8ce802db4332aa44b344c03f9a0ade9e67614ced48c31b73b0c66510fd4aa31b

General

Target

zeus 1_1.3.3.0.vir.exe
Size

160KB
MD5

cb6e711560e0a64d7bf387e55cf40437
SHA1

43e952c6403f0af82e9862dc4990676c35dd56e0
SHA256

8ce802db4332aa44b344c03f9a0ade9e67614ced48c31b73b0c66510fd4aa31b
SHA512

e3e3d981561c7b26522726c2652426aa813ab44176ac8b1f82064628b8f4c81b9d707d1bbee5f1a0b032c359c9a773791f62d817afe0b25a6d38ac33c6c79b2f

Score

10^/10

persistence

Malware Config

Signatures

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

zeus 1_1.3.3.0.vir.exe

description	pid	process	target process
PID 1164 wrote to memory of 1328	1164	zeus 1_1.3.3.0.vir.exe	zeus 1_1.3.3.0.vir.exe
PID 1164 wrote to memory of 1328	1164	zeus 1_1.3.3.0.vir.exe	zeus 1_1.3.3.0.vir.exe
PID 1164 wrote to memory of 1328	1164	zeus 1_1.3.3.0.vir.exe	zeus 1_1.3.3.0.vir.exe
PID 1164 wrote to memory of 1328	1164	zeus 1_1.3.3.0.vir.exe	zeus 1_1.3.3.0.vir.exe
PID 1164 wrote to memory of 1328	1164	zeus 1_1.3.3.0.vir.exe	zeus 1_1.3.3.0.vir.exe
PID 1164 wrote to memory of 1328	1164	zeus 1_1.3.3.0.vir.exe	zeus 1_1.3.3.0.vir.exe
PID 1164 wrote to memory of 1328	1164	zeus 1_1.3.3.0.vir.exe	zeus 1_1.3.3.0.vir.exe
PID 1164 wrote to memory of 1328	1164	zeus 1_1.3.3.0.vir.exe	zeus 1_1.3.3.0.vir.exe
PID 1164 wrote to memory of 1328	1164	zeus 1_1.3.3.0.vir.exe	zeus 1_1.3.3.0.vir.exe
PID 1164 wrote to memory of 1328	1164	zeus 1_1.3.3.0.vir.exe	zeus 1_1.3.3.0.vir.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

zeus 1_1.3.3.0.vir.exe

description pid process target process

PID 1164 set thread context of 1328 1164 zeus 1_1.3.3.0.vir.exe zeus 1_1.3.3.0.vir.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

zeus 1_1.3.3.0.vir.exe

pid process

1328 zeus 1_1.3.3.0.vir.exe
1328 zeus 1_1.3.3.0.vir.exe

description	pid	process	target process
PID 1164 set thread context of 1328	1164	zeus 1_1.3.3.0.vir.exe	zeus 1_1.3.3.0.vir.exe

pid	process
1328	zeus 1_1.3.3.0.vir.exe
1328	zeus 1_1.3.3.0.vir.exe

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

zeus 1_1.3.3.0.vir.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "userinit.exe,C:\\Windows\\system32\\sdra64.exe,"	zeus 1_1.3.3.0.vir.exe

Drops file in System32 directory 2 IoCs

Processes:

zeus 1_1.3.3.0.vir.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\sdra64.exe	zeus 1_1.3.3.0.vir.exe
File created	C:\Windows\SysWOW64\sdra64.exe	zeus 1_1.3.3.0.vir.exe

C:\Users\Admin\AppData\Local\Temp\zeus 1_1.3.3.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zeus 1_1.3.3.0.vir.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
PID:1164

C:\Users\Admin\AppData\Local\Temp\zeus 1_1.3.3.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zeus 1_1.3.3.0.vir.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Modifies WinLogon for persistence
- Drops file in System32 directory
PID:1328

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1328-0-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1328-1-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1328-2-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1328-4-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1328-5-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1328-6-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1328-7-0x000000000040422E-mapping.dmp

Download
memory/1328-8-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads