f5704734ab296a55510f0a43d7aa8981f4bba8a7a98ef108c99034e63dbc6678

General

Target

zeusx_1.1.4.10.vir.exe
Size

145KB
MD5

35dd5d67c22cbcf5b4c5246ed7852534
SHA1

74b6ba155a7acd40a510184a239167c53cababfb
SHA256

f5704734ab296a55510f0a43d7aa8981f4bba8a7a98ef108c99034e63dbc6678
SHA512

33cd8083fca09ab42518ecd9b9f759fe365310d4197fd345fe944337c7646927410ae7c8408cd3ba3348d57d3dad6716d359095bd97d1b7a857afc47c3fdb8c0

Score

8^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

umduo.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\{C1B2A0AD-8722-634C-B27D-71E265F46B6B} = "C:\\Users\\Admin\\AppData\\Roaming\\Tepu\\umduo.exe"	umduo.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\Currentversion\Run	umduo.exe

Suspicious use of WriteProcessMemory 77 IoCs

Processes:

zeusx_1.1.4.10.vir.exezeusx_1.1.4.10.vir.exeumduo.exeumduo.exe

description	pid	process	target process
PID 3864 wrote to memory of 2448	3864	zeusx_1.1.4.10.vir.exe	zeusx_1.1.4.10.vir.exe
PID 3864 wrote to memory of 2448	3864	zeusx_1.1.4.10.vir.exe	zeusx_1.1.4.10.vir.exe
PID 3864 wrote to memory of 2448	3864	zeusx_1.1.4.10.vir.exe	zeusx_1.1.4.10.vir.exe
PID 3864 wrote to memory of 2448	3864	zeusx_1.1.4.10.vir.exe	zeusx_1.1.4.10.vir.exe
PID 3864 wrote to memory of 2448	3864	zeusx_1.1.4.10.vir.exe	zeusx_1.1.4.10.vir.exe
PID 3864 wrote to memory of 2448	3864	zeusx_1.1.4.10.vir.exe	zeusx_1.1.4.10.vir.exe
PID 3864 wrote to memory of 2448	3864	zeusx_1.1.4.10.vir.exe	zeusx_1.1.4.10.vir.exe
PID 3864 wrote to memory of 2448	3864	zeusx_1.1.4.10.vir.exe	zeusx_1.1.4.10.vir.exe
PID 2448 wrote to memory of 3812	2448	zeusx_1.1.4.10.vir.exe	umduo.exe
PID 2448 wrote to memory of 3812	2448	zeusx_1.1.4.10.vir.exe	umduo.exe
PID 2448 wrote to memory of 3812	2448	zeusx_1.1.4.10.vir.exe	umduo.exe
PID 3812 wrote to memory of 3780	3812	umduo.exe	umduo.exe
PID 3812 wrote to memory of 3780	3812	umduo.exe	umduo.exe
PID 3812 wrote to memory of 3780	3812	umduo.exe	umduo.exe
PID 3812 wrote to memory of 3780	3812	umduo.exe	umduo.exe
PID 3812 wrote to memory of 3780	3812	umduo.exe	umduo.exe
PID 3812 wrote to memory of 3780	3812	umduo.exe	umduo.exe
PID 3812 wrote to memory of 3780	3812	umduo.exe	umduo.exe
PID 3812 wrote to memory of 3780	3812	umduo.exe	umduo.exe
PID 2448 wrote to memory of 3264	2448	zeusx_1.1.4.10.vir.exe	cmd.exe
PID 2448 wrote to memory of 3264	2448	zeusx_1.1.4.10.vir.exe	cmd.exe
PID 2448 wrote to memory of 3264	2448	zeusx_1.1.4.10.vir.exe	cmd.exe
PID 3780 wrote to memory of 2672	3780	umduo.exe	sihost.exe
PID 3780 wrote to memory of 2672	3780	umduo.exe	sihost.exe
PID 3780 wrote to memory of 2672	3780	umduo.exe	sihost.exe
PID 3780 wrote to memory of 2672	3780	umduo.exe	sihost.exe
PID 3780 wrote to memory of 2672	3780	umduo.exe	sihost.exe
PID 3780 wrote to memory of 2712	3780	umduo.exe	svchost.exe
PID 3780 wrote to memory of 2712	3780	umduo.exe	svchost.exe
PID 3780 wrote to memory of 2712	3780	umduo.exe	svchost.exe
PID 3780 wrote to memory of 2712	3780	umduo.exe	svchost.exe
PID 3780 wrote to memory of 2712	3780	umduo.exe	svchost.exe
PID 3780 wrote to memory of 2812	3780	umduo.exe	taskhostw.exe
PID 3780 wrote to memory of 2812	3780	umduo.exe	taskhostw.exe
PID 3780 wrote to memory of 2812	3780	umduo.exe	taskhostw.exe
PID 3780 wrote to memory of 2812	3780	umduo.exe	taskhostw.exe
PID 3780 wrote to memory of 2812	3780	umduo.exe	taskhostw.exe
PID 3780 wrote to memory of 3000	3780	umduo.exe	Explorer.EXE
PID 3780 wrote to memory of 3000	3780	umduo.exe	Explorer.EXE
PID 3780 wrote to memory of 3000	3780	umduo.exe	Explorer.EXE
PID 3780 wrote to memory of 3000	3780	umduo.exe	Explorer.EXE
PID 3780 wrote to memory of 3000	3780	umduo.exe	Explorer.EXE
PID 3780 wrote to memory of 3140	3780	umduo.exe	ShellExperienceHost.exe
PID 3780 wrote to memory of 3140	3780	umduo.exe	ShellExperienceHost.exe
PID 3780 wrote to memory of 3140	3780	umduo.exe	ShellExperienceHost.exe
PID 3780 wrote to memory of 3140	3780	umduo.exe	ShellExperienceHost.exe
PID 3780 wrote to memory of 3140	3780	umduo.exe	ShellExperienceHost.exe
PID 3780 wrote to memory of 3172	3780	umduo.exe	SearchUI.exe
PID 3780 wrote to memory of 3172	3780	umduo.exe	SearchUI.exe
PID 3780 wrote to memory of 3172	3780	umduo.exe	SearchUI.exe
PID 3780 wrote to memory of 3172	3780	umduo.exe	SearchUI.exe
PID 3780 wrote to memory of 3172	3780	umduo.exe	SearchUI.exe
PID 3780 wrote to memory of 3388	3780	umduo.exe	RuntimeBroker.exe
PID 3780 wrote to memory of 3388	3780	umduo.exe	RuntimeBroker.exe
PID 3780 wrote to memory of 3388	3780	umduo.exe	RuntimeBroker.exe
PID 3780 wrote to memory of 3388	3780	umduo.exe	RuntimeBroker.exe
PID 3780 wrote to memory of 3388	3780	umduo.exe	RuntimeBroker.exe
PID 3780 wrote to memory of 3588	3780	umduo.exe	DllHost.exe
PID 3780 wrote to memory of 3588	3780	umduo.exe	DllHost.exe
PID 3780 wrote to memory of 3588	3780	umduo.exe	DllHost.exe
PID 3780 wrote to memory of 3588	3780	umduo.exe	DllHost.exe
PID 3780 wrote to memory of 3588	3780	umduo.exe	DllHost.exe
PID 3780 wrote to memory of 3536	3780	umduo.exe	backgroundTaskHost.exe
PID 3780 wrote to memory of 3536	3780	umduo.exe	backgroundTaskHost.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

