Analysis
-
max time kernel
152s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags
arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted
23-11-2022 15:52
Static task
static1
Behavioral task
behavioral1
Sample
c1aaf2dd35ca3f2374c391703d0f5c33a30462d5f0b65d39d7ede42dfa9419f6.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
c1aaf2dd35ca3f2374c391703d0f5c33a30462d5f0b65d39d7ede42dfa9419f6.exe
Resource
win10v2004-20220812-en
General
-
Target
c1aaf2dd35ca3f2374c391703d0f5c33a30462d5f0b65d39d7ede42dfa9419f6.exe
-
Size
152KB
-
MD5
42fbccf64541cffa18ba28cd878d3250
-
SHA1
ae00dd2eef075e74327a1136a35becfeb72d2675
-
SHA256
c1aaf2dd35ca3f2374c391703d0f5c33a30462d5f0b65d39d7ede42dfa9419f6
-
SHA512
5778b96b428fc163458d24130d6ede6fbce2263419596b4dcbad1d5d76a7d40078354784be3939aca28e0c58a76a490629c4dec943dc63c4e1f65dad1e87966d
-
SSDEEP
3072:T3jIpK9xKA9w2p4QZisLaazNiIIkyyqN4oQZiEHPgcF:T3cpKxY+1isuazgfklcWVP3
Malware Config
Signatures
-
Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
Both processes set Explorer's ShowSuperHidden value to 0 in the current user's hive (HKCU), which hides protected operating-system files in Explorer; because the value lives under the user hive, no elevation is needed for the change.
Processes: c1aaf2dd35ca3f2374c391703d0f5c33a30462d5f0b65d39d7ede42dfa9419f6.exe, jiaab.exe
Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" c1aaf2dd35ca3f2374c391703d0f5c33a30462d5f0b65d39d7ede42dfa9419f6.exe
Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" jiaab.exe
Executes dropped EXE 1 IoCs
Processes: jiaab.exe
pid 724 jiaab.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: c1aaf2dd35ca3f2374c391703d0f5c33a30462d5f0b65d39d7ede42dfa9419f6.exe
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation c1aaf2dd35ca3f2374c391703d0f5c33a30462d5f0b65d39d7ede42dfa9419f6.exe
Adds Run key to start application 2 TTPs 55 IoCs
55 IoCs, but a single persistence entry: both processes repeatedly rewrite HKCU\...\CurrentVersion\Run\jiaab so that it points at the dropped binary C:\Users\Admin\jiaab.exe. The 53 "Set value" events differ only in a single-letter switch (one write per letter, upper and lower case; /W is written by both processes), which defeats matching on the exact value data but not on the value name or the target path.
Processes: jiaab.exe, c1aaf2dd35ca3f2374c391703d0f5c33a30462d5f0b65d39d7ede42dfa9419f6.exe
All "Set value (str)" events below target \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jiaab; each line gives the value data written and the writing process, in the order logged:
"C:\\Users\\Admin\\jiaab.exe /k" jiaab.exe
"C:\\Users\\Admin\\jiaab.exe /K" jiaab.exe
"C:\\Users\\Admin\\jiaab.exe /l" jiaab.exe
"C:\\Users\\Admin\\jiaab.exe /x" jiaab.exe
"C:\\Users\\Admin\\jiaab.exe /R" jiaab.exe
"C:\\Users\\Admin\\jiaab.exe /z" jiaab.exe
"C:\\Users\\Admin\\jiaab.exe /j" jiaab.exe
"C:\\Users\\Admin\\jiaab.exe /Z" jiaab.exe
"C:\\Users\\Admin\\jiaab.exe /T" jiaab.exe
"C:\\Users\\Admin\\jiaab.exe /W" c1aaf2dd35ca3f2374c391703d0f5c33a30462d5f0b65d39d7ede42dfa9419f6.exe
"C:\\Users\\Admin\\jiaab.exe /r" jiaab.exe
"C:\\Users\\Admin\\jiaab.exe /A" jiaab.exe
"C:\\Users\\Admin\\jiaab.exe /I" jiaab.exe
"C:\\Users\\Admin\\jiaab.exe /O" jiaab.exe
"C:\\Users\\Admin\\jiaab.exe /L" jiaab.exe
"C:\\Users\\Admin\\jiaab.exe /E" jiaab.exe
"C:\\Users\\Admin\\jiaab.exe /J" jiaab.exe
"C:\\Users\\Admin\\jiaab.exe /u" jiaab.exe
"C:\\Users\\Admin\\jiaab.exe /F" jiaab.exe
"C:\\Users\\Admin\\jiaab.exe /s" jiaab.exe
"C:\\Users\\Admin\\jiaab.exe /S" jiaab.exe
"C:\\Users\\Admin\\jiaab.exe /W" jiaab.exe
"C:\\Users\\Admin\\jiaab.exe /b" jiaab.exe
"C:\\Users\\Admin\\jiaab.exe /p" jiaab.exe
"C:\\Users\\Admin\\jiaab.exe /B" jiaab.exe
"C:\\Users\\Admin\\jiaab.exe /i" jiaab.exe
"C:\\Users\\Admin\\jiaab.exe /g" jiaab.exe
"C:\\Users\\Admin\\jiaab.exe /d" jiaab.exe
"C:\\Users\\Admin\\jiaab.exe /q" jiaab.exe
"C:\\Users\\Admin\\jiaab.exe /V" jiaab.exe
"C:\\Users\\Admin\\jiaab.exe /D" jiaab.exe
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run\ c1aaf2dd35ca3f2374c391703d0f5c33a30462d5f0b65d39d7ede42dfa9419f6.exe
"C:\\Users\\Admin\\jiaab.exe /Q" jiaab.exe
"C:\\Users\\Admin\\jiaab.exe /o" jiaab.exe
"C:\\Users\\Admin\\jiaab.exe /G" jiaab.exe
"C:\\Users\\Admin\\jiaab.exe /H" jiaab.exe
"C:\\Users\\Admin\\jiaab.exe /h" jiaab.exe
"C:\\Users\\Admin\\jiaab.exe /C" jiaab.exe
"C:\\Users\\Admin\\jiaab.exe /c" jiaab.exe
"C:\\Users\\Admin\\jiaab.exe /t" jiaab.exe
"C:\\Users\\Admin\\jiaab.exe /U" jiaab.exe
"C:\\Users\\Admin\\jiaab.exe /N" jiaab.exe
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run\ jiaab.exe
"C:\\Users\\Admin\\jiaab.exe /X" jiaab.exe
"C:\\Users\\Admin\\jiaab.exe /n" jiaab.exe
"C:\\Users\\Admin\\jiaab.exe /a" jiaab.exe
"C:\\Users\\Admin\\jiaab.exe /y" jiaab.exe
"C:\\Users\\Admin\\jiaab.exe /e" jiaab.exe
"C:\\Users\\Admin\\jiaab.exe /M" jiaab.exe
"C:\\Users\\Admin\\jiaab.exe /P" jiaab.exe
"C:\\Users\\Admin\\jiaab.exe /w" jiaab.exe
"C:\\Users\\Admin\\jiaab.exe /m" jiaab.exe
"C:\\Users\\Admin\\jiaab.exe /f" jiaab.exe
"C:\\Users\\Admin\\jiaab.exe /Y" jiaab.exe
"C:\\Users\\Admin\\jiaab.exe /v" jiaab.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this likely ransomware behaviour, but this report records no file-modification or file-encryption IoCs and the only dropped file is jiaab.exe, so treat the ransomware reading as unconfirmed for this sample.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: c1aaf2dd35ca3f2374c391703d0f5c33a30462d5f0b65d39d7ede42dfa9419f6.exe, jiaab.exe
pid 4400 c1aaf2dd35ca3f2374c391703d0f5c33a30462d5f0b65d39d7ede42dfa9419f6.exe (2 events)
pid 724 jiaab.exe (62 events)
Suspicious use of SetWindowsHookEx 2 IoCs
Processes: c1aaf2dd35ca3f2374c391703d0f5c33a30462d5f0b65d39d7ede42dfa9419f6.exe, jiaab.exe
pid 4400 c1aaf2dd35ca3f2374c391703d0f5c33a30462d5f0b65d39d7ede42dfa9419f6.exe
pid 724 jiaab.exe
Suspicious use of WriteProcessMemory 3 IoCs
Processes: c1aaf2dd35ca3f2374c391703d0f5c33a30462d5f0b65d39d7ede42dfa9419f6.exe
PID 4400 (c1aaf2dd35ca3f2374c391703d0f5c33a30462d5f0b65d39d7ede42dfa9419f6.exe) wrote to memory of PID 724 (jiaab.exe), three times
All three writes go from the parent into the child it has just launched (see the process tree below), which is also the pattern a plain CreateProcess produces while the parent sets up the new process; the report shows no write into an unrelated process, so this signature on its own does not establish code injection.
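The registry IoCs above (Run-key rewrites, ShowSuperHidden, Geo\Nation) can be triaged mechanically. The following Python script is an added example, not part of this report or of the sandbox's tooling: it parses event lines in the shape this report prints them, flags the three behaviours the signatures describe, and collapses the repeated Run-key rewrites into one finding per writing process with a variant count. The sample events are constructed from this report, plus one hypothetical benign Run entry (Contoso\Updater.exe, written by explorer.exe) as a control that must not be flagged; the ATT&CK IDs are my mapping using current technique numbering, not the v6 matrix the report links.

```python
"""Triage sandbox registry IoC lines for Run-key persistence, ShowSuperHidden
tampering and a Geo\\Nation lookup. Added example, not part of the report."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log in the report's own line format, one event per line.
# The last line is a hypothetical benign autorun entry used as a control.
SAMPLE_EVENTS = r'''
Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" c1aaf2dd35ca3f2374c391703d0f5c33a30462d5f0b65d39d7ede42dfa9419f6.exe
Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" jiaab.exe
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation c1aaf2dd35ca3f2374c391703d0f5c33a30462d5f0b65d39d7ede42dfa9419f6.exe
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run\ c1aaf2dd35ca3f2374c391703d0f5c33a30462d5f0b65d39d7ede42dfa9419f6.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jiaab = "C:\\Users\\Admin\\jiaab.exe /W" c1aaf2dd35ca3f2374c391703d0f5c33a30462d5f0b65d39d7ede42dfa9419f6.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jiaab = "C:\\Users\\Admin\\jiaab.exe /k" jiaab.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jiaab = "C:\\Users\\Admin\\jiaab.exe /K" jiaab.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jiaab = "C:\\Users\\Admin\\jiaab.exe /x" jiaab.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater = "C:\\Program Files\\Contoso\\Updater.exe /background" explorer.exe
'''


@dataclass
class RegEvent:
    op: str                 # "Set value", "Key value queried" or "Key created"
    path: str               # registry path; for "Set value" it ends in the value name
    process: str            # process that performed the operation
    value: Optional[str]    # data written, report's doubled backslashes collapsed


@dataclass
class Finding:
    technique: str          # ATT&CK ID (current numbering, my mapping, not the report's v6 matrix)
    process: str
    detail: str
    variants: int = 1       # distinct rewrites collapsed into this finding


EVENT_RE = re.compile(r'^(Set value \(\w+\)|Key value queried|Key created)\s+(.*)$')
RUN_VALUE_RE = re.compile(r'\\CurrentVersion\\Run\\(?P<name>[^\\]+)$', re.IGNORECASE)
CMDLINE_RE = re.compile(r'^(?P<exe>.*?\.exe)\s*(?P<args>.*)$', re.IGNORECASE)
USER_PROFILE_RE = re.compile(r'^[a-z]:\\Users\\', re.IGNORECASE)   # target inside a user profile


def parse_event(line: str) -> Optional[RegEvent]:
    """Parse one report line; returns None for lines that are not registry events."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    op, rest = m.group(1), m.group(2)
    rest, _, process = rest.rpartition(' ')          # the process name is always the last token
    value = None
    if op.startswith('Set value'):
        op = 'Set value'
        rest, _, quoted = rest.partition(' = ')      # split "path = "data"" into its two halves
        value = quoted.strip('"').replace('\\\\', '\\')
    return RegEvent(op, rest, process, value)


def parse_report(text: str) -> List[RegEvent]:
    return [ev for ev in map(parse_event, text.splitlines()) if ev is not None]


def triage(events: List[RegEvent]) -> List[Finding]:
    findings: List[Finding] = []
    run_entries = defaultdict(set)   # (process, value name, target exe) -> distinct argument strings
    for ev in events:
        lowered = ev.path.lower()
        if ev.op == 'Set value' and lowered.endswith('\\explorer\\advanced\\showsuperhidden') and ev.value == '0':
            findings.append(Finding('T1564.001', ev.process, 'ShowSuperHidden=0: hides hidden/system files in Explorer'))
        elif ev.op == 'Key value queried' and lowered.endswith('\\control panel\\international\\geo\\nation'):
            findings.append(Finding('T1614', ev.process, 'queried Geo\\Nation (country code), possible geofence'))
        elif ev.op == 'Set value' and (rm := RUN_VALUE_RE.search(ev.path)) and ev.value:
            cm = CMDLINE_RE.match(ev.value)
            exe = cm.group('exe') if cm else ev.value
            if USER_PROFILE_RE.match(exe):           # autorun pointing into a user-writable profile dir
                run_entries[(ev.process, rm.group('name'), exe)].add(cm.group('args') if cm else '')
    for (process, name, exe), args in run_entries.items():
        findings.append(Finding('T1547.001', process,
                                f'HKCU Run\\{name} -> {exe} (switches seen: {", ".join(sorted(args))})',
                                variants=len(args)))
    return findings


if __name__ == '__main__':
    for f in triage(parse_report(SAMPLE_EVENTS)):
        print(f'{f.technique}  {f.process}  x{f.variants}  {f.detail}')
```

Keying the Run-key finding on the value name and target path rather than the full value data is what makes the 53 rewrites collapse to one entry per writing process; a rule that matched the exact string would fire on whichever switch happened to be last.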
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\c1aaf2dd35ca3f2374c391703d0f5c33a30462d5f0b65d39d7ede42dfa9419f6.exe (PID 4400)
Command line: "C:\Users\Admin\AppData\Local\Temp\c1aaf2dd35ca3f2374c391703d0f5c33a30462d5f0b65d39d7ede42dfa9419f6.exe"
- Modifies visibility of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
2. C:\Users\Admin\jiaab.exe (PID 724), child of 1
Command line: "C:\Users\Admin\jiaab.exe"
- Modifies visibility of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\jiaab.exe
Filesize 152KB
MD5 1e1e844f56175a2d38b83542d87b161b
SHA1 01e82d16ce5f61ae6f0257434ddeb5443605bfdc
SHA256 b82151768bec6bd8ec70805400233ca18ea8e2f3e999c3a0f5826e6b42f08cbd
SHA512 9077919f7789c3954b987441a288ef822744cf9932a33e505e6981ce2393a938b85cf21bdcaf6316884354b891a3f9b7c3b04cb3a9774a1dc2eab44bd619dd6c
The dropped copy has the same size as the submitted sample (152KB) but different hashes, so the hashes listed under General will not match jiaab.exe on disk; hunt for the dropped file by the hashes above, by its path, or by the Run\jiaab value.
-
memory/724-134-0x0000000000000000-mapping.dmp