Analysis

- max time kernel: 151s
- max time network: 118s
- platform: windows7_x64
- resource: win7
- submitted: 19-07-2020 17:31

Static task: static1

Behavioral task: behavioral1
- Sample: zeusx_1.1.4.10.vir.exe
- Resource: win7 (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: zeusx_1.1.4.10.vir.exe
- Resource: win10 (windows10_x64)
- 0 signatures, 0 seconds
General

- Target: zeusx_1.1.4.10.vir.exe
- Size: 145KB
- MD5: 35dd5d67c22cbcf5b4c5246ed7852534
- SHA1: 74b6ba155a7acd40a510184a239167c53cababfb
- SHA256: f5704734ab296a55510f0a43d7aa8981f4bba8a7a98ef108c99034e63dbc6678
- SHA512: 33cd8083fca09ab42518ecd9b9f759fe365310d4197fd345fe944337c7646927410ae7c8408cd3ba3348d57d3dad6716d359095bd97d1b7a857afc47c3fdb8c0
- Score: 8/10
Malware Config
Signatures
- Suspicious behavior: EnumeratesProcesses (34 IoCs)
  Processes (pid, process):
    1428  gumo.exe  (34 entries)
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes (description, pid, process):
    Token: SeSecurityPrivilege  1172  zeusx_1.1.4.10.vir.exe  (3 entries)
    Token: SeSecurityPrivilege  1512  cmd.exe  (2 entries)
- Executes dropped EXE (2 IoCs)
  Processes (pid, process):
    872   gumo.exe
    1428  gumo.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid, process):
    1172  zeusx_1.1.4.10.vir.exe  (2 entries)
- Deletes itself (1 IoCs)
  Processes (pid, process):
    1512  cmd.exe
- Modifies Internet Explorer settings
  Processes (description, ioc, process):
    Key created      \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Privacy  zeusx_1.1.4.10.vir.exe
    Set value (int)  \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"  zeusx_1.1.4.10.vir.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description, ioc, process):
    Key created      \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\Currentversion\Run  gumo.exe
    Set value (str)  \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\{F60B01B6-28C8-72A6-E081-CF9BF3186C19} = "C:\\Users\\Admin\\AppData\\Roaming\\Yqet\\gumo.exe"  gumo.exe
- Suspicious use of WriteProcessMemory (71 IoCs)
  Processes (description, pid, process, target process):
    PID 1124 wrote to memory of 1172  1124  zeusx_1.1.4.10.vir.exe  zeusx_1.1.4.10.vir.exe  (9 entries)
    PID 1172 wrote to memory of 872   1172  zeusx_1.1.4.10.vir.exe  gumo.exe                (4 entries)
    PID 872 wrote to memory of 1428   872   gumo.exe                gumo.exe                (9 entries)
    PID 1428 wrote to memory of 1184  1428  gumo.exe                taskhost.exe            (5 entries)
    PID 1428 wrote to memory of 1272  1428  gumo.exe                Dwm.exe                 (5 entries)
    PID 1428 wrote to memory of 1312  1428  gumo.exe                Explorer.EXE            (5 entries)
    PID 1428 wrote to memory of 1172  1428  gumo.exe                zeusx_1.1.4.10.vir.exe  (5 entries)
    PID 1172 wrote to memory of 1512  1172  zeusx_1.1.4.10.vir.exe  cmd.exe                 (4 entries)
    PID 1428 wrote to memory of 1512  1428  gumo.exe                cmd.exe                 (5 entries)
    PID 1428 wrote to memory of 904   1428  gumo.exe                conhost.exe             (5 entries)
    PID 1428 wrote to memory of 1540  1428  gumo.exe                DllHost.exe             (5 entries)
    PID 1428 wrote to memory of 1380  1428  gumo.exe                DllHost.exe             (3 entries)
- Suspicious use of SetThreadContext (2 IoCs)
  Processes (description, pid, process, target process):
    PID 1124 set thread context of 1172  1124  zeusx_1.1.4.10.vir.exe  zeusx_1.1.4.10.vir.exe
    PID 872 set thread context of 1428   872   gumo.exe                gumo.exe
Processes

- C:\Windows\system32\taskhost.exe
  Command line: "taskhost.exe"
- C:\Windows\system32\Dwm.exe
  Command line: "C:\Windows\system32\Dwm.exe"
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\zeusx_1.1.4.10.vir.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\zeusx_1.1.4.10.vir.exe"
    Signatures: Suspicious use of WriteProcessMemory; Suspicious use of SetThreadContext
    - C:\Users\Admin\AppData\Local\Temp\zeusx_1.1.4.10.vir.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\zeusx_1.1.4.10.vir.exe"
      Signatures: Suspicious use of AdjustPrivilegeToken; Loads dropped DLL; Modifies Internet Explorer settings; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\Yqet\gumo.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Yqet\gumo.exe"
        Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory; Suspicious use of SetThreadContext
        - C:\Users\Admin\AppData\Roaming\Yqet\gumo.exe
          Command line: "C:\Users\Admin\AppData\Roaming\Yqet\gumo.exe"
          Signatures: Suspicious behavior: EnumeratesProcesses; Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp616034f7.bat"
        Signatures: Suspicious use of AdjustPrivilegeToken; Deletes itself
- C:\Windows\system32\conhost.exe
  Command line: \??\C:\Windows\system32\conhost.exe "1299250175497254299906257193764152138-1139181178-2023267812-12647999631510483355"
- C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
- C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Users\Admin\AppData\Local\Temp\tmp616034f7.bat
- C:\Users\Admin\AppData\Roaming\Syalv\wipeo.max
- C:\Users\Admin\AppData\Roaming\Yqet\gumo.exe
- C:\Users\Admin\AppData\Roaming\Yqet\gumo.exe
- C:\Users\Admin\AppData\Roaming\Yqet\gumo.exe
- \Users\Admin\AppData\Roaming\Yqet\gumo.exe
- \Users\Admin\AppData\Roaming\Yqet\gumo.exe
- memory/872-4-0x0000000000000000-mapping.dmp
- memory/1172-10-0x00000000004163A2-mapping.dmp
- memory/1172-0-0x0000000000400000-0x000000000041F000-memory.dmp (Filesize: 124KB)
- memory/1172-1-0x0000000000400000-0x000000000041F000-memory.dmp (Filesize: 124KB)
- memory/1512-11-0x0000000000000000-mapping.dmp
- memory/1512-12-0x0000000000000000-mapping.dmp