Analysis
- max time kernel: 151s
- max time network: 158s
- platform: windows7_x64
- resource: win7v200430
- submitted: 19-07-2020 19:42
Static task: static1
Behavioral task: behavioral1
- Sample: zeusaes_2.7.4.0.vir.exe
- Resource: win7v200430 (windows7_x64)
- 0 signatures, 0 seconds
Behavioral task: behavioral2
- Sample: zeusaes_2.7.4.0.vir.exe
- Resource: win10 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: zeusaes_2.7.4.0.vir.exe
- Size: 123KB
- MD5: a8f7f8823f70c45c12598f1144c669f6
- SHA1: 4a16a33c9034d50f9175c6e81a5f9bd244728866
- SHA256: bd8b83f7dd16986237807033ff8ce00cda8d173d44a9e9f95e7a8e77877825b1
- SHA512: 09ffcea590ccb7b9afe67d4a557e5debdb023ccc7757b9d518d882fe7849367a7074bd8b38b786b114d3d628aa8764e9d65a1314c05a5aeaa1da51c06b0f53c7
Score: 8/10
Malware Config
Signatures
- Deletes itself (1 IoC)
  Processes: cmd.exe (PID 1504)
- Suspicious behavior: EnumeratesProcesses (58 IoCs)
  Processes: siloo.exe (PID 1576), repeated for each IoC
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: siloo.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\{F4237F5E-06FD-0F18-66D8-2F4FBE61476D} = "C:\\Users\\Admin\\AppData\\Roaming\\Himeew\\siloo.exe" (siloo.exe)
  Key created: \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\Currentversion\Run (siloo.exe)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: zeusaes_2.7.4.0.vir.exe (PID 676), Token: SeSecurityPrivilege
- Loads dropped DLL (2 IoCs)
  Processes: zeusaes_2.7.4.0.vir.exe (PID 676), 2 occurrences
- Suspicious use of WriteProcessMemory (18 IoCs)
  Processes: zeusaes_2.7.4.0.vir.exe, siloo.exe
  PID 676 (zeusaes_2.7.4.0.vir.exe) wrote to memory of PID 1576 (siloo.exe), 4 occurrences
  PID 1576 (siloo.exe) wrote to memory of PID 744 (explorer.exe), 10 occurrences
  PID 676 (zeusaes_2.7.4.0.vir.exe) wrote to memory of PID 1504 (cmd.exe), 4 occurrences
- Executes dropped EXE (1 IoC)
  Processes: siloo.exe (PID 1576)
Processes
- C:\Users\Admin\AppData\Local\Temp\zeusaes_2.7.4.0.vir.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\zeusaes_2.7.4.0.vir.exe" (depth 1)
  - Suspicious use of AdjustPrivilegeToken
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Himeew\siloo.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Himeew\siloo.exe" (depth 2)
    - Suspicious behavior: EnumeratesProcesses
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - Executes dropped EXE
    - C:\Windows\explorer.exe
      Command line: "C:\Windows\explorer.exe" (depth 3)
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp7197664d.bat" (depth 2)
    - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp7197664d.bat
- C:\Users\Admin\AppData\Roaming\Himeew\siloo.exe
- C:\Users\Admin\AppData\Roaming\Himeew\siloo.exe
- \Users\Admin\AppData\Roaming\Himeew\siloo.exe
- \Users\Admin\AppData\Roaming\Himeew\siloo.exe
- memory/1504-5-0x0000000000000000-mapping.dmp
- memory/1576-2-0x0000000000000000-mapping.dmp