Overview

overview

8

Static

static

zeus 2_2.0...ir.exe

windows7_x64

8

zeus 2_2.0...ir.exe

windows10_x64

5

Analysis

  • max time kernel
    150s
  • max time network
    158s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    19-07-2020 19:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    zeus 2_2.0.9.5.vir.exe

  • Size

    178KB

  • MD5

    ab2a53cdd738d64f58f878a1d7b39355

  • SHA1

    d9bdddec5dfaa40d07b437843d95f3dbc8f7bd3d

  • SHA256

    41ea373c7a57eb0c9103d7b4edb4cc2a381f80cfff02dfe704f851ae8722853e

  • SHA512

    a8db01348fe18a94dd6edd9d1eeb67af75ffe378243dd9a2ebe15e1bac92d933ef7e6f7550165ec37808f2f9780023fa26041cbfa90832985533082e614e5f6e

Score
8/10
persistence

Malware Config

Signatures

  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Deletes itself 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 62 IoCs
  • Loads dropped DLL 5 IoCs
  • Executes dropped EXE 2 IoCs

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
      PID:1092
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1184
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
          PID:1228
          • C:\Users\Admin\AppData\Local\Temp\zeus 2_2.0.9.5.vir.exe
            "C:\Users\Admin\AppData\Local\Temp\zeus 2_2.0.9.5.vir.exe"
            2⤵
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:1492
            • C:\Users\Admin\AppData\Local\Temp\zeus 2_2.0.9.5.vir.exe
              "C:\Users\Admin\AppData\Local\Temp\zeus 2_2.0.9.5.vir.exe"
              3⤵
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • Loads dropped DLL
              PID:1588
              • C:\Users\Admin\AppData\Roaming\Uletyw\odki.exe
                "C:\Users\Admin\AppData\Roaming\Uletyw\odki.exe"
                4⤵
                • Suspicious use of SetThreadContext
                • Suspicious use of WriteProcessMemory
                • Executes dropped EXE
                PID:532
                • C:\Users\Admin\AppData\Roaming\Uletyw\odki.exe
                  C:\Users\Admin\AppData\Roaming\Uletyw\odki.exe
                  5⤵
                  • Suspicious behavior: EnumeratesProcesses
                  • Adds policy Run key to start application
                  • Suspicious behavior: MapViewOfSection
                  • Suspicious use of WriteProcessMemory
                  • Loads dropped DLL
                  • Executes dropped EXE
                  PID:756
                  • C:\Windows\explorer.exe
                    "C:\Windows\explorer.exe"
                    6⤵
                      PID:1480
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp9f5ba87e.bat"
                  4⤵
                  • Deletes itself
                  PID:1108
          • C:\Windows\system32\DllHost.exe
            C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
            1⤵
              PID:1892
            • C:\Windows\system32\DllHost.exe
              C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
              1⤵
                PID:1140
              • C:\Windows\system32\DllHost.exe
                C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                1⤵
                  PID:1928

                Network

                MITRE ATT&CK Matrix ATT&CK v6

                Initial Access

                Execution

                Persistence

                Registry Run Keys / Startup Folder

                1
                T1060

                Privilege Escalation

                Defense Evasion

                Modify Registry

                1
                T1112

                Credential Access

                Discovery

                Lateral Movement

                Collection

                Exfiltration

                Command and Control

                Impact

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Temp\tmp9f5ba87e.bat
                  Download Submit
                • C:\Users\Admin\AppData\Roaming\Uletyw\odki.exe
                  Download Submit
                • C:\Users\Admin\AppData\Roaming\Uletyw\odki.exe
                  Download Submit
                • C:\Users\Admin\AppData\Roaming\Uletyw\odki.exe
                  Download Submit
                • \Users\Admin\AppData\Local\Temp\kernel32.dll
                  Download Submit
                • \Users\Admin\AppData\Local\Temp\kernel32.dll
                  Download Submit
                • \Users\Admin\AppData\Local\Temp\ntdll.dll
                  Download Submit
                • \Users\Admin\AppData\Local\Temp\ntdll.dll
                  Download Submit
                • \Users\Admin\AppData\Roaming\Uletyw\odki.exe
                  Download Submit
                • memory/532-4-0x0000000000000000-mapping.dmp
                  Download
                • memory/756-7-0x0000000000415C5E-mapping.dmp
                  Download
                • memory/1108-11-0x0000000000000000-mapping.dmp
                  Download
                • memory/1480-16-0x0000000000000000-mapping.dmp
                  Download
                • memory/1588-2-0x0000000000400000-0x000000000042B000-memory.dmp
                  Filesize

                  172KB

                  Download
                • memory/1588-0-0x0000000000400000-0x000000000042B000-memory.dmp
                  Filesize

                  172KB

                  Download
                • memory/1588-1-0x0000000000415C5E-mapping.dmp
                  Download