bd8b83f7dd16986237807033ff8ce00cda8d173d44a9e9f95e7a8e77877825b1

General

Target

zeusaes_2.7.4.0.vir.exe
Size

123KB
MD5

a8f7f8823f70c45c12598f1144c669f6
SHA1

4a16a33c9034d50f9175c6e81a5f9bd244728866
SHA256

bd8b83f7dd16986237807033ff8ce00cda8d173d44a9e9f95e7a8e77877825b1
SHA512

09ffcea590ccb7b9afe67d4a557e5debdb023ccc7757b9d518d882fe7849367a7074bd8b38b786b114d3d628aa8764e9d65a1314c05a5aeaa1da51c06b0f53c7

Score

8^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1504 cmd.exe

pid	process
1504	cmd.exe

Suspicious behavior: EnumeratesProcesses 58 IoCs

Processes:

siloo.exe

pid	process
1576	siloo.exe
1576	siloo.exe
1576	siloo.exe
1576	siloo.exe
1576	siloo.exe
1576	siloo.exe
1576	siloo.exe
1576	siloo.exe
1576	siloo.exe
1576	siloo.exe
1576	siloo.exe
1576	siloo.exe
1576	siloo.exe
1576	siloo.exe
1576	siloo.exe
1576	siloo.exe
1576	siloo.exe
1576	siloo.exe
1576	siloo.exe
1576	siloo.exe
1576	siloo.exe
1576	siloo.exe
1576	siloo.exe
1576	siloo.exe
1576	siloo.exe
1576	siloo.exe
1576	siloo.exe
1576	siloo.exe
1576	siloo.exe
1576	siloo.exe
1576	siloo.exe
1576	siloo.exe
1576	siloo.exe
1576	siloo.exe
1576	siloo.exe
1576	siloo.exe
1576	siloo.exe
1576	siloo.exe
1576	siloo.exe
1576	siloo.exe
1576	siloo.exe
1576	siloo.exe
1576	siloo.exe
1576	siloo.exe
1576	siloo.exe
1576	siloo.exe
1576	siloo.exe
1576	siloo.exe
1576	siloo.exe
1576	siloo.exe
1576	siloo.exe
1576	siloo.exe
1576	siloo.exe
1576	siloo.exe
1576	siloo.exe
1576	siloo.exe
1576	siloo.exe
1576	siloo.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

siloo.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\{F4237F5E-06FD-0F18-66D8-2F4FBE61476D} = "C:\\Users\\Admin\\AppData\\Roaming\\Himeew\\siloo.exe"	siloo.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\Currentversion\Run	siloo.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

zeusaes_2.7.4.0.vir.exe

description pid process

Token: SeSecurityPrivilege 676 zeusaes_2.7.4.0.vir.exe
Loads dropped DLL 2 IoCs

Processes:

zeusaes_2.7.4.0.vir.exe

pid process

676 zeusaes_2.7.4.0.vir.exe
676 zeusaes_2.7.4.0.vir.exe

description	pid	process
Token: SeSecurityPrivilege	676	zeusaes_2.7.4.0.vir.exe

pid	process
676	zeusaes_2.7.4.0.vir.exe
676	zeusaes_2.7.4.0.vir.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

zeusaes_2.7.4.0.vir.exesiloo.exe

description	pid	process	target process
PID 676 wrote to memory of 1576	676	zeusaes_2.7.4.0.vir.exe	siloo.exe
PID 676 wrote to memory of 1576	676	zeusaes_2.7.4.0.vir.exe	siloo.exe
PID 676 wrote to memory of 1576	676	zeusaes_2.7.4.0.vir.exe	siloo.exe
PID 676 wrote to memory of 1576	676	zeusaes_2.7.4.0.vir.exe	siloo.exe
PID 1576 wrote to memory of 744	1576	siloo.exe	explorer.exe
PID 1576 wrote to memory of 744	1576	siloo.exe	explorer.exe
PID 1576 wrote to memory of 744	1576	siloo.exe	explorer.exe
PID 1576 wrote to memory of 744	1576	siloo.exe	explorer.exe
PID 1576 wrote to memory of 744	1576	siloo.exe	explorer.exe
PID 1576 wrote to memory of 744	1576	siloo.exe	explorer.exe
PID 1576 wrote to memory of 744	1576	siloo.exe	explorer.exe
PID 1576 wrote to memory of 744	1576	siloo.exe	explorer.exe
PID 1576 wrote to memory of 744	1576	siloo.exe	explorer.exe
PID 1576 wrote to memory of 744	1576	siloo.exe	explorer.exe
PID 676 wrote to memory of 1504	676	zeusaes_2.7.4.0.vir.exe	cmd.exe
PID 676 wrote to memory of 1504	676	zeusaes_2.7.4.0.vir.exe	cmd.exe
PID 676 wrote to memory of 1504	676	zeusaes_2.7.4.0.vir.exe	cmd.exe
PID 676 wrote to memory of 1504	676	zeusaes_2.7.4.0.vir.exe	cmd.exe

Executes dropped EXE 1 IoCs

Processes:

siloo.exe

pid process

1576 siloo.exe

C:\Users\Admin\AppData\Local\Temp\zeusaes_2.7.4.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zeusaes_2.7.4.0.vir.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:676

C:\Users\Admin\AppData\Roaming\Himeew\siloo.exe
"C:\Users\Admin\AppData\Roaming\Himeew\siloo.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
PID:1576

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
3⤵
PID:744

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp7197664d.bat"
2⤵
- Deletes itself
PID:1504

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp7197664d.bat

Download Submit
C:\Users\Admin\AppData\Roaming\Himeew\siloo.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Himeew\siloo.exe

Download Submit
\Users\Admin\AppData\Roaming\Himeew\siloo.exe

Download Submit
\Users\Admin\AppData\Roaming\Himeew\siloo.exe

Download Submit
memory/1504-5-0x0000000000000000-mapping.dmp

Download
memory/1576-2-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads