Analysis
- max time kernel: 151s
- max time network: 144s
- platform: windows7_x64
- resource: win7v200430
- submitted: 19-07-2020 19:48
Static task: static1
Behavioral task: behavioral1
- Sample: zeus 2_2.0.8.1.vir.exe
- Resource: win7v200430 (windows7_x64)
- 0 signatures, 0 seconds
Behavioral task: behavioral2
- Sample: zeus 2_2.0.8.1.vir.exe
- Resource: win10 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: zeus 2_2.0.8.1.vir.exe
- Size: 172KB
- MD5: ad4396666fa436dc0bedfa892a4e7a54
- SHA1: d8730c6489e16b35868b9787fb69b1e1b38cd201
- SHA256: 3738a4a5fc512d44852ab90f7fe37e91159117e484176a06506f41e0db70eae3
- SHA512: 4c30bd4fd412bc483f18ee4bdb09904a6d5bffa4d2db969ff82dc9680d8e2eae095750fd15a4ff36bddc70b6088409d92e3443dc7aa6164c49f6d449cd7d3aec
- Score: 8/10
Malware Config
Signatures
-
Suspicious use of SetThreadContext (2 IoCs)
Processes:
  description | pid | process | target process
  PID 1312 set thread context of 1428 | 1312 | zeus 2_2.0.8.1.vir.exe | zeus 2_2.0.8.1.vir.exe
  PID 1544 set thread context of 1072 | 1544 | nooz.exe | nooz.exe
-
Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes:
  description | pid | process
  Token: SeSecurityPrivilege | 1428 | zeus 2_2.0.8.1.vir.exe
  Token: SeSecurityPrivilege | 1428 | zeus 2_2.0.8.1.vir.exe
  Token: SeSecurityPrivilege | 1428 | zeus 2_2.0.8.1.vir.exe
  Token: SeSecurityPrivilege | 1520 | cmd.exe
  Token: SeSecurityPrivilege | 1520 | cmd.exe
-
Loads dropped DLL (2 IoCs)
Processes:
  pid | process
  1428 | zeus 2_2.0.8.1.vir.exe
  1428 | zeus 2_2.0.8.1.vir.exe
-
Deletes itself (1 IoCs)
Processes:
  pid | process
  1520 | cmd.exe
-
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\Currentversion\Run | nooz.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\{C36A97D1-767C-D7AE-A3EF-E7B926C8D83E} = "C:\\Users\\Admin\\AppData\\Roaming\\Ogykq\\nooz.exe" | nooz.exe
-
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
  pid | process
  1312 | zeus 2_2.0.8.1.vir.exe
  1544 | nooz.exe
-
Suspicious use of WriteProcessMemory (71 IoCs)
Processes:
  description | pid | process | target process
  PID 1312 wrote to memory of 1428 | 1312 | zeus 2_2.0.8.1.vir.exe | zeus 2_2.0.8.1.vir.exe
  PID 1312 wrote to memory of 1428 | 1312 | zeus 2_2.0.8.1.vir.exe | zeus 2_2.0.8.1.vir.exe
  PID 1312 wrote to memory of 1428 | 1312 | zeus 2_2.0.8.1.vir.exe | zeus 2_2.0.8.1.vir.exe
  PID 1312 wrote to memory of 1428 | 1312 | zeus 2_2.0.8.1.vir.exe | zeus 2_2.0.8.1.vir.exe
  PID 1312 wrote to memory of 1428 | 1312 | zeus 2_2.0.8.1.vir.exe | zeus 2_2.0.8.1.vir.exe
  PID 1312 wrote to memory of 1428 | 1312 | zeus 2_2.0.8.1.vir.exe | zeus 2_2.0.8.1.vir.exe
  PID 1312 wrote to memory of 1428 | 1312 | zeus 2_2.0.8.1.vir.exe | zeus 2_2.0.8.1.vir.exe
  PID 1312 wrote to memory of 1428 | 1312 | zeus 2_2.0.8.1.vir.exe | zeus 2_2.0.8.1.vir.exe
  PID 1312 wrote to memory of 1428 | 1312 | zeus 2_2.0.8.1.vir.exe | zeus 2_2.0.8.1.vir.exe
  PID 1428 wrote to memory of 1544 | 1428 | zeus 2_2.0.8.1.vir.exe | nooz.exe
  PID 1428 wrote to memory of 1544 | 1428 | zeus 2_2.0.8.1.vir.exe | nooz.exe
  PID 1428 wrote to memory of 1544 | 1428 | zeus 2_2.0.8.1.vir.exe | nooz.exe
