65bb15f0e438e2c4334b1c3a83cbcb465cee8173a93dcb3ec4cb8e2237b57707

General

Target

zeusx_1.1.4.1.vir.exe
Size

145KB
MD5

fa3efd43540aa0685ccc1b83ef61609d
SHA1

2f91156e75565f0e13e32c22a76739813ae7553b
SHA256

65bb15f0e438e2c4334b1c3a83cbcb465cee8173a93dcb3ec4cb8e2237b57707
SHA512

183c8bc925e75e1b23ff1f83b60ced35679444c50e07515d7deed7a0823bede5f028f519281215e73f85db641923ad1dcfa75230584f3034db13d752033fa3f0

Score

8^/10

persistence

Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

zeusx_1.1.4.1.vir.exe

description	pid	process
Token: SeSecurityPrivilege	2040	zeusx_1.1.4.1.vir.exe
Token: SeSecurityPrivilege	2040	zeusx_1.1.4.1.vir.exe
Token: SeSecurityPrivilege	2040	zeusx_1.1.4.1.vir.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

zeusx_1.1.4.1.vir.exeuxxuo.exe

description	pid	process	target process
PID 2040 wrote to memory of 844	2040	zeusx_1.1.4.1.vir.exe	uxxuo.exe
PID 2040 wrote to memory of 844	2040	zeusx_1.1.4.1.vir.exe	uxxuo.exe
PID 2040 wrote to memory of 844	2040	zeusx_1.1.4.1.vir.exe	uxxuo.exe
PID 2040 wrote to memory of 844	2040	zeusx_1.1.4.1.vir.exe	uxxuo.exe
PID 844 wrote to memory of 1136	844	uxxuo.exe	taskhost.exe
PID 844 wrote to memory of 1136	844	uxxuo.exe	taskhost.exe
PID 844 wrote to memory of 1136	844	uxxuo.exe	taskhost.exe
PID 844 wrote to memory of 1136	844	uxxuo.exe	taskhost.exe
PID 844 wrote to memory of 1136	844	uxxuo.exe	taskhost.exe
PID 844 wrote to memory of 1216	844	uxxuo.exe	Dwm.exe
PID 844 wrote to memory of 1216	844	uxxuo.exe	Dwm.exe
PID 844 wrote to memory of 1216	844	uxxuo.exe	Dwm.exe
PID 844 wrote to memory of 1216	844	uxxuo.exe	Dwm.exe
PID 844 wrote to memory of 1216	844	uxxuo.exe	Dwm.exe
PID 844 wrote to memory of 1256	844	uxxuo.exe	Explorer.EXE
PID 844 wrote to memory of 1256	844	uxxuo.exe	Explorer.EXE
PID 844 wrote to memory of 1256	844	uxxuo.exe	Explorer.EXE
PID 844 wrote to memory of 1256	844	uxxuo.exe	Explorer.EXE
PID 844 wrote to memory of 1256	844	uxxuo.exe	Explorer.EXE
PID 844 wrote to memory of 2040	844	uxxuo.exe	zeusx_1.1.4.1.vir.exe
PID 844 wrote to memory of 2040	844	uxxuo.exe	zeusx_1.1.4.1.vir.exe
PID 844 wrote to memory of 2040	844	uxxuo.exe	zeusx_1.1.4.1.vir.exe
PID 844 wrote to memory of 2040	844	uxxuo.exe	zeusx_1.1.4.1.vir.exe
PID 844 wrote to memory of 2040	844	uxxuo.exe	zeusx_1.1.4.1.vir.exe
PID 2040 wrote to memory of 1420	2040	zeusx_1.1.4.1.vir.exe	cmd.exe
PID 2040 wrote to memory of 1420	2040	zeusx_1.1.4.1.vir.exe	cmd.exe
PID 2040 wrote to memory of 1420	2040	zeusx_1.1.4.1.vir.exe	cmd.exe
PID 2040 wrote to memory of 1420	2040	zeusx_1.1.4.1.vir.exe	cmd.exe
PID 2040 wrote to memory of 1420	2040	zeusx_1.1.4.1.vir.exe	cmd.exe
PID 2040 wrote to memory of 1420	2040	zeusx_1.1.4.1.vir.exe	cmd.exe
PID 2040 wrote to memory of 1420	2040	zeusx_1.1.4.1.vir.exe	cmd.exe
PID 2040 wrote to memory of 1420	2040	zeusx_1.1.4.1.vir.exe	cmd.exe
PID 2040 wrote to memory of 1420	2040	zeusx_1.1.4.1.vir.exe	cmd.exe
PID 844 wrote to memory of 796	844	uxxuo.exe	DllHost.exe
PID 844 wrote to memory of 796	844	uxxuo.exe	DllHost.exe
PID 844 wrote to memory of 796	844	uxxuo.exe	DllHost.exe
PID 844 wrote to memory of 796	844	uxxuo.exe	DllHost.exe
PID 844 wrote to memory of 796	844	uxxuo.exe	DllHost.exe
PID 844 wrote to memory of 1056	844	uxxuo.exe	DllHost.exe
PID 844 wrote to memory of 1056	844	uxxuo.exe	DllHost.exe
PID 844 wrote to memory of 1056	844	uxxuo.exe	DllHost.exe
PID 844 wrote to memory of 1056	844	uxxuo.exe	DllHost.exe
PID 844 wrote to memory of 1056	844	uxxuo.exe	DllHost.exe
PID 844 wrote to memory of 1808	844	uxxuo.exe	DllHost.exe
PID 844 wrote to memory of 1808	844	uxxuo.exe	DllHost.exe
PID 844 wrote to memory of 1808	844	uxxuo.exe	DllHost.exe
PID 844 wrote to memory of 1808	844	uxxuo.exe	DllHost.exe
PID 844 wrote to memory of 1808	844	uxxuo.exe	DllHost.exe

