51d91d2e7e9aeee2a291dc1f7eadd9e422d159aef4cf902ef9038d951527636f

General

Target

zeus 1_1.4.1.2.vir.exe
Size

73KB
MD5

9d2d10f4c5c119ca971bef004f123a01
SHA1

272f976b647b7343dcb33af4cbff81a64b2a9cf1
SHA256

51d91d2e7e9aeee2a291dc1f7eadd9e422d159aef4cf902ef9038d951527636f
SHA512

cb5a0e6a022c566992ef834559ae510f7fc80d6c6ca51d6e5ccb2ced9193c6a87095c93f09ef576d4e0f985e85fa20f10d83aef0660f60bff89acb754b570c7b

Score

10^/10

persistence

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

zeus 1_1.4.1.2.vir.exe

pid process

1616 zeus 1_1.4.1.2.vir.exe
1616 zeus 1_1.4.1.2.vir.exe

pid	process
1616	zeus 1_1.4.1.2.vir.exe
1616	zeus 1_1.4.1.2.vir.exe

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

zeus 1_1.4.1.2.vir.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,C:\\Windows\\host32.exe,"	zeus 1_1.4.1.2.vir.exe

Drops file in Windows directory 2 IoCs

Processes:

zeus 1_1.4.1.2.vir.exe

description ioc process

File opened for modification C:\Windows\host32.exe zeus 1_1.4.1.2.vir.exe
File created C:\Windows\host32.exe zeus 1_1.4.1.2.vir.exe

description	ioc	process
File opened for modification	C:\Windows\host32.exe	zeus 1_1.4.1.2.vir.exe
File created	C:\Windows\host32.exe	zeus 1_1.4.1.2.vir.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

zeus 1_1.4.1.2.vir.exe

description	pid	process	target process
PID 112 wrote to memory of 1616	112	zeus 1_1.4.1.2.vir.exe	zeus 1_1.4.1.2.vir.exe
PID 112 wrote to memory of 1616	112	zeus 1_1.4.1.2.vir.exe	zeus 1_1.4.1.2.vir.exe
PID 112 wrote to memory of 1616	112	zeus 1_1.4.1.2.vir.exe	zeus 1_1.4.1.2.vir.exe
PID 112 wrote to memory of 1616	112	zeus 1_1.4.1.2.vir.exe	zeus 1_1.4.1.2.vir.exe
PID 112 wrote to memory of 1616	112	zeus 1_1.4.1.2.vir.exe	zeus 1_1.4.1.2.vir.exe
PID 112 wrote to memory of 1616	112	zeus 1_1.4.1.2.vir.exe	zeus 1_1.4.1.2.vir.exe
PID 112 wrote to memory of 1616	112	zeus 1_1.4.1.2.vir.exe	zeus 1_1.4.1.2.vir.exe
PID 112 wrote to memory of 1616	112	zeus 1_1.4.1.2.vir.exe	zeus 1_1.4.1.2.vir.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

zeus 1_1.4.1.2.vir.exe

description pid process target process

PID 112 set thread context of 1616 112 zeus 1_1.4.1.2.vir.exe zeus 1_1.4.1.2.vir.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

zeus 1_1.4.1.2.vir.exe

description pid process

Token: SeDebugPrivilege 1616 zeus 1_1.4.1.2.vir.exe

description	pid	process	target process
PID 112 set thread context of 1616	112	zeus 1_1.4.1.2.vir.exe	zeus 1_1.4.1.2.vir.exe

description	pid	process
Token: SeDebugPrivilege	1616	zeus 1_1.4.1.2.vir.exe

C:\Users\Admin\AppData\Local\Temp\zeus 1_1.4.1.2.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zeus 1_1.4.1.2.vir.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
PID:112

C:\Users\Admin\AppData\Local\Temp\zeus 1_1.4.1.2.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zeus 1_1.4.1.2.vir.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Modifies WinLogon for persistence
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1616

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1616-1-0x000000000040A632-mapping.dmp

Download
memory/1616-0-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1616-2-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing