89e35356978b8320736b890db74c9f70f4ab89dc7343bbdfb9cd80530dd4df32

Analysis

max time kernel
115s
max time network
122s
platform
windows7_x64
resource
win7
submitted
19-07-2020 17:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

zeus 1_1.4.3.0.vir.exe
Size

1015KB
MD5

0b758c40a26b8b3d1104838f5cf1b57f
SHA1

1dc9c0eff55fd416f81ee9f97df2c54960024776
SHA256

89e35356978b8320736b890db74c9f70f4ab89dc7343bbdfb9cd80530dd4df32
SHA512

746713ce93cea1c228b3157004f3d653906e2130d3b2edeba62313c00f52c0f6da25a554ef59b80c83c942e3b72d31e55fd551378b7f6decf747f08e676d27ea

Score

10^/10

persistence

Malware Config

Signatures

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

zeus 1_1.4.3.0.vir.exe

description	pid	process	target process
PID 1152 wrote to memory of 1660	1152	zeus 1_1.4.3.0.vir.exe	zeus 1_1.4.3.0.vir.exe
PID 1152 wrote to memory of 1660	1152	zeus 1_1.4.3.0.vir.exe	zeus 1_1.4.3.0.vir.exe
PID 1152 wrote to memory of 1660	1152	zeus 1_1.4.3.0.vir.exe	zeus 1_1.4.3.0.vir.exe
PID 1152 wrote to memory of 1660	1152	zeus 1_1.4.3.0.vir.exe	zeus 1_1.4.3.0.vir.exe
PID 1152 wrote to memory of 1660	1152	zeus 1_1.4.3.0.vir.exe	zeus 1_1.4.3.0.vir.exe
PID 1152 wrote to memory of 1660	1152	zeus 1_1.4.3.0.vir.exe	zeus 1_1.4.3.0.vir.exe
PID 1152 wrote to memory of 1660	1152	zeus 1_1.4.3.0.vir.exe	zeus 1_1.4.3.0.vir.exe
PID 1152 wrote to memory of 1660	1152	zeus 1_1.4.3.0.vir.exe	zeus 1_1.4.3.0.vir.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

zeus 1_1.4.3.0.vir.exe

description pid process target process

PID 1152 set thread context of 1660 1152 zeus 1_1.4.3.0.vir.exe zeus 1_1.4.3.0.vir.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

zeus 1_1.4.3.0.vir.exe

description pid process

Token: SeDebugPrivilege 1660 zeus 1_1.4.3.0.vir.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

zeus 1_1.4.3.0.vir.exe

pid process

1660 zeus 1_1.4.3.0.vir.exe
1660 zeus 1_1.4.3.0.vir.exe

description	pid	process	target process
PID 1152 set thread context of 1660	1152	zeus 1_1.4.3.0.vir.exe	zeus 1_1.4.3.0.vir.exe

description	pid	process
Token: SeDebugPrivilege	1660	zeus 1_1.4.3.0.vir.exe

pid	process
1660	zeus 1_1.4.3.0.vir.exe
1660	zeus 1_1.4.3.0.vir.exe

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

zeus 1_1.4.3.0.vir.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,C:\\Windows\\print32.exe,"	zeus 1_1.4.3.0.vir.exe

Drops file in Windows directory 2 IoCs

Processes:

zeus 1_1.4.3.0.vir.exe

description	ioc	process
File opened for modification	C:\Windows\print32.exe	zeus 1_1.4.3.0.vir.exe
File created	C:\Windows\print32.exe	zeus 1_1.4.3.0.vir.exe

C:\Users\Admin\AppData\Local\Temp\zeus 1_1.4.3.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zeus 1_1.4.3.0.vir.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
PID:1152

C:\Users\Admin\AppData\Local\Temp\zeus 1_1.4.3.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zeus 1_1.4.3.0.vir.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Modifies WinLogon for persistence
- Drops file in Windows directory
PID:1660

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1660-0-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1660-1-0x0000000000404F3F-mapping.dmp

Download
memory/1660-2-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download