQXb+wG+hz8BrbKhJ7gLdrupOw+/St4ZzGcO0l58xkNYsU34/DoeoFIHf2Ar1:18B9TmoBGn5nDTVLG |
MALICIOUS
Drops the executable file immediately after the start
- zsu-1191325.exe (PID: 1988)
- zsu-1-1-9-1325.exe (PID: 824)
- msiexec.exe (PID: 1128)
- PrnInst.exe (PID: 3640)
- drvinst.exe (PID: 3428)
- ZebraFD.exe (PID: 1592)
- ZebraFD.tmp (PID: 1644)
- PrnInst.exe (PID: 3452)
Creates a writable file in the system directory
- drvinst.exe (PID: 3428)
- PrnInst.exe (PID: 3452)
- spoolsv.exe (PID: 3512)
SUSPICIOUS
Process drops legitimate windows executable
- zsu-1191325.exe (PID: 1988)
- msiexec.exe (PID: 1128)
The process creates files with name similar to system file names
- zsu-1191325.exe (PID: 1988)
- zsu-1-1-9-1325.exe (PID: 824)
Drops 7-zip archiver for unpacking
- zsu-1-1-9-1325.exe (PID: 824)
Reads the Windows owner or organization settings
- zsu-1-1-9-1325.exe (PID: 824)
- msiexec.exe (PID: 1128)
- ZebraFD.tmp (PID: 1644)
Reads the Internet Settings
- PrnUtils.exe (PID: 1660)
Executes as Windows Service
- spoolsv.exe (PID: 3512)
- VSSVC.exe (PID: 3124)
Checks Windows Trust Settings
- drvinst.exe (PID: 3428)
Creates files in the driver directory
- drvinst.exe (PID: 3428)
INFO
Checks supported languages
- zsu-1191325.exe (PID: 1988)
- zsu-1-1-9-1325.exe (PID: 824)
- msiexec.exe (PID: 1128)
- PrnUtils.exe (PID: 1660)
- PrnInst.exe (PID: 3640)
- drvinst.exe (PID: 3428)
- msiexec.exe (PID: 2432)
- wmpnscfg.exe (PID: 2488)
- drvinst.exe (PID: 2736)
- PrnInst.exe (PID: 3452)
- ZebraFD.exe (PID: 1592)
- ZebraFD.tmp (PID: 1644)
Creates files in the program directory
- zsu-1191325.exe (PID: 1988)
- zsu-1-1-9-1325.exe (PID: 824)
Reads the computer name
- zsu-1-1-9-1325.exe (PID: 824)
- msiexec.exe (PID: 1128)
- PrnInst.exe (PID: 3640)
- msiexec.exe (PID: 2432)
- PrnUtils.exe (PID: 1660)
- drvinst.exe (PID: 3428)
- PrnInst.exe (PID: 3452)
- wmpnscfg.exe (PID: 2488)
- drvinst.exe (PID: 2736)
- ZebraFD.tmp (PID: 1644)
Creates files or folders in the user directory
- zsu-1-1-9-1325.exe (PID: 824)
Create files in a temporary directory
- zsu-1-1-9-1325.exe (PID: 824)
- msiexec.exe (PID: 1128)
- PrnInst.exe (PID: 3640)
- PrnInst.exe (PID: 3452)
- ZebraFD.tmp (PID: 1644)
- ZebraFD.exe (PID: 1592)
Reads the machine GUID from the registry
- zsu-1-1-9-1325.exe (PID: 824)
- msiexec.exe (PID: 1128)
- PrnInst.exe (PID: 3640)
- drvinst.exe (PID: 3428)
- msiexec.exe (PID: 2432)
- wmpnscfg.exe (PID: 2488)
- PrnInst.exe (PID: 3452)
- drvinst.exe (PID: 2736)
Application launched itself
- msiexec.exe (PID: 1128)
Manual execution by a user
- wmpnscfg.exe (PID: 2488)
Drops the executable file immediately after the start
- spoolsv.exe (PID: 3512)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable MS Visual C++ (generic) (42.2) |
|---|---|---|
| .exe | | | Win64 Executable (generic) (37.3) |
| .dll | | | Win32 Dynamic Link Library (generic) (8.8) |
| .exe | | | Win32 Executable (generic) (6) |
| .exe | | | Generic Win/DOS Executable (2.7) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2022:07:30 01:29:47+02:00 |
| ImageFileCharacteristics: | No relocs, Executable, Large address aware, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 9 |
| CodeSize: | 197632 |
| InitializedDataSize: | 157184 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x22c58 |
| OSVersion: | 5 |
| ImageVersion: | - |
| SubsystemVersion: | 5 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 1.1.9.1325 |
| ProductVersionNumber: | 0.0.0.0 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | English (U.S.) |
| CharacterSet: | Windows, Latin1 |
| Comments: | This installation was built with InstallAware: http://www.installaware.com |
| CompanyName: | Zebra Technologies |
| FileDescription: | Zebra Setup Utilities Installation |
| FileVersion: | 1.1.9.1325 |
| LegalCopyright: | ZEBRA and the stylized Zebra head are trademarks of Zebra Technologies Corporation, registered in many jurisdictions worldwide. All other trademarks are the property of their respective owners. ©2022 Zebra Technologies Corporation and/or its affiliates. All rights reserved |
| ProductName: | Zebra Setup Utilities |
| ProductVersion: | 1.1.9.1325 |
Total processes
61
Monitored processes
17
Malicious processes
7
Suspicious processes
2
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 824 | .\zsu-1-1-9-1325.exe /m="C:\Users\admin\AppData\Local\Temp\ZSU-11~1.EXE" /k="" | C:\ProgramData\mia1B11.tmp\zsu-1-1-9-1325.exe | — | zsu-1191325.exe | |||||||||||
User: admin Company: Zebra Technologies Integrity Level: HIGH Description: Zebra Setup Utilities Installation Exit code: 0 Version: 1.1.9.1325 Modules
| |||||||||||||||
| 1128 | C:\Windows\system32\msiexec.exe /V | C:\Windows\System32\msiexec.exe | — | services.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows® installer Exit code: 0 Version: 5.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1592 | "C:\Program Files\Zebra Technologies\Zebra Setup Utilities\Driver\ZBRN\..\ZebraFD.exe" /LANG=en | C:\Program Files\Zebra Technologies\Zebra Setup Utilities\Driver\ZebraFD.exe | — | PrnInst.exe | |||||||||||
User: admin Company: Zebra Technologies Corporation Integrity Level: HIGH Description: Exit code: 0 Version: 3.5.1.13410 Modules
| |||||||||||||||
| 1644 | "C:\Users\admin\AppData\Local\Temp\is-DJJLF.tmp\ZebraFD.tmp" /SL5="$20332,3600494,61952,C:\Program Files\Zebra Technologies\Zebra Setup Utilities\Driver\ZebraFD.exe" /LANG=en | C:\Users\admin\AppData\Local\Temp\is-DJJLF.tmp\ZebraFD.tmp | — | ZebraFD.exe | |||||||||||
User: admin Integrity Level: HIGH Description: Setup/Uninstall Exit code: 0 Version: 51.52.0.0 Modules
| |||||||||||||||
| 1660 | "C:\Program Files\Zebra Technologies\Zebra Setup Utilities\App\PrnUtils.exe" | C:\Program Files\Zebra Technologies\Zebra Setup Utilities\App\PrnUtils.exe | — | zsu-1-1-9-1325.exe | |||||||||||
User: admin Company: Zebra Technologies Corporation Integrity Level: HIGH Description: Zebra Simple Setup Utility Exit code: 0 Version: 1.1.9.1324 Modules
| |||||||||||||||
| 1988 | "C:\Users\admin\AppData\Local\Temp\zsu-1191325.exe" | C:\Users\admin\AppData\Local\Temp\zsu-1191325.exe | explorer.exe | ||||||||||||
User: admin Company: Zebra Technologies Integrity Level: HIGH Description: Zebra Setup Utilities Installation Exit code: 0 Version: 1.1.9.1325 Modules
| |||||||||||||||
| 2100 | C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding | C:\Windows\System32\rundll32.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2432 | C:\Windows\system32\MsiExec.exe -Embedding 81D08924295418817147C927DCDB5E51 | C:\Windows\System32\msiexec.exe | — | msiexec.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows® installer Exit code: 0 Version: 5.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2488 | "C:\Program Files\Windows Media Player\wmpnscfg.exe" | C:\Program Files\Windows Media Player\wmpnscfg.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Media Player Network Sharing Service Configuration Application Exit code: 0 Version: 12.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2736 | DrvInst.exe "4" "0" "C:\Users\admin\AppData\Local\Temp\{187cea70-00b8-0beb-f9b9-187ee11ef665}\ZBRN.inf" "0" "6ea1d8b47" "000004C4" "WinSta0\Default" "00000548" "208" "C:\Program Files\Zebra Technologies\Zebra Setup Utilities\Driver\ZBRN" | C:\Windows\System32\drvinst.exe | — | svchost.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Driver Installation Module Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
Total events
10 071
Read events
9 869
Write events
188
Delete events
14
Modification events
| (PID) Process: | (1128) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MUI\StringCacheSettings |
| Operation: | write | Name: | StringCacheGeneration |
Value: 383 | |||
| (PID) Process: | (1128) msiexec.exe | Key: | HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\17F\52C64B7E |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (1128) msiexec.exe | Key: | HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\17F |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (824) zsu-1-1-9-1325.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer |
| Operation: | write | Name: | GlobalAssocChangedCounter |
Value: 115 | |||
| (PID) Process: | (1128) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts |
| Operation: | delete value | Name: | C:\Config.Msi\1ca0a0.rbs |
Value: 31072992 | |||
| (PID) Process: | (1128) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts |
| Operation: | delete value | Name: | C:\Config.Msi\1ca0a0.rbsLow |
Value: 803380368 | |||
| (PID) Process: | (1128) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (1128) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (1128) msiexec.exe | Key: | HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\RestartManager\Session0000 |
| Operation: | delete value | Name: | Sequence |
Value: 1 | |||
| (PID) Process: | (1128) msiexec.exe | Key: | HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\RestartManager\Session0000 |
| Operation: | delete value | Name: | SessionHash |
Value: 7054DDDB65E30F73EB17E35514B38288EE8F5545295587523CA3FBB4F956AA9F | |||
Executable files
4 482
Suspicious files
85
Text files
1 521
Unknown types
2
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 1988 | zsu-1191325.exe | C:\ProgramData\mia1B11.tmp\data\zsu-1-1-9-1325.msi | executable | |
MD5:709799667B1272541C56B39762194181 | SHA256:25EC3E427DFBBEBA200233C07012C7BDC08DE78C635836CEC15FC5D196E61E6F | |||
| 1988 | zsu-1191325.exe | C:\ProgramData\mia1B11.tmp\zsu-1-1-9-1325.msi | executable | |
MD5:709799667B1272541C56B39762194181 | SHA256:25EC3E427DFBBEBA200233C07012C7BDC08DE78C635836CEC15FC5D196E61E6F | |||
| 1988 | zsu-1191325.exe | C:\ProgramData\mia1B11.tmp\data\OFFLINE\9DFA037B\1653EC00\About.bmp | image | |
MD5:B68DC6433CE92629987DE971DF350E5B | SHA256:B9B3C707BCAF83BB8FE817E859CB8FA9FC941FC0C89B44D1FE1898718FC7F89B | |||
| 1988 | zsu-1191325.exe | C:\ProgramData\mia1B11.tmp\data\OFFLINE\9DFA037B\1653EC00\prnutils.chm | binary | |
MD5:008753AC945918530DBCAD9E483EB394 | SHA256:D8FA4F2D116E8F7D7A57B3F86E60AE2FBC6A50C8EC54597DDCAD18660EA14553 | |||
| 1988 | zsu-1191325.exe | C:\ProgramData\mia1B11.tmp\data\OFFLINE\9DFA037B\1653EC00\icon.ico | image | |
MD5:7A249B98A44B30FFB030B8CA868A9BFB | SHA256:3E4A789ADBD26DFA0C4921D72710AE7EE304D482F5C389299EB69E0A1D859470 | |||
| 1988 | zsu-1191325.exe | C:\ProgramData\mia1B11.tmp\data\OFFLINE\1E7B3AEE\6B71268F\notices.html | html | |
MD5:CE23A057BB8AC69C6045F9801CE0A997 | SHA256:853F45CA0A1781484032D99F827541B7A936DCB193253D61C8A4042865E6D98E | |||
| 1988 | zsu-1191325.exe | C:\ProgramData\mia1B11.tmp\data\OFFLINE\1E7B3AEE\6B71268F\DFP3.vbs | text | |
MD5:A1BB6ADB107AAC70D6B51FA7925D9104 | SHA256:BF16B8D0B5D3C9DDF486EBB272AA7AC209C3BE4135D3271F559EBCCC79F63E55 | |||
| 1988 | zsu-1191325.exe | C:\ProgramData\mia1B11.tmp\data\OFFLINE\1E7B3AEE\6B71268F\EULA.pdf | ||
MD5:EDE201CD561CB5C524EF18B0073ED100 | SHA256:5960FB1A21A4AE7824896FBDB8B3E288D01C3979FECD08EFD1134BB5B1F42B08 | |||
| 1988 | zsu-1191325.exe | C:\ProgramData\mia1B11.tmp\data\OFFLINE\1E7B3AEE\6B71268F\StatMonSetup.exe | executable | |
MD5:7928649A4645F957FE39D834BCE8095B | SHA256:D22F3964FE629FA42BD211EF75E9F3524532F507331BD33069B725BE6AC42935 | |||
| 1988 | zsu-1191325.exe | C:\ProgramData\mia1B11.tmp\data\OFFLINE\9DFA037B\1653EC00\PrnUtils.exe | executable | |
MD5:E9A3D5C3C436DD3512374EAB052355ED | SHA256:9C0627CB134BACE9CA03084D6B3CBBDC1E68C300B8D686630263444CBE5EB3CE | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
5
DNS requests
1
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
1080 | svchost.exe | GET | 200 | 184.24.77.194:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?b257947f6e02507e | unknown | compressed | 4.66 Kb | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | unknown |
2588 | svchost.exe | 239.255.255.250:1900 | — | — | — | unknown |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
1080 | svchost.exe | 184.24.77.194:80 | ctldl.windowsupdate.com | Akamai International B.V. | DE | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
ctldl.windowsupdate.com |
| whitelisted |