1f3842bc152088bc10de6e14adabf860902dee318375a6567e0b85a9faaed1f0

General

Target

zeus 2_2.1.0.0.vir.exe
Size

401KB
MD5

dccf842de5eb002597c65d495d973bff
SHA1

0ea106c7a37491f50510f3c3425802ef2b951900
SHA256

1f3842bc152088bc10de6e14adabf860902dee318375a6567e0b85a9faaed1f0
SHA512

f9662baebb98a689a2e015b9efe179e9a6b2f0e555048762ddc65ad75a5de438b48068084fc5e8c94f34a7b476b60040d7a6ead4e9de82af32407bfb682d80b6

Score

8^/10

persistence

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

ubfu.exe

pid	process
1500	ubfu.exe
1500	ubfu.exe
1500	ubfu.exe
1500	ubfu.exe
1500	ubfu.exe
1500	ubfu.exe
1500	ubfu.exe
1500	ubfu.exe
1500	ubfu.exe
1500	ubfu.exe
1500	ubfu.exe
1500	ubfu.exe
1500	ubfu.exe
1500	ubfu.exe
1500	ubfu.exe
1500	ubfu.exe
1500	ubfu.exe
1500	ubfu.exe
1500	ubfu.exe
1500	ubfu.exe
1500	ubfu.exe
1500	ubfu.exe
1500	ubfu.exe
1500	ubfu.exe
1500	ubfu.exe
1500	ubfu.exe
1500	ubfu.exe
1500	ubfu.exe
1500	ubfu.exe
1500	ubfu.exe
1500	ubfu.exe
1500	ubfu.exe
1500	ubfu.exe
1500	ubfu.exe
1500	ubfu.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

908 cmd.exe

pid	process
908	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ubfu.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\Currentversion\Run	ubfu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\{D4807D06-6B7D-5995-947A-7B8AB5D60B28} = "C:\\Users\\Admin\\AppData\\Roaming\\Oxafyt\\ubfu.exe"	ubfu.exe

Suspicious use of WriteProcessMemory 93 IoCs

Processes:

zeus 2_2.1.0.0.vir.exezeus 2_2.1.0.0.vir.exeubfu.exeubfu.exe

description	pid	process	target process
PID 1140 wrote to memory of 864	1140	zeus 2_2.1.0.0.vir.exe	zeus 2_2.1.0.0.vir.exe
PID 1140 wrote to memory of 864	1140	zeus 2_2.1.0.0.vir.exe	zeus 2_2.1.0.0.vir.exe
PID 1140 wrote to memory of 864	1140	zeus 2_2.1.0.0.vir.exe	zeus 2_2.1.0.0.vir.exe
PID 1140 wrote to memory of 864	1140	zeus 2_2.1.0.0.vir.exe	zeus 2_2.1.0.0.vir.exe
PID 1140 wrote to memory of 864	1140	zeus 2_2.1.0.0.vir.exe	zeus 2_2.1.0.0.vir.exe
PID 1140 wrote to memory of 864	1140	zeus 2_2.1.0.0.vir.exe	zeus 2_2.1.0.0.vir.exe
PID 1140 wrote to memory of 864	1140	zeus 2_2.1.0.0.vir.exe	zeus 2_2.1.0.0.vir.exe
PID 1140 wrote to memory of 864	1140	zeus 2_2.1.0.0.vir.exe	zeus 2_2.1.0.0.vir.exe
PID 1140 wrote to memory of 864	1140	zeus 2_2.1.0.0.vir.exe	zeus 2_2.1.0.0.vir.exe
PID 1140 wrote to memory of 864	1140	zeus 2_2.1.0.0.vir.exe	zeus 2_2.1.0.0.vir.exe
PID 1140 wrote to memory of 864	1140	zeus 2_2.1.0.0.vir.exe	zeus 2_2.1.0.0.vir.exe
PID 1140 wrote to memory of 864	1140	zeus 2_2.1.0.0.vir.exe	zeus 2_2.1.0.0.vir.exe
PID 864 wrote to memory of 316	864	zeus 2_2.1.0.0.vir.exe	ubfu.exe
PID 864 wrote to memory of 316	864	zeus 2_2.1.0.0.vir.exe	ubfu.exe
PID 864 wrote to memory of 316	864	zeus 2_2.1.0.0.vir.exe	ubfu.exe
PID 864 wrote to memory of 316	864	zeus 2_2.1.0.0.vir.exe	ubfu.exe
PID 864 wrote to memory of 316	864	zeus 2_2.1.0.0.vir.exe	ubfu.exe
PID 864 wrote to memory of 316	864	zeus 2_2.1.0.0.vir.exe	ubfu.exe
PID 864 wrote to memory of 316	864	zeus 2_2.1.0.0.vir.exe	ubfu.exe
PID 316 wrote to memory of 1500	316	ubfu.exe	ubfu.exe
PID 316 wrote to memory of 1500	316	ubfu.exe	ubfu.exe
PID 316 wrote to memory of 1500	316	ubfu.exe	ubfu.exe
PID 316 wrote to memory of 1500	316	ubfu.exe	ubfu.exe
PID 316 wrote to memory of 1500	316	ubfu.exe	ubfu.exe
PID 316 wrote to memory of 1500	316	ubfu.exe	ubfu.exe
PID 316 wrote to memory of 1500	316	ubfu.exe	ubfu.exe
PID 316 wrote to memory of 1500	316	ubfu.exe	ubfu.exe
PID 316 wrote to memory of 1500	316	ubfu.exe	ubfu.exe
PID 316 wrote to memory of 1500	316	ubfu.exe	ubfu.exe
PID 316 wrote to memory of 1500	316	ubfu.exe	ubfu.exe
PID 316 wrote to memory of 1500	316	ubfu.exe	ubfu.exe
PID 864 wrote to memory of 908	864	zeus 2_2.1.0.0.vir.exe	cmd.exe
PID 864 wrote to memory of 908	864	zeus 2_2.1.0.0.vir.exe	cmd.exe
PID 864 wrote to memory of 908	864	zeus 2_2.1.0.0.vir.exe	cmd.exe
PID 864 wrote to memory of 908	864	zeus 2_2.1.0.0.vir.exe	cmd.exe
PID 864 wrote to memory of 908	864	zeus 2_2.1.0.0.vir.exe	cmd.exe
PID 864 wrote to memory of 908	864	zeus 2_2.1.0.0.vir.exe	cmd.exe
PID 864 wrote to memory of 908	864	zeus 2_2.1.0.0.vir.exe	cmd.exe
PID 1500 wrote to memory of 1148	1500	ubfu.exe	taskhost.exe
PID 1500 wrote to memory of 1148	1500	ubfu.exe	taskhost.exe
PID 1500 wrote to memory of 1148	1500	ubfu.exe	taskhost.exe
PID 1500 wrote to memory of 1148	1500	ubfu.exe	taskhost.exe
PID 1500 wrote to memory of 1148	1500	ubfu.exe	taskhost.exe
PID 1500 wrote to memory of 1264	1500	ubfu.exe	Dwm.exe
PID 1500 wrote to memory of 1264	1500	ubfu.exe	Dwm.exe
PID 1500 wrote to memory of 1264	1500	ubfu.exe	Dwm.exe
PID 1500 wrote to memory of 1264	1500	ubfu.exe	Dwm.exe
PID 1500 wrote to memory of 1264	1500	ubfu.exe	Dwm.exe
PID 1500 wrote to memory of 1308	1500	ubfu.exe	Explorer.EXE
PID 1500 wrote to memory of 1308	1500	ubfu.exe	Explorer.EXE
PID 1500 wrote to memory of 1308	1500	ubfu.exe	Explorer.EXE
PID 1500 wrote to memory of 1308	1500	ubfu.exe	Explorer.EXE
PID 1500 wrote to memory of 1308	1500	ubfu.exe	Explorer.EXE
PID 1500 wrote to memory of 864	1500	ubfu.exe	zeus 2_2.1.0.0.vir.exe
PID 1500 wrote to memory of 864	1500	ubfu.exe	zeus 2_2.1.0.0.vir.exe
PID 1500 wrote to memory of 864	1500	ubfu.exe	zeus 2_2.1.0.0.vir.exe
PID 1500 wrote to memory of 864	1500	ubfu.exe	zeus 2_2.1.0.0.vir.exe
PID 1500 wrote to memory of 864	1500	ubfu.exe	zeus 2_2.1.0.0.vir.exe
PID 1500 wrote to memory of 908	1500	ubfu.exe	cmd.exe
PID 1500 wrote to memory of 908	1500	ubfu.exe	cmd.exe
PID 1500 wrote to memory of 908	1500	ubfu.exe	cmd.exe
PID 1500 wrote to memory of 908	1500	ubfu.exe	cmd.exe
PID 1500 wrote to memory of 908	1500	ubfu.exe	cmd.exe
PID 1500 wrote to memory of 640	1500	ubfu.exe	conhost.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

zeus 2_2.1.0.0.vir.exeubfu.exe

description	pid	process	target process
PID 1140 set thread context of 864	1140	zeus 2_2.1.0.0.vir.exe	zeus 2_2.1.0.0.vir.exe
PID 316 set thread context of 1500	316	ubfu.exe	ubfu.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

zeus 2_2.1.0.0.vir.exe

description	pid	process
Token: SeSecurityPrivilege	864	zeus 2_2.1.0.0.vir.exe
Token: SeRestorePrivilege	864	zeus 2_2.1.0.0.vir.exe
Token: SeBackupPrivilege	864	zeus 2_2.1.0.0.vir.exe

Loads dropped DLL 8 IoCs

Processes:

zeus 2_2.1.0.0.vir.exeubfu.exeubfu.exe

pid process

864 zeus 2_2.1.0.0.vir.exe
316 ubfu.exe
316 ubfu.exe
316 ubfu.exe
316 ubfu.exe
1500 ubfu.exe
1500 ubfu.exe
1500 ubfu.exe
Executes dropped EXE 2 IoCs

Processes:

ubfu.exeubfu.exe

pid process

316 ubfu.exe
1500 ubfu.exe

pid	process
864	zeus 2_2.1.0.0.vir.exe
316	ubfu.exe
316	ubfu.exe
316	ubfu.exe
316	ubfu.exe
1500	ubfu.exe
1500	ubfu.exe
1500	ubfu.exe

pid	process
316	ubfu.exe
1500	ubfu.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1148

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1264

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1308

C:\Users\Admin\AppData\Local\Temp\zeus 2_2.1.0.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zeus 2_2.1.0.0.vir.exe"
2⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
PID:1140

C:\Users\Admin\AppData\Local\Temp\zeus 2_2.1.0.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zeus 2_2.1.0.0.vir.exe"
3⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
- Loads dropped DLL
PID:864

C:\Users\Admin\AppData\Roaming\Oxafyt\ubfu.exe
"C:\Users\Admin\AppData\Roaming\Oxafyt\ubfu.exe"
4⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
- Loads dropped DLL
- Executes dropped EXE
PID:316

C:\Users\Admin\AppData\Roaming\Oxafyt\ubfu.exe
"C:\Users\Admin\AppData\Roaming\Oxafyt\ubfu.exe"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
- Loads dropped DLL
- Executes dropped EXE
PID:1500

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp560e4351.bat"
4⤵
- Deletes itself
PID:908

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-6206651608779662951150781288458971480512034206-69500577346998455-847530103"
1⤵
PID:640

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1816

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1844

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1868

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:848

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1328

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp560e4351.bat

Download Submit
C:\Users\Admin\AppData\Roaming\Oxafyt\ubfu.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Oxafyt\ubfu.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Oxafyt\ubfu.exe

Download Submit
\Users\Admin\AppData\Roaming\Oxafyt\ubfu.exe

Download Submit
\Users\Admin\AppData\Roaming\Oxafyt\ubfu.exe

Download Submit
\Users\Admin\AppData\Roaming\Oxafyt\ubfu.exe

Download Submit
\Users\Admin\AppData\Roaming\Oxafyt\ubfu.exe

Download Submit
\Users\Admin\AppData\Roaming\Oxafyt\ubfu.exe

Download Submit
\Users\Admin\AppData\Roaming\Oxafyt\ubfu.exe

Download Submit
\Users\Admin\AppData\Roaming\Oxafyt\ubfu.exe

Download Submit
\Users\Admin\AppData\Roaming\Oxafyt\ubfu.exe

Download Submit
memory/316-4-0x0000000000000000-mapping.dmp

Download
memory/864-0-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/864-2-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/864-1-0x000000000040D6CC-mapping.dmp

Download
memory/908-18-0x0000000000000000-mapping.dmp

Download
memory/908-19-0x0000000000000000-mapping.dmp

Download
memory/1500-12-0x000000000040D6CC-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads