d00caf2b9c674f6655223fc6bd924baef259087122d9af40d62b2e4066aa6224

General

Target

zeusaes_2.7.6.2.vir.exe
Size

165KB
MD5

29eb89f06144fe55f050ed1862f5fc03
SHA1

43f151bfddc1c85bc055c392f298757617d6da73
SHA256

d00caf2b9c674f6655223fc6bd924baef259087122d9af40d62b2e4066aa6224
SHA512

8927aaee02adc8a02f826893aaff783a0f22d5575ccd73a8c15b83c410f0abe7d3b4292a9ac28a5047f252cfda35fa167747d62f11666f239c05b81e92a197c4

Score

8^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

hoda.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\Currentversion\Run	hoda.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\{2FCAB493-7618-2796-C7BB-1E7551641ADD} = "C:\\Users\\Admin\\AppData\\Roaming\\Caxutu\\hoda.exe"	hoda.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

zeusaes_2.7.6.2.vir.exe

description pid process

Token: SeSecurityPrivilege 2044 zeusaes_2.7.6.2.vir.exe
Loads dropped DLL 2 IoCs

Processes:

zeusaes_2.7.6.2.vir.exe

pid process

2044 zeusaes_2.7.6.2.vir.exe
2044 zeusaes_2.7.6.2.vir.exe

description	pid	process
Token: SeSecurityPrivilege	2044	zeusaes_2.7.6.2.vir.exe

pid	process
2044	zeusaes_2.7.6.2.vir.exe
2044	zeusaes_2.7.6.2.vir.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

zeusaes_2.7.6.2.vir.exehoda.exe

description	pid	process	target process
PID 2044 wrote to memory of 844	2044	zeusaes_2.7.6.2.vir.exe	hoda.exe
PID 2044 wrote to memory of 844	2044	zeusaes_2.7.6.2.vir.exe	hoda.exe
PID 2044 wrote to memory of 844	2044	zeusaes_2.7.6.2.vir.exe	hoda.exe
PID 2044 wrote to memory of 844	2044	zeusaes_2.7.6.2.vir.exe	hoda.exe
PID 844 wrote to memory of 840	844	hoda.exe	explorer.exe
PID 844 wrote to memory of 840	844	hoda.exe	explorer.exe
PID 844 wrote to memory of 840	844	hoda.exe	explorer.exe
PID 844 wrote to memory of 840	844	hoda.exe	explorer.exe
PID 844 wrote to memory of 840	844	hoda.exe	explorer.exe
PID 844 wrote to memory of 840	844	hoda.exe	explorer.exe
PID 844 wrote to memory of 840	844	hoda.exe	explorer.exe
PID 844 wrote to memory of 840	844	hoda.exe	explorer.exe
PID 844 wrote to memory of 840	844	hoda.exe	explorer.exe
PID 844 wrote to memory of 840	844	hoda.exe	explorer.exe
PID 2044 wrote to memory of 1464	2044	zeusaes_2.7.6.2.vir.exe	cmd.exe
PID 2044 wrote to memory of 1464	2044	zeusaes_2.7.6.2.vir.exe	cmd.exe
PID 2044 wrote to memory of 1464	2044	zeusaes_2.7.6.2.vir.exe	cmd.exe
PID 2044 wrote to memory of 1464	2044	zeusaes_2.7.6.2.vir.exe	cmd.exe

Executes dropped EXE 1 IoCs

Processes:

hoda.exe

pid process

844 hoda.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1464 cmd.exe

pid	process
1464	cmd.exe

Suspicious behavior: EnumeratesProcesses 58 IoCs

Processes:

hoda.exe

pid	process
844	hoda.exe
844	hoda.exe
844	hoda.exe
844	hoda.exe
844	hoda.exe
844	hoda.exe
844	hoda.exe
844	hoda.exe
844	hoda.exe
844	hoda.exe
844	hoda.exe
844	hoda.exe
844	hoda.exe
844	hoda.exe
844	hoda.exe
844	hoda.exe
844	hoda.exe
844	hoda.exe
844	hoda.exe
844	hoda.exe
844	hoda.exe
844	hoda.exe
844	hoda.exe
844	hoda.exe
844	hoda.exe
844	hoda.exe
844	hoda.exe
844	hoda.exe
844	hoda.exe
844	hoda.exe
844	hoda.exe
844	hoda.exe
844	hoda.exe
844	hoda.exe
844	hoda.exe
844	hoda.exe
844	hoda.exe
844	hoda.exe
844	hoda.exe
844	hoda.exe
844	hoda.exe
844	hoda.exe
844	hoda.exe
844	hoda.exe
844	hoda.exe
844	hoda.exe
844	hoda.exe
844	hoda.exe
844	hoda.exe
844	hoda.exe
844	hoda.exe
844	hoda.exe
844	hoda.exe
844	hoda.exe
844	hoda.exe
844	hoda.exe
844	hoda.exe
844	hoda.exe

C:\Users\Admin\AppData\Local\Temp\zeusaes_2.7.6.2.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zeusaes_2.7.6.2.vir.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2044

C:\Users\Admin\AppData\Roaming\Caxutu\hoda.exe
"C:\Users\Admin\AppData\Roaming\Caxutu\hoda.exe"
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:844

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
3⤵
PID:840

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp2c3506a7.bat"
2⤵
- Deletes itself
PID:1464

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp2c3506a7.bat

Download Submit
C:\Users\Admin\AppData\Roaming\Caxutu\hoda.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Caxutu\hoda.exe

Download Submit
\Users\Admin\AppData\Roaming\Caxutu\hoda.exe

Download Submit
\Users\Admin\AppData\Roaming\Caxutu\hoda.exe

Download Submit
memory/844-2-0x0000000000000000-mapping.dmp

Download
memory/1464-5-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads