Analysis
max time kernel: 58s
max time network: 72s
platform: windows7_x64
resource: win7
submitted: 19-07-2020 19:46

Static task: static1

Behavioral task: behavioral1
Sample: zeus 1_1.3.2.1.vir.exe
Resource: win7 (windows7_x64)
0 signatures, 0 seconds

Behavioral task: behavioral2
Sample: zeus 1_1.3.2.1.vir.exe
Resource: win10 (windows10_x64)
0 signatures, 0 seconds
General
Target: zeus 1_1.3.2.1.vir.exe
Size: 116KB
MD5: 6c2d8d645f55e92eff8e1e2d8a065bff
SHA1: 929a5ebdcf4c00d8365f5b7da01e5d3192f382c5
SHA256: 66114ad746cfa51414a75a808c7dcde250c15fbd63289c589449658068a73418
SHA512: 88615fe49e2399477b0ce5dea48642ce6870582dfe9a35ebf8a4ea93ddf3a7259503ab35c92b42a6f7616e8a08a18f49829f49e12b490bbb9935fe95dcf6e767
Score: 10/10
Malware Config
Signatures

Suspicious use of WriteProcessMemory (10 IoCs)
Processes: zeus 1_1.3.2.1.vir.exe
description | pid | process | target process
PID 1456 wrote to memory of 1484 | 1456 | zeus 1_1.3.2.1.vir.exe | zeus 1_1.3.2.1.vir.exe
PID 1456 wrote to memory of 1484 | 1456 | zeus 1_1.3.2.1.vir.exe | zeus 1_1.3.2.1.vir.exe
PID 1456 wrote to memory of 1484 | 1456 | zeus 1_1.3.2.1.vir.exe | zeus 1_1.3.2.1.vir.exe
PID 1456 wrote to memory of 1484 | 1456 | zeus 1_1.3.2.1.vir.exe | zeus 1_1.3.2.1.vir.exe
PID 1456 wrote to memory of 1484 | 1456 | zeus 1_1.3.2.1.vir.exe | zeus 1_1.3.2.1.vir.exe
PID 1456 wrote to memory of 1484 | 1456 | zeus 1_1.3.2.1.vir.exe | zeus 1_1.3.2.1.vir.exe
PID 1456 wrote to memory of 1484 | 1456 | zeus 1_1.3.2.1.vir.exe | zeus 1_1.3.2.1.vir.exe
PID 1456 wrote to memory of 1484 | 1456 | zeus 1_1.3.2.1.vir.exe | zeus 1_1.3.2.1.vir.exe
PID 1456 wrote to memory of 1484 | 1456 | zeus 1_1.3.2.1.vir.exe | zeus 1_1.3.2.1.vir.exe
PID 1456 wrote to memory of 1484 | 1456 | zeus 1_1.3.2.1.vir.exe | zeus 1_1.3.2.1.vir.exe

Suspicious use of SetThreadContext (1 IoC)
Processes: zeus 1_1.3.2.1.vir.exe
description | pid | process | target process
PID 1456 set thread context of 1484 | 1456 | zeus 1_1.3.2.1.vir.exe | zeus 1_1.3.2.1.vir.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: zeus 1_1.3.2.1.vir.exe
pid | process
1484 | zeus 1_1.3.2.1.vir.exe
1484 | zeus 1_1.3.2.1.vir.exe

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes: zeus 1_1.3.2.1.vir.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "userinit.exe,C:\\Windows\\system32\\sdra64.exe," | zeus 1_1.3.2.1.vir.exe

Drops file in System32 directory (2 IoCs)
Processes: zeus 1_1.3.2.1.vir.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\sdra64.exe | zeus 1_1.3.2.1.vir.exe
File created | C:\Windows\SysWOW64\sdra64.exe | zeus 1_1.3.2.1.vir.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\zeus 1_1.3.2.1.vir.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\zeus 1_1.3.2.1.vir.exe"
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SetThreadContext
  - C:\Users\Admin\AppData\Local\Temp\zeus 1_1.3.2.1.vir.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\zeus 1_1.3.2.1.vir.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Modifies WinLogon for persistence
    - Drops file in System32 directory
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/1484-0-0x0000000000400000-0x0000000000421000-memory.dmp (132KB)
- memory/1484-1-0x0000000000400000-0x0000000000421000-memory.dmp (132KB)
- memory/1484-2-0x0000000000400000-0x0000000000421000-memory.dmp (132KB)
- memory/1484-4-0x0000000000400000-0x0000000000421000-memory.dmp (132KB)
- memory/1484-5-0x0000000000400000-0x0000000000421000-memory.dmp (132KB)
- memory/1484-6-0x0000000000400000-0x0000000000421000-memory.dmp (132KB)
- memory/1484-7-0x0000000000407084-mapping.dmp
- memory/1484-8-0x0000000000400000-0x0000000000421000-memory.dmp (132KB)