Overview

overview

7

Static

static

7

Zeus 0.2.exe

windows7-x64

7

Zeus 0.2.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-03-2023 00:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Zeus 0.2.exe

  • Size

    18.2MB

  • MD5

    1e97f6146a4c217ec9a28bfaee9fea07

  • SHA1

    6d3c051502dd24e6ff671dea5e973eb08108c3f6

  • SHA256

    72f4ad18fe9b73073d10ea4b8efea0f0f9c148e823388dc7fda4677b28a5dc69

  • SHA512

    4bf7846b8bc33a7444b5db464be85f593432dd8578cedeb332227e4b746ee67160f0dda57dc7c637c79da060cfa2a4a445d296ea6f3c7ad9a7fb851966fc081e

  • SSDEEP

    393216:aGpv+yh9ROf731uB74xoB+yyBhQFMgqS0XvZSVP0Feh1Kc:7vl473C4okPLQCgpIY1yc

Score
7/10
vmprotect

Malware Config

Signatures

  • .NET Reactor proctector 1 IoCs

    Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

  • VMProtect packed file 1 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 42 IoCs
  • Suspicious use of SendNotifyMessage 41 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Zeus 0.2.exe
    "C:\Users\Admin\AppData\Local\Temp\Zeus 0.2.exe"
    1⤵
      PID:4468
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /7
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4200

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    Peripheral Device Discovery

    1
    T1120

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/4200-149-0x0000028E3E3E0000-0x0000028E3E3E1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4200-141-0x0000028E3E3E0000-0x0000028E3E3E1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4200-142-0x0000028E3E3E0000-0x0000028E3E3E1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4200-151-0x0000028E3E3E0000-0x0000028E3E3E1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4200-143-0x0000028E3E3E0000-0x0000028E3E3E1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4200-153-0x0000028E3E3E0000-0x0000028E3E3E1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4200-152-0x0000028E3E3E0000-0x0000028E3E3E1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4200-147-0x0000028E3E3E0000-0x0000028E3E3E1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4200-150-0x0000028E3E3E0000-0x0000028E3E3E1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4200-148-0x0000028E3E3E0000-0x0000028E3E3E1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4468-138-0x0000000007F20000-0x0000000007F2A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/4468-137-0x0000000007D90000-0x0000000007E22000-memory.dmp
      Filesize

      584KB

      Download
    • memory/4468-133-0x00000000003E0000-0x00000000027E6000-memory.dmp
      Filesize

      36.0MB

      Download
    • memory/4468-135-0x00000000072B0000-0x00000000072C0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4468-139-0x00000000072B0000-0x00000000072C0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4468-134-0x0000000004BF0000-0x0000000004BF1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4468-136-0x00000000082A0000-0x0000000008844000-memory.dmp
      Filesize

      5.6MB

      Download