d6e2e79e31eb5e0d8144deca05e9caffd7b78133d12f6a408edc7a86163c4d99

General

Target

zeus 1_1.2.1.7.vir.exe
Size

39KB
MD5

0898b37a366f3aeec04a86151e1035e4
SHA1

980f5ac4d9b44591ddf91597554622a9e21eca96
SHA256

d6e2e79e31eb5e0d8144deca05e9caffd7b78133d12f6a408edc7a86163c4d99
SHA512

7bb0e9459fe8322034c294cc9e40ebac4e16f3322b0e3f49a609fbee24df206d8e270093d676c00467a127d7e534a8e3f5d3ade081c3d097976408f796b92511

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\svchost.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe:*:Enabled:svchost.exe"	svchost.exe

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe"	svchost.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

zeus 1_1.2.1.7.vir.execmd.exe

description	pid	process	target process
PID 1016 wrote to memory of 1040	1016	zeus 1_1.2.1.7.vir.exe	cmd.exe
PID 1016 wrote to memory of 1040	1016	zeus 1_1.2.1.7.vir.exe	cmd.exe
PID 1016 wrote to memory of 1040	1016	zeus 1_1.2.1.7.vir.exe	cmd.exe
PID 1016 wrote to memory of 1040	1016	zeus 1_1.2.1.7.vir.exe	cmd.exe
PID 1016 wrote to memory of 604	1016	zeus 1_1.2.1.7.vir.exe	cmd.exe
PID 1016 wrote to memory of 604	1016	zeus 1_1.2.1.7.vir.exe	cmd.exe
PID 1016 wrote to memory of 604	1016	zeus 1_1.2.1.7.vir.exe	cmd.exe
PID 1016 wrote to memory of 604	1016	zeus 1_1.2.1.7.vir.exe	cmd.exe
PID 604 wrote to memory of 1420	604	cmd.exe	svchost.exe
PID 604 wrote to memory of 1420	604	cmd.exe	svchost.exe
PID 604 wrote to memory of 1420	604	cmd.exe	svchost.exe
PID 604 wrote to memory of 1420	604	cmd.exe	svchost.exe

Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

604 cmd.exe
604 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

1420 svchost.exe

pid	process
604	cmd.exe
604	cmd.exe

pid	process
1420	svchost.exe

C:\Users\Admin\AppData\Local\Temp\zeus 1_1.2.1.7.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zeus 1_1.2.1.7.vir.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1016

C:\Windows\SysWOW64\cmd.exe
cmd /c copy "C:\Users\Admin\AppData\Local\Temp\zeus 1_1.2.1.7.vir.exe" "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
2⤵
PID:1040

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
2⤵
- Suspicious use of WriteProcessMemory
- Loads dropped DLL
PID:604

C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\svchost.exe
3⤵
- Modifies firewall policy service
- Modifies WinLogon for persistence
- Executes dropped EXE
PID:1420

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\svchost.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe

Download Submit
memory/604-1-0x0000000000000000-mapping.dmp

Download
memory/1040-0-0x0000000000000000-mapping.dmp

Download
memory/1420-5-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads