8dcf148a8c237e56338bf58160abff133b6bceb8e14323b10f41818159ac98d4 | Triage

Analysis

max time kernel
121s
max time network
120s
platform
windows10_x64
resource
win10
submitted
19-07-2020 19:37

Sharing

Report Analysis Logs

General

Target

zeus 1_1.2.7.13.vir.exe
Size

445KB
MD5

4ad4ee2b7652ad0bd2cea94c97674d0b
SHA1

114bc02e49bfd38e25a6c2e59a3528fcdabe1606
SHA256

8dcf148a8c237e56338bf58160abff133b6bceb8e14323b10f41818159ac98d4
SHA512

ffe6c83232f043c79ae535f1ca213674cc5cd4bf2b4749f6b65226bc9dff3abd4117a7fcbfb454e55238abbe12725d53b1d001f844fa1adb0bc041cace03ca0d

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2028 3828 WerFault.exe zeus 1_1.2.7.13.vir.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 2028 WerFault.exe
Token: SeBackupPrivilege 2028 WerFault.exe
Token: SeDebugPrivilege 2028 WerFault.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

pid	process
2028	WerFault.exe
2028	WerFault.exe
2028	WerFault.exe
2028	WerFault.exe
2028	WerFault.exe
2028	WerFault.exe
2028	WerFault.exe
2028	WerFault.exe
2028	WerFault.exe
2028	WerFault.exe
2028	WerFault.exe
2028	WerFault.exe
2028	WerFault.exe
2028	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\zeus 1_1.2.7.13.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zeus 1_1.2.7.13.vir.exe"
1⤵
PID:3828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3828 -s 352
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:2028

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2028-0-0x0000000004780000-0x0000000004781000-memory.dmp

Filesize
4KB

Download
memory/2028-1-0x00000000050F0000-0x00000000050F1000-memory.dmp

Filesize
4KB

Download