Analysis
- max time kernel: 150s
- max time network: 110s
- platform: windows10_x64
- resource: win10
- submitted: 19-07-2020 17:31
Static task: static1
Behavioral task: behavioral1
- Sample: zeusx_1.1.4.10.vir.exe
- Resource: win7 (windows7_x64)
- 0 signatures, 0 seconds
Behavioral task: behavioral2
- Sample: zeusx_1.1.4.10.vir.exe
- Resource: win10 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: zeusx_1.1.4.10.vir.exe
- Size: 145KB
- MD5: 35dd5d67c22cbcf5b4c5246ed7852534
- SHA1: 74b6ba155a7acd40a510184a239167c53cababfb
- SHA256: f5704734ab296a55510f0a43d7aa8981f4bba8a7a98ef108c99034e63dbc6678
- SHA512: 33cd8083fca09ab42518ecd9b9f759fe365310d4197fd345fe944337c7646927410ae7c8408cd3ba3348d57d3dad6716d359095bd97d1b7a857afc47c3fdb8c0
- Score: 8/10
Malware Config
Signatures
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: umduo.exe
  description     | ioc                                                                                                                                                                                                   | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\{C1B2A0AD-8722-634C-B27D-71E265F46B6B} = "C:\\Users\\Admin\\AppData\\Roaming\\Tepu\\umduo.exe" | umduo.exe
  Key created     | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\Currentversion\Run                                                                                             | umduo.exe
- Suspicious use of WriteProcessMemory (77 IoCs; the 64 rows listed on the page, grouped by source/target pair, page order preserved)
  Processes: zeusx_1.1.4.10.vir.exe, umduo.exe
  calls | source PID / process        | target PID / process
  8     | 3864 zeusx_1.1.4.10.vir.exe | 2448 zeusx_1.1.4.10.vir.exe
  3     | 2448 zeusx_1.1.4.10.vir.exe | 3812 umduo.exe
  8     | 3812 umduo.exe              | 3780 umduo.exe
  3     | 2448 zeusx_1.1.4.10.vir.exe | 3264 cmd.exe
  5     | 3780 umduo.exe              | 2672 sihost.exe
  5     | 3780 umduo.exe              | 2712 svchost.exe
  5     | 3780 umduo.exe              | 2812 taskhostw.exe
  5     | 3780 umduo.exe              | 3000 Explorer.EXE
  5     | 3780 umduo.exe              | 3140 ShellExperienceHost.exe
  5     | 3780 umduo.exe              | 3172 SearchUI.exe
  5     | 3780 umduo.exe              | 3388 RuntimeBroker.exe
  5     | 3780 umduo.exe              | 3588 DllHost.exe
  2     | 3780 umduo.exe              | 3536 backgroundTaskHost.exe
- Suspicious use of SetThreadContext (2 IoCs)
  Processes: zeusx_1.1.4.10.vir.exe, umduo.exe
  source PID / process        | target PID / process
  3864 zeusx_1.1.4.10.vir.exe | 2448 zeusx_1.1.4.10.vir.exe
  3812 umduo.exe              | 3780 umduo.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: zeusx_1.1.4.10.vir.exe
  Token: SeSecurityPrivilege | 2448 zeusx_1.1.4.10.vir.exe
- Executes dropped EXE (2 IoCs)
  Processes: umduo.exe
  3812 umduo.exe
  3780 umduo.exe
- Suspicious behavior: EnumeratesProcesses (62 IoCs)
  Processes: umduo.exe
  every listed event is from PID 3780 umduo.exe
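The WriteProcessMemory and SetThreadContext rows together are the process-hollowing trace: each stage starts a copy of its own image, overwrites that child's memory and replaces its thread context (3864 into 2448, then 3812 into 3780), and only the final umduo.exe (PID 3780) writes into processes that were already running in the user session. One caveat when reading such tables: process creation itself writes the new child's startup data into the child's address space, so a few writes into a process the writer has just spawned (2448 into its dropped umduo.exe and into cmd.exe here) are expected on their own and are not injection. The script below is an added example, not code from the report or from the sandbox vendor. It parses rows in the report's row format, with one line per distinct source/target pair transcribed from the tables above (the report lists each call once per occurrence), uses a parent map read off the process tree to separate spawned children from pre-existing targets, and returns the hollowing pairs and the fan-out of cross-process writes. The Event type, the function names and the SPAWNED map are the example's own.

```python
"""Reconstruct the injection chain from WriteProcessMemory / SetThreadContext
rows of a sandbox report (added example, not the report's or vendor's code)."""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple


class Event(NamedTuple):
    src: int
    action: str        # "write" or "set_context"
    dst: int
    src_image: str
    dst_image: str


# Row format used by the report: "PID <src> <action> <dst> <src> <src image> <dst image>".
# The source pid appears twice, so a backreference checks the row is consistent.
EVENT_RE = re.compile(
    r"PID (?P<src>\d+) (?P<action>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) (?P=src) (?P<src_image>\S+) (?P<dst_image>\S+)$"
)

# One row per distinct pair, transcribed from the report's signature tables.
EVENTS = """
PID 3864 wrote to memory of 2448 3864 zeusx_1.1.4.10.vir.exe zeusx_1.1.4.10.vir.exe
PID 2448 wrote to memory of 3812 2448 zeusx_1.1.4.10.vir.exe umduo.exe
PID 3812 wrote to memory of 3780 3812 umduo.exe umduo.exe
PID 2448 wrote to memory of 3264 2448 zeusx_1.1.4.10.vir.exe cmd.exe
PID 3780 wrote to memory of 2672 3780 umduo.exe sihost.exe
PID 3780 wrote to memory of 2712 3780 umduo.exe svchost.exe
PID 3780 wrote to memory of 2812 3780 umduo.exe taskhostw.exe
PID 3780 wrote to memory of 3000 3780 umduo.exe Explorer.EXE
PID 3780 wrote to memory of 3140 3780 umduo.exe ShellExperienceHost.exe
PID 3780 wrote to memory of 3172 3780 umduo.exe SearchUI.exe
PID 3780 wrote to memory of 3388 3780 umduo.exe RuntimeBroker.exe
PID 3780 wrote to memory of 3588 3780 umduo.exe DllHost.exe
PID 3780 wrote to memory of 3536 3780 umduo.exe backgroundTaskHost.exe
PID 3864 set thread context of 2448 3864 zeusx_1.1.4.10.vir.exe zeusx_1.1.4.10.vir.exe
PID 3812 set thread context of 3780 3812 umduo.exe umduo.exe
"""

# child pid -> parent pid, read off the report's process tree (example's own map)
SPAWNED = {2448: 3864, 3812: 2448, 3780: 3812, 3264: 2448}


def parse_events(text: str) -> List[Event]:
    """Parse report rows. A row that does not match the format raises instead of
    being skipped, so a changed report layout is noticed rather than hidden."""
    events = []
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        action = "write" if m["action"].startswith("wrote") else "set_context"
        events.append(Event(int(m["src"]), action, int(m["dst"]),
                            m["src_image"], m["dst_image"]))
    return events


def find_hollowing(events: List[Event]) -> List[Tuple[int, int, str]]:
    """(src, dst, dst image) for each pair where the same source both wrote the
    target's memory and replaced a thread context: the hollowing pattern
    (spawn suspended, overwrite the image, SetThreadContext, resume)."""
    writes = {(e.src, e.dst) for e in events if e.action == "write"}
    contexts = {(e.src, e.dst) for e in events if e.action == "set_context"}
    image = {(e.src, e.dst): e.dst_image for e in events}
    return sorted((s, d, image[(s, d)]) for s, d in writes & contexts)


def injection_targets(events: List[Event], spawned: Dict[int, int]) -> Dict[int, Set[str]]:
    """writer pid -> images of pre-existing processes it wrote into. Writes into
    a process the writer itself spawned are excluded: those are either the
    writes process creation performs or hollowing, which is reported separately."""
    targets: Dict[int, Set[str]] = defaultdict(set)
    for e in events:
        if e.action == "write" and spawned.get(e.dst) != e.src:
            targets[e.src].add(e.dst_image)
    return dict(targets)


if __name__ == "__main__":
    evs = parse_events(EVENTS)
    for src, dst, img in find_hollowing(evs):
        print(f"hollowing: {src} -> {dst} ({img})")
    for pid, images in injection_targets(evs, SPAWNED).items():
        print(f"pid {pid} wrote into {len(images)} existing processes: {sorted(images)}")
```

Run against the transcribed rows, the script reports the two hollowing pairs and a single injecting process, PID 3780, with nine pre-existing targets; 2448's writes into its own children drop out once the parent map is applied. The per-pair call counts (8 for a hollowed child, 5 for each existing process, 3 for a plain spawn) are what the report shows for this run and are a useful second signal, but they are not used by the code.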
Processes
(depth in brackets, indentation shows parent/child; signatures are the ones the report attaches to each process)
[1] c:\windows\system32\sihost.exe
    command line: sihost.exe
[1] c:\windows\system32\svchost.exe
    command line: c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
[1] c:\windows\system32\taskhostw.exe
    command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
[1] C:\Windows\Explorer.EXE
    command line: C:\Windows\Explorer.EXE
    [2] C:\Users\Admin\AppData\Local\Temp\zeusx_1.1.4.10.vir.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\zeusx_1.1.4.10.vir.exe"
        signatures: Suspicious use of WriteProcessMemory; Suspicious use of SetThreadContext
        [3] C:\Users\Admin\AppData\Local\Temp\zeusx_1.1.4.10.vir.exe
            command line: "C:\Users\Admin\AppData\Local\Temp\zeusx_1.1.4.10.vir.exe"
            signatures: Suspicious use of WriteProcessMemory; Suspicious use of AdjustPrivilegeToken
            [4] C:\Users\Admin\AppData\Roaming\Tepu\umduo.exe
                command line: "C:\Users\Admin\AppData\Roaming\Tepu\umduo.exe"
                signatures: Suspicious use of WriteProcessMemory; Suspicious use of SetThreadContext; Executes dropped EXE
                [5] C:\Users\Admin\AppData\Roaming\Tepu\umduo.exe
                    command line: "C:\Users\Admin\AppData\Roaming\Tepu\umduo.exe"
                    signatures: Adds Run key to start application; Suspicious use of WriteProcessMemory; Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
            [4] C:\Windows\SysWOW64\cmd.exe
                command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpadbe192f.bat"
                [5] C:\Windows\System32\Conhost.exe
                    command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
[1] C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
    command line: "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
[1] C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
    command line: "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
[1] C:\Windows\System32\RuntimeBroker.exe
    command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
[1] C:\Windows\system32\DllHost.exe
    command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
[1] C:\Windows\system32\backgroundTaskHost.exe
    command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppXy7vb4pc2dr3kc93kfc509b1d0arkfb2x.mca
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpadbe192f.bat
- C:\Users\Admin\AppData\Roaming\Tepu\umduo.exe (listed three times)
- memory/2448-0-0x0000000000400000-0x000000000041F000-memory.dmp (filesize 124KB)
- memory/2448-1-0x0000000000400000-0x000000000041F000-memory.dmp (filesize 124KB)
- memory/3264-7-0x0000000000000000-mapping.dmp
- memory/3264-9-0x0000000000000000-mapping.dmp
- memory/3812-2-0x0000000000000000-mapping.dmp
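The persistence IoC and the dropped files line up: the Run value {C1B2A0AD-8722-634C-B27D-71E265F46B6B} under the user's HKCU hive points at C:\Users\Admin\AppData\Roaming\Tepu\umduo.exe, which is the file listed under Downloads, and a GUID-style value name in a user-writable directory is a weak but cheap signal on its own. The script below is an added example, not code from the report or from the sandbox vendor. It parses a "Set value" row in the report's format (the "Key created" row carries no data and is not handled), unescapes the doubled backslashes the report uses in value data, and scores the entry on three checks: GUID-style value name, target under AppData\Roaming or AppData\Local\Temp, and a match against the dropped-file list. The sample row is the one from this report; the OneDrive row is constructed for contrast; the check names, weights and verdict thresholds are the example's own.

```python
"""Triage an "Adds Run key" IoC row against the files the sample dropped
(added example, not the report's or vendor's code)."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable

# "Set value (<type>) \REGISTRY\...\Run\<name> = "<data>"" as printed by the report
RUN_VALUE_RE = re.compile(
    r'Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\\S+?\\Run)\\(?P<name>[^\\ ]+) = "(?P<data>.*)"'
)
GUID_NAME_RE = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.IGNORECASE)
# Directories a user-mode dropper can write without elevation; example's own choice.
DROPPER_DIR_RE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\AppData\\(?:Roaming|Local\\Temp)\\", re.IGNORECASE)
EXE_RE = re.compile(r'^"?(?P<exe>[^"]*?\.exe)', re.IGNORECASE)

# Row from this report's "Adds Run key" signature.
RUN_KEY_IOC = (r'Set value (str) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000'
               r'\Software\Microsoft\Windows\CurrentVersion\Run\{C1B2A0AD-8722-634C-B27D-71E265F46B6B}'
               r' = "C:\\Users\\Admin\\AppData\\Roaming\\Tepu\\umduo.exe"')
# Constructed benign row for contrast (not from the report).
BENIGN_IOC = (r'Set value (str) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000'
              r'\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive'
              r' = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"')
# Paths from the report's Downloads section.
DROPPED_FILES = [
    r"C:\Users\Admin\AppData\Local\Temp\tmpadbe192f.bat",
    r"C:\Users\Admin\AppData\Roaming\Tepu\umduo.exe",
]


@dataclass
class RunEntry:
    key: str
    name: str
    data: str   # value data with the report's doubled backslashes undone
    exe: str    # the executable the value launches (arguments stripped)


def parse_run_ioc(row: str) -> RunEntry:
    m = RUN_VALUE_RE.match(row.strip())
    if not m:
        raise ValueError(f"not a Run value row: {row!r}")
    data = m["data"].replace("\\\\", "\\")
    e = EXE_RE.match(data)
    return RunEntry(m["key"], m["name"], data, e["exe"] if e else data)


def assess(entry: RunEntry, dropped: Iterable[str]) -> Dict[str, object]:
    """Score the entry; weights and thresholds are this example's own."""
    dropped_lc = {p.lower() for p in dropped}
    findings: Dict[str, object] = {
        "guid_name": bool(GUID_NAME_RE.match(entry.name)),
        "dropper_dir": bool(DROPPER_DIR_RE.match(entry.exe)),
        "matches_dropped_file": entry.exe.lower() in dropped_lc,
    }
    weights = {"guid_name": 2, "dropper_dir": 1, "matches_dropped_file": 2}
    score = sum(w for k, w in weights.items() if findings[k])
    findings["score"] = score
    findings["verdict"] = "persistence" if score >= 3 else ("review" if score else "benign")
    return findings


if __name__ == "__main__":
    for row in (RUN_KEY_IOC, BENIGN_IOC):
        entry = parse_run_ioc(row)
        print(entry.name, "->", entry.exe, assess(entry, DROPPED_FILES))
```

The report's row scores on all three checks and comes out as persistence; the constructed OneDrive row, whose value name is descriptive and whose target sits under AppData\Local\Microsoft rather than Roaming or Temp, scores zero. The dropped-file match is the strongest of the three because it ties the Run value to something the sample itself wrote during the run, independent of how the name or path looks.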