Executes dropped EXE 1 IoCs

Processes:

uxxuo.exe

pid process

844 uxxuo.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

zeusx_1.1.4.1.vir.exeuxxuo.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	zeusx_1.1.4.1.vir.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	uxxuo.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

zeusx_1.1.4.1.vir.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Privacy	zeusx_1.1.4.1.vir.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	zeusx_1.1.4.1.vir.exe

Loads dropped DLL 2 IoCs

Processes:

zeusx_1.1.4.1.vir.exe

pid process

2040 zeusx_1.1.4.1.vir.exe
2040 zeusx_1.1.4.1.vir.exe

pid	process
2040	zeusx_1.1.4.1.vir.exe
2040	zeusx_1.1.4.1.vir.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

Processes:

uxxuo.exe

pid	process
844	uxxuo.exe
844	uxxuo.exe
844	uxxuo.exe
844	uxxuo.exe
844	uxxuo.exe
844	uxxuo.exe
844	uxxuo.exe
844	uxxuo.exe
844	uxxuo.exe
844	uxxuo.exe
844	uxxuo.exe
844	uxxuo.exe
844	uxxuo.exe
844	uxxuo.exe
844	uxxuo.exe
844	uxxuo.exe
844	uxxuo.exe
844	uxxuo.exe
844	uxxuo.exe
844	uxxuo.exe
844	uxxuo.exe
844	uxxuo.exe
844	uxxuo.exe
844	uxxuo.exe
844	uxxuo.exe
844	uxxuo.exe
844	uxxuo.exe
844	uxxuo.exe
844	uxxuo.exe
844	uxxuo.exe
844	uxxuo.exe
844	uxxuo.exe
844	uxxuo.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

zeusx_1.1.4.1.vir.exe

description pid process target process

PID 2040 set thread context of 1420 2040 zeusx_1.1.4.1.vir.exe cmd.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1420 cmd.exe

description	pid	process	target process
PID 2040 set thread context of 1420	2040	zeusx_1.1.4.1.vir.exe	cmd.exe

pid	process
1420	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

uxxuo.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\Currentversion\Run	uxxuo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\{7CFA2761-DB00-2EB5-7BCD-0695C942D0FC} = "C:\\Users\\Admin\\AppData\\Roaming\\Eczyny\\uxxuo.exe"	uxxuo.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1136

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1216

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1256

C:\Users\Admin\AppData\Local\Temp\zeusx_1.1.4.1.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zeusx_1.1.4.1.vir.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- Checks BIOS information in registry
- Modifies Internet Explorer settings
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:2040

C:\Users\Admin\AppData\Roaming\Eczyny\uxxuo.exe
"C:\Users\Admin\AppData\Roaming\Eczyny\uxxuo.exe"
3⤵
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
- Checks BIOS information in registry
- Suspicious behavior: EnumeratesProcesses
- Adds Run key to start application
PID:844

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp8413eba7.bat"
3⤵
- Deletes itself
PID:1420

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:796

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1056

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1808

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp8413eba7.bat

Download Submit
C:\Users\Admin\AppData\Roaming\Eczyny\uxxuo.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Eczyny\uxxuo.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Liti\wova.mou

Download Submit
\Users\Admin\AppData\Roaming\Eczyny\uxxuo.exe

Download Submit
\Users\Admin\AppData\Roaming\Eczyny\uxxuo.exe

Download Submit
memory/844-2-0x0000000000000000-mapping.dmp

Download
memory/1420-5-0x0000000000050000-0x000000000006A000-memory.dmp

Filesize
104KB

Download
memory/1420-7-0x00000000000576F0-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads