Analysis
- max time kernel: 112s
- max time network: 118s
- platform: windows7_x64
- resource: win7
- submitted: 19-07-2020 19:27
Static task: static1
Behavioral task: behavioral1
- Sample: zeus 1_1.3.3.0.vir.exe
- Resource: win7 (windows7_x64)
- 0 signatures, 0 seconds
Behavioral task: behavioral2
- Sample: zeus 1_1.3.3.0.vir.exe
- Resource: win10 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: zeus 1_1.3.3.0.vir.exe
- Size: 160KB
- MD5: cb6e711560e0a64d7bf387e55cf40437
- SHA1: 43e952c6403f0af82e9862dc4990676c35dd56e0
- SHA256: 8ce802db4332aa44b344c03f9a0ade9e67614ced48c31b73b0c66510fd4aa31b
- SHA512: e3e3d981561c7b26522726c2652426aa813ab44176ac8b1f82064628b8f4c81b9d707d1bbee5f1a0b032c359c9a773791f62d817afe0b25a6d38ac33c6c79b2f
- Score: 10/10
Malware Config
Signatures
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes (description | pid | process | target process):
  - PID 1164 wrote to memory of 1328 | 1164 | zeus 1_1.3.3.0.vir.exe | zeus 1_1.3.3.0.vir.exe
    (identical entry recorded 10 times, one per IoC)
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description | pid | process | target process):
  - PID 1164 set thread context of 1328 | 1164 | zeus 1_1.3.3.0.vir.exe | zeus 1_1.3.3.0.vir.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid | process):
  - 1328 | zeus 1_1.3.3.0.vir.exe
  - 1328 | zeus 1_1.3.3.0.vir.exe
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Processes (description | ioc | process):
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "userinit.exe,C:\\Windows\\system32\\sdra64.exe," | zeus 1_1.3.3.0.vir.exe
- Drops file in System32 directory (2 IoCs)
  Processes (description | ioc | process):
  - File opened for modification | C:\Windows\SysWOW64\sdra64.exe | zeus 1_1.3.3.0.vir.exe
  - File created | C:\Windows\SysWOW64\sdra64.exe | zeus 1_1.3.3.0.vir.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\zeus 1_1.3.3.0.vir.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\zeus 1_1.3.3.0.vir.exe"
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SetThreadContext
  - Child process: C:\Users\Admin\AppData\Local\Temp\zeus 1_1.3.3.0.vir.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\zeus 1_1.3.3.0.vir.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Modifies WinLogon for persistence
    - Drops file in System32 directory
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1328-0-0x0000000000400000-0x0000000000426000-memory.dmp (Filesize: 152KB)
- memory/1328-1-0x0000000000400000-0x0000000000426000-memory.dmp (Filesize: 152KB)
- memory/1328-2-0x0000000000400000-0x0000000000426000-memory.dmp (Filesize: 152KB)
- memory/1328-4-0x0000000000400000-0x0000000000426000-memory.dmp (Filesize: 152KB)
- memory/1328-5-0x0000000000400000-0x0000000000426000-memory.dmp (Filesize: 152KB)
- memory/1328-6-0x0000000000400000-0x0000000000426000-memory.dmp (Filesize: 152KB)
- memory/1328-7-0x000000000040422E-mapping.dmp
- memory/1328-8-0x0000000000400000-0x0000000000426000-memory.dmp (Filesize: 152KB)