Overview

overview

7

Static

static

3

b65d582778...5b.exe

windows7-x64

7

b65d582778...5b.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    142s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-09-2023 02:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b65d5827783e5c7c2d63519297104e7b5c8dae747ec4e24db6d3d2ee6a7eda5b.exe

  • Size

    198KB

  • MD5

    64c243bee8a149048cfe25e8eec150d9

  • SHA1

    7621e5dc70d1fb8daa4a99933d4a7ffa305d5f31

  • SHA256

    b65d5827783e5c7c2d63519297104e7b5c8dae747ec4e24db6d3d2ee6a7eda5b

  • SHA512

    224ecbdf24b8d1b263531daba968f63271974773e33261391e1f77e44c28891da5bcded763a851639c2dc5f12180e93a94fa90d5977d2be1bda5c09c26657872

  • SSDEEP

    6144:rBs27MMLyX5HXXXDTXXXOGqIII+pXXX5AYjKXXXDoXXXG6XXXxXXXLIIIEAkOCO+:rK20HXXX/XXXFqIIIcXXX5j2XXXcXXXP

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b65d5827783e5c7c2d63519297104e7b5c8dae747ec4e24db6d3d2ee6a7eda5b.exe
    "C:\Users\Admin\AppData\Local\Temp\b65d5827783e5c7c2d63519297104e7b5c8dae747ec4e24db6d3d2ee6a7eda5b.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2288
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\B65D58~1.EXE > nul
      2⤵
        PID:4844
    • C:\Windows\Debug\jmahost.exe
      C:\Windows\Debug\jmahost.exe
      1⤵
      • Executes dropped EXE
      • Checks processor information in registry
      PID:3244

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\Debug\jmahost.exe
      Filesize

      198KB

      MD5

      70ceeb1a03562f4c09fd487d498808c7

      SHA1

      90f75a050a7087c569e5d54a3544cef9eb1557e0

      SHA256

      d5f21bddd2d608fdd2ead658b1a7051838786a18b98d9b747c0cdde69d017175

      SHA512

      bf8e623674e05596c67bae9a09fd04ba531e5079a36afacbec28308d417e0a9f3462ff7e71b77dc95326e07bbe6a48e34df0066e7223e22ca34f632fcfd7e7d8

      Download Submit

    • C:\Windows\debug\jmahost.exe
      Filesize

      198KB

      MD5

      70ceeb1a03562f4c09fd487d498808c7

      SHA1

      90f75a050a7087c569e5d54a3544cef9eb1557e0

      SHA256

      d5f21bddd2d608fdd2ead658b1a7051838786a18b98d9b747c0cdde69d017175

      SHA512

      bf8e623674e05596c67bae9a09fd04ba531e5079a36afacbec28308d417e0a9f3462ff7e71b77dc95326e07bbe6a48e34df0066e7223e22ca34f632fcfd7e7d8

      Download Submit