flawedammyy | 43834f452190b6f36ce8bb603b76e44feb45761eb70eae5dee2ac8db17d560ee

Analysis

max time kernel
66s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
18/10/2022, 03:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1813cdbea071efd7e0b261e0b1f47635.exe
Size

7.6MB
MD5

1813cdbea071efd7e0b261e0b1f47635
SHA1

cb7bfedfa84c2de310fdf36b6fac39c6d8a6c971
SHA256

43834f452190b6f36ce8bb603b76e44feb45761eb70eae5dee2ac8db17d560ee
SHA512

a5ac24cff7a276acc8d629dcb170c51ee8c1d65960f0fbf105a775264a63264bfb126008e5ea4daba812ef1d79881bda3e077bb1349166d474a609dd06e65b77
SSDEEP

196608:4AId0+vNSQpice0XxZcTjfKYQGj8jFDO/3V1hoGv:4zm+v9eeQjCBnjNO/FTXv

Score

10^/10

flawedammyy discovery evasion persistence trojan upx

Malware Config

Signatures

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
860	1813cdbea071efd7e0b261e0b1f47635.tmp
1748	SuporteZeus.exe

Modifies Windows Firewall 1 TTPs 7 IoCs

evasion

Modify Existing Service

T1031

pid	Process
4776	NETSH.exe
4768	NETSH.exe
3416	NETSH.exe
4556	NETSH.exe
4432	NETSH.exe
4492	NETSH.exe
4916	NETSH.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0004000000016296-139.dat	upx
behavioral2/files/0x0004000000016296-140.dat	upx
behavioral2/memory/1748-141-0x0000000000EA0000-0x0000000000FFE000-memory.dmp	upx
behavioral2/memory/1748-157-0x0000000000EA0000-0x0000000000FFE000-memory.dmp	upx
behavioral2/memory/1748-194-0x0000000000EA0000-0x0000000000FFE000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/1748-141-0x0000000000EA0000-0x0000000000FFE000-memory.dmp	autoit_exe
behavioral2/memory/1748-157-0x0000000000EA0000-0x0000000000FFE000-memory.dmp	autoit_exe
behavioral2/memory/1748-194-0x0000000000EA0000-0x0000000000FFE000-memory.dmp	autoit_exe

