Analysis
- max time kernel: 151s
- max time network: 99s
- platform: windows7_x64
- resource: win7
- submitted: 19-07-2020 17:18
Static task: static1

Behavioral task: behavioral1
- Sample: zeus 2_2.1.0.0.vir.exe
- Resource: win7 (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: zeus 2_2.1.0.0.vir.exe
- Resource: win10 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: zeus 2_2.1.0.0.vir.exe
- Size: 401KB
- MD5: dccf842de5eb002597c65d495d973bff
- SHA1: 0ea106c7a37491f50510f3c3425802ef2b951900
- SHA256: 1f3842bc152088bc10de6e14adabf860902dee318375a6567e0b85a9faaed1f0
- SHA512: f9662baebb98a689a2e015b9efe179e9a6b2f0e555048762ddc65ad75a5de438b48068084fc5e8c94f34a7b476b60040d7a6ead4e9de82af32407bfb682d80b6
- Score: 8/10
Malware Config
Signatures

- Suspicious behavior: EnumeratesProcesses (35 IoCs)
  Processes (pid, process): every row is 1500 ubfu.exe (repeated rows collapsed)

- Deletes itself (1 IoC)
  Processes (pid, process): 908 cmd.exe

- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description, ioc, process):
  - Key created: \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\Currentversion\Run (ubfu.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\{D4807D06-6B7D-5995-947A-7B8AB5D60B28} = "C:\\Users\\Admin\\AppData\\Roaming\\Oxafyt\\ubfu.exe" (ubfu.exe)

- Suspicious use of WriteProcessMemory (93 IoCs; 64 rows appear on the page, repeated rows collapsed with counts)
  Processes (source pid, source process -> target pid, target process):
  - 1140 zeus 2_2.1.0.0.vir.exe -> 864 zeus 2_2.1.0.0.vir.exe (12 rows)
  - 864 zeus 2_2.1.0.0.vir.exe -> 316 ubfu.exe (7 rows)
  - 316 ubfu.exe -> 1500 ubfu.exe (12 rows)
  - 864 zeus 2_2.1.0.0.vir.exe -> 908 cmd.exe (7 rows)
  - 1500 ubfu.exe -> 1148 taskhost.exe (5 rows)
  - 1500 ubfu.exe -> 1264 Dwm.exe (5 rows)
  - 1500 ubfu.exe -> 1308 Explorer.EXE (5 rows)
  - 1500 ubfu.exe -> 864 zeus 2_2.1.0.0.vir.exe (5 rows)
  - 1500 ubfu.exe -> 908 cmd.exe (5 rows)
  - 1500 ubfu.exe -> 640 conhost.exe (1 row)

- Suspicious use of SetThreadContext (2 IoCs)
  Processes (source pid, source process -> target pid, target process):
  - 1140 zeus 2_2.1.0.0.vir.exe set thread context of 864 zeus 2_2.1.0.0.vir.exe
  - 316 ubfu.exe set thread context of 1500 ubfu.exe

- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description, pid, process):
  - Token: SeSecurityPrivilege, 864 zeus 2_2.1.0.0.vir.exe
  - Token: SeRestorePrivilege, 864 zeus 2_2.1.0.0.vir.exe
  - Token: SeBackupPrivilege, 864 zeus 2_2.1.0.0.vir.exe

- Loads dropped DLL (8 IoCs)
  Processes (pid, process):
  - 864 zeus 2_2.1.0.0.vir.exe (1 row)
  - 316 ubfu.exe (4 rows)
  - 1500 ubfu.exe (3 rows)

- Executes dropped EXE (2 IoCs)
  Processes (pid, process):
  - 316 ubfu.exe
  - 1500 ubfu.exe
Processes (path, command line, tree depth; children indented under their parent)

- C:\Windows\system32\taskhost.exe  "taskhost.exe"  (depth 1)
- C:\Windows\system32\Dwm.exe  "C:\Windows\system32\Dwm.exe"  (depth 1)
- C:\Windows\Explorer.EXE  C:\Windows\Explorer.EXE  (depth 1)
  - C:\Users\Admin\AppData\Local\Temp\zeus 2_2.1.0.0.vir.exe  "C:\Users\Admin\AppData\Local\Temp\zeus 2_2.1.0.0.vir.exe"  (depth 2)
    - Suspicious use of WriteProcessMemory
    - Suspicious use of SetThreadContext
    - C:\Users\Admin\AppData\Local\Temp\zeus 2_2.1.0.0.vir.exe  "C:\Users\Admin\AppData\Local\Temp\zeus 2_2.1.0.0.vir.exe"  (depth 3)
      - Suspicious use of WriteProcessMemory
      - Suspicious use of AdjustPrivilegeToken
      - Loads dropped DLL
      - C:\Users\Admin\AppData\Roaming\Oxafyt\ubfu.exe  "C:\Users\Admin\AppData\Roaming\Oxafyt\ubfu.exe"  (depth 4)
        - Suspicious use of WriteProcessMemory
        - Suspicious use of SetThreadContext
        - Loads dropped DLL
        - Executes dropped EXE
        - C:\Users\Admin\AppData\Roaming\Oxafyt\ubfu.exe  "C:\Users\Admin\AppData\Roaming\Oxafyt\ubfu.exe"  (depth 5)
          - Suspicious behavior: EnumeratesProcesses
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory
          - Loads dropped DLL
          - Executes dropped EXE
      - C:\Windows\SysWOW64\cmd.exe  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp560e4351.bat"  (depth 4)
        - Deletes itself
- C:\Windows\system32\conhost.exe  \??\C:\Windows\system32\conhost.exe "-6206651608779662951150781288458971480512034206-69500577346998455-847530103"  (depth 1)
- C:\Windows\system32\DllHost.exe  C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}  (depth 1)
- C:\Windows\system32\DllHost.exe  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}  (depth 1)
- C:\Windows\system32\DllHost.exe  C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}  (depth 1)
- C:\Windows\system32\DllHost.exe  C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}  (depth 1)
- C:\Windows\system32\DllHost.exe  C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}  (depth 1)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp560e4351.bat
- C:\Users\Admin\AppData\Roaming\Oxafyt\ubfu.exe (3 entries)
- \Users\Admin\AppData\Roaming\Oxafyt\ubfu.exe (8 entries)
- memory/316-4-0x0000000000000000-mapping.dmp
- memory/864-0-0x0000000000400000-0x0000000000427000-memory.dmp (filesize 156KB)
- memory/864-2-0x0000000000400000-0x0000000000427000-memory.dmp (filesize 156KB)
- memory/864-1-0x000000000040D6CC-mapping.dmp
- memory/908-18-0x0000000000000000-mapping.dmp
- memory/908-19-0x0000000000000000-mapping.dmp
- memory/1500-12-0x000000000040D6CC-mapping.dmp