Please Authenticate Again for Uninteruppted Zscaler

Incident Response

Risk Assessment

Remote Access
Reads terminal service related keys (often RDP related)
Persistence
Modifies System Certificates Settings
Spawns a lot of processes
Writes data to a remote process
Evasive
Found a reference to a WMI query string known to be used for VM detection

MITRE ATT&CK™ Techniques Detection

This report has 30 indicators that were mapped to 18 attack techniques and 8 tactics.

Indicators

Not all malicious and suspicious indicators are displayed. Get your own cloud service or the full version to view all details.

  • General
    • The analysis extracted a file that was identified as malicious
      details
      2/80 Antivirus vendors marked dropped file "certutil.exe" as malicious (classified as "Trojan.Heur" with 2% detection rate)
      1/73 Antivirus vendors marked dropped file "ZSATunnel.exe" as malicious (classified as "Malicious_confidence_80%" with 1% detection rate)
      source
      Extracted File
      relevance
      10/10
  • Installation/Persistence
    • Writes data to a remote process
      details
      "ZSCALE~1.EXE" wrote 32 bytes to a remote process "%PROGRAMFILES%\Zscaler-Network-Adapter\bin\devcon.exe" (Handle: 416)
      "ZSCALE~1.EXE" wrote 52 bytes to a remote process "%PROGRAMFILES%\Zscaler-Network-Adapter\bin\devcon.exe" (Handle: 416)
      "ZSCALE~1.EXE" wrote 4 bytes to a remote process "%PROGRAMFILES%\Zscaler-Network-Adapter\bin\devcon.exe" (Handle: 416)
      "ZSCALE~1.EXE" wrote 8 bytes to a remote process "%PROGRAMFILES%\Zscaler-Network-Adapter\bin\devcon.exe" (Handle: 416)
      "ZSCALE~1.EXE" wrote 32 bytes to a remote process "%PROGRAMFILES%\Zscaler-Network-Adapter\bin\devcon.exe" (Handle: 412)
      "ZSCALE~1.EXE" wrote 52 bytes to a remote process "%PROGRAMFILES%\Zscaler-Network-Adapter\bin\devcon.exe" (Handle: 412)
      "ZSCALE~1.EXE" wrote 4 bytes to a remote process "%PROGRAMFILES%\Zscaler-Network-Adapter\bin\devcon.exe" (Handle: 412)
      "ZSCALE~1.EXE" wrote 8 bytes to a remote process "%PROGRAMFILES%\Zscaler-Network-Adapter\bin\devcon.exe" (Handle: 412)
      source
      API Call
      relevance
      6/10
      ATT&CK ID
      T1055 (Show technique in the MITRE ATT&CK™ matrix)
  • System Security
    • Modifies System Certificates Settings
      details
      "ZSASER~1.EXE" (Access type: "DELETEVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPUBLISHER\CERTIFICATES"; Key: "9D8E406F468455C282163073CFDF090A8EE0F36B")
      "ZSASER~1.EXE" (Access type: "SETVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPUBLISHER\CERTIFICATES\9D8E406F468455C282163073CFDF090A8EE0F36B"; Key: "Blob")
      "ZSASER~1.EXE" (Access type: "DELETEVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPUBLISHER\CERTIFICATES"; Key: "04794882FCD87976FD357B39A1F6B72510956E51")
      "ZSASER~1.EXE" (Access type: "SETVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPUBLISHER\CERTIFICATES\04794882FCD87976FD357B39A1F6B72510956E51"; Key: "Blob")
      "devcon.exe" (Access type: "DELETEVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPUBLISHER\CERTIFICATES"; Key: "9D8E406F468455C282163073CFDF090A8EE0F36B")
      "devcon.exe" (Access type: "SETVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPUBLISHER\CERTIFICATES\9D8E406F468455C282163073CFDF090A8EE0F36B"; Key: "Blob")
      source
      Registry Access
      relevance
      8/10
      ATT&CK ID
      T1112 (Show technique in the MITRE ATT&CK™ matrix)
  • Unusual Characteristics
    • Spawns a lot of processes
      details
      Spawned process "msiexec.exe" with commandline "/i "C:\Zscaler-windows-1.5.2.7-installer.msi"" (Show Process)
      Spawned process "Zscaler-windows-1.5.2.7-installer.exe" with commandline "--mode unattended --strictEnforcement 0 --userDomain "" --cloudName "" --policyToken "" --deviceToken "" --reinstallDriver 0 --hideAppUIOnLaunch 0 --useLWFDriver 0 --enableFips 0" (Show Process)
      Spawned process "ZSASER~1.EXE" with commandline "-pushCert" (Show Process)
      Spawned process "ZSCALE~1.EXE" with commandline "/S" (Show Process)
      Spawned process "devcon.exe" with commandline "hwids ztap" (Show Process)
      Spawned process "devcon.exe" with commandline "install "%PROGRAMFILES%\Zscaler-Network-Adapter\driver\ztap.inf" ztap" (Show Process)
      source
      Monitored Target
      relevance
      8/10
  • Anti-Detection/Stealthyness
    • Queries kernel debugger information
      details
      "msiexec.exe" at 00059928-00002248-00000033-6023630562
      "devcon.exe" at 00068275-00000728-00000033-269990822992
      source
      API Call
      relevance
      6/10
  • Anti-Reverse Engineering
    • Looks up many procedures within the same disassembly stream (often used to hide usage)
      details
      Found 38 calls to GetProcAddress@KERNEL32.dll (Show Stream)
      source
      Hybrid Analysis Technology
      relevance
      10/10
  • Cryptographic Related
    • Found a cryptographic related string
      details
      "DES" (Indicator: "des"; File: "ZSAHelper.exe.112826670")
      source
      String
      relevance
      10/10
  • Environment Awareness
    • Found a reference to a WMI query string known to be used for VM detection
      details
      "SELECT * FROM Win32_NetworkAdapter WHERE ServiceName='ztap'" (Indicator: "win32_networkadapter"; File: "ZSAHelper.exe.112826670")
      "facturer, Model FROM Win32_ComputerSystem" (Indicator: "win32_computersystem"; File: "ZSATray.exe.671201178")
      "* FROM Win32_SystemDriver WHERE Name LIKE '%ztap%'" (Indicator: "win32_systemdriver"; File: "ZSATray.exe.671201178")
      source
      String
      relevance
      10/10
      ATT&CK ID
      T1047 (Show technique in the MITRE ATT&CK™ matrix)
    • Reads the active computer name
      details
      "msiexec.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\Control\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
      "ZSCALE~1.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
      "devcon.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
      source
      Registry Access
      relevance
      5/10
      ATT&CK ID
      T1012 (Show technique in the MITRE ATT&CK™ matrix)
    • Reads the cryptographic machine GUID
      details
      "msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
      "devcon.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
      source
      Registry Access
      relevance
      10/10
      ATT&CK ID
      T1012 (Show technique in the MITRE ATT&CK™ matrix)
  • General
    • Reads configuration files
      details
      "msiexec.exe" read file "%WINDIR%\win.ini"
      "ZSCALE~1.EXE" read file "%PROGRAMFILES%\(x86)\desktop.ini"
      "ZSCALE~1.EXE" read file "%USERPROFILE%\Desktop\desktop.ini"
      source
      API Call
      relevance
      4/10
  • Installation/Persistence
    • Drops executable files
      details
      "ZSAHelper.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
      "nsExec.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "nssdbm3.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "zscalerchecksumverifier.exe" has type "PE32 executable (console) Intel 80386 for MS Windows"
      "sqlite3.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "ZSATray.exe" has type "PE32 executable (GUI) Intel 80386 Mono/.Net assembly for MS Windows"
      "ZSAService.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
      "certutil.exe" has type "PE32 executable (console) Intel 80386 for MS Windows"
      "System.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "UserInfo.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "plds4.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "devcon.exe" has type "PE32+ executable (console) x86-64 for MS Windows"
      "softokn3.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "ZSAUpdater.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
      "zscalerappupdater.exe" has type "PE32 executable (GUI) Intel 80386 (stripped to external PDB) for MS Windows"
      "Zscaler-Network-Adapter-Win10-1.0.2.0.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows Nullsoft Installer self-extracting archive"
      "smime3.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "ZSATunnel.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
      "Newtonsoft.Json.dll" has type "PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly for MS Windows"
      "Uninstall.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows Nullsoft Installer self-extracting archive"
      source
      Extracted File
      relevance
      10/10
    • The input sample dropped/contains a certificate file
      details
      File "zapprd.cat" is a certificate (Owner: CN=Microsoft Windows Hardware Compatibility Publisher, OU=AOC, O=Microsoft Corporation, L=Redmond, ST=Washington, C=US; Issuer: CN=Microsoft Windows Third Party Component CA 2014, O=Microsoft Corporation, L=Redmond, ST=Washington, C=US; SerialNumber: 330000001766243a437ebfe05e000000000017; Valid From: 02/15/2017 20:47:25; Until: 05/09/2018 20:47:25; Fingerprints: MD5=3F:0E:34:D9:0C:4A:14:78:F1:65:7C:7A:D6:9F:75:4F; SHA1=27:2D:F8:58:5C:E8:77:85:36:52:DA:AD:E5:0D:CC:77:11:AB:81:EB)
      File "zapprd.cat" is a certificate (Owner: CN=Microsoft Windows Third Party Component CA 2014, O=Microsoft Corporation, L=Redmond, ST=Washington, C=US; Issuer: CN=Microsoft Root Certificate Authority 2010, O=Microsoft Corporation, L=Redmond, ST=Washington, C=US; SerialNumber: 330000000d690d5d7893d076df00000000000d; Valid From: 10/15/2014 20:31:27; Until: 10/15/2029 20:41:27; Fingerprints: MD5=DC:FA:56:50:8D:FF:12:0D:93:6D:D6:27:F3:8C:A2:F9; SHA1=19:06:DC:F6:26:29:B5:63:25:2C:82:6F:DD:87:4E:FC:EB:68:56:C6)
      File "zapprd.cat" is a certificate (Owner: CN=GlobalSign Timestamping CA - G2, O=GlobalSign nv-sa, C=BE; Issuer: CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE; SerialNumber: 400000000012f4ee152d7; Valid From: 04/13/2011 10:00:00; Until: 01/28/2028 12:00:00; Fingerprints: MD5=95:C7:FF:05:1A:81:D4:5B:FA:80:B2:CA:4D:92:4F:A0; SHA1=C0:E4:9D:2D:7D:90:A5:CD:42:7F:02:D9:12:56:94:D5:D6:EC:5B:71)
      File "zapprd.cat" is a certificate (Owner: CN=GlobalSign TSA for MS Authenticode - G2, O=GMO GlobalSign Pte Ltd, C=SG; Issuer: CN=GlobalSign Timestamping CA - G2, O=GlobalSign nv-sa, C=BE; SerialNumber: 1121d699a764973ef1f8427ee919cc534114; Valid From: 05/24/2016 00:00:00; Until: 06/24/2027 00:00:00; Fingerprints: MD5=96:A1:A6:67:8C:3C:59:B9:E9:9A:29:7C:3C:65:BC:2B; SHA1=63:B8:2F:AB:61:F5:83:90:96:95:05:0B:00:24:9C:50:29:33:EC:79)
      File "zapprd.cat" is a certificate (Owner: CN="Zscaler, Inc.", O="Zscaler, Inc.", ST=California, L=San Jose, C=US; Issuer: CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US; SerialNumber: de70f9c235c5ffc25a862b70b963a4d; Valid From: 02/26/2015 00:00:00; Until: 03/02/2018 12:00:00; Fingerprints: MD5=57:5B:61:6B:8C:4E:EB:40:26:32:6D:9D:06:22:5B:E6; SHA1=04:79:48:82:FC:D8:79:76:FD:35:7B:39:A1:F6:B7:25:10:95:6E:51)
      File "zapprd.cat" is a certificate (Owner: CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US; Issuer: CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US; SerialNumber: 409181b5fd5bb66755343b56f955008; Valid From: 10/22/2013 12:00:00; Until: 10/22/2028 12:00:00; Fingerprints: MD5=B6:56:37:6C:3D:2A:CE:BB:A1:88:49:D6:04:36:1B:D5; SHA1=92:C1:58:8E:85:AF:22:01:CE:79:15:E8:53:8B:49:2F:60:5B:80:C6)
      File "zapprd.cat" is a certificate (Owner: CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US; Issuer: CN=Microsoft Code Verification Root, O=Microsoft Corporation, L=Redmond, ST=Washington, C=US; SerialNumber: 611cb28a000000000026; Valid From: 04/15/2011 19:41:37; Until: 04/15/2021 19:51:37; Fingerprints: MD5=58:95:67:A6:C1:94:4D:68:F1:1F:F3:D8:65:76:09:2B; SHA1=BA:3E:A5:4D:72:C1:45:D3:7C:25:5E:1E:A4:0A:FB:C6:33:48:B9:6E)
      File "zapprd.cat" is a certificate (Owner: CN="Zscaler, Inc.", O="Zscaler, Inc.", L=San Jose, ST=California, C=US; Issuer: CN=DigiCert High Assurance Code Signing CA-1, OU=www.digicert.com, O=DigiCert Inc, C=US; SerialNumber: 60e24ead73a238ca782e05e9234e0c7; Valid From: 12/22/2015 00:00:00; Until: 01/04/2019 12:00:00; Fingerprints: MD5=E2:1C:3F:7A:5D:6C:7A:21:F4:2F:68:CF:16:DF:44:F7; SHA1=9D:8E:40:6F:46:84:55:C2:82:16:30:73:CF:DF:09:0A:8E:E0:F3:6B)
      File "zapprd.cat" is a certificate (Owner: CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US; Issuer: CN=Microsoft Code Verification Root, O=Microsoft Corporation, L=Redmond, ST=Washington, C=US; SerialNumber: 61204db4000000000027; Valid From: 04/15/2011 19:45:33; Until: 04/15/2021 19:55:33; Fingerprints: MD5=F4:A3:8D:BE:86:38:6C:55:4D:25:F1:CE:25:57:A4:FE; SHA1=2F:25:13:AF:39:92:DB:0A:3F:79:70:9F:F8:14:3B:3F:7B:D2:D1:43)
      File "zapprd.cat" is a certificate (Owner: CN=DigiCert High Assurance Code Signing CA-1, OU=www.digicert.com, O=DigiCert Inc, C=US; Issuer: CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US; SerialNumber: 2c4d1e58a4a680c568da3047e7e4d5f; Valid From: 02/11/2011 12:00:00; Until: 02/10/2026 12:00:00; Fingerprints: MD5=48:55:57:0C:D6:37:9F:7F:CD:1E:A1:A1:E7:9C:F3:C5; SHA1=E3:08:F8:29:DC:77:E8:0A:F1:5E:DD:41:51:EA:47:C5:93:99:AB:46)
      File "ztap.cat" is a certificate (Owner: CN=Symantec Time Stamping Services CA - G2, O=Symantec Corporation, C=US; Issuer: CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte, L=Durbanville, ST=Western Cape, C=ZA; SerialNumber: 7e93ebfb7cc64e59ea4b9a77d406fc3b; Valid From: 12/21/2012 00:00:00; Until: 12/30/2020 23:59:59; Fingerprints: MD5=7B:A3:69:EE:9A:BD:81:E0:FC:76:74:E9:70:9E:15:1D; SHA1=6C:07:45:3F:FD:DA:08:B8:37:07:C0:9B:82:FB:3D:15:F3:53:36:B1)
      File "ztap.cat" is a certificate (Owner: CN=Symantec Time Stamping Services Signer - G4, O=Symantec Corporation, C=US; Issuer: CN=Symantec Time Stamping Services CA - G2, O=Symantec Corporation, C=US; SerialNumber: ecff438c8febf356e04d86a981b1a50; Valid From: 10/18/2012 00:00:00; Until: 12/29/2020 23:59:59; Fingerprints: MD5=08:32:B6:5C:C3:E3:A4:9B:C3:81:BA:95:E1:B5:87:37; SHA1=65:43:99:29:B6:79:73:EB:19:2D:6F:F2:43:E6:76:7A:DF:08:34:E4)
      File "ztap.cat" is a certificate (Owner: CN="Zscaler, Inc.", O="Zscaler, Inc.", L=San Jose, ST=California, C=US; Issuer: CN=DigiCert High Assurance Code Signing CA-1, OU=www.digicert.com, O=DigiCert Inc, C=US; SerialNumber: 60e24ead73a238ca782e05e9234e0c7; Valid From: 12/22/2015 00:00:00; Until: 01/04/2019 12:00:00; Fingerprints: MD5=E2:1C:3F:7A:5D:6C:7A:21:F4:2F:68:CF:16:DF:44:F7; SHA1=9D:8E:40:6F:46:84:55:C2:82:16:30:73:CF:DF:09:0A:8E:E0:F3:6B)
      File "ztap.cat" is a certificate (Owner: CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US; Issuer: CN=Microsoft Code Verification Root, O=Microsoft Corporation, L=Redmond, ST=Washington, C=US; SerialNumber: 61204db4000000000027; Valid From: 04/15/2011 19:45:33; Until: 04/15/2021 19:55:33; Fingerprints: MD5=F4:A3:8D:BE:86:38:6C:55:4D:25:F1:CE:25:57:A4:FE; SHA1=2F:25:13:AF:39:92:DB:0A:3F:79:70:9F:F8:14:3B:3F:7B:D2:D1:43)
      File "ztap.cat" is a certificate (Owner: CN=DigiCert High Assurance Code Signing CA-1, OU=www.digicert.com, O=DigiCert Inc, C=US; Issuer: CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US; SerialNumber: 2c4d1e58a4a680c568da3047e7e4d5f; Valid From: 02/11/2011 12:00:00; Until: 02/10/2026 12:00:00; Fingerprints: MD5=48:55:57:0C:D6:37:9F:7F:CD:1E:A1:A1:E7:9C:F3:C5; SHA1=E3:08:F8:29:DC:77:E8:0A:F1:5E:DD:41:51:EA:47:C5:93:99:AB:46)
      source
      Extracted File
      relevance
      10/10
  • Network Related
    • Found potential IP address in binary/memory
      details
      Heuristic match: "Zscaler-windows-1.5.2.7-installer.msi"
      Heuristic match: "Zscaler-windows-1.5.2.7-installer.exe"
      Heuristic match: "2020-01-16 12:09:44.144500 #NORMAL #INFO : ZSAService App Version: 1.5.2.7"
      "1.0.1.0"
      "1.5.2.7"
      Heuristic match: "DriverVer=08/18/2015,1.0.1.0"
      Heuristic match: "DeviceDescription = "Zscaler Network Adapter 1.0.1.0""
      Heuristic match: "/1.5.2.7"
      Heuristic match: "1.5.2.7 (200057)"
      Heuristic match: "ZSATray App Version: 1.5.2.7"
      Heuristic match: "1.5.2.7 Feedback"
      Heuristic match: "aring: 1.5.2.7 And:"
      Heuristic match: "//1.2.3.4/"
      Heuristic match: "%-20s - OID (case): 1.2.3.4"
      Heuristic match: "OID.2.5.29.32.0"
      Heuristic match: "/i "C:\Zscaler-windows-1.5.2.7-installer.msi""
      source
      String
      relevance
      3/10
  • Remote Access Related
    • Contains references to WMI/WMIC
      details
      "ROOT\CIMV2" (Indicator: "root\cimv2")
      source
      String
      relevance
      10/10
      ATT&CK ID
      T1047 (Show technique in the MITRE ATT&CK™ matrix)
    • Reads terminal service related keys (often RDP related)
      details
      "Zscaler-windows-1.5.2.7-installer.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\TERMINAL SERVER"; Key: "TSUSERENABLED")
      source
      Registry Access
      relevance
      10/10
      ATT&CK ID
      T1076 (Show technique in the MITRE ATT&CK™ matrix)
  • System Destruction
    • Marks file for deletion
      details
      "%WINDIR%\SysWOW64\msiexec.exe" marked "C:\MSI65399.tmp" for deletion
      "%TEMP%\ZSAMSInstaller\Zscaler-windows-1.5.2.7-installer.exe" marked "%TEMP%\BRF9C8.tmp" for deletion
      "%PROGRAMFILES(X86)%\Zscaler\THIRDP~1\TAPDRI~1\ZSCALE~1.EXE" marked "C:\Users\%USERNAME%\AppData\Local\Temp\nsg321E.tmp" for deletion
      "%PROGRAMFILES(X86)%\Zscaler\THIRDP~1\TAPDRI~1\ZSCALE~1.EXE" marked "C:\Users\%USERNAME%\AppData\Local\Temp\nsb324E.tmp" for deletion
      "%PROGRAMFILES(X86)%\Zscaler\THIRDP~1\TAPDRI~1\ZSCALE~1.EXE" marked "C:\Users\%USERNAME%\AppData\Local\Temp\nsb324E.tmp\nsExec.dll" for deletion
      "%PROGRAMFILES(X86)%\Zscaler\THIRDP~1\TAPDRI~1\ZSCALE~1.EXE" marked "C:\Users\%USERNAME%\AppData\Local\Temp\nsb324E.tmp\System.dll" for deletion
      "%PROGRAMFILES(X86)%\Zscaler\THIRDP~1\TAPDRI~1\ZSCALE~1.EXE" marked "C:\Users\%USERNAME%\AppData\Local\Temp\nsb324E.tmp\UserInfo.dll" for deletion
      "%PROGRAMFILES%\Zscaler-Network-Adapter\bin\devcon.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\{047865a9-8171-1dd3-e63f-5e36f701da7e}\SET55C3.tmp" for deletion
      "%PROGRAMFILES%\Zscaler-Network-Adapter\bin\devcon.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\{047865a9-8171-1dd3-e63f-5e36f701da7e}\SET55F3.tmp" for deletion
      "%PROGRAMFILES%\Zscaler-Network-Adapter\bin\devcon.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\{047865a9-8171-1dd3-e63f-5e36f701da7e}\SET5623.tmp" for deletion
      "%PROGRAMFILES%\Zscaler-Network-Adapter\bin\devcon.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\{047865a9-8171-1dd3-e63f-5e36f701da7e}\ztap.cat" for deletion
      "%PROGRAMFILES%\Zscaler-Network-Adapter\bin\devcon.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\{047865a9-8171-1dd3-e63f-5e36f701da7e}\ztap.inf" for deletion
      "%PROGRAMFILES%\Zscaler-Network-Adapter\bin\devcon.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\{047865a9-8171-1dd3-e63f-5e36f701da7e}\ztap.sys" for deletion
      "%PROGRAMFILES%\Zscaler-Network-Adapter\bin\devcon.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\{047865a9-8171-1dd3-e63f-5e36f701da7e}" for deletion
      source
      API Call
      relevance
      10/10
      ATT&CK ID
      T1107 (Show technique in the MITRE ATT&CK™ matrix)
    • Opens file with deletion access rights
      details
      "msiexec.exe" opened "C:\MSI65399.tmp" with delete access
      "msiexec.exe" opened "%SAMPLEDIR%\MSI6539a.tmp" with delete access
      "Zscaler-windows-1.5.2.7-installer.exe" opened "%TEMP%\BRF9C8.tmp" with delete access
      "ZSCALE~1.EXE" opened "C:\Users\%USERNAME%\AppData\Local\Temp\nsg321E.tmp" with delete access
      "ZSCALE~1.EXE" opened "C:\Users\%USERNAME%\AppData\Local\Temp\nsb324E.tmp" with delete access
      "ZSCALE~1.EXE" opened "C:\Users\%USERNAME%\AppData\Local\Temp\nsb324E.tmp\nsExec.dll" with delete access
      "ZSCALE~1.EXE" opened "C:\Users\%USERNAME%\AppData\Local\Temp\nsb324E.tmp\System.dll" with delete access
      "ZSCALE~1.EXE" opened "C:\Users\%USERNAME%\AppData\Local\Temp\nsb324E.tmp\UserInfo.dll" with delete access
      "ZSCALE~1.EXE" opened "C:\Users\%USERNAME%\AppData\Local\Temp\nsb324E.tmp\" with delete access
      "devcon.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\{047865a9-8171-1dd3-e63f-5e36f701da7e}\SET55C3.tmp" with delete access
      "devcon.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\{047865a9-8171-1dd3-e63f-5e36f701da7e}\SET55F3.tmp" with delete access
      "devcon.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\{047865a9-8171-1dd3-e63f-5e36f701da7e}\SET5623.tmp" with delete access
      "devcon.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\{047865a9-8171-1dd3-e63f-5e36f701da7e}\ztap.cat" with delete access
      "devcon.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\{047865a9-8171-1dd3-e63f-5e36f701da7e}\ztap.inf" with delete access
      "devcon.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\{047865a9-8171-1dd3-e63f-5e36f701da7e}\ztap.sys" with delete access
      "devcon.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\{047865a9-8171-1dd3-e63f-5e36f701da7e}" with delete access
      source
      API Call
      relevance
      7/10
  • Unusual Characteristics
    • Installs hooks/patches the running process
      details
      "msiexec.exe" wrote bytes "b4365e75" to virtual address "0x755F025C" (part of module "SSPICLI.DLL")
      "msiexec.exe" wrote bytes "d83a5e75" to virtual address "0x755F01FC" (part of module "SSPICLI.DLL")
      "msiexec.exe" wrote bytes "b84013f973ffe0" to virtual address "0x755E3AD8" (part of module "SSPICLI.DLL")
      "msiexec.exe" wrote bytes "d83a0200" to virtual address "0x755E4E38" (part of module "SSPICLI.DLL")
      "msiexec.exe" wrote bytes "d83a0200" to virtual address "0x755E4D78" (part of module "SSPICLI.DLL")
      "msiexec.exe" wrote bytes "d83a5e75" to virtual address "0x755F0258" (part of module "SSPICLI.DLL")
      "msiexec.exe" wrote bytes "b4365e75" to virtual address "0x755F0278" (part of module "SSPICLI.DLL")
      "msiexec.exe" wrote bytes "b8c015f973ffe0" to virtual address "0x755E36B4" (part of module "SSPICLI.DLL")
      "msiexec.exe" wrote bytes "d83a5e75" to virtual address "0x755F0274" (part of module "SSPICLI.DLL")
      "msiexec.exe" wrote bytes "c0dfd4771cf9d377ccf8d3770d64d57700000000c0117b7600000000fc3e7b7600000000e0137b76000000009457867725e0d477c6e0d47700000000bc6a857700000000cf317b760000000093198677000000002c327b7600000000" to virtual address "0x766F1000" (part of module "NSI.DLL")
      "msiexec.exe" wrote bytes "b83012f973ffe0" to virtual address "0x76D91368" (part of module "WS2_32.DLL")
      "msiexec.exe" wrote bytes "b4360200" to virtual address "0x755E4D68" (part of module "SSPICLI.DLL")
      "msiexec.exe" wrote bytes "7111c7007a3bc600ab8b02007f950200fc8c0200729602006cc805001ecdc3007d26c300" to virtual address "0x771307E4" (part of module "USER32.DLL")
      "msiexec.exe" wrote bytes "68130000" to virtual address "0x76D91680" (part of module "WS2_32.DLL")
      "msiexec.exe" wrote bytes "b4360200" to virtual address "0x755E4EA4" (part of module "SSPICLI.DLL")
      "msiexec.exe" wrote bytes "b4365e75" to virtual address "0x755F01E4" (part of module "SSPICLI.DLL")
      "msiexec.exe" wrote bytes "6012f973" to virtual address "0x76B8E324" (part of module "WININET.DLL")
      "msiexec.exe" wrote bytes "d83a5e75" to virtual address "0x755F01E0" (part of module "SSPICLI.DLL")
      "msiexec.exe" wrote bytes "b4365e75" to virtual address "0x755F0200" (part of module "SSPICLI.DLL")
      "Zscaler-windows-1.5.2.7-installer.exe" wrote bytes "c0dfd4771cf9d377ccf8d3770d64d57700000000c0117b7600000000fc3e7b7600000000e0137b76000000009457867725e0d477c6e0d47700000000bc6a857700000000cf317b760000000093198677000000002c327b7600000000" to virtual address "0x766F1000" (part of module "NSI.DLL")
      source
      Hook Detection
      relevance
      10/10
      ATT&CK ID
      T1179 (Show technique in the MITRE ATT&CK™ matrix)
    • Reads data about supported languages
      details
      "msiexec.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
      "Zscaler-windows-1.5.2.7-installer.exe" (Path: "HKU\CONTROL PANEL\INTERNATIONAL"; Key: "LOCALENAME")
      "Zscaler-windows-1.5.2.7-installer.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
      source
      Registry Access
      relevance
      3/10
      ATT&CK ID
      T1012 (Show technique in the MITRE ATT&CK™ matrix)
  • Hiding 4 Suspicious Indicators
    • All indicators are available but in the private webservice or standalone version
  • Anti-Reverse Engineering
    • Contains ability to register a top-level exception handler (often used as anti-debugging trick)
      details
      SetUnhandledExceptionFilter@KERNEL32.dll (Show Stream)
      __crtSetUnhandledExceptionFilter@MSVCR120.dll (Show Stream)
      source
      Hybrid Analysis Technology
      relevance
      1/10
  • Environment Awareness
    • Contains ability to query machine time
      details
      GetSystemTimeAsFileTime@KERNEL32.dll (Show Stream)
      source
      Hybrid Analysis Technology
      relevance
      1/10
      ATT&CK ID
      T1124 (Show technique in the MITRE ATT&CK™ matrix)
    • Contains ability to query the machine timezone
      details
      GetTimeZoneInformation@KERNEL32.dll (Show Stream)
      source
      Hybrid Analysis Technology
      relevance
      1/10
      ATT&CK ID
      T1124 (Show technique in the MITRE ATT&CK™ matrix)
    • Contains ability to query the machine version
      details
      GetVersionExA@KERNEL32.dll (Show Stream)
      source
      Hybrid Analysis Technology
      relevance
      1/10
    • Makes a code branch decision directly after an API that is environment aware
      details
      Found API call GetTimeZoneInformation@KERNEL32.dll directly followed by "cmp eax, FFFFFFFFh" and "je 0044AF5Dh" (Show Stream)
      Found API call GetVersionExA@KERNEL32.dll directly followed by "cmp ecx, 02h" and "je 004066F4h" (Show Stream)
      source
      Hybrid Analysis Technology
      relevance
      10/10
    • Possibly tries to detect the presence of a debugger
      details
      GetProcessHeap@KERNEL32.dll (Show Stream)
      source
      Hybrid Analysis Technology
      relevance
      1/10
    • Queries the installation properties of user installed products
      details
      "msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INSTALLER\USERDATA\S-1-5-18\PRODUCTS\B3C62C7A62F5E0D4AA5587B15254E647\INSTALLPROPERTIES")
      source
      Registry Access
      relevance
      10/10
    • Queries volume information
      details
      "msiexec.exe" queries volume information of "C:\" at 00059928-00002248-00000046-11234222739
      "msiexec.exe" queries volume information of "C:\share" at 00059928-00002248-00000046-29443313141
      "Zscaler-windows-1.5.2.7-installer.exe" queries volume information of "%TEMP%\ZSAMSInstaller\Zscaler-windows-1.5.2.7-installer.exe" at 00066853-00002836-00000046-226419810288
      "Zscaler-windows-1.5.2.7-installer.exe" queries volume information of "C:\Users\%USERNAME%\AppData\Local\Temp\ZSAMSInstaller\Zscaler-windows-1.5.2.7-installer.exe" at 00066853-00002836-00000046-227102169990
      "Zscaler-windows-1.5.2.7-installer.exe" queries volume information of "C:\Users\%USERNAME%\AppData\Local\Temp" at 00066853-00002836-00000046-231433930476
      "Zscaler-windows-1.5.2.7-installer.exe" queries volume information of "C:\Users\%USERNAME%\AppData\Local\Temp" at 00066853-00002836-00000046-231442241876
      "Zscaler-windows-1.5.2.7-installer.exe" queries volume information of "C:\" at 00066853-00002836-00000046-231482634056
      "Zscaler-windows-1.5.2.7-installer.exe" queries volume information of "C:\Users" at 00066853-00002836-00000046-231486121929
      "Zscaler-windows-1.5.2.7-installer.exe" queries volume information of "C:\Users\%OSUSER%" at 00066853-00002836-00000046-231490085387
      "Zscaler-windows-1.5.2.7-installer.exe" queries volume information of "C:\Users\%USERNAME%\AppData" at 00066853-00002836-00000046-231495292822
      "Zscaler-windows-1.5.2.7-installer.exe" queries volume information of "C:\Users\%USERNAME%\AppData\Local" at 00066853-00002836-00000046-231501711868
      "Zscaler-windows-1.5.2.7-installer.exe" queries volume information of "C:\Users\%USERNAME%\AppData\Local\Temp" at 00066853-00002836-00000046-231509648439
      "Zscaler-windows-1.5.2.7-installer.exe" queries volume information of "C:\" at 00066853-00002836-00000046-231524359190
      "Zscaler-windows-1.5.2.7-installer.exe" queries volume information of "C:\Users" at 00066853-00002836-00000046-231527188642
      "Zscaler-windows-1.5.2.7-installer.exe" queries volume information of "C:\Users\%OSUSER%" at 00066853-00002836-00000046-231531090234
      "Zscaler-windows-1.5.2.7-installer.exe" queries volume information of "C:\Users\%USERNAME%\AppData" at 00066853-00002836-00000046-231536267747
      "Zscaler-windows-1.5.2.7-installer.exe" queries volume information of "C:\Users\%USERNAME%\AppData\Local" at 00066853-00002836-00000046-231542514881
      "devcon.exe" queries volume information of "C:\Program Files\Zscaler-Network-Adapter\driver\ztap.cat" at 00068275-00000728-00000046-270467392964
      "devcon.exe" queries volume information of "C:\Program Files\Zscaler-Network-Adapter\driver\ztap.cat" at 00068275-00000728-00000046-272121408577
      "devcon.exe" queries volume information of "C:\Windows\System32\DriverStore\FileRepository\ztap.inf_amd64_neutral_2fa4bcbfb1554d78\ztap.cat" at 00068275-00000728-00000046-275611029798
      source
      API Call
      relevance
      2/10
      ATT&CK ID
      T1120 (Show technique in the MITRE ATT&CK™ matrix)
    • Queries volume information of an entire hard drive
      details
      "msiexec.exe" queries volume information of "C:\" at 00059928-00002248-00000046-11234222739
      "Zscaler-windows-1.5.2.7-installer.exe" queries volume information of "C:\" at 00066853-00002836-00000046-231482634056
      "Zscaler-windows-1.5.2.7-installer.exe" queries volume information of "C:\" at 00066853-00002836-00000046-231524359190
      source
      API Call
      relevance
      8/10
      ATT&CK ID
      T1120 (Show technique in the MITRE ATT&CK™ matrix)
    • Reads the registry for installed applications
      details
      "ZSCALE~1.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\ZSCALER-NETWORK-ADAPTER")
      source
      Registry Access
      relevance
      10/10
      ATT&CK ID
      T1012 (Show technique in the MITRE ATT&CK™ matrix)
  • External Systems
    • Sample was identified as clean by Antivirus engines
      details
      0/22 Antivirus vendors marked sample as malicious (0% detection rate)
      0/60 Antivirus vendors marked sample as malicious (0% detection rate)
      source
      External System
      relevance
      10/10
  • General
    • Accesses Software Policy Settings
      details
      "msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
      "msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
      "msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
      "msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
      "msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
      "msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
      "msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
      "msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "")
      "msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES"; Key: "")
      "msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS"; Key: "")
      "msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS"; Key: "")
      "msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES"; Key: "")
      "msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS"; Key: "")
      "msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS"; Key: "")
      "msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES"; Key: "")
      "msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CRLS"; Key: "")
      "msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CTLS"; Key: "")
      "msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE"; Key: "")
      "msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\CERTIFICATES"; Key: "")
      "msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\CRLS"; Key: "")
      source
      Registry Access
      relevance
      10/10
      ATT&CK ID
      T1012 (Show technique in the MITRE ATT&CK™ matrix)
    • Accesses System Certificates Settings
      details
      "msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\MY"; Key: "")
      "msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
      "msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
      "msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\104C63D2546B8021DD105E9FBA5A8D78169F6B32"; Key: "BLOB")
      "msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\1FB86B1168EC743154062E8C9CC5B171A4B7CCB4"; Key: "Blob")
      "msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\247106A405B288A46E70A0262717162D0903E734"; Key: "BLOB")
      "msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\27AC9369FAF25207BB2627CEFACCBE4EF9C319B8"; Key: "BLOB")
      "msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\339CDD57CFD5B141169B615FF31428782D1DA639"; Key: "Blob")
      "msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\5AEAEE3F7F2A9449CEBAFEEC68FDD184F20124A7"; Key: "Blob")
      "msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\902EF2DEEB3C5B13EA4C3D5193629309E231AE55"; Key: "Blob")
      "msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\C86EDBC71AB05078F61ACDF3D8DC5DB61EB75FB6"; Key: "BLOB")
      "msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\E3FC0AD84F2F5A83ED6F86F567F8B14B40DCBF12"; Key: "BLOB")
      "msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\EAB040689A0D805B5D6FD654FC168CFF00B78BE3"; Key: "BLOB")
      "msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\F5AD0BCC1AD56CD150725B1C866C30AD92EF21B0"; Key: "BLOB")
      "msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\FF67367C5CD4DE4AE18BCCE1D70FDABD7C866135"; Key: "BLOB")
      "msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
      "msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
      "msiexec.exe" (Path: "HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
      source
      Registry Access
      relevance
      10/10
      ATT&CK ID
      T1112 (Show technique in the MITRE ATT&CK™ matrix)
    • Contains PDB pathways
      details
      "devcon.pdb"
      "%USERPROFILE%\Desktop\NSS\nspr\WIN954.0_DBG.OBJ\lib\ds\plds4.pdb"
      "%USERPROFILE%\Mobile\src\mobile\client\branches\release-1.5.2\apps\windows\system\ZSecureAgent\ZSAHelper\Release_Deploy\ZSAHelper.pdb"
      "d:\dvt\C & CPP\crypto\fciv\Release\fciv.pdb"
      "%USERPROFILE%\Mobile\src\mobile\client\branches\release-1.5.2\apps\windows\system\ZSecureAgent\ZSATray\obj\x86\Release_Deploy\ZSATray.pdb"
      "%USERPROFILE%\Desktop\NSS\nss\cmd\certutil\WIN954.0_DBG.OBJ\certutil.pdb"
      "%USERPROFILE%\Desktop\NSS\nss\lib\sqlite\WIN954.0_DBG.OBJ\sqlite3.pdb"
      source
      String
      relevance
      1/10
    • Contains SQL queries
      details
      "INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);"
      "SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0"
      "SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'"
      "SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';"
      "UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;"
      "UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;"
      "UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');"
      source
      String
      relevance
      2/10
    • Creates a writable file in a temporary directory
      details
      "Zscaler-windows-1.5.2.7-installer.exe" created file "%TEMP%\BRF9C8.tmp"
      "ZSCALE~1.EXE" created file "%TEMP%\nsb324E.tmp\UserInfo.dll"
      "ZSCALE~1.EXE" created file "%TEMP%\nsb324E.tmp\System.dll"
      "ZSCALE~1.EXE" created file "%TEMP%\nsb324E.tmp\nsExec.dll"
      "devcon.exe" created file "%TEMP%\{047865a9-8171-1dd3-e63f-5e36f701da7e}\SET55C3.tmp"
      "devcon.exe" created file "%TEMP%\{047865a9-8171-1dd3-e63f-5e36f701da7e}\SET55F3.tmp"
      "devcon.exe" created file "%TEMP%\{047865a9-8171-1dd3-e63f-5e36f701da7e}\SET5623.tmp"
      source
      API Call
      relevance
      1/10
    • Creates mutants
      details
      "\Sessions\1\BaseNamedObjects\Global\_MSIExecute"
      "Global\_MSIExecute"
      "\Sessions\1\BaseNamedObjects\Global\BitrockSingleInstanceCheck"
      "\Sessions\1\BaseNamedObjects\Global\3a886eb8-fe40-4d0a-b78b-9e0bcb683fb7"
      "Global\3a886eb8-fe40-4d0a-b78b-9e0bcb683fb7"
      source
      Created Mutant
      relevance
      3/10
    • Drops files marked as clean
      details
      Antivirus vendors marked dropped file "ZSAHelper.exe" as clean (type is "PE32 executable (GUI) Intel 80386 for MS Windows"), Antivirus vendors marked dropped file "nsExec.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"), Antivirus vendors marked dropped file "zapprd.inf" as clean (type is "Windows setup INFormation ASCII text with CRLF line terminators"), Antivirus vendors marked dropped file "nssdbm3.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"), Antivirus vendors marked dropped file "zscalerchecksumverifier.exe" as clean (type is "PE32 executable (console) Intel 80386 for MS Windows"), Antivirus vendors marked dropped file "ztap.inf" as clean (type is "Windows setup INFormation ASCII text"), Antivirus vendors marked dropped file "sqlite3.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"), Antivirus vendors marked dropped file "ZSATray.exe" as clean (type is "PE32 executable (GUI) Intel 80386 Mono/.Net assembly for MS Windows"), Antivirus vendors marked dropped file "zapprd.cat" as clean (type is "data"), Antivirus vendors marked dropped file "ZSAService.exe" as clean (type is "PE32 executable (GUI) Intel 80386 for MS Windows"), Antivirus vendors marked dropped file "System.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"), Antivirus vendors marked dropped file "UserInfo.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"), Antivirus vendors marked dropped file "plds4.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"), Antivirus vendors marked dropped file "devcon.exe" as clean (type is "PE32+ executable (console) x86-64 for MS Windows"), Antivirus vendors marked dropped file "softokn3.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"), Antivirus vendors marked dropped file "ZSAUpdater.exe" as clean (type is "PE32 executable (GUI) Intel 80386 for MS Windows"), Antivirus vendors marked dropped file "zscalerappupdater.exe" as clean (type is "PE32 executable (GUI) Intel 80386 (stripped to external PDB) for MS Windows")
      source
      Extracted File
      relevance
      10/10
    • Loads rich edit control libraries
      details
      "msiexec.exe" loaded module "%WINDIR%\SysWOW64\riched20.dll" at 733B0000
      source
      Loaded Module
      ATT&CK ID
      T1179 (Show technique in the MITRE ATT&CK™ matrix)
    • Overview of unique CLSIDs touched in registry
      details
      "msiexec.exe" touched "Msi install server" (Path: "HKCU\WOW6432NODE\CLSID\{000C101C-0000-0000-C000-000000000046}")
      "msiexec.exe" touched "PSFactoryBuffer" (Path: "HKCU\WOW6432NODE\CLSID\{000C103E-0000-0000-C000-000000000046}")
      "msiexec.exe" touched "Microsoft Windows Installer Message RPC" (Path: "HKCU\CLSID\{000C101D-0000-0000-C000-000000000046}\DLLVERSION")
      "ZSCALE~1.EXE" touched "Computer" (Path: "HKCR\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\SHELLFOLDER")
      "ZSCALE~1.EXE" touched "Memory Mapped Cache Mgr" (Path: "HKCR\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}")
      source
      Registry Access
      relevance
      3/10
    • Process launched with changed environment
      details
      Process "Zscaler-windows-1.5.2.7-installer.exe" (Show Process) was launched with modified environment variables: "CommonProgramFiles, Path, PROCESSOR_ARCHITECTURE, ProgramFiles"
      Process "Zscaler-windows-1.5.2.7-installer.exe" (Show Process) was launched with missing environment variables: "PROCESSOR_ARCHITEW6432, PROMPT, VXDIR"
      Process "ZSASER~1.EXE" (Show Process) was launched with new environment variables: "PROCESSOR_ARCHITEW6432="AMD64", LC_NUMERIC="C", HOME="C:\Users\HAPUBWS""
      Process "ZSASER~1.EXE" (Show Process) was launched with modified environment variables: "CommonProgramFiles, PROCESSOR_ARCHITECTURE, ProgramFiles"
      source
      Monitored Target
      relevance
      10/10
    • Reads Windows Trust Settings
      details
      "msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\WINTRUST\TRUST PROVIDERS\SOFTWARE PUBLISHING"; Key: "State")
      "devcon.exe" (Path: "HKU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\WINTRUST\TRUST PROVIDERS\SOFTWARE PUBLISHING"; Key: "State")
      source
      Registry Access
      relevance
      5/10
      ATT&CK ID
      T1012 (Show technique in the MITRE ATT&CK™ matrix)
    • Scanning for window names
      details
      "msiexec.exe" searching for form "Shell_TrayWnd"
      source
      API Call
      relevance
      10/10
      ATT&CK ID
      T1010 (Show technique in the MITRE ATT&CK™ matrix)
    • Spawns new processes
      details
      Spawned process "Zscaler-windows-1.5.2.7-installer.exe" with commandline "--mode unattended --strictEnforcement 0 --userDomain "" --cloudN ..." (Show Process)
      Spawned process "ZSASER~1.EXE" with commandline "-pushCert" (Show Process)
      Spawned process "ZSCALE~1.EXE" with commandline "/S" (Show Process)
      Spawned process "devcon.exe" with commandline "hwids ztap" (Show Process)
      Spawned process "devcon.exe" with commandline "install "%PROGRAMFILES%\Zscaler-Network-Adapter\driver\ztap.inf" ..." (Show Process)
      source
      Monitored Target
      relevance
      3/10
    • Spawns new processes that are not known child processes
      details
      Spawned process "Zscaler-windows-1.5.2.7-installer.exe" with commandline "--mode unattended --strictEnforcement 0 --userDomain "" --cloudN ..." (Show Process)
      Spawned process "ZSASER~1.EXE" with commandline "-pushCert" (Show Process)
      Spawned process "ZSCALE~1.EXE" with commandline "/S" (Show Process)
      Spawned process "devcon.exe" with commandline "hwids ztap" (Show Process)
      Spawned process "devcon.exe" with commandline "install "%PROGRAMFILES%\Zscaler-Network-Adapter\driver\ztap.inf" ..." (Show Process)
      source
      Monitored Target
      relevance
      3/10
    • The input sample is signed with a certificate
      details
      The input sample is signed with a certificate issued by "C=US, S=California, L=San Jose, O="Zscaler Inc.", CN="Zscaler Inc."" (SHA1: 83:FE:2A:35:86:D4:83:FD:75:C0:B0:AB:DB:89:69:7A:56:AD:0B:41: (1.2.840.113549.1.1.11); see report for more information)
      The input sample is signed with a certificate issued by "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Assured ID Code Signing CA" (SHA1: 92:C1:58:8E:85:AF:22:01:CE:79:15:E8:53:8B:49:2F:60:5B:80:C6: (1.2.840.113549.1.1.11); see report for more information)
      The input sample is signed with a certificate issued by "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root CA" (SHA1: 05:63:B8:63:0D:62:D7:5A:BB:C8:AB:1E:4B:DF:B5:A8:99:B2:4D:43: (sha1RSA(RSA)); see report for more information)
      source
      Certificate Data
      relevance
      10/10
      ATT&CK ID
      T1116 (Show technique in the MITRE ATT&CK™ matrix)
    • The input sample is signed with a valid certificate
      details
      The entire certificate chain of the input sample was validated successfully.
      source
      Certificate Data
      relevance
      10/10
  • Installation/Persistance
    • Connects to LPC ports
      details
      "msiexec.exe" connecting to "\ThemeApiPort"
      "Zscaler-windows-1.5.2.7-installer.exe" connecting to "\ThemeApiPort"
      "ZSCALE~1.EXE" connecting to "\ThemeApiPort"
      source
      API Call
      relevance
      1/10
    • Dropped files
      details
      "zapprd.cat" has type "data"
      "ZSAHelper.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
      "nsExec.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "zapprd.inf" has type "Windows setup INFormation ASCII text with CRLF line terminators"
      "nssdbm3.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "zscalerchecksumverifier.exe" has type "PE32 executable (console) Intel 80386 for MS Windows"
      "ztap.inf" has type "Windows setup INFormation ASCII text"
      "sqlite3.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "ZSATray.exe" has type "PE32 executable (GUI) Intel 80386 Mono/.Net assembly for MS Windows"
      "ZSAService.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
      "certutil.exe" has type "PE32 executable (console) Intel 80386 for MS Windows"
      "System.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "UserInfo.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "plds4.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "devcon.exe" has type "PE32+ executable (console) x86-64 for MS Windows"
      "softokn3.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      source
      Extracted File
      relevance
      3/10
    • Found a string that may be used as part of an injection method
      details
      "Shell_TrayWnd" (Taskbar window class may be used to inject into explorer with the SetWindowLong method)
      source
      String
      relevance
      4/10
      ATT&CK ID
      T1055 (Show technique in the MITRE ATT&CK™ matrix)
    • Monitors specific registry key for changes
      details
      "msiexec.exe" monitors "\REGISTRY\MACHINE\System\ControlSet001\Control\NetworkProvider\HwOrder" (Filter: 4; Subtree: 2350592)
      "msiexec.exe" monitors "\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\crypt32" (Filter: 4; Subtree: 13499648)
      "msiexec.exe" monitors "\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates" (Filter: 5; Subtree: 13492993)
      "msiexec.exe" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root" (Filter: 5; Subtree: 13499649)
      "msiexec.exe" monitors "\REGISTRY\USER\S-1-5-21-686412048-2446563785-1323799475-1001\Software\Microsoft\SystemCertificates\Root" (Filter: 5; Subtree: 13499649)
      "msiexec.exe" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT" (Filter: 5; Subtree: 13499649)
      "msiexec.exe" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot" (Filter: 5; Subtree: 13499649)
      "msiexec.exe" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot" (Filter: 5; Subtree: 13499649)
      "msiexec.exe" monitors "\REGISTRY\USER\S-1-5-21-686412048-2446563785-1323799475-1001\Software\Microsoft\SystemCertificates\SmartCardRoot" (Filter: 5; Subtree: 13499649)
      "msiexec.exe" monitors "\REGISTRY\USER\S-1-5-21-686412048-2446563785-1323799475-1001\Software\Microsoft\SystemCertificates\trust" (Filter: 5; Subtree: 13499649)
      "msiexec.exe" monitors "\REGISTRY\USER\S-1-5-21-686412048-2446563785-1323799475-1001\Software\Policies\Microsoft\SystemCertificates" (Filter: 5; Subtree: 13492993)
      "msiexec.exe" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\trust" (Filter: 5; Subtree: 13499649)
      "msiexec.exe" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Trust" (Filter: 5; Subtree: 13499649)
      "msiexec.exe" monitors "\REGISTRY\USER\S-1-5-21-686412048-2446563785-1323799475-1001\Software\Microsoft\SystemCertificates\CA" (Filter: 5; Subtree: 13499649)
      "msiexec.exe" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA" (Filter: 5; Subtree: 13499649)
      "msiexec.exe" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\CA" (Filter: 5; Subtree: 13499649)
      "msiexec.exe" monitors "\REGISTRY\USER\S-1-5-21-686412048-2446563785-1323799475-1001\Software\Microsoft\SystemCertificates\Disallowed" (Filter: 5; Subtree: 13499649)
      "msiexec.exe" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed" (Filter: 5; Subtree: 13499649)
      "msiexec.exe" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed" (Filter: 5; Subtree: 13499649)
      "msiexec.exe" monitors "\REGISTRY\USER\S-1-5-21-686412048-2446563785-1323799475-1001\Software\Microsoft\SystemCertificates\TrustedPeople" (Filter: 5; Subtree: 13499649)
      source
      API Call
      relevance
      4/10
      ATT&CK ID
      T1012 (Show technique in the MITRE ATT&CK™ matrix)
    • Opens the MountPointManager (often used to detect additional infection locations)
      details
      "msiexec.exe" opened "\Device\MountPointManager"
      source
      API Call
      relevance
      5/10
    • Scans for the windows taskbar (may be used for explorer injection)
      details
      "msiexec.exe" searching for class "Shell_TrayWnd"
      source
      API Call
      relevance
      10/10
      ATT&CK ID
      T1055 (Show technique in the MITRE ATT&CK™ matrix)
    • Touches files in the Windows directory
      details
      "msiexec.exe" touched file "C:\Windows\AppPatch\sysmain.sdb"
      "msiexec.exe" touched file "C:\Windows\SysWOW64\msiexec.exe"
      "msiexec.exe" touched file "C:\Windows\AppPatch\AcLayers.dll"
      "msiexec.exe" touched file "C:\Windows\AppPatch\AcGenral.dll"
      "msiexec.exe" touched file "C:\Windows\SysWOW64\en-US\msiexec.exe.mui"
      "msiexec.exe" touched file "C:\Windows\SysWOW64\rsaenh.dll"
      "msiexec.exe" touched file "C:\Windows\SysWOW64\msimsg.dll"
      "msiexec.exe" touched file "C:\Windows\SysWOW64\en-US\msimsg.dll.mui"
      "msiexec.exe" touched file "C:\Windows\SysWOW64\en-US\msctf.dll.mui"
      "msiexec.exe" touched file "C:\Windows\Fonts\StaticCache.dat"
      "msiexec.exe" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
      "msiexec.exe" touched file "C:\Windows\SysWOW64\en-US\KernelBase.dll.mui"
      "msiexec.exe" touched file "C:\Windows\SysWOW64\en-US\winhttp.dll.mui"
      "msiexec.exe" touched file "C:\Windows\AppPatch\msimain.sdb"
      "msiexec.exe" touched file "C:\Windows\SysWOW64\sxs.dll"
      "msiexec.exe" touched file "C:\Windows\SysWOW64\en-US\sxs.dll.mui"
      "msiexec.exe" touched file "%ALLUSERSPROFILE%\Microsoft\Windows\Templates"
      source
      API Call
      relevance
      7/10
  • Network Related
    • Found potential URL in binary/memory
      details
      Heuristic match: "7pG/$k.ng"
      Heuristic match: ",Pe[A67.bM"
      Pattern match: "I7.RLH/\;h"
      Heuristic match: "http-2.7.9.tm"
      Pattern match: "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnR4FoxLLkI7vkvsUIFlZt%2BlGH3gQUWsS5eyoKo6XqcQPAYPkt9mV1DlgCEAZIaysoMCjJf9E"
      Pattern match: "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEAQJGBtf1btmdVN"
      Heuristic match: "ztap.cat"
      Heuristic match: "CatalogDB: 1:09:58 PM 1/16/2020: DONE Adding Catalog File (16ms): oem11.CAT"
      Pattern match: "http://www.mozilla.org/MPL/"
      Heuristic match: "CatalogFile=zapprd.cat"
      Heuristic match: "CatalogFile = ztap.cat"
      Pattern match: "https://authsp.dev.zpath.net/auth/v2/login"
      Pattern match: "https://mobile.{0}.net/ZSALicenseAgreement.html"
      Pattern match: "http://www.w3.org/2001/XMLSchema-instance"
      source
      String
      relevance
      10/10
  • System Security
    • Creates or modifies windows services
      details
      "msiexec.exe" (Access type: "CREATE"; Path: "HKLM\System\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS")
      "devcon.exe" (Access type: "CREATE"; Path: "HKLM\System\CONTROLSET001\SERVICES")
      source
      Registry Access
      relevance
      10/10
      ATT&CK ID
      T1112 (Show technique in the MITRE ATT&CK™ matrix)
    • Modifies Software Policy Settings
      details
      "msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA")
      "msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES")
      "msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS")
      "msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS")
      "msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES")
      "msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS")
      "msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS")
      "msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED")
      "msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES")
      "msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS")
      "msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS")
      "msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES")
      "msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS")
      "msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS")
      "msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES")
      "msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CRLS")
      "msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CTLS")
      "msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE")
      "msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\CERTIFICATES")
      "msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\CRLS")
      source
      Registry Access
      relevance
      10/10
      ATT&CK ID
      T1112 (Show technique in the MITRE ATT&CK™ matrix)
    • Opens the Kernel Security Device Driver (KsecDD) of Windows
      details
      "msiexec.exe" opened "\Device\KsecDD"
      "ZSCALE~1.EXE" opened "\Device\KsecDD"
      "devcon.exe" opened "\Device\KsecDD"
      source
      API Call
      relevance
      10/10
      ATT&CK ID
      T1215 (Show technique in the MITRE ATT&CK™ matrix)

File Details

All Details:

Zscaler-windows-1.5.2.7-installer.msi

Filename
Zscaler-windows-1.5.2.7-installer.msi
Size
26MiB (26865664 bytes)
Type
msi information
Description
Composite Document File V2 Document, Little Endian, OS: Windows, Version 6.1, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Zscaler, Author: Zscaler Inc., Keywords: Installer, Comments: Zscaler Application is a trademark of Zscaler Inc., Template: Intel;1033, Revision Number: {CC126FC6-DA48-4AD4-A692-A2CFE45CE7B9}, Create Time/Date: Wed Aug 28 18:47:40 2019, Last Saved Time/Date: Wed Aug 28 18:47:40 2019, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Window
Architecture
WINDOWS
SHA256
16dcace33ad4ef152fcc9a1dca4246b264bb60dce7ee0f9c6fbfdae35964c539

Classification (TrID)

  • 89.6% (.MSI) Microsoft Windows Installer
  • 8.7% (.MSP) Windows Installer Patch
  • 1.5% (.) Generic OLE2 / Multistream Compound File

Hybrid Analysis

Analysed 6 processes in total (System Resource Monitor).

Network Analysis

DNS Requests

No relevant DNS requests were made.

HTTP Traffic

No relevant HTTP requests were made.

Extracted Files

Displaying 51 extracted file(s). The remaining 49 file(s) are available in the full version and XML/JSON reports.

    • Uninstall.exe
    • devcon.exe
    • zdevcon.exe
    • System.dll
    • UserInfo.dll
    • nsExec.dll
    • ztap.cat
    • ztap.inf
    • ZSAHelper.exe
    • zapprd.inf
    • nssdbm3.dll
    • zscalerchecksumverifier.exe
    • sqlite3.dll
    • ZSATray.exe
    • zapprd.cat
    • ZSAService.exe
    • plds4.dll
    • softokn3.dll
    • ZSAUpdater.exe
    • zscalerappupdater.exe
    • Zscaler-Network-Adapter-Win10-1.0.2.0.exe
    • smime3.dll
    • Newtonsoft.Json.dll
    • npcap-0.99-r7-oem.exe
    • Zscaler-Network-Adapter-1.0.1.0.exe
    • plc4.dll
    • ZSAAuth.dll
    • freebl3.dll
    • pacparser.dll
    • nspr4.dll
    • nssutil3.dll
    • Zscaler-Network-Adapter-1.0.2.0.exe
    • desktop.ini
      Size
      Unknown (0 bytes)
      Type
      empty
      Runtime Process
      ZSCALE~1.EXE (PID: 3612)
    • ZSAService_2020-01-16-12-09-44.128875.log
    • 42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5
    • 66AE3BFDF94A732B262342AD2154B86E_9C58356502791513C8DAB18B8944F00E
    • icon.ico
    • license.txt
    • BRF9C8.tmp
    • SET55C3.tmp
    • SET55F3.tmp
    • SET5623.tmp
    • ztap.sys
    • ztap.PNF
    • zapprd.cat
    • Zscaler.lnk
      Size
      2KiB (2074 bytes)
      Type
      lnk
      Description
      MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Thu Jan 16 12:09:37 2020, mtime=Wed Aug 28 18:45:32 2019, atime=Wed Aug 28 18:45:32 2019, length=3287984, window=hide
      MD5
      965fc99afa64cf423218844d3e31478b
      SHA1
      baf54e252621ab49b7c32e505560accef28b29b4
      SHA256
      fe203ea506803cfa345602b60cee6cbde5ad4f988d04c317287b7db4927c3b75
    • Uninstall Zscaler.lnk
      Size
      2.1KiB (2143 bytes)
      Type
      lnk
      Description
      MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Icon number=0, Archive, ctime=Thu Jan 16 12:09:40 2020, mtime=Thu Jan 16 12:09:40 2020, atime=Thu Jan 16 12:09:40 2020, length=0, window=hide
      MD5
      2954209ccd1f6f2d3180147911aea029
      SHA1
      241e058748aef821f6b58dbc8868bb185dc27d77
      SHA256
      f36ebabaef9a4ce56ab7ebcb0e3cf5a66534657677f44a671fe23ba4ab6c350f
    • ZSALogger.dll
    • nss3.dll

Notifications

  • Network whitenoise filtering was applied
  • Not all IP/URL string resources were checked online
  • Not all sources for indicator ID "api-11" are available in the report
  • Not all sources for indicator ID "api-12" are available in the report
  • Not all sources for indicator ID "api-31" are available in the report
  • Not all sources for indicator ID "api-4" are available in the report
  • Not all sources for indicator ID "api-55" are available in the report
  • Not all sources for indicator ID "binary-0" are available in the report
  • Not all sources for indicator ID "binary-1" are available in the report
  • Not all sources for indicator ID "binary-16" are available in the report
  • Not all sources for indicator ID "hooks-8" are available in the report
  • Not all sources for indicator ID "registry-17" are available in the report
  • Not all sources for indicator ID "registry-18" are available in the report
  • Not all sources for indicator ID "registry-19" are available in the report
  • Not all strings are visible in the report, because the maximum number of strings was reached (5000)
  • Some low-level information is hidden, as this is only a slim report

Source: https://www.hybrid-analysis.com/sample/16dcace33ad4ef152fcc9a1dca4246b264bb60dce7ee0f9c6fbfdae35964c539/5e205f8f24cee04010223762