63d640dcc4a5c6cc472eb281b5946299301dd11231b9b89259302e6f4c0a3062 | Triage

Analysis

max time kernel
131s
max time network
132s
platform
windows10_x64
resource
win10
submitted
19-07-2020 19:45

Sharing

Report Analysis Logs

General

Target

zeus 1_1.2.10.1.vir.exe
Size

116KB
MD5

d0824f3900f7f37bb923e1573d23a801
SHA1

206acd4990e0d21d59e03597af7de225fda3f3ca
SHA256

63d640dcc4a5c6cc472eb281b5946299301dd11231b9b89259302e6f4c0a3062
SHA512

1c234e1b3c08de8cc7724a1871b47d4e19706df45617a159701df07362826271719eaee082d51a287801d20ad592991ef94ce096b6a18a44d73a7bff47a1620c

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3624 792 WerFault.exe zeus 1_1.2.10.1.vir.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 3624 WerFault.exe
Token: SeBackupPrivilege 3624 WerFault.exe
Token: SeDebugPrivilege 3624 WerFault.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

pid	process
3624	WerFault.exe
3624	WerFault.exe
3624	WerFault.exe
3624	WerFault.exe
3624	WerFault.exe
3624	WerFault.exe
3624	WerFault.exe
3624	WerFault.exe
3624	WerFault.exe
3624	WerFault.exe
3624	WerFault.exe
3624	WerFault.exe
3624	WerFault.exe
3624	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\zeus 1_1.2.10.1.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zeus 1_1.2.10.1.vir.exe"
1⤵
PID:792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 792 -s 528
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:3624

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3624-0-0x0000000004AE0000-0x0000000004AE1000-memory.dmp

Filesize
4KB

Download
memory/3624-1-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download