Analysis

max time kernel: 151s
max time network: 117s
platform: windows7_x64
resource: win7
submitted: 19-07-2020 19:42

Static task: static1

Behavioral task: behavioral1
  Sample: zeusaes_2.7.6.2.vir.exe
  Resource: win7 (windows7_x64)
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample: zeusaes_2.7.6.2.vir.exe
  Resource: win10v200430 (windows10_x64)
  0 signatures, 0 seconds

General

Target: zeusaes_2.7.6.2.vir.exe
Size: 165KB
MD5: 29eb89f06144fe55f050ed1862f5fc03
SHA1: 43f151bfddc1c85bc055c392f298757617d6da73
SHA256: d00caf2b9c674f6655223fc6bd924baef259087122d9af40d62b2e4066aa6224
SHA512: 8927aaee02adc8a02f826893aaff783a0f22d5575ccd73a8c15b83c410f0abe7d3b4292a9ac28a5047f252cfda35fa167747d62f11666f239c05b81e92a197c4
Score: 8/10
Malware Config
Signatures

Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: hoda.exe
  Key created: \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\Currentversion\Run
  Set value (str): \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\{2FCAB493-7618-2796-C7BB-1E7551641ADD} = "C:\\Users\\Admin\\AppData\\Roaming\\Caxutu\\hoda.exe"

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: zeusaes_2.7.6.2.vir.exe (PID 2044)
  Token: SeSecurityPrivilege

Loads dropped DLL (2 IoCs)
  Process: zeusaes_2.7.6.2.vir.exe (PID 2044), 2 events

Suspicious use of WriteProcessMemory (18 IoCs)
  PID 2044 zeusaes_2.7.6.2.vir.exe wrote to memory of PID 844 hoda.exe (4 events)
  PID 844 hoda.exe wrote to memory of PID 840 explorer.exe (10 events)
  PID 2044 zeusaes_2.7.6.2.vir.exe wrote to memory of PID 1464 cmd.exe (4 events)

Executes dropped EXE (1 IoC)
  Process: hoda.exe (PID 844)

Deletes itself (1 IoC)
  Process: cmd.exe (PID 1464)

Suspicious behavior: EnumeratesProcesses (58 IoCs)
  Process: hoda.exe (PID 844), 58 events
Processes

C:\Users\Admin\AppData\Local\Temp\zeusaes_2.7.6.2.vir.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\zeusaes_2.7.6.2.vir.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\Caxutu\hoda.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Caxutu\hoda.exe"
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses

    C:\Windows\explorer.exe
      Command line: "C:\Windows\explorer.exe"

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp2c3506a7.bat"
    - Deletes itself
    (The command line names system32 but the image path is SysWOW64: the parent is a 32-bit process on a 64-bit host, so WOW64 file system redirection resolved system32\cmd.exe to the 32-bit copy.)
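The signature rows and the process tree above are the raw evidence. As an added example, not part of the Triage report, the following Python pulls them into actionable IoCs: the Run-key persistence entry (value name and target path), the WriteProcessMemory graph (sample to hoda.exe to explorer.exe, and sample to cmd.exe), and the self-delete batch file. The input list is constructed by copying the report's lines, one event per string; the heuristics in score_run_entry are this example's own assumptions, not sandbox signatures.

```python
"""Turn sandbox signature rows into IoCs: persistence, injection graph, self-delete.

Added example; the report lines below are copied from this page into a
constructed list, and the Run-key heuristics are this example's assumptions.
"""
import re
from collections import defaultdict

# Constructed input: one string per event, copied from the report's signature
# rows and process tree. Raw strings keep the doubled backslashes the sandbox
# prints for registry data. The real report has 18 WriteProcessMemory rows;
# one repeat is kept here to show that repeated rows collapse into edges.
REPORT_LINES = [
    r'Key created \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\Currentversion\Run hoda.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\{2FCAB493-7618-2796-C7BB-1E7551641ADD} = "C:\\Users\\Admin\\AppData\\Roaming\\Caxutu\\hoda.exe" hoda.exe',
    r'PID 2044 wrote to memory of 844 2044 zeusaes_2.7.6.2.vir.exe hoda.exe',
    r'PID 2044 wrote to memory of 844 2044 zeusaes_2.7.6.2.vir.exe hoda.exe',
    r'PID 844 wrote to memory of 840 844 hoda.exe explorer.exe',
    r'PID 2044 wrote to memory of 1464 2044 zeusaes_2.7.6.2.vir.exe cmd.exe',
    r'C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp2c3506a7.bat"',
]

RUN_RE = re.compile(
    r'Set value \(str\) (?P<key>\\REGISTRY\\USER\\(?P<sid>S-1-5-21-[\d-]+)'
    r'\\Software\\Microsoft\\Windows\\CurrentVersion\\Run)\\(?P<name>\S+) = "(?P<data>[^"]+)"',
    re.IGNORECASE)
# Row layout: PID <src> wrote to memory of <dst> <src> <src image> <dst image>
WPM_RE = re.compile(r'PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) \d+ (?P<src_img>\S+) (?P<dst_img>\S+)')
SELFDEL_RE = re.compile(r'cmd\.exe" /c "(?P<bat>[^"]+\.bat)"', re.IGNORECASE)
GUID_RE = re.compile(r'^\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$', re.IGNORECASE)


def unescape(path):
    """Undo the doubled backslashes the sandbox uses when printing registry data."""
    return path.replace('\\\\', '\\')


def parse_report(lines):
    """Extract persistence entries, injection edges and self-delete scripts."""
    persistence, injections, self_delete = [], set(), []
    for line in lines:
        if m := RUN_RE.search(line):
            persistence.append({'sid': m['sid'], 'key': m['key'],
                                'name': m['name'], 'data': unescape(m['data'])})
        elif m := WPM_RE.search(line):
            # One row per WriteProcessMemory call; the set keeps one edge per pair.
            injections.add((int(m['src']), m['src_img'], int(m['dst']), m['dst_img']))
        elif m := SELFDEL_RE.search(line):
            self_delete.append(m['bat'])
    return {'persistence': persistence, 'injections': injections, 'self_delete': self_delete}


def injection_chains(injections, root_pid):
    """Follow WriteProcessMemory edges from root_pid; each chain is a list of image names."""
    children, names = defaultdict(list), {}
    for src, src_img, dst, dst_img in injections:
        children[src].append(dst)
        names[src], names[dst] = src_img, dst_img
    chains = []

    def walk(pid, path):
        if not children[pid]:
            chains.append(path)
        for child in sorted(children[pid]):
            walk(child, path + [names[child]])

    walk(root_pid, [names.get(root_pid, str(root_pid))])
    return chains


def score_run_entry(name, data):
    """Heuristics (this example's assumptions, not sandbox signatures) for a Run value.

    Returns the reasons the entry looks like malware persistence; empty means nothing matched.
    """
    reasons = []
    path = unescape(data).lower()
    if GUID_RE.match(name):
        reasons.append('guid-style value name')
    if '\\appdata\\roaming\\' in path or '\\appdata\\local\\' in path:
        reasons.append('executable under user-writable AppData')
    m = re.search(r'\\appdata\\roaming\\([a-z]+)\\([a-z]+)\.exe$', path)
    if m:
        reasons.append('short lowercase folder and file name: %s\\%s.exe' % m.groups())
    return reasons


if __name__ == '__main__':
    found = parse_report(REPORT_LINES)
    for entry in found['persistence']:
        print('persistence:', entry['name'], '->', entry['data'],
              score_run_entry(entry['name'], entry['data']))
    for chain in injection_chains(found['injections'], 2044):
        print('injection chain:', ' -> '.join(chain))
    for bat in found['self_delete']:
        print('self-delete script:', bat)
```

The same regexes work on the full 18-row WriteProcessMemory list because repeated rows land in a set; the resulting edges are what you would carry into a hunt (parent image, injected image, and the GUID-named Run value pointing into AppData\Roaming).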
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Users\Admin\AppData\Local\Temp\tmp2c3506a7.bat
- C:\Users\Admin\AppData\Roaming\Caxutu\hoda.exe
- C:\Users\Admin\AppData\Roaming\Caxutu\hoda.exe
- \Users\Admin\AppData\Roaming\Caxutu\hoda.exe
- \Users\Admin\AppData\Roaming\Caxutu\hoda.exe
- memory/844-2-0x0000000000000000-mapping.dmp
- memory/1464-5-0x0000000000000000-mapping.dmp