8ae8e3bb7106e318c4ab4f6dd0cbe79a63485531a91b4e86e15fec556ccf8e60 | Triage

Analysis

max time kernel
127s
max time network
128s
platform
windows10_x64
resource
win10
submitted
19-07-2020 17:20

Sharing

Report Analysis Logs

General

Target

zeus 2_2.1.0.4.vir.exe
Size

208KB
MD5

1e72e82d0e512917ca34b3fd04f5ff67
SHA1

5fb5d35a75bb08e7e435aa3f0929108aa01aab63
SHA256

8ae8e3bb7106e318c4ab4f6dd0cbe79a63485531a91b4e86e15fec556ccf8e60
SHA512

faa558c475194402211c2eb8b91427f028309ceb9a0e7114cf2cd460727f3760a392655f28ba8a743a04fa893bd26231cb045029ae750453ff84e8e6ca93b48e

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3916 3068 WerFault.exe zeus 2_2.1.0.4.vir.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 3916 WerFault.exe
Token: SeBackupPrivilege 3916 WerFault.exe
Token: SeDebugPrivilege 3916 WerFault.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

pid	process
3916	WerFault.exe
3916	WerFault.exe
3916	WerFault.exe
3916	WerFault.exe
3916	WerFault.exe
3916	WerFault.exe
3916	WerFault.exe
3916	WerFault.exe
3916	WerFault.exe
3916	WerFault.exe
3916	WerFault.exe
3916	WerFault.exe
3916	WerFault.exe
3916	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\zeus 2_2.1.0.4.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zeus 2_2.1.0.4.vir.exe"
1⤵
PID:3068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3068 -s 272
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:3916

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3916-0-0x0000000004C70000-0x0000000004C71000-memory.dmp

Filesize
4KB

Download
memory/3916-1-0x00000000050B0000-0x00000000050B1000-memory.dmp

Filesize
4KB

Download