Analysis

  • max time kernel
    153s
  • max time network
    169s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11-10-2023 21:55

General

  • Target

    25e40b297e3dfaba991c66e3c7eaae24_JC.exe

  • Size

    181KB

  • MD5

    25e40b297e3dfaba991c66e3c7eaae24

  • SHA1

    cde5f20dc3e92b845bbab74f15132783ad65d209

  • SHA256

    62394eb5dd88f12e00f112e4ec4693fe6e8af0723ed362fbb330a3cb7b2e5ad8

  • SHA512

    e0eb45d6f1d4d7051fd165efd38595e9358bf54c29b03a6c4c0cdfbed0c07d0d33b899d0b51500ad3a9e0387e2bbb4eb7a6b354e71a77637027c22cfc81ca0ce

  • SSDEEP

    3072:lv5Ls27BIJsMLyXuyoXXXxXXXLIIIRm5CjFcyjESRNMXVZQvXSHr9XzClPbfQKeU:lBs27tMLyXhoXXXxXXXLIIIRmoJcyfR9

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\25e40b297e3dfaba991c66e3c7eaae24_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\25e40b297e3dfaba991c66e3c7eaae24_JC.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4956
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\25E40B~1.EXE > nul
      2⤵
        PID:4752
    • C:\Windows\Debug\soohost.exe
      C:\Windows\Debug\soohost.exe
      1⤵
      • Executes dropped EXE
      • Checks processor information in registry
      PID:4284

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Windows\Debug\soohost.exe

      Filesize

      181KB

      MD5

      7544c9984770eb3f92c50dd2acda66a2

      SHA1

      c4f6e26b7334655c7a632e0695a283f049573470

      SHA256

      8aeb48a4cc479e8fd9709ebaabb304bd0d1338da02b5c4be9cad98dcb4f481b7

      SHA512

      fd7235083a42ad1f07565edb4ec620a560a62a87257f89f1108295478d89c9deba23eacc2ea597984efa15ce4b333c7129dbdf7671f30111227e5858f28bd87f

    • C:\Windows\debug\soohost.exe

      Filesize

      181KB

      MD5

      7544c9984770eb3f92c50dd2acda66a2

      SHA1

      c4f6e26b7334655c7a632e0695a283f049573470

      SHA256

      8aeb48a4cc479e8fd9709ebaabb304bd0d1338da02b5c4be9cad98dcb4f481b7

      SHA512

      fd7235083a42ad1f07565edb4ec620a560a62a87257f89f1108295478d89c9deba23eacc2ea597984efa15ce4b333c7129dbdf7671f30111227e5858f28bd87f