Analysis
- max time kernel: 123s
- max time network: 124s
- platform: windows10_x64
- resource: win10
- submitted: 19-07-2020 17:35
Static task: static1
Behavioral task: behavioral1
- Sample: powerzeus_1.0.2.0.vir.dll
- Resource: win7v200430 (windows7_x64)
- 0 signatures, 0 seconds
Behavioral task: behavioral2
- Sample: powerzeus_1.0.2.0.vir.dll
- Resource: win10 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: powerzeus_1.0.2.0.vir.dll
- Size: 170KB
- MD5: 58bebe685a0b35149cf7f1daf059f3fa
- SHA1: 50b8e32336e850b7e0b0a70734270db29ea168bc
- SHA256: 442b1971e92aefeb93774a13cd2ca15f7f8e9dad99303f1c832bd62f10e30ed2
- SHA512: 6d610141e7d1a6e3e7ed8b85e0feab0a583ec77dbf5dc37973b70cbb300dfcb98a2fd95904164d1681c05546973b59e98a892d7f7dd459477fe30a227c38d26c
- Score: 3/10
Malware Config
Signatures
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  description                       pid   process        target process
  PID 720 wrote to memory of 336    720   rundll32.exe   rundll32.exe
  PID 720 wrote to memory of 336    720   rundll32.exe   rundll32.exe
  PID 720 wrote to memory of 336    720   rundll32.exe   rundll32.exe
- Program crash (1 IoC)
  Processes:
  pid    pid_target   process        target process
  3560   336          WerFault.exe   rundll32.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
  description                 pid    process
  Token: SeRestorePrivilege   3560   WerFault.exe
  Token: SeBackupPrivilege    3560   WerFault.exe
  Token: SeDebugPrivilege     3560   WerFault.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes:
  pid    process
  3560   WerFault.exe
  3560   WerFault.exe
  3560   WerFault.exe
  3560   WerFault.exe
  3560   WerFault.exe
  3560   WerFault.exe
  3560   WerFault.exe
  3560   WerFault.exe
  3560   WerFault.exe
  3560   WerFault.exe
  3560   WerFault.exe
  3560   WerFault.exe
  3560   WerFault.exe
  3560   WerFault.exe
Processes
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\powerzeus_1.0.2.0.vir.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\powerzeus_1.0.2.0.vir.dll,#1
    - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 336 -s 648
      - Program crash
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix
Downloads
- memory/336-0-0x0000000000000000-mapping.dmp
- memory/336-2-0x0000000000000000-mapping.dmp
- memory/336-3-0x0000000000000000-mapping.dmp
- memory/336-4-0x0000000000000000-mapping.dmp
- memory/3560-1-0x0000000004470000-0x0000000004471000-memory.dmp (Filesize: 4KB)
- memory/3560-5-0x00000000049A0000-0x00000000049A1000-memory.dmp (Filesize: 4KB)