Analysis Overview
SHA256
8e96c53eea3cbb5be49dcafc17f3d9e20dba6ca88772c9ee24f3f3a02c7ca251
Threat Level: Shows suspicious behavior
The file Zeus V3.exe was found to show suspicious behavior.
Malicious Activity Summary
.NET Reactor protector
VMProtect packed file
Obfuscated with Agile.Net obfuscator
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-21 02:02
Signatures
.NET Reactor protector
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-21 02:02
Reported
2024-09-21 02:02
Platform
win10v2004-20240802-en
Max time kernel
22s
Max time network
25s
Command Line
Signatures
.NET Reactor protector
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Zeus V3.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Zeus V3.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Zeus V3.exe
"C:\Users\Admin\AppData\Local\Temp\Zeus V3.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | budxk2uggn72ultkzpcd-mysql.services.clever-cloud.com | udp |
| FR | 91.208.207.227:21449 | budxk2uggn72ultkzpcd-mysql.services.clever-cloud.com | tcp |
| US | 8.8.8.8:53 | 227.207.208.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
Files
memory/2316-0-0x00000000750DE000-0x00000000750DF000-memory.dmp
memory/2316-1-0x0000000000BE0000-0x00000000063BE000-memory.dmp
memory/2316-2-0x00000000750D0000-0x0000000075880000-memory.dmp
memory/2316-3-0x00000000750D0000-0x0000000075880000-memory.dmp
memory/2316-4-0x00000000750D0000-0x0000000075880000-memory.dmp
memory/2316-5-0x00000000750D0000-0x0000000075880000-memory.dmp
memory/2316-6-0x00000000750D0000-0x0000000075880000-memory.dmp
memory/2316-7-0x000000000B450000-0x000000000C9CC000-memory.dmp
memory/2316-8-0x00000000117B0000-0x0000000011D54000-memory.dmp
memory/2316-9-0x000000000CB90000-0x000000000CC22000-memory.dmp
memory/2316-10-0x000000000CB50000-0x000000000CB5A000-memory.dmp
memory/2316-11-0x0000000018D60000-0x000000001A6EE000-memory.dmp
memory/2316-13-0x000000000CC30000-0x000000000CC50000-memory.dmp
memory/2316-12-0x000000000CB60000-0x000000000CB80000-memory.dmp
memory/2316-15-0x000000000CC80000-0x000000000CC94000-memory.dmp
memory/2316-16-0x000000000CCA0000-0x000000000CCBE000-memory.dmp
memory/2316-14-0x000000000CC70000-0x000000000CC7E000-memory.dmp
memory/2316-17-0x000000000EF50000-0x000000000F09E000-memory.dmp
memory/2316-18-0x00000000750DE000-0x00000000750DF000-memory.dmp
memory/2316-19-0x000000000F0E0000-0x000000000F0E6000-memory.dmp
memory/2316-20-0x000000001F2C0000-0x000000001F362000-memory.dmp
memory/2316-21-0x00000000750D0000-0x0000000075880000-memory.dmp
memory/2316-22-0x000000001F360000-0x000000001F6B4000-memory.dmp
memory/2316-23-0x000000001F700000-0x000000001F74C000-memory.dmp
memory/2316-24-0x000000001D050000-0x000000001D05A000-memory.dmp
memory/2316-25-0x000000001D010000-0x000000001D036000-memory.dmp
memory/2316-26-0x000000001D4B0000-0x000000001D4DC000-memory.dmp
memory/2316-27-0x000000001D040000-0x000000001D048000-memory.dmp
memory/2316-28-0x000000001F9F0000-0x000000001FA2C000-memory.dmp
memory/2316-29-0x000000001F9C0000-0x000000001F9E1000-memory.dmp
memory/2316-30-0x000000001FA80000-0x000000001FA8A000-memory.dmp
memory/2316-33-0x00000000750D0000-0x0000000075880000-memory.dmp
memory/2316-34-0x00000000750D0000-0x0000000075880000-memory.dmp
memory/2316-35-0x00000000750D0000-0x0000000075880000-memory.dmp
memory/2316-36-0x000000000CE80000-0x000000000CEE6000-memory.dmp
memory/2316-37-0x000000000CEF0000-0x000000000CF12000-memory.dmp
memory/2316-38-0x00000000750D0000-0x0000000075880000-memory.dmp
memory/2316-39-0x00000000750D0000-0x0000000075880000-memory.dmp
memory/2316-41-0x00000000750D0000-0x0000000075880000-memory.dmp