95c0083088ecaae25b32782af71007fa871594391a22f0ecef4389a0c5fa91b5 | Triage

Analysis

max time kernel
128s
max time network
128s
platform
windows10_x64
resource
win10
submitted
19-07-2020 17:20

Sharing

Report Analysis Logs

General

Target

zloader_1.14.7.0.vir.exe
Size

316KB
MD5

002b8030adf234692cf4fbb77c67799e
SHA1

611e8f1e727960c7ca2efeb24b867e9281ea665b
SHA256

95c0083088ecaae25b32782af71007fa871594391a22f0ecef4389a0c5fa91b5
SHA512

97852fa83736464f819766cffccfb7c896be38b2173e6520c0dda32cd8edaed67bcf7aa329c1c4782e1b7de4179c7747f751441c24bf84563db9fe49350043ee

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1808 3908 WerFault.exe zloader_1.14.7.0.vir.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 1808 WerFault.exe
Token: SeBackupPrivilege 1808 WerFault.exe
Token: SeDebugPrivilege 1808 WerFault.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

pid	process
1808	WerFault.exe
1808	WerFault.exe
1808	WerFault.exe
1808	WerFault.exe
1808	WerFault.exe
1808	WerFault.exe
1808	WerFault.exe
1808	WerFault.exe
1808	WerFault.exe
1808	WerFault.exe
1808	WerFault.exe
1808	WerFault.exe
1808	WerFault.exe
1808	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\zloader_1.14.7.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zloader_1.14.7.0.vir.exe"
1⤵
PID:3908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3908 -s 508
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:1808

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1808-0-0x0000000004950000-0x0000000004951000-memory.dmp

Filesize
4KB

Download
memory/1808-1-0x0000000004F80000-0x0000000004F81000-memory.dmp

Filesize
4KB

Download