b22faeb398c9a267f7da7e57c61edcbf119dc4a00a2abd24fcffeb14a73ecc46

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
09/08/2024, 22:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Zeus_V2.lordly.ir/Zeus V2.exe
Size

244KB
MD5

422cd67007836b2208978d62f578c875
SHA1

102d17b69814d5113ad05b117c223486894b50fa
SHA256

29c5548ecca81adf8049b448dd179b4279407e478fa1097c8565d813f09d03a9
SHA512

8892f2b3e9d830b619bbc94782ea4edcda79cba56fe5f0ba5babf8d5efed82d35fb03675c8a60222099fb9340d7a3f37c07afa7ebd122c73d48a752d31ec1048
SSDEEP

3072:Ssjk1VADHICXt0+ULrLcnXPkUdfsmB//elAfAurssbm6FxPnzDUGpFCJl0xYrVri:SqFosE3mB//elAfTr

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Zeus V2.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{439B05E2-2361-4B78-9C8E-AD86C8A9D0FA}\ProxyStubClsid32	Zeus V2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{794FE7F3-607F-4F4C-87D0-3FFADEF83DC8}\InprocServer32	Zeus V2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{794FE7F3-607F-4F4C-87D0-3FFADEF83DC8}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	Zeus V2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{439B05E2-2361-4B78-9C8E-AD86C8A9D0FA}\TypeLib	Zeus V2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{93019C16-6A9D-4E32-A995-8B9C1D41D5FE}\1.0\HELPDIR	Zeus V2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{93019C16-6A9D-4E32-A995-8B9C1D41D5FE}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Zeus_V2.lordly.ir"	Zeus V2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CD438BA1-36F0-4B76-B7DB-F92C7DBEB21F}\TypeLib	Zeus V2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CD438BA1-36F0-4B76-B7DB-F92C7DBEB21F}\TypeLib\ = "{93019C16-6A9D-4E32-A995-8B9C1D41D5FE}"	Zeus V2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CD438BA1-36F0-4B76-B7DB-F92C7DBEB21F}\TypeLib\Version = "1.0"	Zeus V2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CD438BA1-36F0-4B76-B7DB-F92C7DBEB21F}\ProxyStubClsid32	Zeus V2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CD438BA1-36F0-4B76-B7DB-F92C7DBEB21F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Zeus V2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{794FE7F3-607F-4F4C-87D0-3FFADEF83DC8}\Control\	Zeus V2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{794FE7F3-607F-4F4C-87D0-3FFADEF83DC8}\MiscStatus\ = "0"	Zeus V2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{794FE7F3-607F-4F4C-87D0-3FFADEF83DC8}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}	Zeus V2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CD438BA1-36F0-4B76-B7DB-F92C7DBEB21F}\ProxyStubClsid32	Zeus V2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{439B05E2-2361-4B78-9C8E-AD86C8A9D0FA}\TypeLib\ = "{93019C16-6A9D-4E32-A995-8B9C1D41D5FE}"	Zeus V2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\prjChameleon.chameleonButton\ = "prjChameleon.chameleonButton"	Zeus V2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{794FE7F3-607F-4F4C-87D0-3FFADEF83DC8}	Zeus V2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CD438BA1-36F0-4B76-B7DB-F92C7DBEB21F}\ProxyStubClsid	Zeus V2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{93019C16-6A9D-4E32-A995-8B9C1D41D5FE}	Zeus V2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{93019C16-6A9D-4E32-A995-8B9C1D41D5FE}\1.0\0\win32	Zeus V2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{439B05E2-2361-4B78-9C8E-AD86C8A9D0FA}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	Zeus V2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{794FE7F3-607F-4F4C-87D0-3FFADEF83DC8}\MiscStatus	Zeus V2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{93019C16-6A9D-4E32-A995-8B9C1D41D5FE}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Zeus_V2.lordly.ir\\prjChameleon.ocx"	Zeus V2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{439B05E2-2361-4B78-9C8E-AD86C8A9D0FA}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	Zeus V2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{439B05E2-2361-4B78-9C8E-AD86C8A9D0FA}\TypeLib\ = "{93019C16-6A9D-4E32-A995-8B9C1D41D5FE}"	Zeus V2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{794FE7F3-607F-4F4C-87D0-3FFADEF83DC8}\ = "prjChameleon.chameleonButton"	Zeus V2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{794FE7F3-607F-4F4C-87D0-3FFADEF83DC8}\ToolboxBitmap32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Zeus_V2.lordly.ir\\prjChameleon.ocx, 30000"	Zeus V2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{439B05E2-2361-4B78-9C8E-AD86C8A9D0FA}\TypeLib\Version = "1.0"	Zeus V2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{794FE7F3-607F-4F4C-87D0-3FFADEF83DC8}\ProgID\ = "prjChameleon.chameleonButton"	Zeus V2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CD438BA1-36F0-4B76-B7DB-F92C7DBEB21F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Zeus V2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CD438BA1-36F0-4B76-B7DB-F92C7DBEB21F}\TypeLib\Version = "1.0"	Zeus V2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{794FE7F3-607F-4F4C-87D0-3FFADEF83DC8}\ProgID	Zeus V2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{794FE7F3-607F-4F4C-87D0-3FFADEF83DC8}\VERSION\ = "1.0"	Zeus V2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{93019C16-6A9D-4E32-A995-8B9C1D41D5FE}\1.0\FLAGS	Zeus V2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CD438BA1-36F0-4B76-B7DB-F92C7DBEB21F}\ = "_chameleonButton"	Zeus V2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{439B05E2-2361-4B78-9C8E-AD86C8A9D0FA}	Zeus V2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\prjChameleon.chameleonButton\Clsid	Zeus V2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{93019C16-6A9D-4E32-A995-8B9C1D41D5FE}\1.0\0	Zeus V2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{794FE7F3-607F-4F4C-87D0-3FFADEF83DC8}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}	Zeus V2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{93019C16-6A9D-4E32-A995-8B9C1D41D5FE}\1.0	Zeus V2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{93019C16-6A9D-4E32-A995-8B9C1D41D5FE}\1.0\FLAGS\ = "2"	Zeus V2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CD438BA1-36F0-4B76-B7DB-F92C7DBEB21F}	Zeus V2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{439B05E2-2361-4B78-9C8E-AD86C8A9D0FA}	Zeus V2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{439B05E2-2361-4B78-9C8E-AD86C8A9D0FA}\TypeLib	Zeus V2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{794FE7F3-607F-4F4C-87D0-3FFADEF83DC8}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Zeus_V2.lordly.ir\\prjChameleon.ocx"	Zeus V2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CD438BA1-36F0-4B76-B7DB-F92C7DBEB21F}\ = "chameleonButton"	Zeus V2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{93019C16-6A9D-4E32-A995-8B9C1D41D5FE}\1.0\ = "prjChameleon"	Zeus V2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CD438BA1-36F0-4B76-B7DB-F92C7DBEB21F}\TypeLib\ = "{93019C16-6A9D-4E32-A995-8B9C1D41D5FE}"	Zeus V2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\prjChameleon.chameleonButton	Zeus V2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{439B05E2-2361-4B78-9C8E-AD86C8A9D0FA}\ProxyStubClsid\ = "{00020420-0000-0000-C000-000000000046}"	Zeus V2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{794FE7F3-607F-4F4C-87D0-3FFADEF83DC8}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}	Zeus V2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{439B05E2-2361-4B78-9C8E-AD86C8A9D0FA}\ = "__chameleonButton"	Zeus V2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{794FE7F3-607F-4F4C-87D0-3FFADEF83DC8}\Control	Zeus V2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{794FE7F3-607F-4F4C-87D0-3FFADEF83DC8}\ToolboxBitmap32	Zeus V2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{439B05E2-2361-4B78-9C8E-AD86C8A9D0FA}\ = "chameleonButton"	Zeus V2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{794FE7F3-607F-4F4C-87D0-3FFADEF83DC8}\Implemented Categories	Zeus V2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{794FE7F3-607F-4F4C-87D0-3FFADEF83DC8}\MiscStatus\1\ = "135569"	Zeus V2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{794FE7F3-607F-4F4C-87D0-3FFADEF83DC8}\TypeLib\ = "{93019C16-6A9D-4E32-A995-8B9C1D41D5FE}"	Zeus V2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{794FE7F3-607F-4F4C-87D0-3FFADEF83DC8}\VERSION	Zeus V2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CD438BA1-36F0-4B76-B7DB-F92C7DBEB21F}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	Zeus V2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CD438BA1-36F0-4B76-B7DB-F92C7DBEB21F}	Zeus V2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\prjChameleon.chameleonButton\Clsid\ = "{794FE7F3-607F-4F4C-87D0-3FFADEF83DC8}"	Zeus V2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{439B05E2-2361-4B78-9C8E-AD86C8A9D0FA}\ProxyStubClsid	Zeus V2.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3052	Zeus V2.exe
3052	Zeus V2.exe

C:\Users\Admin\AppData\Local\Temp\Zeus_V2.lordly.ir\Zeus V2.exe
"C:\Users\Admin\AppData\Local\Temp\Zeus_V2.lordly.ir\Zeus V2.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads