Analysis
- max time kernel: 150s
- max time network: 119s
- platform: windows7_x64
- resource: win7
- submitted: 19-07-2020 19:46

Static task: static1

Behavioral task: behavioral1
- Sample: zeusx_1.1.4.1.vir.exe
- Resource: win7 (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: zeusx_1.1.4.1.vir.exe
- Resource: win10 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: zeusx_1.1.4.1.vir.exe
- Size: 145KB
- MD5: fa3efd43540aa0685ccc1b83ef61609d
- SHA1: 2f91156e75565f0e13e32c22a76739813ae7553b
- SHA256: 65bb15f0e438e2c4334b1c3a83cbcb465cee8173a93dcb3ec4cb8e2237b57707
- SHA512: 183c8bc925e75e1b23ff1f83b60ced35679444c50e07515d7deed7a0823bede5f028f519281215e73f85db641923ad1dcfa75230584f3034db13d752033fa3f0

Score: 8/10
Malware Config
Signatures
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
  description                 pid   process
  Token: SeSecurityPrivilege  2040  zeusx_1.1.4.1.vir.exe
  Token: SeSecurityPrivilege  2040  zeusx_1.1.4.1.vir.exe
  Token: SeSecurityPrivilege  2040  zeusx_1.1.4.1.vir.exe
-
Suspicious use of WriteProcessMemory 48 IoCs
Processes:
  description                       pid   process                target process         count
  PID 2040 wrote to memory of 844   2040  zeusx_1.1.4.1.vir.exe  uxxuo.exe              4
  PID 844 wrote to memory of 1136   844   uxxuo.exe              taskhost.exe           5
  PID 844 wrote to memory of 1216   844   uxxuo.exe              Dwm.exe                5
  PID 844 wrote to memory of 1256   844   uxxuo.exe              Explorer.EXE           5
  PID 844 wrote to memory of 2040   844   uxxuo.exe              zeusx_1.1.4.1.vir.exe  5
  PID 2040 wrote to memory of 1420  2040  zeusx_1.1.4.1.vir.exe  cmd.exe                9
  PID 844 wrote to memory of 796    844   uxxuo.exe              DllHost.exe            5
  PID 844 wrote to memory of 1056   844   uxxuo.exe              DllHost.exe            5
  PID 844 wrote to memory of 1808   844   uxxuo.exe              DllHost.exe            5
  (48 entries in total; identical rows collapsed, with the number of occurrences in the count column)
-
Executes dropped EXE 1 IoCs
Processes:
  pid  process
  844  uxxuo.exe
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
  description        ioc                                                             process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  zeusx_1.1.4.1.vir.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  uxxuo.exe
-
Modifies Internet Explorer settings 2 IoCs
Processes:
  description      ioc                                                                                                                  process
  Key created      \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Privacy                     zeusx_1.1.4.1.vir.exe
  Set value (int)  \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"  zeusx_1.1.4.1.vir.exe
-
Loads dropped DLL 2 IoCs
Processes:
  pid   process
  2040  zeusx_1.1.4.1.vir.exe
  2040  zeusx_1.1.4.1.vir.exe
-
Suspicious behavior: EnumeratesProcesses 33 IoCs
Processes:
  pid  process
  844  uxxuo.exe
  (33 identical entries, collapsed)
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
  description                           pid   process                target process
  PID 2040 set thread context of 1420   2040  zeusx_1.1.4.1.vir.exe  cmd.exe
-
Deletes itself 1 IoCs
Processes:
  pid   process
  1420  cmd.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
  description      ioc                                                                                                                                                                                   process
  Key created      \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\Currentversion\Run                                                                               uxxuo.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\{7CFA2761-DB00-2EB5-7BCD-0695C942D0FC} = "C:\\Users\\Admin\\AppData\\Roaming\\Eczyny\\uxxuo.exe"  uxxuo.exe
Processes (indented by depth in the process tree)
-
C:\Windows\system32\taskhost.exe (depth 1)
  Command line: "taskhost.exe"
-
C:\Windows\system32\Dwm.exe (depth 1)
  Command line: "C:\Windows\system32\Dwm.exe"
-
C:\Windows\Explorer.EXE (depth 1)
  Command line: C:\Windows\Explorer.EXE
-
  C:\Users\Admin\AppData\Local\Temp\zeusx_1.1.4.1.vir.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\zeusx_1.1.4.1.vir.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - Checks BIOS information in registry
    - Modifies Internet Explorer settings
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
-
    C:\Users\Admin\AppData\Roaming\Eczyny\uxxuo.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Roaming\Eczyny\uxxuo.exe"
      - Suspicious use of WriteProcessMemory
      - Executes dropped EXE
      - Checks BIOS information in registry
      - Suspicious behavior: EnumeratesProcesses
      - Adds Run key to start application
-
    C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp8413eba7.bat"
      - Deletes itself
-
C:\Windows\system32\DllHost.exe (depth 1)
  Command line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
-
C:\Windows\system32\DllHost.exe (depth 1)
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
-
C:\Windows\system32\DllHost.exe (depth 1)
  Command line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp8413eba7.bat
- C:\Users\Admin\AppData\Roaming\Eczyny\uxxuo.exe
- C:\Users\Admin\AppData\Roaming\Eczyny\uxxuo.exe
- C:\Users\Admin\AppData\Roaming\Liti\wova.mou
- \Users\Admin\AppData\Roaming\Eczyny\uxxuo.exe
- \Users\Admin\AppData\Roaming\Eczyny\uxxuo.exe
- memory/844-2-0x0000000000000000-mapping.dmp
- memory/1420-5-0x0000000000050000-0x000000000006A000-memory.dmp (Filesize: 104KB)
- memory/1420-7-0x00000000000576F0-mapping.dmp