Drops file in Program Files directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Zeus Tecnologia STI\curl\libcurl.dll	1813cdbea071efd7e0b261e0b1f47635.tmp
File created	C:\Program Files (x86)\Zeus Tecnologia STI\is-U3T9T.tmp	1813cdbea071efd7e0b261e0b1f47635.tmp
File created	C:\Program Files (x86)\Zeus Tecnologia STI\curl\is-PSGR5.tmp	1813cdbea071efd7e0b261e0b1f47635.tmp
File created	C:\Program Files (x86)\Zeus Tecnologia STI\curl\is-T981M.tmp	1813cdbea071efd7e0b261e0b1f47635.tmp
File opened for modification	C:\Program Files (x86)\Zeus Tecnologia STI\unins000.dat	1813cdbea071efd7e0b261e0b1f47635.tmp
File created	C:\Program Files (x86)\Zeus Tecnologia STI\is-KTI2B.tmp	1813cdbea071efd7e0b261e0b1f47635.tmp
File created	C:\Program Files (x86)\Zeus Tecnologia STI\is-O9BFG.tmp	1813cdbea071efd7e0b261e0b1f47635.tmp
File opened for modification	C:\Program Files (x86)\Zeus Tecnologia STI\WinNT:\admin, user	SuporteZeus.exe
File opened for modification	C:\Program Files (x86)\Zeus Tecnologia STI\AnyDesk.exe	1813cdbea071efd7e0b261e0b1f47635.tmp
File opened for modification	C:\Program Files (x86)\Zeus Tecnologia STI\AtualizadorZeus.exe	1813cdbea071efd7e0b261e0b1f47635.tmp
File opened for modification	C:\Program Files (x86)\Zeus Tecnologia STI\GerenciadorZeus.exe	1813cdbea071efd7e0b261e0b1f47635.tmp
File opened for modification	C:\Program Files (x86)\Zeus Tecnologia STI\curl\curl.exe	1813cdbea071efd7e0b261e0b1f47635.tmp
File created	C:\Program Files (x86)\Zeus Tecnologia STI\unins000.dat	1813cdbea071efd7e0b261e0b1f47635.tmp
File opened for modification	C:\Program Files (x86)\Zeus Tecnologia STI\VncZeusTecnologia.exe	1813cdbea071efd7e0b261e0b1f47635.tmp
File created	C:\Program Files (x86)\Zeus Tecnologia STI\is-5B7O2.tmp	1813cdbea071efd7e0b261e0b1f47635.tmp
File created	C:\Program Files (x86)\Zeus Tecnologia STI\is-3F63D.tmp	1813cdbea071efd7e0b261e0b1f47635.tmp
File opened for modification	C:\Program Files (x86)\Zeus Tecnologia STI\debugZT_SuporteZeus.exe.log	SuporteZeus.exe
File opened for modification	C:\Program Files (x86)\Zeus Tecnologia STI\winmgmts:\XZIOFAVD\root\cimv2	SuporteZeus.exe
File opened for modification	C:\Program Files (x86)\Zeus Tecnologia STI\WinNT:\ztadmin, user	SuporteZeus.exe
File opened for modification	C:\Program Files (x86)\Zeus Tecnologia STI\DOWNLOADS\599A.tmp	SuporteZeus.exe
File opened for modification	C:\Program Files (x86)\Zeus Tecnologia STI\SuporteZeus.exe	1813cdbea071efd7e0b261e0b1f47635.tmp
File created	C:\Program Files (x86)\Zeus Tecnologia STI\is-HAKNE.tmp	1813cdbea071efd7e0b261e0b1f47635.tmp
File created	C:\Program Files (x86)\Zeus Tecnologia STI\is-N9Q89.tmp	1813cdbea071efd7e0b261e0b1f47635.tmp
File created	C:\Program Files (x86)\Zeus Tecnologia STI\curl\is-DJS36.tmp	1813cdbea071efd7e0b261e0b1f47635.tmp
File created	C:\Program Files (x86)\Zeus Tecnologia STI\curl\is-QLE9A.tmp	1813cdbea071efd7e0b261e0b1f47635.tmp

Launches sc.exe 6 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4164	SC.exe
820	SC.exe
1260	SC.exe
1652	SC.exe
1856	SC.exe
2532	SC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3512	SCHTASKS.exe
2692	SCHTASKS.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
2596	taskkill.exe
4876	taskkill.exe
2620	taskkill.exe

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Zeus Tecnologia STI\winmgmts:\XZIOFAVD\root\cimv2	SuporteZeus.exe
File opened for modification	C:\Program Files (x86)\Zeus Tecnologia STI\WinNT:\ztadmin, user	SuporteZeus.exe
File opened for modification	C:\Program Files (x86)\Zeus Tecnologia STI\WinNT:\admin, user	SuporteZeus.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

pid	Process
860	1813cdbea071efd7e0b261e0b1f47635.tmp
860	1813cdbea071efd7e0b261e0b1f47635.tmp
1748	SuporteZeus.exe
1748	SuporteZeus.exe
1748	SuporteZeus.exe
1748	SuporteZeus.exe
1748	SuporteZeus.exe
1748	SuporteZeus.exe
1748	SuporteZeus.exe
1748	SuporteZeus.exe
1748	SuporteZeus.exe
1748	SuporteZeus.exe
1748	SuporteZeus.exe
1748	SuporteZeus.exe
1748	SuporteZeus.exe
1748	SuporteZeus.exe
1748	SuporteZeus.exe
1748	SuporteZeus.exe
1748	SuporteZeus.exe
1748	SuporteZeus.exe
1748	SuporteZeus.exe
1748	SuporteZeus.exe
1748	SuporteZeus.exe
1748	SuporteZeus.exe
1748	SuporteZeus.exe
1748	SuporteZeus.exe
1748	SuporteZeus.exe
1748	SuporteZeus.exe
1748	SuporteZeus.exe
1748	SuporteZeus.exe
1748	SuporteZeus.exe
1748	SuporteZeus.exe
1748	SuporteZeus.exe
1748	SuporteZeus.exe
1748	SuporteZeus.exe
1748	SuporteZeus.exe
1748	SuporteZeus.exe
1748	SuporteZeus.exe
1748	SuporteZeus.exe
1748	SuporteZeus.exe
1748	SuporteZeus.exe
1748	SuporteZeus.exe
1748	SuporteZeus.exe
1748	SuporteZeus.exe
1748	SuporteZeus.exe
1748	SuporteZeus.exe
1748	SuporteZeus.exe
1748	SuporteZeus.exe
1748	SuporteZeus.exe
1748	SuporteZeus.exe
1748	SuporteZeus.exe
1748	SuporteZeus.exe
1748	SuporteZeus.exe
1748	SuporteZeus.exe
1748	SuporteZeus.exe
1748	SuporteZeus.exe
1748	SuporteZeus.exe
1748	SuporteZeus.exe
1748	SuporteZeus.exe
1748	SuporteZeus.exe
1748	SuporteZeus.exe
1748	SuporteZeus.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2596	taskkill.exe
Token: SeDebugPrivilege	4876	taskkill.exe
Token: SeIncreaseQuotaPrivilege	4536	WMIC.exe
Token: SeSecurityPrivilege	4536	WMIC.exe
Token: SeTakeOwnershipPrivilege	4536	WMIC.exe
Token: SeLoadDriverPrivilege	4536	WMIC.exe
Token: SeSystemProfilePrivilege	4536	WMIC.exe
Token: SeSystemtimePrivilege	4536	WMIC.exe
Token: SeProfSingleProcessPrivilege	4536	WMIC.exe
Token: SeIncBasePriorityPrivilege	4536	WMIC.exe
Token: SeCreatePagefilePrivilege	4536	WMIC.exe
Token: SeBackupPrivilege	4536	WMIC.exe
Token: SeRestorePrivilege	4536	WMIC.exe
Token: SeShutdownPrivilege	4536	WMIC.exe
Token: SeDebugPrivilege	4536	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4536	WMIC.exe
Token: SeRemoteShutdownPrivilege	4536	WMIC.exe
Token: SeUndockPrivilege	4536	WMIC.exe
Token: SeManageVolumePrivilege	4536	WMIC.exe
Token: 33	4536	WMIC.exe
Token: 34	4536	WMIC.exe
Token: 35	4536	WMIC.exe
Token: 36	4536	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4536	WMIC.exe
Token: SeSecurityPrivilege	4536	WMIC.exe
Token: SeTakeOwnershipPrivilege	4536	WMIC.exe
Token: SeLoadDriverPrivilege	4536	WMIC.exe
Token: SeSystemProfilePrivilege	4536	WMIC.exe
Token: SeSystemtimePrivilege	4536	WMIC.exe
Token: SeProfSingleProcessPrivilege	4536	WMIC.exe
Token: SeIncBasePriorityPrivilege	4536	WMIC.exe
Token: SeCreatePagefilePrivilege	4536	WMIC.exe
Token: SeBackupPrivilege	4536	WMIC.exe
Token: SeRestorePrivilege	4536	WMIC.exe
Token: SeShutdownPrivilege	4536	WMIC.exe
Token: SeDebugPrivilege	4536	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4536	WMIC.exe
Token: SeRemoteShutdownPrivilege	4536	WMIC.exe
Token: SeUndockPrivilege	4536	WMIC.exe
Token: SeManageVolumePrivilege	4536	WMIC.exe
Token: 33	4536	WMIC.exe
Token: 34	4536	WMIC.exe
Token: 35	4536	WMIC.exe
Token: 36	4536	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4284	wmic.exe
Token: SeSecurityPrivilege	4284	wmic.exe
Token: SeTakeOwnershipPrivilege	4284	wmic.exe
Token: SeLoadDriverPrivilege	4284	wmic.exe
Token: SeSystemProfilePrivilege	4284	wmic.exe
Token: SeSystemtimePrivilege	4284	wmic.exe
Token: SeProfSingleProcessPrivilege	4284	wmic.exe
Token: SeIncBasePriorityPrivilege	4284	wmic.exe
Token: SeCreatePagefilePrivilege	4284	wmic.exe
Token: SeBackupPrivilege	4284	wmic.exe
Token: SeRestorePrivilege	4284	wmic.exe
Token: SeShutdownPrivilege	4284	wmic.exe
Token: SeDebugPrivilege	4284	wmic.exe
Token: SeSystemEnvironmentPrivilege	4284	wmic.exe
Token: SeRemoteShutdownPrivilege	4284	wmic.exe
Token: SeUndockPrivilege	4284	wmic.exe
Token: SeManageVolumePrivilege	4284	wmic.exe
Token: 33	4284	wmic.exe
Token: 34	4284	wmic.exe
Token: 35	4284	wmic.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
860	1813cdbea071efd7e0b261e0b1f47635.tmp
860	1813cdbea071efd7e0b261e0b1f47635.tmp

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
860	1813cdbea071efd7e0b261e0b1f47635.tmp

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4828 wrote to memory of 860	4828	1813cdbea071efd7e0b261e0b1f47635.exe	82
PID 4828 wrote to memory of 860	4828	1813cdbea071efd7e0b261e0b1f47635.exe	82
PID 4828 wrote to memory of 860	4828	1813cdbea071efd7e0b261e0b1f47635.exe	82
PID 860 wrote to memory of 1748	860	1813cdbea071efd7e0b261e0b1f47635.tmp	83
PID 860 wrote to memory of 1748	860	1813cdbea071efd7e0b261e0b1f47635.tmp	83
PID 860 wrote to memory of 1748	860	1813cdbea071efd7e0b261e0b1f47635.tmp	83
PID 1748 wrote to memory of 1652	1748	SuporteZeus.exe	88
PID 1748 wrote to memory of 1652	1748	SuporteZeus.exe	88
PID 1748 wrote to memory of 1652	1748	SuporteZeus.exe	88
PID 1748 wrote to memory of 3344	1748	SuporteZeus.exe	90
PID 1748 wrote to memory of 3344	1748	SuporteZeus.exe	90
PID 1748 wrote to memory of 3344	1748	SuporteZeus.exe	90
PID 1748 wrote to memory of 3628	1748	SuporteZeus.exe	93
PID 1748 wrote to memory of 3628	1748	SuporteZeus.exe	93
PID 1748 wrote to memory of 3628	1748	SuporteZeus.exe	93
PID 1748 wrote to memory of 3952	1748	SuporteZeus.exe	95
PID 1748 wrote to memory of 3952	1748	SuporteZeus.exe	95
PID 1748 wrote to memory of 3952	1748	SuporteZeus.exe	95
PID 1748 wrote to memory of 3532	1748	SuporteZeus.exe	97
PID 1748 wrote to memory of 3532	1748	SuporteZeus.exe	97
PID 1748 wrote to memory of 3532	1748	SuporteZeus.exe	97
PID 1748 wrote to memory of 4192	1748	SuporteZeus.exe	99
PID 1748 wrote to memory of 4192	1748	SuporteZeus.exe	99
PID 1748 wrote to memory of 4192	1748	SuporteZeus.exe	99
PID 1748 wrote to memory of 5040	1748	SuporteZeus.exe	101
PID 1748 wrote to memory of 5040	1748	SuporteZeus.exe	101
PID 1748 wrote to memory of 5040	1748	SuporteZeus.exe	101
PID 1748 wrote to memory of 2776	1748	SuporteZeus.exe	103
PID 1748 wrote to memory of 2776	1748	SuporteZeus.exe	103
PID 1748 wrote to memory of 2776	1748	SuporteZeus.exe	103
PID 1748 wrote to memory of 744	1748	SuporteZeus.exe	105
PID 1748 wrote to memory of 744	1748	SuporteZeus.exe	105
PID 1748 wrote to memory of 744	1748	SuporteZeus.exe	105
PID 1748 wrote to memory of 4492	1748	SuporteZeus.exe	107
PID 1748 wrote to memory of 4492	1748	SuporteZeus.exe	107
PID 1748 wrote to memory of 4492	1748	SuporteZeus.exe	107
PID 1748 wrote to memory of 4916	1748	SuporteZeus.exe	111
PID 1748 wrote to memory of 4916	1748	SuporteZeus.exe	111
PID 1748 wrote to memory of 4916	1748	SuporteZeus.exe	111
PID 1748 wrote to memory of 2596	1748	SuporteZeus.exe	113
PID 1748 wrote to memory of 2596	1748	SuporteZeus.exe	113
PID 1748 wrote to memory of 2596	1748	SuporteZeus.exe	113
PID 1748 wrote to memory of 4876	1748	SuporteZeus.exe	115
PID 1748 wrote to memory of 4876	1748	SuporteZeus.exe	115
PID 1748 wrote to memory of 4876	1748	SuporteZeus.exe	115
PID 1748 wrote to memory of 2620	1748	SuporteZeus.exe	117
PID 1748 wrote to memory of 2620	1748	SuporteZeus.exe	117
PID 1748 wrote to memory of 2620	1748	SuporteZeus.exe	117
PID 1748 wrote to memory of 1856	1748	SuporteZeus.exe	119
PID 1748 wrote to memory of 1856	1748	SuporteZeus.exe	119
PID 1748 wrote to memory of 1856	1748	SuporteZeus.exe	119
PID 1748 wrote to memory of 3724	1748	SuporteZeus.exe	121
PID 1748 wrote to memory of 3724	1748	SuporteZeus.exe	121
PID 1748 wrote to memory of 3724	1748	SuporteZeus.exe	121
PID 3724 wrote to memory of 3912	3724	NET.exe	123
PID 3724 wrote to memory of 3912	3724	NET.exe	123
PID 3724 wrote to memory of 3912	3724	NET.exe	123
PID 1748 wrote to memory of 940	1748	SuporteZeus.exe	124
PID 1748 wrote to memory of 940	1748	SuporteZeus.exe	124
PID 1748 wrote to memory of 940	1748	SuporteZeus.exe	124
PID 940 wrote to memory of 384	940	NET.exe	126
PID 940 wrote to memory of 384	940	NET.exe	126
PID 940 wrote to memory of 384	940	NET.exe	126
PID 1748 wrote to memory of 4536	1748	SuporteZeus.exe	127

C:\Users\Admin\AppData\Local\Temp\1813cdbea071efd7e0b261e0b1f47635.exe
"C:\Users\Admin\AppData\Local\Temp\1813cdbea071efd7e0b261e0b1f47635.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4828
- C:\Users\Admin\AppData\Local\Temp\is-VU2TB.tmp\1813cdbea071efd7e0b261e0b1f47635.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-VU2TB.tmp\1813cdbea071efd7e0b261e0b1f47635.tmp" /SL5="$D007E,7763926,67584,C:\Users\Admin\AppData\Local\Temp\1813cdbea071efd7e0b261e0b1f47635.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:860
- - C:\Program Files (x86)\Zeus Tecnologia STI\SuporteZeus.exe
    "C:\Program Files (x86)\Zeus Tecnologia STI\SuporteZeus.exe" -STIconfig
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1748
  - - C:\Windows\SysWOW64\SC.exe
      SC stop "AmmyyAdmin"
      4⤵
      Launches sc.exe
      PID:1652
  - - C:\Windows\SysWOW64\SCHTASKS.exe
      SCHTASKS /End /TN ZeusTecSTI
      4⤵
      PID:3344
  - - C:\Windows\SysWOW64\SCHTASKS.exe
      SCHTASKS /End /TN ZeusTecSTI
      4⤵
      PID:3628
  - - C:\Windows\SysWOW64\SCHTASKS.exe
      SCHTASKS /End /TN ZeusTecnologia\ZeusTecSTI
      4⤵
      PID:3952
  - - C:\Windows\SysWOW64\SCHTASKS.exe
      SCHTASKS /End /TN ZeusTecnologia\ZeusTecINV
      4⤵
      PID:3532
  - - C:\Windows\SysWOW64\SCHTASKS.exe
      SCHTASKS /delete /F /TN "Zeus Tecnologia STI"
      4⤵
      PID:4192
  - - C:\Windows\SysWOW64\SCHTASKS.exe
      SCHTASKS /delete /F /TN ZeusTecSTI
      4⤵
      PID:5040
  - - C:\Windows\SysWOW64\SCHTASKS.exe
      SCHTASKS /delete /F /TN ZeusTecnologia\ZeusTecINV
      4⤵
      PID:2776
  - - C:\Windows\SysWOW64\SCHTASKS.exe
      SCHTASKS /delete /F /TN ZeusTecnologia\ZeusTecSTI
      4⤵
      PID:744
  - - C:\Windows\SysWOW64\NETSH.exe
      NETSH advfirewall firewall delete rule name="ZeusAtualiza"
      4⤵
      Modifies Windows Firewall
      PID:4492
  - - C:\Windows\SysWOW64\NETSH.exe
      NETSH advfirewall firewall delete rule name="ZeusAmmyyAdm"
      4⤵
      Modifies Windows Firewall
      PID:4916
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill -f -im AmmyyAdmin.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2596
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill -f -im AtualizadorZeus.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4876
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill -f -im gerenciadorZeus.exe
      4⤵
      Kills process with taskkill
      PID:2620
  - - C:\Windows\SysWOW64\SC.exe
      SC delete "AmmyyAdmin"
      4⤵
      Launches sc.exe
      PID:1856
  - - C:\Windows\SysWOW64\NET.exe
      NET USER "zeustec" /ADD
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3724
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 USER "zeustec" /ADD
        5⤵
        
        PID:3912
  - - C:\Windows\SysWOW64\NET.exe
      NET USER "zeustec" "Zeus!2125"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:940
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 USER "zeustec" "Zeus!2125"
        5⤵
        
        PID:384
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      WMIC USERACCOUNT WHERE "Name='zeustec' and Domain='XZIOFAVD'" SET PasswordExpires=FALSE
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4536
  - - C:\Windows\SysWOW64\net.exe
      net users zeustec /fullname:"ZeusTecnologia"
      4⤵
      PID:4760
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 users zeustec /fullname:"ZeusTecnologia"
        5⤵
        
        PID:4940
  - - C:\Windows\SysWOW64\NET.exe
      NET LOCALGROUP "Administrators" "zeustec" /ADD
      4⤵
      PID:4432
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 LOCALGROUP "Administrators" "zeustec" /ADD
        5⤵
        
        PID:3868
  - - C:\Windows\SysWOW64\NET.exe
      NET LOCALGROUP "Remote Desktop Users" "zeustec" /ADD
      4⤵
      PID:2532
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" "zeustec" /ADD
        5⤵
        
        PID:3532
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic useraccount where name="admin" call rename "ZTadmin"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4284
  - - C:\Windows\SysWOW64\NET.exe
      NET USER "ztadmin" /ADD
      4⤵
      PID:5016
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 USER "ztadmin" /ADD
        5⤵
        
