Analysis

max time kernel: 115s
max time network: 122s
platform: windows7_x64
resource: win7
submitted: 19-07-2020 17:19
Static task: static1

Behavioral task: behavioral1
  Sample: zeus 1_1.4.3.0.vir.exe
  Resource: win7 (windows7_x64)
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample: zeus 1_1.4.3.0.vir.exe
  Resource: win10v200430 (windows10_x64)
  0 signatures, 0 seconds
General

Target: zeus 1_1.4.3.0.vir.exe
Size: 1015KB
MD5: 0b758c40a26b8b3d1104838f5cf1b57f
SHA1: 1dc9c0eff55fd416f81ee9f97df2c54960024776
SHA256: 89e35356978b8320736b890db74c9f70f4ab89dc7343bbdfb9cd80530dd4df32
SHA512: 746713ce93cea1c228b3157004f3d653906e2130d3b2edeba62313c00f52c0f6da25a554ef59b80c83c942e3b72d31e55fd551378b7f6decf747f08e676d27ea
Score: 10/10
Malware Config
Signatures

Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
  description                      | pid  | process                | target process
  PID 1152 wrote to memory of 1660 | 1152 | zeus 1_1.4.3.0.vir.exe | zeus 1_1.4.3.0.vir.exe
  PID 1152 wrote to memory of 1660 | 1152 | zeus 1_1.4.3.0.vir.exe | zeus 1_1.4.3.0.vir.exe
  PID 1152 wrote to memory of 1660 | 1152 | zeus 1_1.4.3.0.vir.exe | zeus 1_1.4.3.0.vir.exe
  PID 1152 wrote to memory of 1660 | 1152 | zeus 1_1.4.3.0.vir.exe | zeus 1_1.4.3.0.vir.exe
  PID 1152 wrote to memory of 1660 | 1152 | zeus 1_1.4.3.0.vir.exe | zeus 1_1.4.3.0.vir.exe
  PID 1152 wrote to memory of 1660 | 1152 | zeus 1_1.4.3.0.vir.exe | zeus 1_1.4.3.0.vir.exe
  PID 1152 wrote to memory of 1660 | 1152 | zeus 1_1.4.3.0.vir.exe | zeus 1_1.4.3.0.vir.exe
  PID 1152 wrote to memory of 1660 | 1152 | zeus 1_1.4.3.0.vir.exe | zeus 1_1.4.3.0.vir.exe

Suspicious use of SetThreadContext (1 IoC)
Processes:
  description                         | pid  | process                | target process
  PID 1152 set thread context of 1660 | 1152 | zeus 1_1.4.3.0.vir.exe | zeus 1_1.4.3.0.vir.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description              | pid  | process
  Token: SeDebugPrivilege  | 1660 | zeus 1_1.4.3.0.vir.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid  | process
  1660 | zeus 1_1.4.3.0.vir.exe
  1660 | zeus 1_1.4.3.0.vir.exe

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes:
  description     | ioc                                                                                                                                | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,C:\\Windows\\print32.exe," | zeus 1_1.4.3.0.vir.exe

Drops file in Windows directory (2 IoCs)
Processes:
  description                   | ioc                    | process
  File opened for modification  | C:\Windows\print32.exe | zeus 1_1.4.3.0.vir.exe
  File created                  | C:\Windows\print32.exe | zeus 1_1.4.3.0.vir.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\zeus 1_1.4.3.0.vir.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\zeus 1_1.4.3.0.vir.exe"
   - Suspicious use of WriteProcessMemory
   - Suspicious use of SetThreadContext

   2. C:\Users\Admin\AppData\Local\Temp\zeus 1_1.4.3.0.vir.exe  (child of 1)
      command line: "C:\Users\Admin\AppData\Local\Temp\zeus 1_1.4.3.0.vir.exe"
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses
      - Modifies WinLogon for persistence
      - Drops file in Windows directory