f045bc5b371055bad897b604d5562529e2db65dfd207fa32ad398bc5d324efe9 | Triage

Analysis

max time kernel
127s
max time network
128s
platform
windows10_x64
resource
win10
submitted
10-07-2020 12:11

Sharing

Report Analysis Logs

General

Target

SecuriteInfo.com.Trojan.Zadved.1610.16777.12084.exe
Size

3.0MB
MD5

04ed5ea599e3b9b7cefdd5fae9649975
SHA1

65d76c91cdbde034c2c0efc4a6e00f35b5bbecd6
SHA256

f045bc5b371055bad897b604d5562529e2db65dfd207fa32ad398bc5d324efe9
SHA512

a60b9d2ebac6b391e5456a1c0c549f3012e39a5150a1d058ae131969b2e39972dc6760b197aee518a6ed04bc128d421eb46b5a3e1f4373e6f6bdadb5c3fecb95

Score

10^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

WerFault.exe

pid	process
2292	WerFault.exe
2292	WerFault.exe
2292	WerFault.exe
2292	WerFault.exe
2292	WerFault.exe
2292	WerFault.exe
2292	WerFault.exe
2292	WerFault.exe
2292	WerFault.exe
2292	WerFault.exe
2292	WerFault.exe
2292	WerFault.exe
2292	WerFault.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

SecuriteInfo.com.Trojan.Zadved.1610.16777.12084.exeWerFault.exe

description	pid	process
Token: SeBackupPrivilege	3844	SecuriteInfo.com.Trojan.Zadved.1610.16777.12084.exe
Token: SeSecurityPrivilege	3844	SecuriteInfo.com.Trojan.Zadved.1610.16777.12084.exe
Token: SeRestorePrivilege	2292	WerFault.exe
Token: SeBackupPrivilege	2292	WerFault.exe
Token: SeDebugPrivilege	2292	WerFault.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2292 3844 WerFault.exe SecuriteInfo.com.Trojan.Zadved.1610.16777.12084.exe
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 2292 created 3844 2292 WerFault.exe SecuriteInfo.com.Trojan.Zadved.1610.16777.12084.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Zadved.1610.16777.12084.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Zadved.1610.16777.12084.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3844 -s 688
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Program crash
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2292

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2292-0-0x0000000004290000-0x0000000004291000-memory.dmp

Filesize
4KB

Download
memory/2292-1-0x0000000004DC0000-0x0000000004DC1000-memory.dmp

Filesize
4KB

Download