  PID 1428 wrote to memory of 1544 | 1428 | zeus 2_2.0.8.1.vir.exe | nooz.exe
  PID 1544 wrote to memory of 1072 | 1544 | nooz.exe | nooz.exe
  PID 1544 wrote to memory of 1072 | 1544 | nooz.exe | nooz.exe
  PID 1544 wrote to memory of 1072 | 1544 | nooz.exe | nooz.exe
  PID 1544 wrote to memory of 1072 | 1544 | nooz.exe | nooz.exe
  PID 1544 wrote to memory of 1072 | 1544 | nooz.exe | nooz.exe
  PID 1544 wrote to memory of 1072 | 1544 | nooz.exe | nooz.exe
  PID 1544 wrote to memory of 1072 | 1544 | nooz.exe | nooz.exe
  PID 1544 wrote to memory of 1072 | 1544 | nooz.exe | nooz.exe
  PID 1544 wrote to memory of 1072 | 1544 | nooz.exe | nooz.exe
  PID 1072 wrote to memory of 1144 | 1072 | nooz.exe | taskhost.exe
  PID 1072 wrote to memory of 1144 | 1072 | nooz.exe | taskhost.exe
  PID 1072 wrote to memory of 1144 | 1072 | nooz.exe | taskhost.exe
  PID 1072 wrote to memory of 1144 | 1072 | nooz.exe | taskhost.exe
  PID 1072 wrote to memory of 1144 | 1072 | nooz.exe | taskhost.exe
  PID 1072 wrote to memory of 1236 | 1072 | nooz.exe | Dwm.exe
  PID 1072 wrote to memory of 1236 | 1072 | nooz.exe | Dwm.exe
  PID 1072 wrote to memory of 1236 | 1072 | nooz.exe | Dwm.exe
  PID 1072 wrote to memory of 1236 | 1072 | nooz.exe | Dwm.exe
  PID 1072 wrote to memory of 1236 | 1072 | nooz.exe | Dwm.exe
  PID 1072 wrote to memory of 1332 | 1072 | nooz.exe | Explorer.EXE
  PID 1072 wrote to memory of 1332 | 1072 | nooz.exe | Explorer.EXE
  PID 1072 wrote to memory of 1332 | 1072 | nooz.exe | Explorer.EXE
  PID 1072 wrote to memory of 1332 | 1072 | nooz.exe | Explorer.EXE
  PID 1072 wrote to memory of 1332 | 1072 | nooz.exe | Explorer.EXE
  PID 1072 wrote to memory of 1428 | 1072 | nooz.exe | zeus 2_2.0.8.1.vir.exe
  PID 1072 wrote to memory of 1428 | 1072 | nooz.exe | zeus 2_2.0.8.1.vir.exe
  PID 1072 wrote to memory of 1428 | 1072 | nooz.exe | zeus 2_2.0.8.1.vir.exe
  PID 1072 wrote to memory of 1428 | 1072 | nooz.exe | zeus 2_2.0.8.1.vir.exe
  PID 1072 wrote to memory of 1428 | 1072 | nooz.exe | zeus 2_2.0.8.1.vir.exe
  PID 1428 wrote to memory of 1520 | 1428 | zeus 2_2.0.8.1.vir.exe | cmd.exe
  PID 1428 wrote to memory of 1520 | 1428 | zeus 2_2.0.8.1.vir.exe | cmd.exe
  PID 1428 wrote to memory of 1520 | 1428 | zeus 2_2.0.8.1.vir.exe | cmd.exe
  PID 1428 wrote to memory of 1520 | 1428 | zeus 2_2.0.8.1.vir.exe | cmd.exe
  PID 1072 wrote to memory of 1520 | 1072 | nooz.exe | cmd.exe
  PID 1072 wrote to memory of 1520 | 1072 | nooz.exe | cmd.exe
  PID 1072 wrote to memory of 1520 | 1072 | nooz.exe | cmd.exe
  PID 1072 wrote to memory of 1520 | 1072 | nooz.exe | cmd.exe
  PID 1072 wrote to memory of 1520 | 1072 | nooz.exe | cmd.exe
  PID 1072 wrote to memory of 1696 | 1072 | nooz.exe | conhost.exe
  PID 1072 wrote to memory of 1696 | 1072 | nooz.exe | conhost.exe
  PID 1072 wrote to memory of 1696 | 1072 | nooz.exe | conhost.exe
  PID 1072 wrote to memory of 1696 | 1072 | nooz.exe | conhost.exe
  PID 1072 wrote to memory of 1696 | 1072 | nooz.exe | conhost.exe
  PID 1072 wrote to memory of 1856 | 1072 | nooz.exe | DllHost.exe
  PID 1072 wrote to memory of 1856 | 1072 | nooz.exe | DllHost.exe
  PID 1072 wrote to memory of 1856 | 1072 | nooz.exe | DllHost.exe
  PID 1072 wrote to memory of 1856 | 1072 | nooz.exe | DllHost.exe
  PID 1072 wrote to memory of 1856 | 1072 | nooz.exe | DllHost.exe
  PID 1072 wrote to memory of 520 | 1072 | nooz.exe | DllHost.exe
  PID 1072 wrote to memory of 520 | 1072 | nooz.exe | DllHost.exe
  PID 1072 wrote to memory of 520 | 1072 | nooz.exe | DllHost.exe
-
Executes dropped EXE (2 IoCs)
Processes:
  pid | process
  1544 | nooz.exe
  1072 | nooz.exe
-
Suspicious behavior: EnumeratesProcesses (33 IoCs)
Processes:
  pid | process
  1072 | nooz.exe (the same entry is listed for all 33 IoCs)
-
Modifies Internet Explorer settings
Processes:
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0" | zeus 2_2.0.8.1.vir.exe
  Key created | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Privacy | zeus 2_2.0.8.1.vir.exe
Processes (tree, indented by depth)
- C:\Windows\system32\taskhost.exe
  command line: "taskhost.exe"
- C:\Windows\system32\Dwm.exe
  command line: "C:\Windows\system32\Dwm.exe"
- C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\zeus 2_2.0.8.1.vir.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\zeus 2_2.0.8.1.vir.exe"
    signatures: Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\zeus 2_2.0.8.1.vir.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\zeus 2_2.0.8.1.vir.exe"
      signatures: Suspicious use of AdjustPrivilegeToken; Loads dropped DLL; Suspicious use of WriteProcessMemory; Modifies Internet Explorer settings
      - C:\Users\Admin\AppData\Roaming\Ogykq\nooz.exe
        command line: "C:\Users\Admin\AppData\Roaming\Ogykq\nooz.exe"
        signatures: Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory; Executes dropped EXE
        - C:\Users\Admin\AppData\Roaming\Ogykq\nooz.exe
          command line: "C:\Users\Admin\AppData\Roaming\Ogykq\nooz.exe"
          signatures: Adds Run key to start application; Suspicious use of WriteProcessMemory; Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
      - C:\Windows\SysWOW64\cmd.exe
        command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp134de5c2.bat"
        signatures: Suspicious use of AdjustPrivilegeToken; Deletes itself
- C:\Windows\system32\conhost.exe
  command line: \??\C:\Windows\system32\conhost.exe "-10191840811599941944-1828782156197852134811073685951690794406-17637050191892463622"
- C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
- C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp134de5c2.bat
- C:\Users\Admin\AppData\Roaming\Ezun\heofc.xez
- C:\Users\Admin\AppData\Roaming\Ogykq\nooz.exe
- C:\Users\Admin\AppData\Roaming\Ogykq\nooz.exe
- C:\Users\Admin\AppData\Roaming\Ogykq\nooz.exe
- \Users\Admin\AppData\Roaming\Ogykq\nooz.exe
- \Users\Admin\AppData\Roaming\Ogykq\nooz.exe
- memory/1072-13-0x0000000000405DB4-mapping.dmp
- memory/1428-2-0x0000000000400000-0x0000000000425000-memory.dmp (Filesize: 148KB)
- memory/1428-16-0x0000000000405DB4-mapping.dmp
- memory/1428-4-0x0000000000400000-0x0000000000425000-memory.dmp (Filesize: 148KB)
- memory/1428-3-0x0000000000405DB4-mapping.dmp
- memory/1520-17-0x0000000000000000-mapping.dmp
- memory/1520-18-0x0000000000000000-mapping.dmp
- memory/1544-7-0x0000000000000000-mapping.dmp