Overview

overview

8

Static

static

zeusx_1.1....ir.exe

windows7_x64

8

zeusx_1.1....ir.exe

windows10_x64

8

Analysis

  • max time kernel
    151s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    19-07-2020 17:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    zeusx_1.1.4.10.vir.exe

  • Size

    145KB

  • MD5

    35dd5d67c22cbcf5b4c5246ed7852534

  • SHA1

    74b6ba155a7acd40a510184a239167c53cababfb

  • SHA256

    f5704734ab296a55510f0a43d7aa8981f4bba8a7a98ef108c99034e63dbc6678

  • SHA512

    33cd8083fca09ab42518ecd9b9f759fe365310d4197fd345fe944337c7646927410ae7c8408cd3ba3348d57d3dad6716d359095bd97d1b7a857afc47c3fdb8c0

Score
8/10
persistence

Malware Config

Signatures

  • Suspicious behavior: EnumeratesProcesses 34 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Deletes itself 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of WriteProcessMemory 71 IoCs
  • Suspicious use of SetThreadContext 2 IoCs

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
      PID:1184
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1272
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
          PID:1312
          • C:\Users\Admin\AppData\Local\Temp\zeusx_1.1.4.10.vir.exe
            "C:\Users\Admin\AppData\Local\Temp\zeusx_1.1.4.10.vir.exe"
            2⤵
            • Suspicious use of WriteProcessMemory
            • Suspicious use of SetThreadContext
            PID:1124
            • C:\Users\Admin\AppData\Local\Temp\zeusx_1.1.4.10.vir.exe
              "C:\Users\Admin\AppData\Local\Temp\zeusx_1.1.4.10.vir.exe"
              3⤵
              • Suspicious use of AdjustPrivilegeToken
              • Loads dropped DLL
              • Modifies Internet Explorer settings
              • Suspicious use of WriteProcessMemory
              PID:1172
              • C:\Users\Admin\AppData\Roaming\Yqet\gumo.exe
                "C:\Users\Admin\AppData\Roaming\Yqet\gumo.exe"
                4⤵
                • Executes dropped EXE
                • Suspicious use of WriteProcessMemory
                • Suspicious use of SetThreadContext
                PID:872
                • C:\Users\Admin\AppData\Roaming\Yqet\gumo.exe
                  "C:\Users\Admin\AppData\Roaming\Yqet\gumo.exe"
                  5⤵
                  • Suspicious behavior: EnumeratesProcesses
                  • Executes dropped EXE
                  • Adds Run key to start application
                  • Suspicious use of WriteProcessMemory
                  PID:1428
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp616034f7.bat"
                4⤵
                • Suspicious use of AdjustPrivilegeToken
                • Deletes itself
                PID:1512
        • C:\Windows\system32\conhost.exe
          \??\C:\Windows\system32\conhost.exe "1299250175497254299906257193764152138-1139181178-2023267812-12647999631510483355"
          1⤵
            PID:904
          • C:\Windows\system32\DllHost.exe
            C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
            1⤵
              PID:1540
            • C:\Windows\system32\DllHost.exe
              C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
              1⤵
                PID:1380
              • C:\Windows\system32\DllHost.exe
                C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
                1⤵
                  PID:1860

                Network

                MITRE ATT&CK Matrix ATT&CK v6

                Initial Access

                Execution

                Persistence

                Registry Run Keys / Startup Folder

                1
                T1060

                Privilege Escalation

                Defense Evasion

                Modify Registry

                2
                T1112

                Credential Access

                Discovery

                Lateral Movement

                Collection

                Exfiltration

                Command and Control

                Impact

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Temp\tmp616034f7.bat
                  Download Submit
                • C:\Users\Admin\AppData\Roaming\Syalv\wipeo.max
                  Download Submit
                • C:\Users\Admin\AppData\Roaming\Yqet\gumo.exe
                  Download Submit
                • C:\Users\Admin\AppData\Roaming\Yqet\gumo.exe
                  Download Submit
                • C:\Users\Admin\AppData\Roaming\Yqet\gumo.exe
                  Download Submit
                • \Users\Admin\AppData\Roaming\Yqet\gumo.exe
                  Download Submit
                • \Users\Admin\AppData\Roaming\Yqet\gumo.exe
                  Download Submit
                • memory/872-4-0x0000000000000000-mapping.dmp
                  Download
                • memory/1172-10-0x00000000004163A2-mapping.dmp
                  Download
                • memory/1172-0-0x0000000000400000-0x000000000041F000-memory.dmp
                  Filesize

                  124KB

                  Download
                • memory/1172-1-0x0000000000400000-0x000000000041F000-memory.dmp
                  Filesize

                  124KB

                  Download
                • memory/1512-11-0x0000000000000000-mapping.dmp
                  Download
                • memory/1512-12-0x0000000000000000-mapping.dmp
                  Download