Analysis

  • max time kernel
    118s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64
    arch:x86
    image:win10v2004-20240802-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    07/09/2024, 17:56

General

  • Target

    20e123d5fc3ce6dd21660e1f2392cbf0N.exe

  • Size

    986KB

  • MD5

    20e123d5fc3ce6dd21660e1f2392cbf0

  • SHA1

    a6ffbd3fd7e19546ee81d865682b51760dd5be2d

  • SHA256

    531d8e15d9187eb27e839ec544a102d07e6d6e5d2e27a031dca15d48a1d3b748

  • SHA512

    8dc7bae683e4b03bb5a42969d901f525f941e0a915c236a0afa4c93735ac522f5c3629158c84948fac0b889e6796eecc67180c6b38898fb4c5b35422dd20cea6

  • SSDEEP

    12288:saBSBQnp1K/6exjnarrlZPJgm4g3LHcbcQg6iS3MCFaiECzT+W73sdRTgKz5nJXb:sai/6exjarZNJgm8oQHFaiTt78DraGv

Score
9/10

Malware Config

Signatures

  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 3 IoCs
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in Program Files directory 51 IoCs
  • Drops file in Windows directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 59 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
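The four anti-analysis signatures above (VirtualBox Guest Additions key, VMware Tools key, BIOS information, drive mapping via the registry) are all registry reads, so they can be recovered from registry-access telemetry (Sysmon event IDs 12/13 or a sandbox's own API trace) without the sandbox's signature engine. The script below is an added example, not part of this report or of the sandbox's code: it normalizes registry paths (kernel `\REGISTRY\MACHINE` form, `HKEY_LOCAL_MACHINE`, and the `WOW6432Node` redirection a 32-bit process sees on x64), buckets each read into one of the four categories, and flags processes that hit at least two of them. The key paths are the well-known ones such checks use, the event line format is invented, and the sample events are constructed to mirror PID 544's behaviour; the report names the signatures but not the exact keys the sample queried, and the two-category threshold is an assumption (a single BIOS read is common in legitimate software).

```python
"""Bucket registry reads into anti-VM / anti-sandbox categories (added example)."""
import re
from collections import Counter, defaultdict

# Hive spellings seen in different telemetry sources, mapped to a short form.
HIVE_ALIASES = {
    r"\REGISTRY\MACHINE": "HKLM",
    "HKEY_LOCAL_MACHINE": "HKLM",
    r"\REGISTRY\USER": "HKU",
    "HKEY_USERS": "HKU",
}

# Assumed key patterns (well-known VM-detection keys); the report does not
# list the exact keys this sample read.
ANTI_ANALYSIS_KEYS = {
    "vbox_guest_additions": re.compile(r"^HKLM\\SOFTWARE\\Oracle\\VirtualBox Guest Additions(\\|$)", re.I),
    "vmware_tools": re.compile(r"^HKLM\\SOFTWARE\\VMware, Inc\.\\VMware Tools(\\|$)", re.I),
    "bios_info": re.compile(r"^HKLM\\HARDWARE\\DESCRIPTION\\System(\\|$)", re.I),
    "disk_enum": re.compile(r"^HKLM\\SYSTEM\\(CurrentControlSet|ControlSet\d{3})\\Services\\Disk\\Enum(\\|$)", re.I),
}

# Invented line format for the constructed events below.
EVENT_RE = re.compile(r"pid=(\d+)\s+op=(\w+)\s+key=(.+)$")


def normalize_key(path: str) -> str:
    """Map hive aliases to a short form and drop WOW6432Node so the 32-bit
    and 64-bit views of one key match the same pattern."""
    p = path.strip().rstrip("\\")
    for alias, short in HIVE_ALIASES.items():
        if p.upper().startswith(alias.upper()):
            p = short + p[len(alias):]
            break
    return re.sub(r"\\WOW6432Node(?=\\)", "", p, flags=re.I)


def classify(key_path: str):
    """Return the anti-analysis category for a registry path, or None."""
    k = normalize_key(key_path)
    for name, pat in ANTI_ANALYSIS_KEYS.items():
        if pat.search(k):
            return name
    return None


def parse_event(line: str):
    m = EVENT_RE.search(line)
    if not m:
        return None
    return int(m.group(1)), m.group(2), m.group(3)


def scan(lines):
    """pid -> Counter of anti-analysis categories that process touched."""
    hits = defaultdict(Counter)
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue          # unparseable line, skip rather than crash
        pid, _op, key = ev
        cat = classify(key)
        if cat:
            hits[pid][cat] += 1
    return hits


def vm_aware_pids(hits, min_categories: int = 2):
    """PIDs that touched at least min_categories distinct VM-detection keys."""
    return sorted(pid for pid, c in hits.items() if len(c) >= min_categories)


# Constructed events modelled on the report's tree: PID 544 does the VM checks,
# 4680 reads BIOS info once, 1268 reads an unrelated key.
SAMPLE_EVENTS = [
    r"pid=544 op=RegOpenKey key=HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions",
    r"pid=544 op=RegOpenKey key=HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools",
    r"pid=544 op=RegQueryValue key=\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion",
    r"pid=544 op=RegQueryValue key=HKLM\HARDWARE\DESCRIPTION\System\VideoBiosVersion",
    r"pid=544 op=RegOpenKey key=HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum",
    r"pid=1268 op=RegOpenKey key=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion",
    r"pid=4680 op=RegQueryValue key=HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for pid in vm_aware_pids(found):
        print(pid, dict(found[pid]))
```

The normalization step is the part that matters in practice: a rule keyed only on `HKLM\SOFTWARE\VMware, Inc.\VMware Tools` misses the `WOW6432Node` path a 32-bit payload on x64 (this sample is tagged both arch:x86 and arch:x64) actually opens, and kernel-mode sources log the `\REGISTRY\MACHINE` form.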

Processes

  • C:\Users\Admin\AppData\Local\Temp\20e123d5fc3ce6dd21660e1f2392cbf0N.exe
    "C:\Users\Admin\AppData\Local\Temp\20e123d5fc3ce6dd21660e1f2392cbf0N.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1268
    • C:\Windows\svchost.exe
      "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\20e123d5fc3ce6dd21660e1f2392cbf0N.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4680
      • C:\Users\Admin\AppData\Local\Temp\20e123d5fc3ce6dd21660e1f2392cbf0N.exe
        "C:\Users\Admin\AppData\Local\Temp\20e123d5fc3ce6dd21660e1f2392cbf0N.exe"
        3⤵
        • Looks for VirtualBox Guest Additions in registry
        • Looks for VMWare Tools registry key
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Maps connected drives based on registry
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:544
  • C:\Windows\svchost.exe
    C:\Windows\svchost.exe
    1⤵
    • Executes dropped EXE
    • Drops file in Program Files directory
    PID:4976
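Two things in the tree above are detectable without any signature engine: `svchost.exe` runs from `C:\Windows` rather than `C:\Windows\System32`, and its parent is the sample in `%TEMP%` rather than `services.exe`. The Downloads section also shows that the file at the original `%TEMP%` path ends up 951KB with MD5 `71d8fb320a4bb07786255b2f965962c9`, not the 986KB / `20e123d5fc3ce6dd21660e1f2392cbf0` that was submitted, so the dropper rewrote its own image before PID 4680 relaunched it as PID 544. The script below is an added example (not the sandbox's code): it takes the process records transcribed from the tree and the dropped-file path from the Downloads section, and flags system-binary names outside the system directories, unexpected parents, execution of dropped files, and children of a masquerading process. The list of system-only binary names and the expected-parent table are assumptions about normal Windows behaviour, not facts stated in the report, and PID 4976's parent is set to unknown because the tree does not show one.

```python
"""Flag process-tree anomalies of the kind shown in the report (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional
import ntpath

# Assumed: where these binaries legitimately live and who normally starts them.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
SYSTEM_ONLY_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe",
                        "winlogon.exe", "wininit.exe", "smss.exe"}
EXPECTED_PARENT = {"svchost.exe": "services.exe"}


@dataclass
class Proc:
    pid: int
    image: str
    cmdline: str
    ppid: Optional[int] = None   # None when the tree does not show a parent


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def dirname(path: str) -> str:
    return ntpath.dirname(path).lower().rstrip("\\")


def is_masquerading(p: Proc) -> bool:
    """A system-only binary name running from outside the system directories."""
    return basename(p.image) in SYSTEM_ONLY_BINARIES and dirname(p.image) not in SYSTEM_DIRS


def analyze(procs: List[Proc], dropped_files: List[str]) -> Dict[int, List[str]]:
    """Return {pid: [finding, ...]} for every process with at least one finding."""
    by_pid = {p.pid: p for p in procs}
    dropped = {d.lower() for d in dropped_files}
    findings: Dict[int, List[str]] = {}
    for p in procs:
        hits: List[str] = []
        name = basename(p.image)
        parent = by_pid.get(p.ppid) if p.ppid is not None else None
        if is_masquerading(p):
            hits.append("system-binary-name-outside-system32")
        want = EXPECTED_PARENT.get(name)
        if want and parent is not None and basename(parent.image) != want:
            hits.append(f"unexpected-parent:{basename(parent.image)}")
        if p.image.lower() in dropped:
            hits.append("executes-dropped-file")
        if parent is not None and is_masquerading(parent):
            hits.append("spawned-by-masquerading-process")
        if hits:
            findings[p.pid] = hits
    return findings


# Transcribed from the report's process tree (PIDs, images, command lines, parents).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\20e123d5fc3ce6dd21660e1f2392cbf0N.exe"
PROCS = [
    Proc(1268, SAMPLE, f'"{SAMPLE}"'),
    Proc(4680, r"C:\Windows\svchost.exe", f'"C:\\Windows\\svchost.exe" "{SAMPLE}"', ppid=1268),
    Proc(544, SAMPLE, f'"{SAMPLE}"', ppid=4680),
    Proc(4976, r"C:\Windows\svchost.exe", r"C:\Windows\svchost.exe"),  # parent not shown
]
# From the Downloads section: the 35KB svchost.exe written to C:\Windows.
DROPPED_FILES = [r"C:\Windows\svchost.exe"]

if __name__ == "__main__":
    for pid, hits in analyze(PROCS, DROPPED_FILES).items():
        print(pid, ", ".join(hits))
```

The path check is deliberately on the directory, not just the name: a legitimate `svchost.exe` under `System32` or `SysWOW64` with `services.exe` as parent produces no finding, which is the case the test below also covers.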

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\20e123d5fc3ce6dd21660e1f2392cbf0N.exe

    Filesize

    951KB

    MD5

    71d8fb320a4bb07786255b2f965962c9

    SHA1

    6c30a1e8ea32570d76fd3529e799f44d6150adf9

    SHA256

    58b611ddf85878f64703b091b1b6ffbc9794d799118bf8fff9d16752cac0227d

    SHA512

    f40a159951577502dddf287632838afa9c1020a53d818b35f3c362faffb9f75a3bf4316e9e14677888b7110d576e3081aa85fd5de95e255cdb8eab0a8e6b404a

  • C:\Windows\svchost.exe

    Filesize

    35KB

    MD5

    9e3c13b6556d5636b745d3e466d47467

    SHA1

    2ac1c19e268c49bc508f83fe3d20f495deb3e538

    SHA256

    20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8

    SHA512

    5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

  • memory/544-20-0x0000000005510000-0x0000000005576000-memory.dmp

    Filesize

    408KB

  • memory/544-21-0x0000000005D40000-0x0000000005DD2000-memory.dmp

    Filesize

    584KB

  • memory/544-14-0x00000000747CE000-0x00000000747CF000-memory.dmp

    Filesize

    4KB

  • memory/544-15-0x0000000000670000-0x0000000000766000-memory.dmp

    Filesize

    984KB

  • memory/544-16-0x00000000747C0000-0x0000000074F70000-memory.dmp

    Filesize

    7.7MB

  • memory/544-17-0x00000000052C0000-0x000000000535A000-memory.dmp

    Filesize

    616KB

  • memory/544-18-0x0000000005470000-0x000000000550C000-memory.dmp

    Filesize

    624KB

  • memory/544-19-0x0000000005F90000-0x0000000006534000-memory.dmp

    Filesize

    5.6MB

  • memory/544-28-0x00000000747C0000-0x0000000074F70000-memory.dmp

    Filesize

    7.7MB

  • memory/544-26-0x00000000747C0000-0x0000000074F70000-memory.dmp

    Filesize

    7.7MB

  • memory/544-22-0x0000000005D10000-0x0000000005D1A000-memory.dmp

    Filesize

    40KB

  • memory/544-23-0x0000000006640000-0x0000000006696000-memory.dmp

    Filesize

    344KB

  • memory/544-24-0x00000000747C0000-0x0000000074F70000-memory.dmp

    Filesize

    7.7MB

  • memory/544-25-0x00000000747CE000-0x00000000747CF000-memory.dmp

    Filesize

    4KB

  • memory/1268-3-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

  • memory/4680-11-0x0000000000400000-0x000000000040D000-memory.dmp

    Filesize

    52KB

  • memory/4976-27-0x0000000000400000-0x000000000040D000-memory.dmp

    Filesize

    52KB

  • memory/4976-29-0x0000000000400000-0x000000000040D000-memory.dmp

    Filesize

    52KB

  • memory/4976-31-0x0000000000400000-0x000000000040D000-memory.dmp

    Filesize

    52KB

  • memory/4976-32-0x0000000000400000-0x000000000040D000-memory.dmp

    Filesize

    52KB