Analysis
- max time kernel: 151s
- max time network: 104s
- platform: windows7_x64
- resource: win7v200430
- submitted: 19-07-2020 16:34
Static task: static1

Behavioral task: behavioral1
- Sample: zeus 2_2.1.0.2.vir.exe
- Resource: win7v200430 (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: zeus 2_2.1.0.2.vir.exe
- Resource: win10 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: zeus 2_2.1.0.2.vir.exe
- Size: 220KB
- MD5: 233191fe9b7daea48764f00e9e2e55b5
- SHA1: 35395eb855503662708286251db2dcfde324cc9e
- SHA256: 857dcf87ce9465da45451d75d0c780115b543b004992117e48c9d9498ddee64a
- SHA512: 82af57478e5a32fac703c581ae1c32b74067f75e6b06624fe727aba73833c88e57deb44725709077df5d8d8af767111a97d11057169951fa053b78700645c1ab
- Score: 8/10
Malware Config
Signatures

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: meob.exe
  description     | ioc | process
  Key created     | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\Currentversion\Run | meob.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\{7AAC219C-83D8-6B33-2029-0E6216FB91CE} = "C:\\Users\\Admin\\AppData\\Roaming\\Ohgy\\meob.exe" | meob.exe

Suspicious use of SetThreadContext (2 IoCs)
Processes: zeus 2_2.1.0.2.vir.exe, meob.exe
  description                          | pid  | process                | target process
  PID 1092 set thread context of 240   | 1092 | zeus 2_2.1.0.2.vir.exe | zeus 2_2.1.0.2.vir.exe
  PID 304 set thread context of 1052   | 304  | meob.exe               | meob.exe

Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes: zeus 2_2.1.0.2.vir.exe, cmd.exe
  description                 | pid  | process
  Token: SeSecurityPrivilege  | 240  | zeus 2_2.1.0.2.vir.exe
  Token: SeSecurityPrivilege  | 240  | zeus 2_2.1.0.2.vir.exe
  Token: SeSecurityPrivilege  | 240  | zeus 2_2.1.0.2.vir.exe
  Token: SeSecurityPrivilege  | 1532 | cmd.exe
  Token: SeSecurityPrivilege  | 1532 | cmd.exe

Executes dropped EXE (2 IoCs)
Processes: meob.exe
  pid  | process
  304  | meob.exe
  1052 | meob.exe

Suspicious behavior: EnumeratesProcesses (32 IoCs)
Processes: meob.exe
  pid  | process
  1052 | meob.exe   (this row is repeated 32 times on the page, one per enumeration event)

Modifies Internet Explorer settings (signature name taken from the process tree below; the heading is missing on the page)
Processes: zeus 2_2.1.0.2.vir.exe
  description     | ioc | process
  Key created     | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Privacy | zeus 2_2.1.0.2.vir.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0" | zeus 2_2.1.0.2.vir.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes: zeus 2_2.1.0.2.vir.exe, meob.exe
  pid  | process
  1092 | zeus 2_2.1.0.2.vir.exe
  304  | meob.exe

Suspicious use of WriteProcessMemory (81 IoCs)
Processes: zeus 2_2.1.0.2.vir.exe, meob.exe
Identical rows are collapsed with the repeat count as listed on the page.
  description                        | pid  | process                | target process
  PID 1092 wrote to memory of 240    | 1092 | zeus 2_2.1.0.2.vir.exe | zeus 2_2.1.0.2.vir.exe   (x9)
  PID 240 wrote to memory of 304     | 240  | zeus 2_2.1.0.2.vir.exe | meob.exe                 (x4)
  PID 304 wrote to memory of 1052    | 304  | meob.exe               | meob.exe                 (x9)
  PID 1052 wrote to memory of 1084   | 1052 | meob.exe               | taskhost.exe             (x5)
  PID 1052 wrote to memory of 1156   | 1052 | meob.exe               | Dwm.exe                  (x5)
  PID 1052 wrote to memory of 1192   | 1052 | meob.exe               | Explorer.EXE             (x5)
  PID 1052 wrote to memory of 240    | 1052 | meob.exe               | zeus 2_2.1.0.2.vir.exe   (x5)
  PID 240 wrote to memory of 1532    | 240  | zeus 2_2.1.0.2.vir.exe | cmd.exe                  (x4)
  PID 1052 wrote to memory of 1532   | 1052 | meob.exe               | cmd.exe                  (x5)
  PID 1052 wrote to memory of 1676   | 1052 | meob.exe               | conhost.exe              (x5)
  PID 1052 wrote to memory of 856    | 1052 | meob.exe               | DllHost.exe              (x5)
  PID 1052 wrote to memory of 1576   | 1052 | meob.exe               | DllHost.exe              (x3)

Loads dropped DLL (2 IoCs)
Processes: zeus 2_2.1.0.2.vir.exe
  pid | process
  240 | zeus 2_2.1.0.2.vir.exe
  240 | zeus 2_2.1.0.2.vir.exe

Deletes itself (1 IoC)
Processes: cmd.exe
  pid  | process
  1532 | cmd.exe
Processes
Process tree (indented by depth; each entry gives the image path, the command line, and the signatures hit by that process):

- C:\Windows\system32\taskhost.exe
  command line: "taskhost.exe"
- C:\Windows\system32\Dwm.exe
  command line: "C:\Windows\system32\Dwm.exe"
- C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\zeus 2_2.1.0.2.vir.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\zeus 2_2.1.0.2.vir.exe"
    signatures: Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\zeus 2_2.1.0.2.vir.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\zeus 2_2.1.0.2.vir.exe"
      signatures: Suspicious use of AdjustPrivilegeToken; Modifies Internet Explorer settings; Suspicious use of WriteProcessMemory; Loads dropped DLL
      - C:\Users\Admin\AppData\Roaming\Ohgy\meob.exe
        command line: "C:\Users\Admin\AppData\Roaming\Ohgy\meob.exe"
        signatures: Suspicious use of SetThreadContext; Executes dropped EXE; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Roaming\Ohgy\meob.exe
          command line: C:\Users\Admin\AppData\Roaming\Ohgy\meob.exe
          signatures: Adds Run key to start application; Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe
        command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpdeae2663.bat"
        signatures: Suspicious use of AdjustPrivilegeToken; Deletes itself
- C:\Windows\system32\conhost.exe
  command line: \??\C:\Windows\system32\conhost.exe "206245032-14744342218195546971787629979-1527770384-1797371795-1395956770543209654"
- C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
- C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
- C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
- C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpdeae2663.bat
- C:\Users\Admin\AppData\Roaming\Ohgy\meob.exe
- C:\Users\Admin\AppData\Roaming\Ohgy\meob.exe
- C:\Users\Admin\AppData\Roaming\Ohgy\meob.exe
- C:\Users\Admin\AppData\Roaming\Qiis\hopyb.iba
- \Users\Admin\AppData\Roaming\Ohgy\meob.exe
- \Users\Admin\AppData\Roaming\Ohgy\meob.exe
- memory/240-2-0x0000000000400000-0x0000000000427000-memory.dmp (filesize 156KB)
- memory/240-4-0x0000000000400000-0x0000000000427000-memory.dmp (filesize 156KB)
- memory/240-16-0x000000000041A39E-mapping.dmp
- memory/240-3-0x000000000041A39E-mapping.dmp
- memory/304-7-0x0000000000000000-mapping.dmp
- memory/1052-13-0x000000000041A39E-mapping.dmp
- memory/1532-17-0x0000000000000000-mapping.dmp
- memory/1532-18-0x0000000000000000-mapping.dmp