Overview

overview

8

Static

static

62bc145fa8...0d.exe

windows7_x64

8

62bc145fa8...0d.exe

windows10_x64

8

Analysis

  • max time kernel
    132s
  • max time network
    135s
  • platform
    windows10_x64
  • resource
    win10
  • submitted
    31-07-2020 11:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    62bc145fa8fe6d16eb238eaf689c4c0d.exe

  • Size

    151KB

  • MD5

    62bc145fa8fe6d16eb238eaf689c4c0d

  • SHA1

    1dc89387bbd77ca4331828699a72aafce85b3623

  • SHA256

    b6129e3a5c30c44c577a5e3f64e2cd08d5faaaa776ec1866912b90dff5aa0493

  • SHA512

    896ef2818c7747ad77baf853fe19b813e0b3409baadfea635cc95ee8535be48917a07741314597d362f9f96ffeadfa9ba30f4e1d1dd586e9a74a9f9ade3f5035

Score
8/10

Malware Config

Signatures

  • Program crash 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious behavior: EnumeratesProcesses 134 IoCs
  • Executes dropped EXE 3 IoCs
  • Drops file in Windows directory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\62bc145fa8fe6d16eb238eaf689c4c0d.exe
    "C:\Users\Admin\AppData\Local\Temp\62bc145fa8fe6d16eb238eaf689c4c0d.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Drops file in Windows directory
    PID:3820
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3820 -s 544
      2⤵
      • Program crash
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious behavior: EnumeratesProcesses
      PID:3844
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3820 -s 860
      2⤵
      • Program crash
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious behavior: EnumeratesProcesses
      PID:2912
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3820 -s 872
      2⤵
      • Program crash
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious behavior: EnumeratesProcesses
      PID:2668
  • C:\ProgramData\gtmmfic\hnlu.exe
    C:\ProgramData\gtmmfic\hnlu.exe start
    1⤵
    • Executes dropped EXE
    • Drops file in Windows directory
    PID:1932
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1932 -s 536
      2⤵
      • Program crash
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious behavior: EnumeratesProcesses
      PID:2988
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1932 -s 716
      2⤵
      • Program crash
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious behavior: EnumeratesProcesses
      PID:2536
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1932 -s 704
      2⤵
      • Program crash
      • Suspicious use of AdjustPrivilegeToken
      PID:3752
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1932 -s 732
      2⤵
      • Program crash
      • Suspicious use of AdjustPrivilegeToken
      PID:2212
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1932 -s 732
      2⤵
      • Program crash
      • Suspicious use of AdjustPrivilegeToken
      PID:3448
  • C:\Windows\TEMP\vjwlr.exe
    C:\Windows\TEMP\vjwlr.exe
    1⤵
    • Executes dropped EXE
    • Drops file in Windows directory
    PID:2480
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 536
      2⤵
      • Program crash
      • Suspicious use of AdjustPrivilegeToken
      PID:2736
  • C:\ProgramData\tjur\wevkg.exe
    C:\ProgramData\tjur\wevkg.exe start
    1⤵
    • Executes dropped EXE
    PID:3520
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3520 -s 540
      2⤵
      • Program crash
      • Suspicious use of AdjustPrivilegeToken
      PID:3232

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Microsoft\Windows\WER\Temp\WERB56B.tmp.WERInternalMetadata.xml
    Download Submit
  • C:\ProgramData\gtmmfic\hnlu.exe
    Download Submit
  • C:\ProgramData\gtmmfic\hnlu.exe
    Download Submit
  • C:\ProgramData\tjur\wevkg.exe
    Download Submit
  • C:\ProgramData\tjur\wevkg.exe
    Download Submit
  • C:\Windows\TEMP\vjwlr.exe
    Download Submit
  • C:\Windows\Tasks\hnlu.job
    Download Submit
  • C:\Windows\Temp\vjwlr.exe
    Download Submit
  • memory/1932-9-0x0000000003CE0000-0x0000000003CE1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1932-10-0x0000000003CE0000-0x0000000003CE1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1932-8-0x00000000033CC000-0x00000000033CD000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2212-31-0x0000000003240000-0x0000000003241000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2212-34-0x00000000039F0000-0x00000000039F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2480-38-0x0000000003E20000-0x0000000003E21000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2480-37-0x000000000360C000-0x000000000360D000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2536-15-0x0000000003AB0000-0x0000000003AB1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2536-18-0x0000000004260000-0x0000000004261000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2668-23-0x0000000004750000-0x0000000004751000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2668-26-0x0000000004E80000-0x0000000004E81000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2736-40-0x00000000030D0000-0x00000000030D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2736-46-0x00000000034D0000-0x00000000034D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2912-22-0x0000000004850000-0x0000000004851000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2912-19-0x00000000040A0000-0x00000000040A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2988-14-0x00000000033D0000-0x00000000033D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2988-11-0x0000000002CA0000-0x0000000002CA1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3232-57-0x0000000003BE0000-0x0000000003BE1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3232-54-0x00000000034B0000-0x00000000034B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3448-41-0x00000000038C0000-0x00000000038C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3448-47-0x0000000004480000-0x0000000004481000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3520-52-0x00000000034EC000-0x00000000034ED000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3520-53-0x0000000003D30000-0x0000000003D31000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3752-30-0x00000000033E0000-0x00000000033E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3752-27-0x0000000002C30000-0x0000000002C31000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3820-0-0x00000000033F1000-0x00000000033F2000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3820-1-0x0000000005240000-0x0000000005241000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3844-3-0x0000000004900000-0x0000000004901000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3844-2-0x0000000004900000-0x0000000004901000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3844-5-0x0000000005030000-0x0000000005031000-memory.dmp
    Filesize

    4KB

    Download