dfd44c4d49422b6e842fa3d4ccd16129bd720bc25a6b8bd2f2b3049edee6e5ff

Analysis

max time kernel
142s
max time network
128s
platform
windows7_x64
resource
win7-20230824-en
resource tags

arch:x64arch:x86image:win7-20230824-enlocale:en-usos:windows7-x64system
submitted
30-08-2023 02:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dfd44c4d49422b6e842fa3d4ccd16129bd720bc25a6b8bd2f2b3049edee6e5ff.exe
Size

198KB
MD5

b094c8c815592aa694225cddc2e7aa24
SHA1

5885a2311f17400e1dda6f91a864a49e8794ccb8
SHA256

dfd44c4d49422b6e842fa3d4ccd16129bd720bc25a6b8bd2f2b3049edee6e5ff
SHA512

f956ee9cda79dadf1f3755399395a44cefb69a08000c8875ffc2323cffa4cf64c252573ab6d6a271416bff70a6869ef13b1d3694a6bb529a097030337a9f2bca
SSDEEP

6144:rBs27MMLyX5HXXXDTXXXOGqIII+pXXX5AYjKXXXDoXXXG6XXXxXXXLIIIEAkOCOg:rK20HXXX/XXXFqIIIcXXX5j2XXXcXXXZ

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1496	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1728	jaohost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Debug\jaohost.exe	dfd44c4d49422b6e842fa3d4ccd16129bd720bc25a6b8bd2f2b3049edee6e5ff.exe
File opened for modification	C:\Windows\Debug\jaohost.exe	dfd44c4d49422b6e842fa3d4ccd16129bd720bc25a6b8bd2f2b3049edee6e5ff.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1740	dfd44c4d49422b6e842fa3d4ccd16129bd720bc25a6b8bd2f2b3049edee6e5ff.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 1496	1740	dfd44c4d49422b6e842fa3d4ccd16129bd720bc25a6b8bd2f2b3049edee6e5ff.exe	30
PID 1740 wrote to memory of 1496	1740	dfd44c4d49422b6e842fa3d4ccd16129bd720bc25a6b8bd2f2b3049edee6e5ff.exe	30
PID 1740 wrote to memory of 1496	1740	dfd44c4d49422b6e842fa3d4ccd16129bd720bc25a6b8bd2f2b3049edee6e5ff.exe	30
PID 1740 wrote to memory of 1496	1740	dfd44c4d49422b6e842fa3d4ccd16129bd720bc25a6b8bd2f2b3049edee6e5ff.exe	30

C:\Users\Admin\AppData\Local\Temp\dfd44c4d49422b6e842fa3d4ccd16129bd720bc25a6b8bd2f2b3049edee6e5ff.exe
"C:\Users\Admin\AppData\Local\Temp\dfd44c4d49422b6e842fa3d4ccd16129bd720bc25a6b8bd2f2b3049edee6e5ff.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\DFD44C~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1496

C:\Windows\Debug\jaohost.exe
C:\Windows\Debug\jaohost.exe
1⤵
- Executes dropped EXE
PID:1728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Debug\jaohost.exe

Filesize
198KB

MD5
a0564775745cc1e4f3e4a10edfd05edd

SHA1
ad04c601094fa174fe46c2c5252015c7d78fea1b

SHA256
0a61360fd822d965c0692dc9f07690144e2052b37db2cd90c43a6c5a87aee98d

SHA512
0cdce2f312847593fde4ff2b5f1c99879d3af203bac9b0c7065f7c38efa04a1fae6c6385ba72cdb990318a531c8aafddbe9f96c59384a5e7321723accbd32f92

Download Submit
C:\Windows\debug\jaohost.exe

Filesize
198KB

MD5
a0564775745cc1e4f3e4a10edfd05edd

SHA1
ad04c601094fa174fe46c2c5252015c7d78fea1b

SHA256
0a61360fd822d965c0692dc9f07690144e2052b37db2cd90c43a6c5a87aee98d

SHA512
0cdce2f312847593fde4ff2b5f1c99879d3af203bac9b0c7065f7c38efa04a1fae6c6385ba72cdb990318a531c8aafddbe9f96c59384a5e7321723accbd32f92

Download Submit