        PID:3960
  - - C:\Windows\SysWOW64\NET.exe
      NET USER "ztadmin" "Cliente@3456"
      4⤵
      PID:2488
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 USER "ztadmin" "Cliente@3456"
        5⤵
        
        PID:3752
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      WMIC USERACCOUNT WHERE "Name='ztadmin' and Domain='XZIOFAVD'" SET PasswordExpires=FALSE
      4⤵
      PID:1648
  - - C:\Windows\SysWOW64\net.exe
      net users ztadmin /fullname:"ZTAdmin"
      4⤵
      PID:2224
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 users ztadmin /fullname:"ZTAdmin"
        5⤵
        
        PID:4492
  - - C:\Windows\SysWOW64\NET.exe
      NET LOCALGROUP "Administrators" "ztadmin" /ADD
      4⤵
      PID:1572
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 LOCALGROUP "Administrators" "ztadmin" /ADD
        5⤵
        
        PID:3276
  - - C:\Windows\SysWOW64\cacls.exe
      cacls "C:\Program Files (x86)\Zeus Tecnologia STI\DOWNLOADS" /T /E /C /P Users:F
      4⤵
      PID:4460
  - - C:\Windows\SysWOW64\powercfg.exe
      powercfg -x -monitor-timeout-ac 15
      4⤵
      PID:4640
  - - C:\Windows\SysWOW64\powercfg.exe
      powercfg -x -standby-timeout-ac 0
      4⤵
      PID:4876
  - - C:\Windows\SysWOW64\SCHTASKS.exe
      SCHTASKS /ru system /create /sc daily /st 12:30 /RI 10 /DU 00:18 /K /tn ZeusTecnologia\ZeusTecSTI /tr "'C:\Program Files (x86)\Zeus Tecnologia STI\atualizadorZeus.exe' -STI" /f /RL HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:2692
  - - C:\Windows\SysWOW64\SCHTASKS.exe
      SCHTASKS /ru system /create /sc daily /st 12:50 /tn ZeusTecnologia\ZeusTecINV /tr "'C:\Program Files (x86)\Zeus Tecnologia STI\SuporteZeus.exe' -INV" /f /RL HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:3512
  - - C:\Windows\SysWOW64\NETSH.exe
      NETSH advfirewall firewall add rule name="ZeusAtualiza" dir=IN action=ALLOW program="C:\Program Files (x86)\Zeus Tecnologia STI\atualizadorZeus.exe" enable=YES profile=ANY description="Atualizador - Zeus Tecnologia"
      4⤵
      Modifies Windows Firewall
      PID:4776
  - - C:\Windows\SysWOW64\NETSH.exe
      NETSH advfirewall firewall add rule name="ZeusAmmyyAdm" dir=IN action=ALLOW program="C:\Program Files (x86)\Zeus Tecnologia STI\AmmyyAdmin.exe" enable=YES profile=ANY description="Ammyy Admin - Zeus Tecnologia"
      4⤵
      Modifies Windows Firewall
      PID:4768
  - - C:\Windows\SysWOW64\NETSH.exe
      NETSH advfirewall firewall set rule GROUP="Descoberta de Rede" NEW enable=YES
      4⤵
      Modifies Windows Firewall
      PID:3416
  - - C:\Windows\SysWOW64\NETSH.exe
      NETSH advfirewall firewall set rule GROUP="Network Discovery" NEW enable=YES
      4⤵
      Modifies Windows Firewall
      PID:4556
  - - C:\Windows\SysWOW64\NETSH.exe
      NETSH advfirewall firewall set rule GROUP="Área de Trabalho Remota" NEW enable=YES
      4⤵
      Modifies Windows Firewall
      PID:4432
  - - C:\Windows\SysWOW64\SC.exe
      SC create "AmmyyAdmin" binPath= "\"C:\Program Files (x86)\Zeus Tecnologia STI\AmmyyAdmin.exe\" -service" DisplayName= "Ammyy Admin" start= auto
      4⤵
      Launches sc.exe
      PID:2532
  - - C:\Windows\SysWOW64\SC.exe
      SC description "AmmyyAdmin" "Sistema de suporte remoto utilizado pela www.ZeusTecnologia.com.br"
      4⤵
      Launches sc.exe
      PID:4164
  - - C:\Windows\SysWOW64\SC.exe
      SC failure "AmmyyAdmin" reset=60 actions=restart/60000
      4⤵
      Launches sc.exe
      PID:820
  - - C:\Windows\SysWOW64\SC.exe
      SC start "AmmyyAdmin" | findstr "RUNNING START_PENDING"
      4⤵
      Launches sc.exe
      PID:1260

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Account Manipulation

T1098

Modify Existing Service

T1031

New Service

T1050

Scheduled Task

T1053

Privilege Escalation

New Service

T1050

Scheduled Task

T1053

Defense Evasion

Impair Defenses

T1562

Credential Access

Account Manipulation

T1098

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Zeus Tecnologia STI\SuporteZeus.exe

Filesize
610KB

MD5
f07db1e2a512171311f40d080034ba01

SHA1
2296ad3bc8807dfa775d43d58c8d3b52d19dd7e2

SHA256
f3e997e126aaec0734a6f2a5d68e3d3ec58cc863705cc3991989cc8183af283e

SHA512
a8e4e28ff8332bc84471f1dfd02a9c519eda796196d4ce143bd3a7f94d91c2dab1a591996ece81de3f0e2fff2491efc66be611bd802857bb56b024240ad4026b

Download Submit
C:\Program Files (x86)\Zeus Tecnologia STI\SuporteZeus.exe

Filesize
610KB

MD5
f07db1e2a512171311f40d080034ba01

SHA1
2296ad3bc8807dfa775d43d58c8d3b52d19dd7e2

SHA256
f3e997e126aaec0734a6f2a5d68e3d3ec58cc863705cc3991989cc8183af283e

SHA512
a8e4e28ff8332bc84471f1dfd02a9c519eda796196d4ce143bd3a7f94d91c2dab1a591996ece81de3f0e2fff2491efc66be611bd802857bb56b024240ad4026b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VU2TB.tmp\1813cdbea071efd7e0b261e0b1f47635.tmp

Filesize
711KB

MD5
478fbeed5ddcc14317065fafc3c19928

SHA1
8a680ce343453e2407444894055e9630f0c36017

SHA256
20d3b66b3d08b16204a6471c1eba6e682765a5397f33a1f4607725db3ea6cd2d

SHA512
6165a7f11184fc8cc52dbe4ed1f412895f5abc308c1b1f9c793d465ddbae4406a656127b40a15591b26fa737e5d7015c9e927fbfadb095e462d2a1cba1fa417d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VU2TB.tmp\1813cdbea071efd7e0b261e0b1f47635.tmp

Filesize
711KB

MD5
478fbeed5ddcc14317065fafc3c19928

SHA1
8a680ce343453e2407444894055e9630f0c36017

SHA256
20d3b66b3d08b16204a6471c1eba6e682765a5397f33a1f4607725db3ea6cd2d

SHA512
6165a7f11184fc8cc52dbe4ed1f412895f5abc308c1b1f9c793d465ddbae4406a656127b40a15591b26fa737e5d7015c9e927fbfadb095e462d2a1cba1fa417d

Download Submit
memory/1748-157-0x0000000000EA0000-0x0000000000FFE000-memory.dmp

Filesize
1.4MB

Download
memory/1748-194-0x0000000000EA0000-0x0000000000FFE000-memory.dmp

Filesize
1.4MB

Download
memory/1748-141-0x0000000000EA0000-0x0000000000FFE000-memory.dmp

Filesize
1.4MB

Download
memory/4828-132-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4828-145-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4828-136-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4828-195-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download