Overview

overview

8

Static

static

e72863de70...58.exe

windows7_x64

8

e72863de70...58.exe

windows10_x64

8

Analysis

  • max time kernel
    128s
  • max time network
    124s
  • platform
    windows10_x64
  • resource
    win10
  • submitted
    31-07-2020 12:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e72863de70ee56a86c394313e9ac4558.exe

  • Size

    150KB

  • MD5

    e72863de70ee56a86c394313e9ac4558

  • SHA1

    c9c57dd5bcfd469b4872a2851b93e7c6716b33bd

  • SHA256

    c5bc1c6af0d7ef6f65692aec19d9ef0f393a1ca80ce9a45671ce451e41dee85a

  • SHA512

    c70e1270c6380a378cee5f4aa6bf83c0cd9a9d439b9da7259fe3e338fd0486ecc95bd3071b3bb9dd920c4c19cf0ad7315850d5156cd0132870991d3bd16616fd

Score
8/10

Malware Config

Signatures

  • Program crash 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious behavior: EnumeratesProcesses 136 IoCs
  • Executes dropped EXE 3 IoCs
  • Drops file in Windows directory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e72863de70ee56a86c394313e9ac4558.exe
    "C:\Users\Admin\AppData\Local\Temp\e72863de70ee56a86c394313e9ac4558.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Drops file in Windows directory
    PID:3908
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3908 -s 540
      2⤵
      • Program crash
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious behavior: EnumeratesProcesses
      PID:3108
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3908 -s 856
      2⤵
      • Program crash
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious behavior: EnumeratesProcesses
      PID:3776
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3908 -s 868
      2⤵
      • Program crash
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious behavior: EnumeratesProcesses
      PID:3824
  • C:\ProgramData\kxbcds\luupsor.exe
    C:\ProgramData\kxbcds\luupsor.exe start
    1⤵
    • Executes dropped EXE
    • Drops file in Windows directory
    PID:2988
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 536
      2⤵
      • Program crash
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious behavior: EnumeratesProcesses
      PID:1012
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 716
      2⤵
      • Program crash
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious behavior: EnumeratesProcesses
      PID:3932
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 704
      2⤵
      • Program crash
      • Suspicious use of AdjustPrivilegeToken
      PID:496
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 772
      2⤵
      • Program crash
      • Suspicious use of AdjustPrivilegeToken
      PID:3376
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 672
      2⤵
      • Program crash
      • Suspicious use of AdjustPrivilegeToken
      PID:3804
  • C:\Windows\TEMP\tccqfs.exe
    C:\Windows\TEMP\tccqfs.exe
    1⤵
    • Executes dropped EXE
    • Drops file in Windows directory
    PID:2680
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2680 -s 540
      2⤵
      • Program crash
      • Suspicious use of AdjustPrivilegeToken
      PID:3736
  • C:\ProgramData\aitehju\francqi.exe
    C:\ProgramData\aitehju\francqi.exe start
    1⤵
    • Executes dropped EXE
    PID:3928
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3928 -s 544
      2⤵
      • Program crash
      • Suspicious use of AdjustPrivilegeToken
      PID:4088

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Microsoft\Windows\WER\Temp\WERAD0F.tmp.WERInternalMetadata.xml
    Download Submit
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WERAD0F.tmp.WERInternalMetadata.xml
    Download Submit
  • C:\ProgramData\aitehju\francqi.exe
    Download Submit
  • C:\ProgramData\aitehju\francqi.exe
    Download Submit
  • C:\ProgramData\kxbcds\luupsor.exe
    Download Submit
  • C:\ProgramData\kxbcds\luupsor.exe
    Download Submit
  • C:\Windows\TEMP\tccqfs.exe
    Download Submit
  • C:\Windows\Tasks\luupsor.job
    Download Submit
  • C:\Windows\Temp\tccqfs.exe
    Download Submit
  • memory/496-32-0x0000000003FF0000-0x0000000003FF1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/496-29-0x00000000037B0000-0x00000000037B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/496-28-0x00000000037B0000-0x00000000037B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1012-15-0x0000000003800000-0x0000000003801000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1012-14-0x0000000003410000-0x0000000003411000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1012-11-0x0000000003010000-0x0000000003011000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2680-41-0x0000000003C80000-0x0000000003C81000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2680-40-0x0000000003C80000-0x0000000003C81000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2988-9-0x000000000351C000-0x000000000351D000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2988-10-0x0000000003E90000-0x0000000003E91000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3108-5-0x0000000004840000-0x0000000004841000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3108-3-0x0000000004200000-0x0000000004201000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3108-2-0x0000000004200000-0x0000000004201000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3376-33-0x0000000002E00000-0x0000000002E01000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3376-36-0x0000000003530000-0x0000000003531000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3736-46-0x0000000002E00000-0x0000000002E01000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3736-49-0x0000000003430000-0x0000000003431000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3736-43-0x0000000002E00000-0x0000000002E01000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3776-20-0x0000000004E00000-0x0000000004E01000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3804-50-0x00000000038D0000-0x00000000038D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3804-44-0x0000000002E00000-0x0000000002E01000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3824-24-0x0000000004520000-0x0000000004521000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3824-27-0x0000000004A50000-0x0000000004A51000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3908-0-0x0000000003521000-0x0000000003522000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3908-1-0x00000000050D0000-0x00000000050D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3928-55-0x000000000351C000-0x000000000351D000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3928-56-0x0000000003E40000-0x0000000003E41000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3932-19-0x0000000003FE0000-0x0000000003FE1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3932-16-0x00000000038B0000-0x00000000038B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4088-57-0x00000000034F0000-0x00000000034F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4088-60-0x0000000003BA0000-0x0000000003BA1000-memory.dmp
    Filesize

    4KB

    Download