File name:	zen.installer.exe
Full analysis:	https://app.any.run/tasks/cb77b99a-0c12-43db-8794-7e34601cd871
Verdict:	Malicious activity
Analysis date:	August 26, 2024, 16:47:58
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	upx
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5:	354E232749D124F20D9CA02B5858F96C
SHA1:	A9452107C186C697B0AABF3D985B72957064BB8C
SHA256:	B2FCD676174A7020B8CE221D666EE890B1262D2E3BE3D3BD7278B69BD9C8EC55
SSDEEP:	786432:XVSmTO1ry3cEr5Kx5aQNSUqWkPucvicpGynPv:FS4gs10xQQNSUqW2uc6cpGMv

.exe	\|	UPX compressed Win32 Executable (64.2)
.dll	\|	Win32 Dynamic Link Library (generic) (15.6)
.exe	\|	Win32 Executable (generic) (10.6)
.exe	\|	Generic Win/DOS Executable (4.7)
.exe	\|	DOS Executable Generic (4.7)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2018:08:30 22:18:33+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit
PEType:	PE32
LinkerVersion:	6
CodeSize:	69632
InitializedDataSize:	65536
UninitializedDataSize:	147456
EntryPoint:	0x34fa0
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	18.5.0.0
ProductVersionNumber:	18.5.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	Mozilla
FileDescription:	Firefox
FileVersion:	18.05
InternalName:	7zS.sfx
LegalCopyright:	Mozilla
OriginalFileName:	7zS.sfx.exe
ProductName:	Firefox
ProductVersion:	18.05


(PID) Process:	(6424) setup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(6424) setup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(6424) setup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(6424) setup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(6424) setup.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\TaskBarIDs
Operation:	write	Name:	C:\Program Files\Zen Browser
Value: F0DC299D809B9700
(PID) Process:	(6424) setup.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\RuntimeExceptionHelperModules
Operation:	write	Name:	C:\Program Files\Zen Browser\mozwer.dll
Value: 0
(PID) Process:	(5908) regsvr32.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1814CEEB-49E2-407F-AF99-FA755A7D2607}\InProcServer32
Operation:	write	Name:	ThreadingModel
Value: Both
(PID) Process:	(6424) setup.exe	Key:	HKEY_CLASSES_ROOT\FirefoxPDF-F0DC299D809B9700
Operation:	write	Name:	FriendlyTypeName
Value: Firefox PDF Document
(PID) Process:	(6424) setup.exe	Key:	HKEY_CLASSES_ROOT\FirefoxPDF-F0DC299D809B9700
Operation:	delete value	Name:	EditFlags
Value:
(PID) Process:	(6424) setup.exe	Key:	HKEY_CLASSES_ROOT\FirefoxPDF-F0DC299D809B9700
Operation:	write	Name:	EditFlags
Value: 2

PID	Process	Filename		Type
6752	zen.installer.exe	C:\Users\admin\AppData\Local\Temp\7zS06AB9492\core\browser\omni.ja		—
		MD5:—	SHA256:—
6752	zen.installer.exe	C:\Users\admin\AppData\Local\Temp\7zS06AB9492\core\application.ini		text
		MD5:BE1DD0C7B2CC2CA13730CBC84EB2B543	SHA256:BDC7CB8166622881E8204DC1AB53A8427EA64D5E2BA96108DDDF5DFA70DC6BC6
6752	zen.installer.exe	C:\Users\admin\AppData\Local\Temp\7zS06AB9492\core\browser\VisualElements\VisualElements_150.png		image
		MD5:273A7837B378DFFC994757FABCBE3338	SHA256:74B1EB2B2127DD1261AACB7FB922CDB0D8987495B85F2BBC5830370D1E54A4CE
6752	zen.installer.exe	C:\Users\admin\AppData\Local\Temp\7zS06AB9492\core\browser\VisualElements\PrivateBrowsing_70.png		image
		MD5:5B67016CE82086FE7D1C2D09F6C91FDD	SHA256:ED243D6267AC035C8501D9959F5D6CB74DD3CC2A8B779020AEB1734DD653C6EE
6752	zen.installer.exe	C:\Users\admin\AppData\Local\Temp\7zS06AB9492\core\freebl3.dll		executable
		MD5:5A6E10A9DD60443AAD0ACEDB27270F21	SHA256:4611A4D0BF87251BBE74939DDDB2FCDCF9C39AB58D41DD6D557B177723988712
6752	zen.installer.exe	C:\Users\admin\AppData\Local\Temp\7zS06AB9492\core\gmp-clearkey\0.1\manifest.json		binary
		MD5:CFFDADFAEEAAF0A5A78E7F9A299AA7F1	SHA256:EF47E83036753B53F59D079FEF62BFEDC749ABDBCDB0FE16F448D9920F11114C
6752	zen.installer.exe	C:\Users\admin\AppData\Local\Temp\7zS06AB9492\core\gmp-clearkey\0.1\clearkey.dll		executable
		MD5:8ED33842701CAE286FE3208D32535B8C	SHA256:C0AE0B9ACEAB639BA06CD1B070EC88438776EA6202E3B7EACE363D64C13CE5BF
6752	zen.installer.exe	C:\Users\admin\AppData\Local\Temp\7zS06AB9492\core\dependentlibs.list		text
		MD5:A515BC619743C790D426780ED4810105	SHA256:612E53338B53449BE39F2E9086E15EDC7BB3E7AA56C9D65A9D53B9EB3C3CC77D
6752	zen.installer.exe	C:\Users\admin\AppData\Local\Temp\7zS06AB9492\core\gkcodecs.dll		executable
		MD5:8D35468C91D0C512D826FE60712540A0	SHA256:E655BF9A67019B052D604DB89DD3EC1F78F8B1BBF92F32FE078B3CF1F7A3CD6C
6752	zen.installer.exe	C:\Users\admin\AppData\Local\Temp\7zS06AB9492\core\browser\features\formautofill@mozilla.org.xpi		compressed
		MD5:37C4A8C1A1014307B2EECD9D8B9819DA	SHA256:84589D8ED48BBB54806363A81CA9485AAEEB5E426FAC634FA2AA02EFE930F8EC

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	101	34.107.243.93:443	https://push.services.mozilla.com/	unknown	—	—	—
—	—	GET	200	34.149.100.209:443	https://firefox.settings.services.mozilla.com/v1/buckets/monitor/collections/changes/changeset?collection=fingerprinting-protection-overrides&bucket=main&_expected=0	unknown	binary	261 b	—
—	—	GET	301	142.250.185.129:443	https://s2.googleusercontent.com/s2/favicons?domain_url=https://www.wikipedia.org/	unknown	html	339 b	—
—	—	GET	200	34.149.100.209:443	https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/fingerprinting-protection-overrides/changeset?_expected=1715008862535	unknown	binary	32.1 Kb	—
—	—	GET	301	142.250.185.129:443	https://s2.googleusercontent.com/s2/favicons?domain_url=https://translate.google.com/	unknown	html	342 b	—
—	—	GET	200	35.190.72.216:443	https://location.services.mozilla.com/v1/country?key=no-mozilla-api-key	unknown	binary	47 b	—
—	—	GET	301	142.250.185.129:443	https://s2.googleusercontent.com/s2/favicons?domain_url=https://m.twitter.com/	unknown	html	335 b	—
—	—	GET	308	76.76.21.22:443	https://zen-browser.app/welcome/	unknown	html	150 b	—
—	—	GET	200	34.149.100.209:443	https://firefox.settings.services.mozilla.com/v1/	unknown	binary	939 b	—
—	—	GET	301	142.250.185.129:443	https://s2.googleusercontent.com/s2/favicons?domain_url=https://todoist.com/	unknown	html	333 b	—

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	51.124.78.146:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	192.168.100.255:138	—	—	—	whitelisted
—	—	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
3888	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
2384	zen.exe	35.190.72.216:443	location.services.mozilla.com	GOOGLE	US	whitelisted
2384	zen.exe	34.149.100.209:443	firefox.settings.services.mozilla.com	GOOGLE	US	whitelisted
2384	zen.exe	142.250.185.129:443	s2.googleusercontent.com	GOOGLE	US	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	20.73.194.208 40.127.240.158 51.104.136.2	whitelisted
google.com	142.250.186.110	whitelisted
location.services.mozilla.com	35.190.72.216	whitelisted
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	unknown
firefox.settings.services.mozilla.com	34.149.100.209	whitelisted
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	whitelisted
s2.googleusercontent.com	142.250.185.129	whitelisted
googlehosted.l.googleusercontent.com	142.250.185.129 2a00:1450:4001:810::2001	whitelisted
zen-browser.app	76.76.21.93 76.76.21.241	malicious
shavar.services.mozilla.com	44.226.249.47 44.239.24.213 54.71.162.254	whitelisted

General Info

zen.installer.exe

354E232749D124F20D9CA02B5858F96C

A9452107C186C697B0AABF3D985B72957064BB8C

B2FCD676174A7020B8CE221D666EE890B1262D2E3BE3D3BD7278B69BD9C8EC55

786432:XVSmTO1ry3cEr5Kx5aQNSUqWkPucvicpGynPv:FS4gs10xQQNSUqW2uc6cpGMv

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Registers / Runs the DLL via REGSVR32.EXE

SUSPICIOUS

Process drops legitimate windows executable

Drops the executable file immediately after the start

The process creates files with name similar to system file names

The process drops C-runtime libraries

Reads the date of Windows installation

Application launched itself

Executable content was dropped or overwritten

Malware-specific behavior (creating "System.dll" in Temp)

Reads security settings of Internet Explorer

Creates a software uninstall entry

Creates/Modifies COM task schedule object

Searches for installed software

Loads DLL from Mozilla Firefox

The process executes via Task Scheduler

INFO

Create files in a temporary directory

Reads the computer name

Process checks computer location settings

Checks supported languages

Process checks whether UAC notifications are on

Creates files in the program directory

UPX packer has been detected

Reads CPU info

Creates files or folders in the user directory

Reads Microsoft Office registry keys

Checks proxy server information

Reads the machine GUID from the registry

Application launched itself

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests