Overview

overview

9

Static

static

7

ZEUS SOFTA...ce.exe

windows7-x64

9

ZEUS SOFTA...ce.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    19-09-2024 05:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ZEUS SOFTAIM!/RUN AS ADMIN/tranquil_radiance.exe

  • Size

    5.2MB

  • MD5

    5ed21aff5b09ec48e44a750e0abf4423

  • SHA1

    e83f10d045d00a18d17aeedb2b1901d223b9a00b

  • SHA256

    41e39eed1a999c27b61b2a9297ee969026fe9c5d7051c44c863a3bbafd07d4c5

  • SHA512

    418d26effcd36fb8fdb89e2a0dbe9e3f4cef52d67aa4de6cad2cf94a2f4cda0bd8fc896de81edd0e361938ee0ab899c70656d750e9d4e49aebeabc684909d646

  • SSDEEP

    98304:SuRHzIKiG/WxSFN0kqLto3Zt0z7QpU7kh2AOn6jz1PTMyCbj2:SczIKiGRD3b0z7QciZjpgy

Score
9/10
discoveryevasionthemidatrojan

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Themida packer 10 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Kills process with taskkill 3 IoCs
    evasion
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 25 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 41 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ZEUS SOFTAIM!\RUN AS ADMIN\tranquil_radiance.exe
    "C:\Users\Admin\AppData\Local\Temp\ZEUS SOFTAIM!\RUN AS ADMIN\tranquil_radiance.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2084
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2372
      • C:\Windows\system32\taskkill.exe
        taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2748
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start "" "C:\Users\Admin\AppData\Local\Temp\frAQBc8Wsa.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2688
      • C:\Users\Admin\AppData\Local\Temp\frAQBc8Wsa.exe
        "C:\Users\Admin\AppData\Local\Temp\frAQBc8Wsa.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        • Suspicious use of WriteProcessMemory
        PID:2764
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 532
          4⤵
          • Loads dropped DLL
          • Program crash
          PID:2924
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\ZEUS SOFTAIM!\RUN AS ADMIN\tranquil_radiance.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2752
      • C:\Windows\system32\certutil.exe
        certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\ZEUS SOFTAIM!\RUN AS ADMIN\tranquil_radiance.exe" MD5
        3⤵
          PID:2844
        • C:\Windows\system32\find.exe
          find /i /v "md5"
          3⤵
            PID:2836
          • C:\Windows\system32\find.exe
            find /i /v "certutil"
            3⤵
              PID:2992
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:2588
            • C:\Windows\system32\taskkill.exe
              taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
              3⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:1328
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:2188
            • C:\Windows\system32\taskkill.exe
              taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
              3⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:2072

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\frAQBc8Wsa.exe
          Filesize

          11KB

          MD5

          599f14dd53faa32fefa3e2751aea1e1a

          SHA1

          c44aa18d9f8b150e7ae42193c1f1aefb36d91a3c

          SHA256

          d5996d0593c9fc0eac1fdc1da4be692f9ee0103b1151b43f71091679b2d6429f

          SHA512

          cf0bdc2edc089d6ba6ef4bdd694c301b40d39bb2a672524ac4695c1e86f29188965d6cd53fa6d290f90800b285353729517c4990a05340330f2f03855cdccc26

          Download Submit

        • memory/2084-3-0x000000013F300000-0x000000014005C000-memory.dmp

          Filesize

          13.4MB

          Download

        • memory/2084-2-0x000000013F300000-0x000000014005C000-memory.dmp

          Filesize

          13.4MB

          Download

        • memory/2084-0-0x000000013F300000-0x000000014005C000-memory.dmp

          Filesize

          13.4MB

          Download

        • memory/2084-5-0x000000013F300000-0x000000014005C000-memory.dmp

          Filesize

          13.4MB

          Download

        • memory/2084-4-0x000000013F300000-0x000000014005C000-memory.dmp

          Filesize

          13.4MB

          Download

        • memory/2084-7-0x000000013F300000-0x000000014005C000-memory.dmp

          Filesize

          13.4MB

          Download

        • memory/2084-8-0x000000013F300000-0x000000014005C000-memory.dmp

          Filesize

          13.4MB

          Download

        • memory/2084-6-0x000000013F300000-0x000000014005C000-memory.dmp

          Filesize

          13.4MB

          Download

        • memory/2084-1-0x0000000077AA0000-0x0000000077AA2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/2084-9-0x000000013F300000-0x000000014005C000-memory.dmp

          Filesize

          13.4MB

          Download

        • memory/2084-15-0x000000013F300000-0x000000014005C000-memory.dmp

          Filesize

          13.4MB

          Download

        • memory/2764-13-0x0000000000120000-0x000000000012A000-memory.dmp

          Filesize

          40KB

          Download