flawedammyy | 43834f452190b6f36ce8bb603b76e44feb45761eb70eae5dee2ac8db17d560ee

Analysis

max time kernel
163s
max time network
172s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
28/11/2022, 23:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1813cdbea071efd7e0b261e0b1f47635.exe
Size

7.6MB
MD5

1813cdbea071efd7e0b261e0b1f47635
SHA1

cb7bfedfa84c2de310fdf36b6fac39c6d8a6c971
SHA256

43834f452190b6f36ce8bb603b76e44feb45761eb70eae5dee2ac8db17d560ee
SHA512

a5ac24cff7a276acc8d629dcb170c51ee8c1d65960f0fbf105a775264a63264bfb126008e5ea4daba812ef1d79881bda3e077bb1349166d474a609dd06e65b77
SSDEEP

196608:4AId0+vNSQpice0XxZcTjfKYQGj8jFDO/3V1hoGv:4zm+v9eeQjCBnjNO/FTXv

Score

10^/10

flawedammyy discovery evasion trojan upx

Malware Config

Signatures

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Executes dropped EXE 2 IoCs

pid	Process
1552	1813cdbea071efd7e0b261e0b1f47635.tmp
1172	SuporteZeus.exe

Modifies Windows Firewall 1 TTPs 2 IoCs

evasion

Modify Existing Service

T1031

pid	Process
1372	NETSH.exe
740	NETSH.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000012333-65.dat	upx
behavioral1/files/0x0008000000012333-66.dat	upx
behavioral1/files/0x0008000000012333-69.dat	upx
behavioral1/files/0x0008000000012333-71.dat	upx
behavioral1/memory/1172-76-0x0000000000FC0000-0x000000000111E000-memory.dmp	upx
behavioral1/files/0x0008000000012333-77.dat	upx
behavioral1/memory/1172-79-0x0000000000FC0000-0x000000000111E000-memory.dmp	upx

Loads dropped DLL 5 IoCs

pid	Process
1532	1813cdbea071efd7e0b261e0b1f47635.exe
1552	1813cdbea071efd7e0b261e0b1f47635.tmp
1552	1813cdbea071efd7e0b261e0b1f47635.tmp
1552	1813cdbea071efd7e0b261e0b1f47635.tmp
1552	1813cdbea071efd7e0b261e0b1f47635.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Zeus Tecnologia STI\curl\curl.exe	1813cdbea071efd7e0b261e0b1f47635.tmp
File created	C:\Program Files (x86)\Zeus Tecnologia STI\unins000.dat	1813cdbea071efd7e0b261e0b1f47635.tmp
File created	C:\Program Files (x86)\Zeus Tecnologia STI\is-JDQP0.tmp	1813cdbea071efd7e0b261e0b1f47635.tmp
File created	C:\Program Files (x86)\Zeus Tecnologia STI\is-CIF6T.tmp	1813cdbea071efd7e0b261e0b1f47635.tmp
File opened for modification	C:\Program Files (x86)\Zeus Tecnologia STI\winmgmts:\VUIIVLGQ\root\cimv2	SuporteZeus.exe
File opened for modification	C:\Program Files (x86)\Zeus Tecnologia STI\curl\libcurl.dll	1813cdbea071efd7e0b261e0b1f47635.tmp
File created	C:\Program Files (x86)\Zeus Tecnologia STI\is-C8USN.tmp	1813cdbea071efd7e0b261e0b1f47635.tmp
File created	C:\Program Files (x86)\Zeus Tecnologia STI\curl\is-P5OM1.tmp	1813cdbea071efd7e0b261e0b1f47635.tmp
File created	C:\Program Files (x86)\Zeus Tecnologia STI\curl\is-MOE8I.tmp	1813cdbea071efd7e0b261e0b1f47635.tmp
File opened for modification	C:\Program Files (x86)\Zeus Tecnologia STI\debugZT_SuporteZeus.exe.log	SuporteZeus.exe
File opened for modification	C:\Program Files (x86)\Zeus Tecnologia STI\AnyDesk.exe	1813cdbea071efd7e0b261e0b1f47635.tmp
File opened for modification	C:\Program Files (x86)\Zeus Tecnologia STI\SuporteZeus.exe	1813cdbea071efd7e0b261e0b1f47635.tmp
File created	C:\Program Files (x86)\Zeus Tecnologia STI\is-5FEDQ.tmp	1813cdbea071efd7e0b261e0b1f47635.tmp
File created	C:\Program Files (x86)\Zeus Tecnologia STI\is-HKLCA.tmp	1813cdbea071efd7e0b261e0b1f47635.tmp
File opened for modification	C:\Program Files (x86)\Zeus Tecnologia STI\unins000.dat	1813cdbea071efd7e0b261e0b1f47635.tmp
File opened for modification	C:\Program Files (x86)\Zeus Tecnologia STI\AtualizadorZeus.exe	1813cdbea071efd7e0b261e0b1f47635.tmp
File opened for modification	C:\Program Files (x86)\Zeus Tecnologia STI\VncZeusTecnologia.exe	1813cdbea071efd7e0b261e0b1f47635.tmp
File opened for modification	C:\Program Files (x86)\Zeus Tecnologia STI\GerenciadorZeus.exe	1813cdbea071efd7e0b261e0b1f47635.tmp
File created	C:\Program Files (x86)\Zeus Tecnologia STI\is-GRPA2.tmp	1813cdbea071efd7e0b261e0b1f47635.tmp
File created	C:\Program Files (x86)\Zeus Tecnologia STI\is-IE4R3.tmp	1813cdbea071efd7e0b261e0b1f47635.tmp
File created	C:\Program Files (x86)\Zeus Tecnologia STI\curl\is-K9094.tmp	1813cdbea071efd7e0b261e0b1f47635.tmp
File created	C:\Program Files (x86)\Zeus Tecnologia STI\curl\is-4I5UI.tmp	1813cdbea071efd7e0b261e0b1f47635.tmp

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
940	SC.exe
1832	SC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 3 IoCs

evasion

pid	Process
1656	taskkill.exe
572	taskkill.exe
1884	taskkill.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	SuporteZeus.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	SuporteZeus.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	SuporteZeus.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	SuporteZeus.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	SuporteZeus.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Zeus Tecnologia STI\winmgmts:\VUIIVLGQ\root\cimv2	SuporteZeus.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
1552	1813cdbea071efd7e0b261e0b1f47635.tmp
1552	1813cdbea071efd7e0b261e0b1f47635.tmp
1172	SuporteZeus.exe
1172	SuporteZeus.exe
1172	SuporteZeus.exe
1172	SuporteZeus.exe
1172	SuporteZeus.exe
1172	SuporteZeus.exe
1172	SuporteZeus.exe
1172	SuporteZeus.exe
1172	SuporteZeus.exe
1172	SuporteZeus.exe
1172	SuporteZeus.exe
1172	SuporteZeus.exe
1172	SuporteZeus.exe
1172	SuporteZeus.exe
1172	SuporteZeus.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeDebugPrivilege	1656	taskkill.exe
Token: SeDebugPrivilege	572	taskkill.exe
Token: SeDebugPrivilege	1884	taskkill.exe
Token: SeIncreaseQuotaPrivilege	2020	WMIC.exe
Token: SeSecurityPrivilege	2020	WMIC.exe
Token: SeTakeOwnershipPrivilege	2020	WMIC.exe
Token: SeLoadDriverPrivilege	2020	WMIC.exe
Token: SeSystemProfilePrivilege	2020	WMIC.exe
Token: SeSystemtimePrivilege	2020	WMIC.exe
Token: SeProfSingleProcessPrivilege	2020	WMIC.exe
Token: SeIncBasePriorityPrivilege	2020	WMIC.exe
Token: SeCreatePagefilePrivilege	2020	WMIC.exe
Token: SeBackupPrivilege	2020	WMIC.exe
Token: SeRestorePrivilege	2020	WMIC.exe
Token: SeShutdownPrivilege	2020	WMIC.exe
Token: SeDebugPrivilege	2020	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2020	WMIC.exe
Token: SeRemoteShutdownPrivilege	2020	WMIC.exe
Token: SeUndockPrivilege	2020	WMIC.exe
Token: SeManageVolumePrivilege	2020	WMIC.exe
Token: 33	2020	WMIC.exe
Token: 34	2020	WMIC.exe
Token: 35	2020	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2020	WMIC.exe
Token: SeSecurityPrivilege	2020	WMIC.exe
Token: SeTakeOwnershipPrivilege	2020	WMIC.exe
Token: SeLoadDriverPrivilege	2020	WMIC.exe
Token: SeSystemProfilePrivilege	2020	WMIC.exe
Token: SeSystemtimePrivilege	2020	WMIC.exe
Token: SeProfSingleProcessPrivilege	2020	WMIC.exe
Token: SeIncBasePriorityPrivilege	2020	WMIC.exe
Token: SeCreatePagefilePrivilege	2020	WMIC.exe
Token: SeBackupPrivilege	2020	WMIC.exe
Token: SeRestorePrivilege	2020	WMIC.exe
Token: SeShutdownPrivilege	2020	WMIC.exe
Token: SeDebugPrivilege	2020	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2020	WMIC.exe
Token: SeRemoteShutdownPrivilege	2020	WMIC.exe
Token: SeUndockPrivilege	2020	WMIC.exe
Token: SeManageVolumePrivilege	2020	WMIC.exe
Token: 33	2020	WMIC.exe
Token: 34	2020	WMIC.exe
Token: 35	2020	WMIC.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1552	1813cdbea071efd7e0b261e0b1f47635.tmp
1552	1813cdbea071efd7e0b261e0b1f47635.tmp

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1552	1813cdbea071efd7e0b261e0b1f47635.tmp

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1532 wrote to memory of 1552	1532	1813cdbea071efd7e0b261e0b1f47635.exe	28
PID 1532 wrote to memory of 1552	1532	1813cdbea071efd7e0b261e0b1f47635.exe	28
PID 1532 wrote to memory of 1552	1532	1813cdbea071efd7e0b261e0b1f47635.exe	28
PID 1532 wrote to memory of 1552	1532	1813cdbea071efd7e0b261e0b1f47635.exe	28
PID 1532 wrote to memory of 1552	1532	1813cdbea071efd7e0b261e0b1f47635.exe	28
PID 1532 wrote to memory of 1552	1532	1813cdbea071efd7e0b261e0b1f47635.exe	28
PID 1532 wrote to memory of 1552	1532	1813cdbea071efd7e0b261e0b1f47635.exe	28
PID 1552 wrote to memory of 1172	1552	1813cdbea071efd7e0b261e0b1f47635.tmp	29
PID 1552 wrote to memory of 1172	1552	1813cdbea071efd7e0b261e0b1f47635.tmp	29
PID 1552 wrote to memory of 1172	1552	1813cdbea071efd7e0b261e0b1f47635.tmp	29
PID 1552 wrote to memory of 1172	1552	1813cdbea071efd7e0b261e0b1f47635.tmp	29
PID 1172 wrote to memory of 940	1172	SuporteZeus.exe	33
PID 1172 wrote to memory of 940	1172	SuporteZeus.exe	33
PID 1172 wrote to memory of 940	1172	SuporteZeus.exe	33
PID 1172 wrote to memory of 940	1172	SuporteZeus.exe	33
PID 1172 wrote to memory of 1712	1172	SuporteZeus.exe	35
PID 1172 wrote to memory of 1712	1172	SuporteZeus.exe	35
PID 1172 wrote to memory of 1712	1172	SuporteZeus.exe	35
PID 1172 wrote to memory of 1712	1172	SuporteZeus.exe	35
PID 1172 wrote to memory of 1752	1172	SuporteZeus.exe	37
PID 1172 wrote to memory of 1752	1172	SuporteZeus.exe	37
PID 1172 wrote to memory of 1752	1172	SuporteZeus.exe	37
PID 1172 wrote to memory of 1752	1172	SuporteZeus.exe	37
PID 1172 wrote to memory of 1428	1172	SuporteZeus.exe	39
PID 1172 wrote to memory of 1428	1172	SuporteZeus.exe	39
PID 1172 wrote to memory of 1428	1172	SuporteZeus.exe	39
PID 1172 wrote to memory of 1428	1172	SuporteZeus.exe	39
PID 1172 wrote to memory of 1716	1172	SuporteZeus.exe	41
PID 1172 wrote to memory of 1716	1172	SuporteZeus.exe	41
PID 1172 wrote to memory of 1716	1172	SuporteZeus.exe	41
PID 1172 wrote to memory of 1716	1172	SuporteZeus.exe	41
PID 1172 wrote to memory of 1876	1172	SuporteZeus.exe	43
PID 1172 wrote to memory of 1876	1172	SuporteZeus.exe	43
PID 1172 wrote to memory of 1876	1172	SuporteZeus.exe	43
PID 1172 wrote to memory of 1876	1172	SuporteZeus.exe	43
PID 1172 wrote to memory of 1300	1172	SuporteZeus.exe	45
PID 1172 wrote to memory of 1300	1172	SuporteZeus.exe	45
PID 1172 wrote to memory of 1300	1172	SuporteZeus.exe	45
PID 1172 wrote to memory of 1300	1172	SuporteZeus.exe	45
PID 1172 wrote to memory of 1636	1172	SuporteZeus.exe	47
PID 1172 wrote to memory of 1636	1172	SuporteZeus.exe	47
PID 1172 wrote to memory of 1636	1172	SuporteZeus.exe	47
PID 1172 wrote to memory of 1636	1172	SuporteZeus.exe	47
PID 1172 wrote to memory of 748	1172	SuporteZeus.exe	49
PID 1172 wrote to memory of 748	1172	SuporteZeus.exe	49
PID 1172 wrote to memory of 748	1172	SuporteZeus.exe	49
PID 1172 wrote to memory of 748	1172	SuporteZeus.exe	49
PID 1172 wrote to memory of 1372	1172	SuporteZeus.exe	51
PID 1172 wrote to memory of 1372	1172	SuporteZeus.exe	51
PID 1172 wrote to memory of 1372	1172	SuporteZeus.exe	51
PID 1172 wrote to memory of 1372	1172	SuporteZeus.exe	51
PID 1172 wrote to memory of 740	1172	SuporteZeus.exe	53
PID 1172 wrote to memory of 740	1172	SuporteZeus.exe	53
PID 1172 wrote to memory of 740	1172	SuporteZeus.exe	53
PID 1172 wrote to memory of 740	1172	SuporteZeus.exe	53
PID 1172 wrote to memory of 1656	1172	SuporteZeus.exe	55
PID 1172 wrote to memory of 1656	1172	SuporteZeus.exe	55
PID 1172 wrote to memory of 1656	1172	SuporteZeus.exe	55
PID 1172 wrote to memory of 1656	1172	SuporteZeus.exe	55
PID 1172 wrote to memory of 572	1172	SuporteZeus.exe	58
PID 1172 wrote to memory of 572	1172	SuporteZeus.exe	58
PID 1172 wrote to memory of 572	1172	SuporteZeus.exe	58
PID 1172 wrote to memory of 572	1172	SuporteZeus.exe	58
PID 1172 wrote to memory of 1884	1172	SuporteZeus.exe	60

C:\Users\Admin\AppData\Local\Temp\1813cdbea071efd7e0b261e0b1f47635.exe
"C:\Users\Admin\AppData\Local\Temp\1813cdbea071efd7e0b261e0b1f47635.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1532
- C:\Users\Admin\AppData\Local\Temp\is-6LS01.tmp\1813cdbea071efd7e0b261e0b1f47635.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-6LS01.tmp\1813cdbea071efd7e0b261e0b1f47635.tmp" /SL5="$80124,7763926,67584,C:\Users\Admin\AppData\Local\Temp\1813cdbea071efd7e0b261e0b1f47635.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1552
- - C:\Program Files (x86)\Zeus Tecnologia STI\SuporteZeus.exe
    "C:\Program Files (x86)\Zeus Tecnologia STI\SuporteZeus.exe" -STIconfig
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Modifies system certificate store
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1172
  - - C:\Windows\SysWOW64\SC.exe
      SC stop "AmmyyAdmin"
      4⤵
      Launches sc.exe
      PID:940
  - - C:\Windows\SysWOW64\SCHTASKS.exe
      SCHTASKS /End /TN ZeusTecSTI
      4⤵
      PID:1712
  - - C:\Windows\SysWOW64\SCHTASKS.exe
      SCHTASKS /End /TN ZeusTecSTI
      4⤵
      PID:1752
  - - C:\Windows\SysWOW64\SCHTASKS.exe
      SCHTASKS /End /TN ZeusTecnologia\ZeusTecSTI
      4⤵
      PID:1428
  - - C:\Windows\SysWOW64\SCHTASKS.exe
      SCHTASKS /End /TN ZeusTecnologia\ZeusTecINV
      4⤵
      PID:1716
  - - C:\Windows\SysWOW64\SCHTASKS.exe
      SCHTASKS /delete /F /TN "Zeus Tecnologia STI"
      4⤵
      PID:1876
  - - C:\Windows\SysWOW64\SCHTASKS.exe
      SCHTASKS /delete /F /TN ZeusTecSTI
      4⤵
      PID:1300
  - - C:\Windows\SysWOW64\SCHTASKS.exe
      SCHTASKS /delete /F /TN ZeusTecnologia\ZeusTecINV
      4⤵
      PID:1636
  - - C:\Windows\SysWOW64\SCHTASKS.exe
      SCHTASKS /delete /F /TN ZeusTecnologia\ZeusTecSTI
      4⤵
      PID:748
  - - C:\Windows\SysWOW64\NETSH.exe
      NETSH advfirewall firewall delete rule name="ZeusAtualiza"
      4⤵
      Modifies Windows Firewall
      PID:1372
  - - C:\Windows\SysWOW64\NETSH.exe
      NETSH advfirewall firewall delete rule name="ZeusAmmyyAdm"
      4⤵
      Modifies Windows Firewall
      PID:740
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill -f -im AmmyyAdmin.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1656
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill -f -im AtualizadorZeus.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:572
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill -f -im gerenciadorZeus.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1884
  - - C:\Windows\SysWOW64\SC.exe
      SC delete "AmmyyAdmin"
      4⤵
      Launches sc.exe
      PID:1832
  - - C:\Windows\SysWOW64\NET.exe
      NET USER "zeustec" /ADD
      4⤵
      PID:1808
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 USER "zeustec" /ADD
        5⤵
        
        PID:1192
  - - C:\Windows\SysWOW64\NET.exe
      NET USER "zeustec" "Zeus!2125"
      4⤵
      PID:240
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 USER "zeustec" "Zeus!2125"
        5⤵
        
        PID:1688
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      WMIC USERACCOUNT WHERE "Name='zeustec' and Domain='VUIIVLGQ'" SET PasswordExpires=FALSE
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2020
  - - C:\Windows\SysWOW64\net.exe
      net users zeustec /fullname:"ZeusTecnologia"
      4⤵
      PID:896
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 users zeustec /fullname:"ZeusTecnologia"
        5⤵
        
        PID:432
  - - C:\Windows\SysWOW64\NET.exe
      NET LOCALGROUP "Administrators" "zeustec" /ADD
      4⤵
      PID:1008
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 LOCALGROUP "Administrators" "zeustec" /ADD
        5⤵
        
        PID:1628

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Account Manipulation

T1098

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Account Manipulation

T1098

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Zeus Tecnologia STI\SuporteZeus.exe

Filesize
610KB

MD5
f07db1e2a512171311f40d080034ba01

SHA1
2296ad3bc8807dfa775d43d58c8d3b52d19dd7e2

SHA256
f3e997e126aaec0734a6f2a5d68e3d3ec58cc863705cc3991989cc8183af283e

SHA512
a8e4e28ff8332bc84471f1dfd02a9c519eda796196d4ce143bd3a7f94d91c2dab1a591996ece81de3f0e2fff2491efc66be611bd802857bb56b024240ad4026b

Download Submit
C:\Program Files (x86)\Zeus Tecnologia STI\SuporteZeus.exe

Filesize
610KB

MD5
f07db1e2a512171311f40d080034ba01

SHA1
2296ad3bc8807dfa775d43d58c8d3b52d19dd7e2

SHA256
f3e997e126aaec0734a6f2a5d68e3d3ec58cc863705cc3991989cc8183af283e

SHA512
a8e4e28ff8332bc84471f1dfd02a9c519eda796196d4ce143bd3a7f94d91c2dab1a591996ece81de3f0e2fff2491efc66be611bd802857bb56b024240ad4026b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-6LS01.tmp\1813cdbea071efd7e0b261e0b1f47635.tmp

Filesize
711KB

MD5
478fbeed5ddcc14317065fafc3c19928

SHA1
8a680ce343453e2407444894055e9630f0c36017

SHA256
20d3b66b3d08b16204a6471c1eba6e682765a5397f33a1f4607725db3ea6cd2d

SHA512
6165a7f11184fc8cc52dbe4ed1f412895f5abc308c1b1f9c793d465ddbae4406a656127b40a15591b26fa737e5d7015c9e927fbfadb095e462d2a1cba1fa417d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-6LS01.tmp\1813cdbea071efd7e0b261e0b1f47635.tmp

Filesize
711KB

MD5
478fbeed5ddcc14317065fafc3c19928

SHA1
8a680ce343453e2407444894055e9630f0c36017

SHA256
20d3b66b3d08b16204a6471c1eba6e682765a5397f33a1f4607725db3ea6cd2d

SHA512
6165a7f11184fc8cc52dbe4ed1f412895f5abc308c1b1f9c793d465ddbae4406a656127b40a15591b26fa737e5d7015c9e927fbfadb095e462d2a1cba1fa417d

Download Submit
\Program Files (x86)\Zeus Tecnologia STI\GerenciadorZeus.exe

Filesize
1.1MB

MD5
8d79a74e9577d4d1a42e9a0e76033e4c

SHA1
795b91dafd2b16847cb393d98f419bdd9e48fdf3

SHA256
1ad012e6a910a80338958b2ad90d1cbd2ca1355f15021b205be23715474530d0

SHA512
e411eef003131660b87b978bbd778b9e3dc86537b4d0c2f529ec9e5e26c8bb7760dd62352ca55d9fbf874718cedcb7c7726f11e0b26a31ab5698e5fba051be2b

Download Submit
\Program Files (x86)\Zeus Tecnologia STI\SuporteZeus.exe

Filesize
610KB

MD5
f07db1e2a512171311f40d080034ba01

SHA1
2296ad3bc8807dfa775d43d58c8d3b52d19dd7e2

SHA256
f3e997e126aaec0734a6f2a5d68e3d3ec58cc863705cc3991989cc8183af283e

SHA512
a8e4e28ff8332bc84471f1dfd02a9c519eda796196d4ce143bd3a7f94d91c2dab1a591996ece81de3f0e2fff2491efc66be611bd802857bb56b024240ad4026b

Download Submit
\Program Files (x86)\Zeus Tecnologia STI\SuporteZeus.exe

Filesize
610KB

MD5
f07db1e2a512171311f40d080034ba01

SHA1
2296ad3bc8807dfa775d43d58c8d3b52d19dd7e2

SHA256
f3e997e126aaec0734a6f2a5d68e3d3ec58cc863705cc3991989cc8183af283e

SHA512
a8e4e28ff8332bc84471f1dfd02a9c519eda796196d4ce143bd3a7f94d91c2dab1a591996ece81de3f0e2fff2491efc66be611bd802857bb56b024240ad4026b

Download Submit
\Program Files (x86)\Zeus Tecnologia STI\SuporteZeus.exe

Filesize
610KB

MD5
f07db1e2a512171311f40d080034ba01

SHA1
2296ad3bc8807dfa775d43d58c8d3b52d19dd7e2

SHA256
f3e997e126aaec0734a6f2a5d68e3d3ec58cc863705cc3991989cc8183af283e

SHA512
a8e4e28ff8332bc84471f1dfd02a9c519eda796196d4ce143bd3a7f94d91c2dab1a591996ece81de3f0e2fff2491efc66be611bd802857bb56b024240ad4026b

Download Submit
\Users\Admin\AppData\Local\Temp\is-6LS01.tmp\1813cdbea071efd7e0b261e0b1f47635.tmp

Filesize
711KB

MD5
478fbeed5ddcc14317065fafc3c19928

SHA1
8a680ce343453e2407444894055e9630f0c36017

SHA256
20d3b66b3d08b16204a6471c1eba6e682765a5397f33a1f4607725db3ea6cd2d

SHA512
6165a7f11184fc8cc52dbe4ed1f412895f5abc308c1b1f9c793d465ddbae4406a656127b40a15591b26fa737e5d7015c9e927fbfadb095e462d2a1cba1fa417d

Download Submit
memory/1172-79-0x0000000000FC0000-0x000000000111E000-memory.dmp

Filesize
1.4MB

Download
memory/1172-76-0x0000000000FC0000-0x000000000111E000-memory.dmp

Filesize
1.4MB

Download
memory/1532-54-0x0000000075C81000-0x0000000075C83000-memory.dmp

Filesize
8KB

Download
memory/1532-55-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1532-61-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1552-67-0x00000000021E0000-0x00000000021F0000-memory.dmp

Filesize
64KB

Download
memory/1552-62-0x00000000743E1000-0x00000000743E3000-memory.dmp

Filesize
8KB

Download
memory/1552-74-0x00000000021E0000-0x00000000021F0000-memory.dmp

Filesize
64KB

Download
memory/1552-78-0x0000000003C00000-0x0000000003D5E000-memory.dmp

Filesize
1.4MB

Download
memory/1552-75-0x0000000003C00000-0x0000000003D5E000-memory.dmp

Filesize
1.4MB

Download
memory/1552-68-0x00000000021E0000-0x00000000021F0000-memory.dmp

Filesize
64KB

Download
memory/1552-73-0x00000000021E0000-0x00000000021F0000-memory.dmp

Filesize
64KB

Download