33a7e5882768de2ea9636c6321ab06c137a2ed9479042866e1ff8571be10e1ec

Analysis

max time kernel
148s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
10/10/2023, 13:09

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

33a7e5882768de2ea9636c6321ab06c137a2ed9479042866e1ff8571be10e1ec.exe
Size

342KB
MD5

430452bd90e640e85489924f61544a21
SHA1

0ee663916dadc5ac32a6785a4b3c7bc23a540226
SHA256

33a7e5882768de2ea9636c6321ab06c137a2ed9479042866e1ff8571be10e1ec
SHA512

85e5e9747d037bcefd500c8f9d10bc311ce67c97247f5ca0bb54c380c1aeda057426159068f2ac7f8520a4ad42390ba533617aa9757ab79a498b3b73eb89498d
SSDEEP

6144:wYa6KAWUPEzy+WnGJ6zdbIHUJOWPk6AktkS1+b3COA:wY8J4YyTRrVtkSvOA

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	jakave.exe

Executes dropped EXE 2 IoCs

pid	Process
4812	jakave.exe
2184	jakave.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4812 set thread context of 2184	4812	jakave.exe	87

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 62 IoCs

pid	Process
2184	jakave.exe
2184	jakave.exe
2184	jakave.exe
2184	jakave.exe
2184	jakave.exe
2184	jakave.exe
2184	jakave.exe
2184	jakave.exe
2184	jakave.exe
2184	jakave.exe
2184	jakave.exe
2184	jakave.exe
2184	jakave.exe
2184	jakave.exe
2184	jakave.exe
2184	jakave.exe
2184	jakave.exe
2184	jakave.exe
2184	jakave.exe
2184	jakave.exe
2184	jakave.exe
2184	jakave.exe
2184	jakave.exe
2184	jakave.exe
2184	jakave.exe
2184	jakave.exe
2184	jakave.exe
2184	jakave.exe
2184	jakave.exe
2184	jakave.exe
2184	jakave.exe
2184	jakave.exe
2184	jakave.exe
2184	jakave.exe
2184	jakave.exe
2184	jakave.exe
2184	jakave.exe
2184	jakave.exe
2184	jakave.exe
2184	jakave.exe
2184	jakave.exe
2184	jakave.exe
2184	jakave.exe
2184	jakave.exe
2184	jakave.exe
2184	jakave.exe
2184	jakave.exe
2184	jakave.exe
2184	jakave.exe
2184	jakave.exe
2184	jakave.exe
2184	jakave.exe
2184	jakave.exe
2184	jakave.exe
2184	jakave.exe
2184	jakave.exe
2184	jakave.exe
2184	jakave.exe
2184	jakave.exe
2184	jakave.exe
2184	jakave.exe
2184	jakave.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4812	jakave.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2184	jakave.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 4104 wrote to memory of 4812	4104	33a7e5882768de2ea9636c6321ab06c137a2ed9479042866e1ff8571be10e1ec.exe	86
PID 4104 wrote to memory of 4812	4104	33a7e5882768de2ea9636c6321ab06c137a2ed9479042866e1ff8571be10e1ec.exe	86
PID 4104 wrote to memory of 4812	4104	33a7e5882768de2ea9636c6321ab06c137a2ed9479042866e1ff8571be10e1ec.exe	86
PID 4812 wrote to memory of 2184	4812	jakave.exe	87
PID 4812 wrote to memory of 2184	4812	jakave.exe	87
PID 4812 wrote to memory of 2184	4812	jakave.exe	87
PID 4812 wrote to memory of 2184	4812	jakave.exe	87

C:\Users\Admin\AppData\Local\Temp\33a7e5882768de2ea9636c6321ab06c137a2ed9479042866e1ff8571be10e1ec.exe
"C:\Users\Admin\AppData\Local\Temp\33a7e5882768de2ea9636c6321ab06c137a2ed9479042866e1ff8571be10e1ec.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4104
- C:\Users\Admin\AppData\Local\Temp\jakave.exe
  "C:\Users\Admin\AppData\Local\Temp\jakave.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4812
- - C:\Users\Admin\AppData\Local\Temp\jakave.exe
    "C:\Users\Admin\AppData\Local\Temp\jakave.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\agawuhpftq.emm

Filesize
218KB

MD5
7616b2be9c491c0bf92f8dd9af5ed981

SHA1
f7c7691aa17130a35513ad3417a2890e95d84f28

SHA256
0af72b68fc6b60c6d122efb97d8cd2b8b85960496560bf03c54d066d2f794601

SHA512
a838cb159b53528ebe3d34ce94d2db76211dfd90f9c562ef814de0520284787507dcf8c121bff8aa86a6aec5f3762feebc32f9f81d72de480e4a3e79e261ac57

Download Submit
C:\Users\Admin\AppData\Local\Temp\jakave.exe

Filesize
158KB

MD5
a8bfa26e26a9f2168d74bddad5cc4c2c

SHA1
b522d8701302550732dbd2665b4f8e0acd324efd

SHA256
4ad61bff2593077bb185554f574372b8a34ceb75d34c79178d35e2ffd69f08c1

SHA512
1bce09774a544e73376cb2a6a8c6807342a249d3c80e61b44f29a9c6f6c29654f5db31ef7cf59b6800eee19b2d8253709e0264a80f24e54eedaf14cddfab0fcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\jakave.exe

Filesize
158KB

MD5
a8bfa26e26a9f2168d74bddad5cc4c2c

SHA1
b522d8701302550732dbd2665b4f8e0acd324efd

SHA256
4ad61bff2593077bb185554f574372b8a34ceb75d34c79178d35e2ffd69f08c1

SHA512
1bce09774a544e73376cb2a6a8c6807342a249d3c80e61b44f29a9c6f6c29654f5db31ef7cf59b6800eee19b2d8253709e0264a80f24e54eedaf14cddfab0fcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\jakave.exe

Filesize
158KB

MD5
a8bfa26e26a9f2168d74bddad5cc4c2c

SHA1
b522d8701302550732dbd2665b4f8e0acd324efd

SHA256
4ad61bff2593077bb185554f574372b8a34ceb75d34c79178d35e2ffd69f08c1

SHA512
1bce09774a544e73376cb2a6a8c6807342a249d3c80e61b44f29a9c6f6c29654f5db31ef7cf59b6800eee19b2d8253709e0264a80f24e54eedaf14cddfab0fcf

Download Submit
memory/2184-7-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2184-10-0x0000000001A20000-0x0000000001D6A000-memory.dmp

Filesize
3.3MB

Download
memory/2184-11-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4812-5-0x0000000001090000-0x0000000001092000-memory.dmp

Filesize
8KB

Download