55412a1f909695ad8ec22a5302142a4c9194bd4c2de98672d41953b620bc2e27 | Triage

Analysis

max time kernel
126s
max time network
131s
platform
windows10_x64
resource
win10
submitted
19-07-2020 17:15

Sharing

Report Analysis Logs

General

Target

zeus 2_2.0.4.0.vir.exe
Size

197KB
MD5

16374c7a87c60d8c0faefcc168785af6
SHA1

d37159f02d5c6ab273edb92eb159f05d286c9d0a
SHA256

55412a1f909695ad8ec22a5302142a4c9194bd4c2de98672d41953b620bc2e27
SHA512

e4c7947bb2ef5c5647561f8bd07d233ddf2a4263b4fa9a0a077b9c750bb0f9019b21dadd429d6734993e35b4290d04542192273a49c815279c11b069714274e5

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3832 3404 WerFault.exe zeus 2_2.0.4.0.vir.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 3832 WerFault.exe
Token: SeBackupPrivilege 3832 WerFault.exe
Token: SeDebugPrivilege 3832 WerFault.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

pid	process
3832	WerFault.exe
3832	WerFault.exe
3832	WerFault.exe
3832	WerFault.exe
3832	WerFault.exe
3832	WerFault.exe
3832	WerFault.exe
3832	WerFault.exe
3832	WerFault.exe
3832	WerFault.exe
3832	WerFault.exe
3832	WerFault.exe
3832	WerFault.exe
3832	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\zeus 2_2.0.4.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zeus 2_2.0.4.0.vir.exe"
1⤵
PID:3404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3404 -s 252
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:3832

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3832-0-0x0000000004810000-0x0000000004811000-memory.dmp

Filesize
4KB

Download
memory/3832-1-0x0000000004EB0000-0x0000000004EB1000-memory.dmp

Filesize
4KB

Download