Analysis

- max time kernel: 146s
- max time network: 157s
- platform: windows7_x64
- resource: win7v200430
- submitted: 19-07-2020 19:28
Static task: static1

Behavioral task: behavioral1
- Sample: zeus 1_1.2.1.7.vir.exe
- Resource: win7v200430 (windows7_x64)
- 0 signatures
- 0 seconds

Behavioral task: behavioral2
- Sample: zeus 1_1.2.1.7.vir.exe
- Resource: win10v200430 (windows10_x64)
- 0 signatures
- 0 seconds
General

- Target: zeus 1_1.2.1.7.vir.exe
- Size: 39KB
- MD5: 0898b37a366f3aeec04a86151e1035e4
- SHA1: 980f5ac4d9b44591ddf91597554622a9e21eca96
- SHA256: d6e2e79e31eb5e0d8144deca05e9caffd7b78133d12f6a408edc7a86163c4d99
- SHA512: 7bb0e9459fe8322034c294cc9e40ebac4e16f3322b0e3f49a609fbee24df206d8e270093d676c00467a127d7e534a8e3f5d3ade081c3d097976408f796b92511
- Score: 10/10
Malware Config

Signatures
- Modifies firewall policy service (2 TTPs, 2 IoCs)
  Processes: svchost.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\svchost.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe:*:Enabled:svchost.exe" | svchost.exe
- Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
  Processes: svchost.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe" | svchost.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: zeus 1_1.2.1.7.vir.exe, cmd.exe
  description | pid | process | target process
  PID 1016 wrote to memory of 1040 | 1016 | zeus 1_1.2.1.7.vir.exe | cmd.exe (4 events)
  PID 1016 wrote to memory of 604 | 1016 | zeus 1_1.2.1.7.vir.exe | cmd.exe (4 events)
  PID 604 wrote to memory of 1420 | 604 | cmd.exe | svchost.exe (4 events)
- Loads dropped DLL (2 IoCs)
  Processes: cmd.exe
  pid | process
  604 | cmd.exe (2 events)
- Executes dropped EXE (1 IoCs)
  Processes: svchost.exe
  pid | process
  1420 | svchost.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\zeus 1_1.2.1.7.vir.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\zeus 1_1.2.1.7.vir.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: cmd /c copy "C:\Users\Admin\AppData\Local\Temp\zeus 1_1.2.1.7.vir.exe" "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    - Suspicious use of WriteProcessMemory
    - Loads dropped DLL
    - C:\Users\Admin\AppData\Local\Temp\svchost.exe (depth 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\svchost.exe
      - Modifies firewall policy service
      - Modifies WinLogon for persistence
      - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Users\Admin\AppData\Local\Temp\svchost.exe
- \Users\Admin\AppData\Local\Temp\svchost.exe
- memory/604-1-0x0000000000000000-mapping.dmp
- memory/1040-0-0x0000000000000000-mapping.dmp
- memory/1420-5-0x0000000000000000-mapping.dmp