ae68aa53a27732eb0803f205fee19d3ca3e8bce7c0ac03d3fb30ab89a46626de

General

Target

zeus 2_2.0.3.1.vir.exe
Size

149KB
MD5

a4fad2f8844d008eea0519128c5145e4
SHA1

752fbb7202fde75f4210710db567bbd337f80d93
SHA256

ae68aa53a27732eb0803f205fee19d3ca3e8bce7c0ac03d3fb30ab89a46626de
SHA512

86122cff5375ed64dbc9319a94698f9029a96e4379cd37742556da05f9d4a71eeefe52383cbe978af3d6e1a60e65352d85d14c2844bd4eee6d8af6f959f0a99d

Score

8^/10

persistence

Malware Config

Signatures

Loads dropped DLL 2 IoCs

Processes:

zeus 2_2.0.3.1.vir.exe

pid process

1008 zeus 2_2.0.3.1.vir.exe
1008 zeus 2_2.0.3.1.vir.exe

pid	process
1008	zeus 2_2.0.3.1.vir.exe
1008	zeus 2_2.0.3.1.vir.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

Processes:

hioho.exe

pid	process
1340	hioho.exe
1340	hioho.exe
1340	hioho.exe
1340	hioho.exe
1340	hioho.exe
1340	hioho.exe
1340	hioho.exe
1340	hioho.exe
1340	hioho.exe
1340	hioho.exe
1340	hioho.exe
1340	hioho.exe
1340	hioho.exe
1340	hioho.exe
1340	hioho.exe
1340	hioho.exe
1340	hioho.exe
1340	hioho.exe
1340	hioho.exe
1340	hioho.exe
1340	hioho.exe
1340	hioho.exe
1340	hioho.exe
1340	hioho.exe
1340	hioho.exe
1340	hioho.exe
1340	hioho.exe
1340	hioho.exe
1340	hioho.exe
1340	hioho.exe
1340	hioho.exe
1340	hioho.exe
1340	hioho.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

280 cmd.exe

pid	process
280	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

hioho.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\Currentversion\Run	hioho.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\{86DD9316-8C13-4EBF-FFC2-9202C8CBA830} = "C:\\Users\\Admin\\AppData\\Roaming\\Biloz\\hioho.exe"	hioho.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

zeus 2_2.0.3.1.vir.exe

description	pid	process
Token: SeSecurityPrivilege	1008	zeus 2_2.0.3.1.vir.exe
Token: SeSecurityPrivilege	1008	zeus 2_2.0.3.1.vir.exe
Token: SeSecurityPrivilege	1008	zeus 2_2.0.3.1.vir.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

zeus 2_2.0.3.1.vir.exehioho.exe

description	pid	process	target process
PID 1008 wrote to memory of 1340	1008	zeus 2_2.0.3.1.vir.exe	hioho.exe
PID 1008 wrote to memory of 1340	1008	zeus 2_2.0.3.1.vir.exe	hioho.exe
PID 1008 wrote to memory of 1340	1008	zeus 2_2.0.3.1.vir.exe	hioho.exe
PID 1008 wrote to memory of 1340	1008	zeus 2_2.0.3.1.vir.exe	hioho.exe
PID 1340 wrote to memory of 1196	1340	hioho.exe	taskhost.exe
PID 1340 wrote to memory of 1196	1340	hioho.exe	taskhost.exe
PID 1340 wrote to memory of 1196	1340	hioho.exe	taskhost.exe
PID 1340 wrote to memory of 1196	1340	hioho.exe	taskhost.exe
PID 1340 wrote to memory of 1196	1340	hioho.exe	taskhost.exe
PID 1340 wrote to memory of 1304	1340	hioho.exe	Dwm.exe
PID 1340 wrote to memory of 1304	1340	hioho.exe	Dwm.exe
PID 1340 wrote to memory of 1304	1340	hioho.exe	Dwm.exe
PID 1340 wrote to memory of 1304	1340	hioho.exe	Dwm.exe
PID 1340 wrote to memory of 1304	1340	hioho.exe	Dwm.exe
PID 1340 wrote to memory of 1348	1340	hioho.exe	Explorer.EXE
PID 1340 wrote to memory of 1348	1340	hioho.exe	Explorer.EXE
PID 1340 wrote to memory of 1348	1340	hioho.exe	Explorer.EXE
PID 1340 wrote to memory of 1348	1340	hioho.exe	Explorer.EXE
PID 1340 wrote to memory of 1348	1340	hioho.exe	Explorer.EXE
PID 1340 wrote to memory of 1008	1340	hioho.exe	zeus 2_2.0.3.1.vir.exe
PID 1340 wrote to memory of 1008	1340	hioho.exe	zeus 2_2.0.3.1.vir.exe
PID 1340 wrote to memory of 1008	1340	hioho.exe	zeus 2_2.0.3.1.vir.exe
PID 1340 wrote to memory of 1008	1340	hioho.exe	zeus 2_2.0.3.1.vir.exe
PID 1340 wrote to memory of 1008	1340	hioho.exe	zeus 2_2.0.3.1.vir.exe
PID 1008 wrote to memory of 280	1008	zeus 2_2.0.3.1.vir.exe	cmd.exe
PID 1008 wrote to memory of 280	1008	zeus 2_2.0.3.1.vir.exe	cmd.exe
PID 1008 wrote to memory of 280	1008	zeus 2_2.0.3.1.vir.exe	cmd.exe
PID 1008 wrote to memory of 280	1008	zeus 2_2.0.3.1.vir.exe	cmd.exe
PID 1008 wrote to memory of 280	1008	zeus 2_2.0.3.1.vir.exe	cmd.exe
PID 1008 wrote to memory of 280	1008	zeus 2_2.0.3.1.vir.exe	cmd.exe
PID 1008 wrote to memory of 280	1008	zeus 2_2.0.3.1.vir.exe	cmd.exe
PID 1008 wrote to memory of 280	1008	zeus 2_2.0.3.1.vir.exe	cmd.exe
PID 1008 wrote to memory of 280	1008	zeus 2_2.0.3.1.vir.exe	cmd.exe
PID 1340 wrote to memory of 1544	1340	hioho.exe	DllHost.exe
PID 1340 wrote to memory of 1544	1340	hioho.exe	DllHost.exe
PID 1340 wrote to memory of 1544	1340	hioho.exe	DllHost.exe
PID 1340 wrote to memory of 1544	1340	hioho.exe	DllHost.exe
PID 1340 wrote to memory of 1544	1340	hioho.exe	DllHost.exe
PID 1340 wrote to memory of 1384	1340	hioho.exe	DllHost.exe
PID 1340 wrote to memory of 1384	1340	hioho.exe	DllHost.exe
PID 1340 wrote to memory of 1384	1340	hioho.exe	DllHost.exe
PID 1340 wrote to memory of 1384	1340	hioho.exe	DllHost.exe
PID 1340 wrote to memory of 1384	1340	hioho.exe	DllHost.exe
PID 1340 wrote to memory of 1860	1340	hioho.exe	DllHost.exe
PID 1340 wrote to memory of 1860	1340	hioho.exe	DllHost.exe
PID 1340 wrote to memory of 1860	1340	hioho.exe	DllHost.exe
PID 1340 wrote to memory of 1860	1340	hioho.exe	DllHost.exe
PID 1340 wrote to memory of 1860	1340	hioho.exe	DllHost.exe

Executes dropped EXE 1 IoCs

Processes:

hioho.exe

pid process

1340 hioho.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

zeus 2_2.0.3.1.vir.exe

description pid process target process

PID 1008 set thread context of 280 1008 zeus 2_2.0.3.1.vir.exe cmd.exe

description	pid	process	target process
PID 1008 set thread context of 280	1008	zeus 2_2.0.3.1.vir.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

zeus 2_2.0.3.1.vir.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	zeus 2_2.0.3.1.vir.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Privacy	zeus 2_2.0.3.1.vir.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1196

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1304

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1348

C:\Users\Admin\AppData\Local\Temp\zeus 2_2.0.3.1.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zeus 2_2.0.3.1.vir.exe"
2⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
PID:1008

C:\Users\Admin\AppData\Roaming\Biloz\hioho.exe
"C:\Users\Admin\AppData\Roaming\Biloz\hioho.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
PID:1340

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpe9569600.bat"
3⤵
- Deletes itself
PID:280

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1544

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1384

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1860

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpe9569600.bat

Download Submit
C:\Users\Admin\AppData\Roaming\Biloz\hioho.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Biloz\hioho.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Dyce\gabu.avu

Download Submit
\Users\Admin\AppData\Roaming\Biloz\hioho.exe

Download Submit
\Users\Admin\AppData\Roaming\Biloz\hioho.exe

Download Submit
memory/280-6-0x0000000000050000-0x000000000006E000-memory.dmp

Filesize
120KB

Download
memory/280-7-0x000000000005746E-mapping.dmp

Download
memory/1340-2-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads