Analysis
- max time kernel: 151s
- max time network: 45s
- platform: windows7_x64
- resource: win7v200430
- submitted: 19-07-2020 19:25
- Static task: static1
- Behavioral task: behavioral1
  Sample: zeus 2_2.0.3.1.vir.exe
  Resource: win7v200430 (windows7_x64)
  0 signatures, 0 seconds
- Behavioral task: behavioral2
  Sample: zeus 2_2.0.3.1.vir.exe
  Resource: win10 (windows10_x64)
  0 signatures, 0 seconds
General
- Target: zeus 2_2.0.3.1.vir.exe
- Size: 149KB
- MD5: a4fad2f8844d008eea0519128c5145e4
- SHA1: 752fbb7202fde75f4210710db567bbd337f80d93
- SHA256: ae68aa53a27732eb0803f205fee19d3ca3e8bce7c0ac03d3fb30ab89a46626de
- SHA512: 86122cff5375ed64dbc9319a94698f9029a96e4379cd37742556da05f9d4a71eeefe52383cbe978af3d6e1a60e65352d85d14c2844bd4eee6d8af6f959f0a99d
- Score: 8/10
Malware Config
Signatures
- Loads dropped DLL (2 IoCs)
  Processes (pid, process):
  1008 zeus 2_2.0.3.1.vir.exe (2 identical entries)
- Suspicious behavior: EnumeratesProcesses (33 IoCs)
  Processes (pid, process):
  1340 hioho.exe (33 identical entries)
- Deletes itself (1 IoC)
  Processes (pid, process):
  280 cmd.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description, ioc, process):
  Key created: \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\Currentversion\Run (hioho.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\{86DD9316-8C13-4EBF-FFC2-9202C8CBA830} = "C:\\Users\\Admin\\AppData\\Roaming\\Biloz\\hioho.exe" (hioho.exe)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description, pid, process):
  Token: SeSecurityPrivilege, 1008 zeus 2_2.0.3.1.vir.exe (3 identical entries)
- Suspicious use of WriteProcessMemory (48 IoCs)
  Processes (description, pid, process, target process):
  PID 1008 wrote to memory of 1340: zeus 2_2.0.3.1.vir.exe -> hioho.exe (4 entries)
  PID 1340 wrote to memory of 1196: hioho.exe -> taskhost.exe (5 entries)
  PID 1340 wrote to memory of 1304: hioho.exe -> Dwm.exe (5 entries)
  PID 1340 wrote to memory of 1348: hioho.exe -> Explorer.EXE (5 entries)
  PID 1340 wrote to memory of 1008: hioho.exe -> zeus 2_2.0.3.1.vir.exe (5 entries)
  PID 1008 wrote to memory of 280: zeus 2_2.0.3.1.vir.exe -> cmd.exe (9 entries)
  PID 1340 wrote to memory of 1544: hioho.exe -> DllHost.exe (5 entries)
  PID 1340 wrote to memory of 1384: hioho.exe -> DllHost.exe (5 entries)
  PID 1340 wrote to memory of 1860: hioho.exe -> DllHost.exe (5 entries)
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
  1340 hioho.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description, pid, process, target process):
  PID 1008 set thread context of 280: zeus 2_2.0.3.1.vir.exe -> cmd.exe
- Modifies Internet Explorer settings
  Processes (description, ioc, process):
  Set value (int): \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0" (zeus 2_2.0.3.1.vir.exe)
  Key created: \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Privacy (zeus 2_2.0.3.1.vir.exe)
Processes (path, command line, tree depth; flagged behaviours listed under each process)
- C:\Windows\system32\taskhost.exe, command line "taskhost.exe", depth 1
- C:\Windows\system32\Dwm.exe, command line "C:\Windows\system32\Dwm.exe", depth 1
- C:\Windows\Explorer.EXE, command line C:\Windows\Explorer.EXE, depth 1
  - C:\Users\Admin\AppData\Local\Temp\zeus 2_2.0.3.1.vir.exe, command line "C:\Users\Admin\AppData\Local\Temp\zeus 2_2.0.3.1.vir.exe", depth 2
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - Suspicious use of SetThreadContext
    - Modifies Internet Explorer settings
    - C:\Users\Admin\AppData\Roaming\Biloz\hioho.exe, command line "C:\Users\Admin\AppData\Roaming\Biloz\hioho.exe", depth 3
      - Suspicious behavior: EnumeratesProcesses
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      - Executes dropped EXE
    - C:\Windows\SysWOW64\cmd.exe, command line "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpe9569600.bat", depth 3
      - Deletes itself
- C:\Windows\system32\DllHost.exe, command line C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}, depth 1
- C:\Windows\system32\DllHost.exe, command line C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}, depth 1
- C:\Windows\system32\DllHost.exe, command line C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}, depth 1
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpe9569600.bat
- C:\Users\Admin\AppData\Roaming\Biloz\hioho.exe
- C:\Users\Admin\AppData\Roaming\Biloz\hioho.exe
- C:\Users\Admin\AppData\Roaming\Dyce\gabu.avu
- \Users\Admin\AppData\Roaming\Biloz\hioho.exe
- \Users\Admin\AppData\Roaming\Biloz\hioho.exe
- memory/280-6-0x0000000000050000-0x000000000006E000-memory.dmp (Filesize: 120KB)
- memory/280-7-0x000000000005746E-mapping.dmp
- memory/1340-2-0x0000000000000000-mapping.dmp