Analysis
- Max time kernel: 152s
- Max time network: 83s
- Platform: windows7_x64
- Resource: win7v200430
- Submitted: 19-07-2020 19:31
Static task: static1
Behavioral task: behavioral1
- Sample: zeusaes_2.7.7.3.vir.exe
- Resource: win7v200430 (windows7_x64)
- 0 signatures, 0 seconds
Behavioral task: behavioral2
- Sample: zeusaes_2.7.7.3.vir.exe
- Resource: win10v200430 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: zeusaes_2.7.7.3.vir.exe
- Size: 218KB
- MD5: 354f372a0e38336f3a6c9e341f8ed271
- SHA1: 6ece6eae832907eeffcc69d886ae0b2d644ba3c0
- SHA256: 87c779ed21a3c5abb368edd0472968f7f4f3c839fa8ac6ed058bfbee6c6c056a
- SHA512: ac5b918460674f1ea3a9126ee4d70e9748f4b768c71f9b9f1d69fe31f0a8fd2e58217f56a50129c8d78c2bc05077863e56caf07f119cd861108d77a377b38f0a
- Score: 8/10
Malware Config
Signatures
- Deletes itself (1 IoC)
  Processes:
    PID 1840  cmd.exe
- Suspicious behavior: EnumeratesProcesses (48 IoCs)
  Processes:
    PID 1824  pywo.exe  (48 occurrences)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
    Key created     \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\Currentversion\Run  (pywo.exe)
    Set value (str) \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\{83EB8DDA-5752-CD84-8836-42F737EF4B70} = "C:\\Users\\Admin\\AppData\\Roaming\\Iddaq\\pywo.exe"  (pywo.exe)
- Suspicious use of WriteProcessMemory (36 IoCs)
  Processes (source PID / source process / target PID / target process / occurrences):
    1312  zeusaes_2.7.7.3.vir.exe  ->   872  zeusaes_2.7.7.3.vir.exe   9
     872  zeusaes_2.7.7.3.vir.exe  ->   780  pywo.exe                  4
     780  pywo.exe                 ->  1824  pywo.exe                  9
    1824  pywo.exe                 ->  1792  explorer.exe             10
     872  zeusaes_2.7.7.3.vir.exe  ->  1840  cmd.exe                   4
- Suspicious use of SetThreadContext (2 IoCs)
  Processes (source PID / source process / target PID / target process):
    1312  zeusaes_2.7.7.3.vir.exe  ->   872  zeusaes_2.7.7.3.vir.exe
     780  pywo.exe                 ->  1824  pywo.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    Token: SeSecurityPrivilege  PID 872  zeusaes_2.7.7.3.vir.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    PID 872  zeusaes_2.7.7.3.vir.exe  (2 occurrences)
- Executes dropped EXE (2 IoCs)
  Processes:
    PID 780   pywo.exe
    PID 1824  pywo.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\zeusaes_2.7.7.3.vir.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\zeusaes_2.7.7.3.vir.exe"
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SetThreadContext
  - C:\Users\Admin\AppData\Local\Temp\zeusaes_2.7.7.3.vir.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\zeusaes_2.7.7.3.vir.exe"
    - Suspicious use of WriteProcessMemory
    - Suspicious use of AdjustPrivilegeToken
    - Loads dropped DLL
    - C:\Users\Admin\AppData\Roaming\Iddaq\pywo.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Roaming\Iddaq\pywo.exe"
      - Suspicious use of WriteProcessMemory
      - Suspicious use of SetThreadContext
      - Executes dropped EXE
      - C:\Users\Admin\AppData\Roaming\Iddaq\pywo.exe (depth 4)
        Command line: "C:\Users\Admin\AppData\Roaming\Iddaq\pywo.exe"
        - Suspicious behavior: EnumeratesProcesses
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        - Executes dropped EXE
        - C:\Windows\explorer.exe (depth 5)
          Command line: "C:\Windows\explorer.exe"
    - C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp258583b9.bat"
      - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp258583b9.bat
- C:\Users\Admin\AppData\Roaming\Iddaq\pywo.exe
- C:\Users\Admin\AppData\Roaming\Iddaq\pywo.exe
- C:\Users\Admin\AppData\Roaming\Iddaq\pywo.exe
- \Users\Admin\AppData\Roaming\Iddaq\pywo.exe
- \Users\Admin\AppData\Roaming\Iddaq\pywo.exe
- memory/780-5-0x0000000000000000-mapping.dmp
- memory/872-0-0x0000000000400000-0x000000000042C000-memory.dmp (Filesize: 176KB)
- memory/872-1-0x000000000041322D-mapping.dmp
- memory/872-2-0x0000000000400000-0x000000000042C000-memory.dmp (Filesize: 176KB)
- memory/1824-9-0x000000000041322D-mapping.dmp
- memory/1840-12-0x0000000000000000-mapping.dmp