d8b48498a6bab4c9c59ee9f485669f82996ce1664c317fdb2d371cad9c26a9f5

Analysis

max time kernel
143s
max time network
135s
platform
windows7_x64
resource
win7-20230824-en
resource tags

arch:x64arch:x86image:win7-20230824-enlocale:en-usos:windows7-x64system
submitted
29/08/2023, 19:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d8b48498a6bab4c9c59ee9f485669f82996ce1664c317fdb2d371cad9c26a9f5.exe
Size

198KB
MD5

a08860306f327bb3bc7288ee5ab8db13
SHA1

2dee4a68034743b94370a66af2bc8c67179582ad
SHA256

d8b48498a6bab4c9c59ee9f485669f82996ce1664c317fdb2d371cad9c26a9f5
SHA512

4ea26012b30307763c68a44bbee94938bb73bf4844e92eceb00459fe1ca1b9ac21978caabcf9d195586fdc3136cfc84b6813e204afff552a44bb2ed5e0716c15
SSDEEP

6144:rBs27MMLyX5HXXXDTXXXOGqIII+pXXX5AYjKXXXDoXXXG6XXXxXXXLIIIEAkOCO6:rK20HXXX/XXXFqIIIcXXX5j2XXXcXXXL

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3048	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2076	jaohost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Debug\jaohost.exe	d8b48498a6bab4c9c59ee9f485669f82996ce1664c317fdb2d371cad9c26a9f5.exe
File opened for modification	C:\Windows\Debug\jaohost.exe	d8b48498a6bab4c9c59ee9f485669f82996ce1664c317fdb2d371cad9c26a9f5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	828	d8b48498a6bab4c9c59ee9f485669f82996ce1664c317fdb2d371cad9c26a9f5.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 828 wrote to memory of 3048	828	d8b48498a6bab4c9c59ee9f485669f82996ce1664c317fdb2d371cad9c26a9f5.exe	29
PID 828 wrote to memory of 3048	828	d8b48498a6bab4c9c59ee9f485669f82996ce1664c317fdb2d371cad9c26a9f5.exe	29
PID 828 wrote to memory of 3048	828	d8b48498a6bab4c9c59ee9f485669f82996ce1664c317fdb2d371cad9c26a9f5.exe	29
PID 828 wrote to memory of 3048	828	d8b48498a6bab4c9c59ee9f485669f82996ce1664c317fdb2d371cad9c26a9f5.exe	29

C:\Users\Admin\AppData\Local\Temp\d8b48498a6bab4c9c59ee9f485669f82996ce1664c317fdb2d371cad9c26a9f5.exe
"C:\Users\Admin\AppData\Local\Temp\d8b48498a6bab4c9c59ee9f485669f82996ce1664c317fdb2d371cad9c26a9f5.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:828
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\D8B484~1.EXE > nul
  2⤵
  - Deletes itself
  PID:3048

C:\Windows\Debug\jaohost.exe
C:\Windows\Debug\jaohost.exe
1⤵
- Executes dropped EXE
PID:2076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Debug\jaohost.exe

Filesize
198KB

MD5
4775f2c46cdcfe770506d1dfdc911830

SHA1
0bd58d86b8479769885d436ef925daeb3671e336

SHA256
4f26beb2cacfa0bded1b94ff4fb3bf930ae41c2185e9c1b3d9c09b946c50b50e

SHA512
0b2ea9aa7b000e5678d0de3f02807b00a102d4f44dbea433fa49a56c1150aa77916569796d2a2449098a292e2b4291d02653ed5ebaab60c5418e1848599145e7

Download Submit
C:\Windows\debug\jaohost.exe

Filesize
198KB

MD5
4775f2c46cdcfe770506d1dfdc911830

SHA1
0bd58d86b8479769885d436ef925daeb3671e336

SHA256
4f26beb2cacfa0bded1b94ff4fb3bf930ae41c2185e9c1b3d9c09b946c50b50e

SHA512
0b2ea9aa7b000e5678d0de3f02807b00a102d4f44dbea433fa49a56c1150aa77916569796d2a2449098a292e2b4291d02653ed5ebaab60c5418e1848599145e7

Download Submit