Analysis
max time kernel: 151s
max time network: 69s
platform: windows7_x64
resource: win7
submitted: 19-07-2020 16:47
Static task: static1
Behavioral task: behavioral1
  Sample: zeusaes_2.8.3.0.vir.exe
  Resource: win7 (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: zeusaes_2.8.3.0.vir.exe
  Resource: win10v200430 (windows10_x64)
  0 signatures, 0 seconds
General
Target: zeusaes_2.8.3.0.vir.exe
Size: 164KB
MD5: f4b21e3e1840535dead3921f1a13f48e
SHA1: ea1d50ffb0609ca1771d825cedce7660a18a0116
SHA256: 667795f9640513adce74413e89dfe6b668060bc5ccfda64f825d329cc450e183
SHA512: b111d8dcc0bb12ed2386f8769dc3d64094cfb6ee1ed661a7f460dbed4bf2cc699a70114beb19493855f993ebc4fb73e353ea6897ad8973b3c6d715e83d2d20e6
Score: 8/10
Malware Config
Signatures
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description | pid | process):
  Token: SeSecurityPrivilege | 672 | zeusaes_2.8.3.0.vir.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid | process):
  672 | zeusaes_2.8.3.0.vir.exe (2 entries)
- Suspicious use of WriteProcessMemory (18 IoCs)
  Processes (description | pid | process | target process):
  PID 672 wrote to memory of 1620 | 672 | zeusaes_2.8.3.0.vir.exe | cahu.exe (4 entries)
  PID 1620 wrote to memory of 748 | 1620 | cahu.exe | explorer.exe (10 entries)
  PID 672 wrote to memory of 1048 | 672 | zeusaes_2.8.3.0.vir.exe | cmd.exe (4 entries)
- Executes dropped EXE (1 IoC)
  Processes (pid | process):
  1620 | cahu.exe
- Deletes itself (1 IoC)
  Processes (pid | process):
  1048 | cmd.exe
- Suspicious behavior: EnumeratesProcesses (58 IoCs)
  Processes (pid | process):
  1620 | cahu.exe (58 entries)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description | ioc | process):
  Key created | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\Currentversion\Run | cahu.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\{9BE9E2D9-55BA-CAEA-0578-05D439CD84A1} = "C:\\Users\\Admin\\AppData\\Roaming\\Itlizu\\cahu.exe" | cahu.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\zeusaes_2.8.3.0.vir.exe (PID 672)
  command line: "C:\Users\Admin\AppData\Local\Temp\zeusaes_2.8.3.0.vir.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Itlizu\cahu.exe (PID 1620, child of 672)
    command line: "C:\Users\Admin\AppData\Roaming\Itlizu\cahu.exe"
    - Suspicious use of WriteProcessMemory
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Adds Run key to start application
    - C:\Windows\explorer.exe (PID 748, child of 1620)
      command line: "C:\Windows\explorer.exe"
  - C:\Windows\SysWOW64\cmd.exe (PID 1048, child of 672)
    command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpbd09080f.bat"
    - Deletes itself
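The three behaviours the report records for this run, the GUID-named Run value pointing into AppData\Roaming, the WriteProcessMemory calls from cahu.exe into explorer.exe, and the cmd.exe /c <temp .bat> cleanup spawned by the dropper, are the kind of thing a detection engineer turns into host rules. The block below is an added example and not part of the sandbox report: it replays hand-constructed event records that mirror the PIDs, paths and registry key shown above (the field names are an assumed EDR-style schema, not any product's real format, and the "VendorUpdater" Run entry is a constructed benign control that must not fire) and applies one rule per behaviour.

```python
"""Detection logic for the behaviours in the Signatures section.

Added example, not part of the sandbox report. EVENTS is constructed by hand
to mirror the report's IoCs; the schema (type/pid/image/...) is an assumption.
"""
import ntpath
import re

# Value name shaped like a GUID, as in {9BE9E2D9-55BA-CAEA-0578-05D439CD84A1}
GUID_NAME_RE = re.compile(
    r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
# Per-user Run key; the report logs it once as "Currentversion", so ignore case
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.I)
# Anything under a user's AppData\Roaming or AppData\Local is writable unprivileged
USER_WRITABLE_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\(?:Roaming|Local)\\", re.I)
# Long-lived Windows hosts that Zeus-family samples inject into (explorer.exe here)
SYSTEM_HOST_RE = re.compile(
    r"^C:\\Windows\\(?:SysWOW64\\|System32\\)?(?:explorer|svchost|dllhost)\.exe$", re.I)
# A batch file in %TEMP% handed to cmd.exe /c: the self-delete pattern in the tree
TEMP_BAT_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\[^\"\s]+\.bat", re.I)

SID = "S-1-5-21-1131729243-447456001-3632642222-1000"
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\zeusaes_2.8.3.0.vir.exe"
PAYLOAD = r"C:\Users\Admin\AppData\Roaming\Itlizu\cahu.exe"

# Constructed telemetry mirroring the report, plus one constructed benign control.
EVENTS = [
    {"type": "reg_set", "pid": 1620, "image": PAYLOAD,
     "key": "\\REGISTRY\\USER\\" + SID
            + r"\Software\Microsoft\Windows\CurrentVersion\Run\{9BE9E2D9-55BA-CAEA-0578-05D439CD84A1}",
     "data": PAYLOAD},
    {"type": "reg_set", "pid": 900, "image": r"C:\Program Files\Vendor\Updater.exe",  # benign, constructed
     "key": "\\REGISTRY\\USER\\" + SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "data": r"C:\Program Files\Vendor\Updater.exe"},
    {"type": "proc_write", "pid": 1620, "image": PAYLOAD,
     "target_pid": 748, "target_image": r"C:\Windows\explorer.exe"},
    {"type": "proc_write", "pid": 672, "image": DROPPER,      # dropper writing into its own child
     "target_pid": 1620, "target_image": PAYLOAD},
    {"type": "proc_create", "pid": 1048, "ppid": 672, "parent_image": DROPPER,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpbd09080f.bat"'},
]


def run_key_persistence(ev):
    """Run-key write whose value name or target looks attacker-chosen."""
    m = RUN_KEY_RE.search(ev["key"])
    if not m:
        return None
    reasons = []
    if GUID_NAME_RE.match(m.group(1)):
        reasons.append("GUID-style value name")
    if USER_WRITABLE_RE.search(ev["data"]):
        reasons.append("autostart target under AppData")
    if USER_WRITABLE_RE.search(ev["image"]):
        reasons.append("writer itself runs from AppData")
    if not reasons:
        return None
    return {"rule": "run_key_persistence", "pid": ev["pid"], "detail": "; ".join(reasons)}


def cross_process_write(ev):
    """WriteProcessMemory from a user-writable location into a Windows host process."""
    if USER_WRITABLE_RE.search(ev["image"]) and SYSTEM_HOST_RE.match(ev["target_image"]):
        return {"rule": "cross_process_write", "pid": ev["pid"],
                "target_pid": ev["target_pid"], "detail": "writes into " + ev["target_image"]}
    return None


def self_delete_batch(ev):
    """cmd.exe /c <TEMP .bat> spawned by an AppData-resident parent."""
    if ntpath.basename(ev["image"]).lower() != "cmd.exe":
        return None
    if " /c " not in ev["cmdline"].lower():
        return None
    if not TEMP_BAT_RE.search(ev["cmdline"]) or not USER_WRITABLE_RE.search(ev["parent_image"]):
        return None
    return {"rule": "self_delete_batch", "pid": ev["pid"], "ppid": ev["ppid"],
            "detail": "batch-driven cleanup of " + ev["parent_image"]}


RULES = {"reg_set": run_key_persistence,
         "proc_write": cross_process_write,
         "proc_create": self_delete_batch}


def detect(events):
    """Run the matching rule over each event; return the hits in event order."""
    hits = []
    for ev in events:
        rule = RULES.get(ev["type"])
        hit = rule(ev) if rule else None
        if hit:
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for hit in detect(EVENTS):
        print(hit)
```

Note that the dropper's own WriteProcessMemory into cahu.exe (PID 672 to 1620) is deliberately not flagged by cross_process_write: a parent writing into a child it just created is common for legitimate launchers, so that rule keys on the target being a Windows host process, which is what separates the explorer.exe writes from the rest.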
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpbd09080f.bat
- C:\Users\Admin\AppData\Roaming\Itlizu\cahu.exe
- \Users\Admin\AppData\Roaming\Itlizu\cahu.exe
- memory/1048-5-0x0000000000000000-mapping.dmp
- memory/1620-2-0x0000000000000000-mapping.dmp