fb413e293d5cc9f5b0cef6328221ab9888fd61f9898935fad11c2afb42f4ee12 | Triage

Analysis

max time kernel
115s
max time network
115s
platform
windows10_x64
resource
win10
submitted
19-07-2020 17:25

Sharing

Report Analysis Logs

General

Target

zeus 2_2.1.0.5.vir.exe
Size

189KB
MD5

0c4cf45b512432aaeb0e0a52697f1e8a
SHA1

570f75215e0755937adbae7abd3a00b3af0702d8
SHA256

fb413e293d5cc9f5b0cef6328221ab9888fd61f9898935fad11c2afb42f4ee12
SHA512

550c2c56eb751b2886b1e9bfeac434392505ad0778b675563571deb8bdca4758ed46e7e3d4193fbdcd7aa42dc12fa8c16dbb438e9359dc3d9adc95321ab66420

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3016 3620 WerFault.exe zeus 2_2.1.0.5.vir.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 3016 WerFault.exe
Token: SeBackupPrivilege 3016 WerFault.exe
Token: SeDebugPrivilege 3016 WerFault.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

pid	process
3016	WerFault.exe
3016	WerFault.exe
3016	WerFault.exe
3016	WerFault.exe
3016	WerFault.exe
3016	WerFault.exe
3016	WerFault.exe
3016	WerFault.exe
3016	WerFault.exe
3016	WerFault.exe
3016	WerFault.exe
3016	WerFault.exe
3016	WerFault.exe
3016	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\zeus 2_2.1.0.5.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zeus 2_2.1.0.5.vir.exe"
1⤵
PID:3620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3620 -s 528
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:3016

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3016-0-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/3016-1-0x0000000005660000-0x0000000005661000-memory.dmp

Filesize
4KB

Download