Overview

overview

7

Static

static

3

20377d2626...b6.exe

windows7-x64

7

20377d2626...b6.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    147s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-04-2024 07:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    20377d2626f676a651c526d6e9808bdea9e4ac20f426e5f9b297b90f984781b6.exe

  • Size

    197KB

  • MD5

    3d48daf09cb0deba593f8e31433653fb

  • SHA1

    d4c261deebb1b4246287e6a754cd1118b53d4886

  • SHA256

    20377d2626f676a651c526d6e9808bdea9e4ac20f426e5f9b297b90f984781b6

  • SHA512

    865a75bcbf9f18c4b1ee6e7445a91aa468831cd70b52fdc99c989c38535c882091d0b11e44d99d8a576030aa133d96549db79730308b1fa5235cceff016400e1

  • SSDEEP

    6144:rBs27MMLyX5HXXXDTXXXOGqIII+pXXX5AYjKXXXDoXXXG6XXXxXXXLIIIEAkOCOg:rK20HXXX/XXXFqIIIcXXX5j2XXXcXXXp

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\20377d2626f676a651c526d6e9808bdea9e4ac20f426e5f9b297b90f984781b6.exe
    "C:\Users\Admin\AppData\Local\Temp\20377d2626f676a651c526d6e9808bdea9e4ac20f426e5f9b297b90f984781b6.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1668
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\20377D~1.EXE > nul
      2⤵
        PID:900
    • C:\Windows\Debug\jmahost.exe
      C:\Windows\Debug\jmahost.exe
      1⤵
      • Executes dropped EXE
      • Checks processor information in registry
      PID:1944
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4148 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8
      1⤵
        PID:4340

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Windows\debug\jmahost.exe
        Filesize

        197KB

        MD5

        a0ffa3dcbbaee12b1ba0d47ab79d0b94

        SHA1

        6782197495e07db2f1ffa28f6845c5c39b2dcf77

        SHA256

        c86024b78ee43ed38420c648f7acbfceb96d4a6008663600428981676ab9b7ba

        SHA512

        595cc868e47791bdd6881a508604fa3d99ee367d6b0b5400bd52219bfc3683f65156adbe236929f8a3a24523de4dc222fcabf23cf06720c450348236cab86354

        Download Submit