346f18681208a530b460fc9b486aa2eea2e7da0ccbdb1bc0a7df1ddb6f183dd7

General

Target

346f18681208a530b460fc9b486aa2eea2e7da0ccbdb1bc0a7df1ddb6f183dd7.exe
Size

295KB
MD5

b299959ff2c51cbcc847da1646c2f454
SHA1

6a2a34bcd9e48b93094161e5c897f6183b53f4b6
SHA256

346f18681208a530b460fc9b486aa2eea2e7da0ccbdb1bc0a7df1ddb6f183dd7
SHA512

8f8de829f86e0534c827b254bdef041e609fbc27d595bed1d0c2339bd70b38a21e8712532c50905cf436543c034a02b8b3f38e32e9c1b731561a9a5d304a52b8
SSDEEP

6144:KiGtsL8AlqNC+R+1PTG/qm/PgCnmUSFMhl46+M/oI29fKt:xGtsLXt+81PTEn/iUSFM86+rI2it

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

zeujor.exe

pid process

1488 zeujor.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1920 cmd.exe

pid	process
1920	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

346f18681208a530b460fc9b486aa2eea2e7da0ccbdb1bc0a7df1ddb6f183dd7.exe

pid	process
1696	346f18681208a530b460fc9b486aa2eea2e7da0ccbdb1bc0a7df1ddb6f183dd7.exe
1696	346f18681208a530b460fc9b486aa2eea2e7da0ccbdb1bc0a7df1ddb6f183dd7.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

zeujor.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\Currentversion\Run	zeujor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\{7B2FDFC8-3774-AD4D-C411-AE4FF0968D52} = "C:\\Users\\Admin\\AppData\\Roaming\\Aqsaug\\zeujor.exe"	zeujor.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

346f18681208a530b460fc9b486aa2eea2e7da0ccbdb1bc0a7df1ddb6f183dd7.exe

description	pid	process	target process
PID 1696 set thread context of 1920	1696	346f18681208a530b460fc9b486aa2eea2e7da0ccbdb1bc0a7df1ddb6f183dd7.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

346f18681208a530b460fc9b486aa2eea2e7da0ccbdb1bc0a7df1ddb6f183dd7.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Privacy	346f18681208a530b460fc9b486aa2eea2e7da0ccbdb1bc0a7df1ddb6f183dd7.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	346f18681208a530b460fc9b486aa2eea2e7da0ccbdb1bc0a7df1ddb6f183dd7.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

zeujor.exe

pid	process
1488	zeujor.exe
1488	zeujor.exe
1488	zeujor.exe
1488	zeujor.exe
1488	zeujor.exe
1488	zeujor.exe
1488	zeujor.exe
1488	zeujor.exe
1488	zeujor.exe
1488	zeujor.exe
1488	zeujor.exe
1488	zeujor.exe
1488	zeujor.exe
1488	zeujor.exe
1488	zeujor.exe
1488	zeujor.exe
1488	zeujor.exe
1488	zeujor.exe
1488	zeujor.exe
1488	zeujor.exe
1488	zeujor.exe
1488	zeujor.exe
1488	zeujor.exe
1488	zeujor.exe
1488	zeujor.exe
1488	zeujor.exe
1488	zeujor.exe

Suspicious use of UnmapMainImage 2 IoCs

Processes:

346f18681208a530b460fc9b486aa2eea2e7da0ccbdb1bc0a7df1ddb6f183dd7.exezeujor.exe

pid process

1696 346f18681208a530b460fc9b486aa2eea2e7da0ccbdb1bc0a7df1ddb6f183dd7.exe
1488 zeujor.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

346f18681208a530b460fc9b486aa2eea2e7da0ccbdb1bc0a7df1ddb6f183dd7.exezeujor.exe

description	pid	process	target process
PID 1696 wrote to memory of 1488	1696	346f18681208a530b460fc9b486aa2eea2e7da0ccbdb1bc0a7df1ddb6f183dd7.exe	zeujor.exe
PID 1696 wrote to memory of 1488	1696	346f18681208a530b460fc9b486aa2eea2e7da0ccbdb1bc0a7df1ddb6f183dd7.exe	zeujor.exe
PID 1696 wrote to memory of 1488	1696	346f18681208a530b460fc9b486aa2eea2e7da0ccbdb1bc0a7df1ddb6f183dd7.exe	zeujor.exe
PID 1696 wrote to memory of 1488	1696	346f18681208a530b460fc9b486aa2eea2e7da0ccbdb1bc0a7df1ddb6f183dd7.exe	zeujor.exe
PID 1488 wrote to memory of 1132	1488	zeujor.exe	taskhost.exe
PID 1488 wrote to memory of 1132	1488	zeujor.exe	taskhost.exe
PID 1488 wrote to memory of 1132	1488	zeujor.exe	taskhost.exe
PID 1488 wrote to memory of 1132	1488	zeujor.exe	taskhost.exe
PID 1488 wrote to memory of 1132	1488	zeujor.exe	taskhost.exe
PID 1488 wrote to memory of 1216	1488	zeujor.exe	Dwm.exe
PID 1488 wrote to memory of 1216	1488	zeujor.exe	Dwm.exe
PID 1488 wrote to memory of 1216	1488	zeujor.exe	Dwm.exe
PID 1488 wrote to memory of 1216	1488	zeujor.exe	Dwm.exe
PID 1488 wrote to memory of 1216	1488	zeujor.exe	Dwm.exe
PID 1488 wrote to memory of 1264	1488	zeujor.exe	Explorer.EXE
PID 1488 wrote to memory of 1264	1488	zeujor.exe	Explorer.EXE
PID 1488 wrote to memory of 1264	1488	zeujor.exe	Explorer.EXE
PID 1488 wrote to memory of 1264	1488	zeujor.exe	Explorer.EXE
PID 1488 wrote to memory of 1264	1488	zeujor.exe	Explorer.EXE
PID 1488 wrote to memory of 1696	1488	zeujor.exe	346f18681208a530b460fc9b486aa2eea2e7da0ccbdb1bc0a7df1ddb6f183dd7.exe
PID 1488 wrote to memory of 1696	1488	zeujor.exe	346f18681208a530b460fc9b486aa2eea2e7da0ccbdb1bc0a7df1ddb6f183dd7.exe
PID 1488 wrote to memory of 1696	1488	zeujor.exe	346f18681208a530b460fc9b486aa2eea2e7da0ccbdb1bc0a7df1ddb6f183dd7.exe
PID 1488 wrote to memory of 1696	1488	zeujor.exe	346f18681208a530b460fc9b486aa2eea2e7da0ccbdb1bc0a7df1ddb6f183dd7.exe
PID 1488 wrote to memory of 1696	1488	zeujor.exe	346f18681208a530b460fc9b486aa2eea2e7da0ccbdb1bc0a7df1ddb6f183dd7.exe
PID 1696 wrote to memory of 1920	1696	346f18681208a530b460fc9b486aa2eea2e7da0ccbdb1bc0a7df1ddb6f183dd7.exe	cmd.exe
PID 1696 wrote to memory of 1920	1696	346f18681208a530b460fc9b486aa2eea2e7da0ccbdb1bc0a7df1ddb6f183dd7.exe	cmd.exe
PID 1696 wrote to memory of 1920	1696	346f18681208a530b460fc9b486aa2eea2e7da0ccbdb1bc0a7df1ddb6f183dd7.exe	cmd.exe
PID 1696 wrote to memory of 1920	1696	346f18681208a530b460fc9b486aa2eea2e7da0ccbdb1bc0a7df1ddb6f183dd7.exe	cmd.exe
PID 1696 wrote to memory of 1920	1696	346f18681208a530b460fc9b486aa2eea2e7da0ccbdb1bc0a7df1ddb6f183dd7.exe	cmd.exe
PID 1696 wrote to memory of 1920	1696	346f18681208a530b460fc9b486aa2eea2e7da0ccbdb1bc0a7df1ddb6f183dd7.exe	cmd.exe
PID 1696 wrote to memory of 1920	1696	346f18681208a530b460fc9b486aa2eea2e7da0ccbdb1bc0a7df1ddb6f183dd7.exe	cmd.exe
PID 1696 wrote to memory of 1920	1696	346f18681208a530b460fc9b486aa2eea2e7da0ccbdb1bc0a7df1ddb6f183dd7.exe	cmd.exe
PID 1696 wrote to memory of 1920	1696	346f18681208a530b460fc9b486aa2eea2e7da0ccbdb1bc0a7df1ddb6f183dd7.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1264

C:\Users\Admin\AppData\Local\Temp\346f18681208a530b460fc9b486aa2eea2e7da0ccbdb1bc0a7df1ddb6f183dd7.exe
"C:\Users\Admin\AppData\Local\Temp\346f18681208a530b460fc9b486aa2eea2e7da0ccbdb1bc0a7df1ddb6f183dd7.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1696

C:\Users\Admin\AppData\Roaming\Aqsaug\zeujor.exe
"C:\Users\Admin\AppData\Roaming\Aqsaug\zeujor.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1488

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpb9bc2e55.bat"
3⤵
- Deletes itself
PID:1920

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1216

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1132

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpb9bc2e55.bat

Filesize
307B

MD5
f07e9025ec42878a0745e6c02a89fafb

SHA1
8efa98c629c2407c5d49d3dd87889d5350925f66

SHA256
3121a9546e08926829a3ada3fbf216bc706af4a18900bf8573057deddd0f7ac7

SHA512
0afdfaebeeb7ff6147b458814f0c2c7b5f2842651d0a5e12754e1b7b4da912e82562fd1318f5accc51662b6fd145eeb52899e3e5f28e110ef0e3a4c6d65574c3

Download Submit
C:\Users\Admin\AppData\Roaming\Aqsaug\zeujor.exe

Filesize
295KB

MD5
9a319e59f8abe1edf6ef73bea43babc3

SHA1
2a5a37492c01469d0c91d87ced2037652e52babb

SHA256
9ac35258a82443e75c26e08548240392f3a2be237fe444bee4ae3c592a50173b

SHA512
583634092b84de7f6d908420192e08ad2b3529be0c0ee25b6b0978e1f413fc8eaef4253daf5a8f74e5770339cdf6a01667b6b8da0e8f1eeb0e80ac18924a6c00

Download Submit
C:\Users\Admin\AppData\Roaming\Aqsaug\zeujor.exe

Filesize
295KB

MD5
9a319e59f8abe1edf6ef73bea43babc3

SHA1
2a5a37492c01469d0c91d87ced2037652e52babb

SHA256
9ac35258a82443e75c26e08548240392f3a2be237fe444bee4ae3c592a50173b

SHA512
583634092b84de7f6d908420192e08ad2b3529be0c0ee25b6b0978e1f413fc8eaef4253daf5a8f74e5770339cdf6a01667b6b8da0e8f1eeb0e80ac18924a6c00

Download Submit
\Users\Admin\AppData\Roaming\Aqsaug\zeujor.exe

Filesize
295KB

MD5
9a319e59f8abe1edf6ef73bea43babc3

SHA1
2a5a37492c01469d0c91d87ced2037652e52babb

SHA256
9ac35258a82443e75c26e08548240392f3a2be237fe444bee4ae3c592a50173b

SHA512
583634092b84de7f6d908420192e08ad2b3529be0c0ee25b6b0978e1f413fc8eaef4253daf5a8f74e5770339cdf6a01667b6b8da0e8f1eeb0e80ac18924a6c00

Download Submit
\Users\Admin\AppData\Roaming\Aqsaug\zeujor.exe

Filesize
295KB

MD5
9a319e59f8abe1edf6ef73bea43babc3

SHA1
2a5a37492c01469d0c91d87ced2037652e52babb

SHA256
9ac35258a82443e75c26e08548240392f3a2be237fe444bee4ae3c592a50173b

SHA512
583634092b84de7f6d908420192e08ad2b3529be0c0ee25b6b0978e1f413fc8eaef4253daf5a8f74e5770339cdf6a01667b6b8da0e8f1eeb0e80ac18924a6c00

Download Submit
memory/1132-69-0x0000000001B90000-0x0000000001BD4000-memory.dmp

Filesize
272KB

Download
memory/1132-70-0x0000000001B90000-0x0000000001BD4000-memory.dmp

Filesize
272KB

Download
memory/1132-68-0x0000000001B90000-0x0000000001BD4000-memory.dmp

Filesize
272KB

Download
memory/1132-66-0x0000000001B90000-0x0000000001BD4000-memory.dmp

Filesize
272KB

Download
memory/1132-71-0x0000000001B90000-0x0000000001BD4000-memory.dmp

Filesize
272KB

Download
memory/1216-76-0x0000000001E00000-0x0000000001E44000-memory.dmp

Filesize
272KB

Download
memory/1216-74-0x0000000001E00000-0x0000000001E44000-memory.dmp

Filesize
272KB

Download
memory/1216-75-0x0000000001E00000-0x0000000001E44000-memory.dmp

Filesize
272KB

Download
memory/1216-77-0x0000000001E00000-0x0000000001E44000-memory.dmp

Filesize
272KB

Download
memory/1264-80-0x0000000002710000-0x0000000002754000-memory.dmp

Filesize
272KB

Download
memory/1264-82-0x0000000002710000-0x0000000002754000-memory.dmp

Filesize
272KB

Download
memory/1264-83-0x0000000002710000-0x0000000002754000-memory.dmp

Filesize
272KB

Download
memory/1264-81-0x0000000002710000-0x0000000002754000-memory.dmp

Filesize
272KB

Download
memory/1488-92-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1488-91-0x0000000000320000-0x000000000036E000-memory.dmp

Filesize
312KB

Download
memory/1488-90-0x00000000002D0000-0x0000000000314000-memory.dmp

Filesize
272KB

Download
memory/1488-62-0x0000000000000000-mapping.dmp

Download
memory/1696-88-0x0000000001F60000-0x0000000001FA4000-memory.dmp

Filesize
272KB

Download
memory/1696-93-0x0000000001F60000-0x0000000001FAE000-memory.dmp

Filesize
312KB

Download
memory/1696-86-0x0000000001F60000-0x0000000001FA4000-memory.dmp

Filesize
272KB

Download
memory/1696-87-0x0000000001F60000-0x0000000001FA4000-memory.dmp

Filesize
272KB

Download
memory/1696-89-0x0000000001F60000-0x0000000001FA4000-memory.dmp

Filesize
272KB

Download
memory/1696-56-0x00000000002F0000-0x000000000033E000-memory.dmp

Filesize
312KB

Download
memory/1696-57-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1696-58-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1696-60-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1696-54-0x0000000076941000-0x0000000076943000-memory.dmp

Filesize
8KB

Download
memory/1696-55-0x0000000000280000-0x00000000002C4000-memory.dmp

Filesize
272KB

Download
memory/1696-104-0x0000000001F60000-0x0000000001FA4000-memory.dmp

Filesize
272KB

Download
memory/1696-103-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1696-102-0x00000000002F0000-0x000000000033E000-memory.dmp

Filesize
312KB

Download
memory/1920-101-0x0000000000074E01-mapping.dmp

Download
memory/1920-100-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1920-98-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1920-99-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1920-96-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1920-107-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads