118d1730b016fb66426483645e57bf6575dab00709930a8a8571256e54139012 | Triage

Analysis

max time kernel
132s
max time network
69s
platform
windows10_x64
resource
win10v200430
submitted
19-07-2020 19:22

Sharing

Report Analysis Logs

General

Target

zeus 1_1.3.0.28.vir.exe
Size

1.5MB
MD5

466bd9f7dcfdbcbd15d6b82abd3a6c2d
SHA1

947ff14bdc686f228de45678b684d066c790592f
SHA256

118d1730b016fb66426483645e57bf6575dab00709930a8a8571256e54139012
SHA512

a4f5934b9debd82a56731affe743fe55aec7a34e3f65a6e31811bf815c1a916062b8db652d84b928bceb47c92665bac0f49db1e6c606be4518bcfeb193bbb017

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1816 1472 WerFault.exe zeus 1_1.3.0.28.vir.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 1816 WerFault.exe
Token: SeBackupPrivilege 1816 WerFault.exe
Token: SeDebugPrivilege 1816 WerFault.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

pid	process
1816	WerFault.exe
1816	WerFault.exe
1816	WerFault.exe
1816	WerFault.exe
1816	WerFault.exe
1816	WerFault.exe
1816	WerFault.exe
1816	WerFault.exe
1816	WerFault.exe
1816	WerFault.exe
1816	WerFault.exe
1816	WerFault.exe
1816	WerFault.exe
1816	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\zeus 1_1.3.0.28.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zeus 1_1.3.0.28.vir.exe"
1⤵
PID:1472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1472 -s 232
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:1816

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1816-0-0x0000000004B00000-0x0000000004B01000-memory.dmp

Filesize
4KB

Download
memory/1816-1-0x0000000005130000-0x0000000005131000-memory.dmp

Filesize
4KB

Download