zeusx_1.1.4.10.vir.exeumduo.exe

description	pid	process	target process
PID 3864 set thread context of 2448	3864	zeusx_1.1.4.10.vir.exe	zeusx_1.1.4.10.vir.exe
PID 3812 set thread context of 3780	3812	umduo.exe	umduo.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

zeusx_1.1.4.10.vir.exe

description pid process

Token: SeSecurityPrivilege 2448 zeusx_1.1.4.10.vir.exe
Executes dropped EXE 2 IoCs

Processes:

umduo.exeumduo.exe

pid process

3812 umduo.exe
3780 umduo.exe

description	pid	process
Token: SeSecurityPrivilege	2448	zeusx_1.1.4.10.vir.exe

pid	process
3812	umduo.exe
3780	umduo.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

Processes:

umduo.exe

pid	process
3780	umduo.exe
3780	umduo.exe
3780	umduo.exe
3780	umduo.exe
3780	umduo.exe
3780	umduo.exe
3780	umduo.exe
3780	umduo.exe
3780	umduo.exe
3780	umduo.exe
3780	umduo.exe
3780	umduo.exe
3780	umduo.exe
3780	umduo.exe
3780	umduo.exe
3780	umduo.exe
3780	umduo.exe
3780	umduo.exe
3780	umduo.exe
3780	umduo.exe
3780	umduo.exe
3780	umduo.exe
3780	umduo.exe
3780	umduo.exe
3780	umduo.exe
3780	umduo.exe
3780	umduo.exe
3780	umduo.exe
3780	umduo.exe
3780	umduo.exe
3780	umduo.exe
3780	umduo.exe
3780	umduo.exe
3780	umduo.exe
3780	umduo.exe
3780	umduo.exe
3780	umduo.exe
3780	umduo.exe
3780	umduo.exe
3780	umduo.exe
3780	umduo.exe
3780	umduo.exe
3780	umduo.exe
3780	umduo.exe
3780	umduo.exe
3780	umduo.exe
3780	umduo.exe
3780	umduo.exe
3780	umduo.exe
3780	umduo.exe
3780	umduo.exe
3780	umduo.exe
3780	umduo.exe
3780	umduo.exe
3780	umduo.exe
3780	umduo.exe
3780	umduo.exe
3780	umduo.exe
3780	umduo.exe
3780	umduo.exe
3780	umduo.exe
3780	umduo.exe

c:\windows\system32\sihost.exe
sihost.exe
1⤵
PID:2672

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2712

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2812

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3000

C:\Users\Admin\AppData\Local\Temp\zeusx_1.1.4.10.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zeusx_1.1.4.10.vir.exe"
2⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
PID:3864

C:\Users\Admin\AppData\Local\Temp\zeusx_1.1.4.10.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zeusx_1.1.4.10.vir.exe"
3⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
PID:2448

C:\Users\Admin\AppData\Roaming\Tepu\umduo.exe
"C:\Users\Admin\AppData\Roaming\Tepu\umduo.exe"
4⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
- Executes dropped EXE
PID:3812

C:\Users\Admin\AppData\Roaming\Tepu\umduo.exe
"C:\Users\Admin\AppData\Roaming\Tepu\umduo.exe"
5⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3780

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpadbe192f.bat"
4⤵
PID:3264

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:3848

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
PID:3140

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
PID:3172

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3388

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3588

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppXy7vb4pc2dr3kc93kfc509b1d0arkfb2x.mca
1⤵
PID:3536

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpadbe192f.bat

Download Submit
C:\Users\Admin\AppData\Roaming\Tepu\umduo.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Tepu\umduo.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Tepu\umduo.exe

Download Submit
memory/2448-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2448-1-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3264-7-0x0000000000000000-mapping.dmp

Download
memory/3264-9-0x0000000000000000-mapping.dmp

Download
memory/3812-2-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads