zed.exe
This report is generated from a file or URL submitted to this webservice on June 13th 2019 17:56:39 (UTC) and action script Heavy Anti-Evasion
Guest System: Windows 7 64 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v8.30 © Hybrid Analysis
Incident Response
MITRE ATT&CK™ Techniques Detection
Additional Context
Related Sandbox Artifacts
- Associated SHA256s
- 5014b87a5185226b59b53767fa9bd975ee9170b22f90c8698585aeed530c931d
Indicators
Suspicious Indicators 9
Anti-Detection/Stealthyness
Queries kernel debugger information
- details
- "<Input Sample>" at 00009859-00002732-00000033-77359947601
- source
- API Call
- relevance
- 6/10
Environment Awareness
Possibly tries to implement anti-virtualization techniques
- details
- "vboxLayout" (Indicator: "vbox")
- "vboxLayout1" (Indicator: "vbox")
- "vboxLayout2" (Indicator: "vbox")
- source
- File/Memory
- relevance
- 4/10
Reads the cryptographic machine GUID
- details
- "<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
- source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1012
Installation/Persistence
Found a string that may be used as part of an injection method
- details
- "Shell_TrayWnd" (Taskbar window class may be used to inject into explorer with the SetWindowLong method)
- source
- File/Memory
- relevance
- 4/10
- ATT&CK ID
- T1055
Modifies the open verb of a shell class
- details
- "<Input Sample>" (Path: "HKCU\ZEDFILE\SHELL\OPEN\COMMAND"; Key: "(DEFAULT)"; Value: ""C:\zed.exe" "%1"")
- source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1112
Network Related
Found potential IP address in binary/memory
- details
- Heuristic match: "1.3.6.1.4.1.311.10.3.1"
- Heuristic match: "1.3.6.1.4.1.32759.1.1"
- Heuristic match: "1.0.195.000 [x64]"
- source
- File/Memory
- relevance
- 3/10
Unusual Characteristics
Reads information about supported languages
- details
- "<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
- source
- Registry Access
- relevance
- 3/10
- ATT&CK ID
- T1012
Hiding 2 Suspicious Indicators
Informative 10
Environment Awareness
Queries volume information
- details
- "<Input Sample>" queries volume information of "C:\" at 00009859-00002732-00000046-74106530935
- source
- API Call
- relevance
- 2/10
- ATT&CK ID
- T1120
Queries volume information of an entire hard drive
- details
- "<Input Sample>" queries volume information of "C:\" at 00009859-00002732-00000046-74106530935
- source
- API Call
- relevance
- 8/10
- ATT&CK ID
- T1120
External Systems
Sample was identified as clean by Antivirus engines
- details
- 0/72 Antivirus vendors marked sample as malicious (0% detection rate)
- source
- External System
- relevance
- 10/10
General
Sample shows a variety of benign indicators
- details
- The input file/all extracted files were not detected as malicious and the input file is signed with a validated certificate
- source
- Indicator Combinations
- relevance
- 10/10
The input sample is signed with a certificate
- details
- The input sample is signed with a certificate issued by "C=FR, S=Rhone, L=Lyon, O=Prim'X Technologies, CN=Prim'X Technologies" (SHA1: 99:A8:18:35:89:E4:45:9F:AC:84:36:B7:7A:40:DA:B9:50:7E:5D:28 (1.2.840.113549.1.1.11); see report for more information)
- The input sample is signed with a certificate issued by "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA" (SHA1: 00:77:90:F6:56:1D:AD:89:B0:BC:D8:55:85:76:24:95:E3:58:F8:A5 (1.2.840.113549.1.1.11); see report for more information)
- The input sample is signed with a certificate issued by "C=US, O="VeriSign, Inc.", OU=VeriSign Trust Network, OU="c 2006 VeriSign, Inc. - For authorized use only", CN=VeriSign Class 3 Public Primary Certification Authority - G5" (SHA1: 4E:B6:D5:78:49:9B:1C:CF:5F:58:1E:AD:56:BE:3D:9B:67:44:A5:E5 (sha1RSA(RSA)); see report for more information)
- source
- Certificate Data
- relevance
- 10/10
- ATT&CK ID
- T1116
The input sample is signed with a valid certificate
- details
- The entire certificate chain of the input sample was validated successfully.
- source
- Certificate Data
- relevance
- 10/10
Installation/Persistence
Connects to LPC ports
- details
- "<Input Sample>" connecting to "\ThemeApiPort"
- source
- API Call
- relevance
- 1/10
Touches files in the Windows directory
- details
- "<Input Sample>" touched file "%WINDIR%\System32\en-US\user32.dll.mui"
- "<Input Sample>" touched file "%WINDIR%\System32\en-US\msctf.dll.mui"
- "<Input Sample>" touched file "%WINDIR%\System32\rsaenh.dll"
- "<Input Sample>" touched file "%WINDIR%\Globalization\Sorting\SortDefault.nls"
- "<Input Sample>" touched file "%WINDIR%\Fonts\StaticCache.dat"
- source
- API Call
- relevance
- 7/10
Network Related
Found potential URL in binary/memory
- details
- Pattern match: "https://www.zedencrypt.com"
- Pattern match: "ddddd.M.yyd/M/yyyydddd"
- Heuristic match: "PMWBnm.MD"
- Heuristic match: "Diloloa.kI"
- Pattern match: "https://www.zedencrypt.com/support/rubrique/activation/15"
- Pattern match: "https://www.zedencrypt.com/formactivation"
- Pattern match: "http://www.w3.org/1999/XSL/Transform"
- Pattern match: "http://www.trolltech.com/company/model/"
- Pattern match: "qt.nokia.com/products/licensing"
- Pattern match: "http://www.trolltech.com/company/model.html"
- Pattern match: "http://www.trolltech.com/qt"
- Pattern match: "http://www.trolltech.com/company/model"
- source
- File/Memory
- relevance
- 10/10
System Security
Opens the Kernel Security Device Driver (KsecDD) of Windows
- details
- "<Input Sample>" opened "\Device\KsecDD"
- source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1215
File Details
zed.exe
- Filename
- zed.exe
- Size
- 26MiB (27293056 bytes)
- Type
- peexe 64bits executable
- Description
- PE32+ executable (GUI) x86-64, for MS Windows
- Architecture
- WINDOWS
- SHA256
- 1bc9225a6ddc2e9edf71c1cdbf37840661802428e810594cf6aed63790e45972
- MD5
- e4c9f07f468c87c330b99fb482db58ef
- SHA1
- 9728b8c88f0a3ca45ab4779a6f3e9a28db946b24
Classification (TrID)
- 33.6% (.EXE) OS/2 Executable (generic)
- 33.1% (.EXE) Generic Win/DOS Executable
- 33.1% (.EXE) DOS Executable Generic
File Certificates
Certificate chain was successfully validated.
Owner | Issuer | Validity | Hashes (MD5, SHA1)
---|---|---|---
C=FR, S=Rhone, L=Lyon, O=Prim'X Technologies, CN=Prim'X Technologies | C=FR, S=Rhone, L=Lyon, O=Prim'X Technologies, CN=Prim'X Technologies (Serial: 3b98e5b9ff9da39874d1a7818dd7de04) | 09/04/2017 02:00:00 to 09/20/2020 01:59:59 | SHA1: 99:A8:18:35:89:E4:45:9F:AC:84:36:B7:7A:40:DA:B9:50:7E:5D:28 (1.2.840.113549.1.1.11)
C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA | C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA (Serial: 3d78d7f9764960b2617df4f01eca862a) | 12/10/2013 02:00:00 to 12/10/2023 01:59:59 | SHA1: 00:77:90:F6:56:1D:AD:89:B0:BC:D8:55:85:76:24:95:E3:58:F8:A5 (1.2.840.113549.1.1.11)
C=US, O="VeriSign, Inc.", OU=VeriSign Trust Network, OU="c 2006 VeriSign, Inc. - For authorized use only", CN=VeriSign Class 3 Public Primary Certification Authority - G5 | C=US, O="VeriSign, Inc.", OU=VeriSign Trust Network, OU="c 2006 VeriSign, Inc. - For authorized use only", CN=VeriSign Class 3 Public Primary Certification Authority - G5 (Serial: 18dad19e267de8bb4a2158cdcc6b3b4a) | 11/08/2006 02:00:00 to 07/17/2036 01:59:59 | SHA1: 4E:B6:D5:78:49:9B:1C:CF:5F:58:1E:AD:56:BE:3D:9B:67:44:A5:E5 (sha1RSA(RSA))
Hybrid Analysis
Analysed 1 process in total (System Resource Monitor).
- zed.exe (PID: 2732)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Extracted Strings
Extracted Files
No significant files were extracted.
Notifications
Runtime
- No static analysis parsing on sample was performed
- Not all Falcon MalQuery lookups completed in time
- Not all IP/URL string resources were checked online
- Not all sources for indicator ID "api-47" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)