9fb6e0a9adcb2211a34b0dfa43b51fefd16b712ee6054fc802d810486ea0a1a3

Analysis

max time kernel
151s
max time network
172s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11/10/2023, 13:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9fb6e0a9adcb2211a34b0dfa43b51fefd16b712ee6054fc802d810486ea0a1a3.exe
Size

198KB
MD5

2f57335dc03ded3b802800e2e6cc4182
SHA1

ce4e598dad8dfd3a49d79f14d9904bff31b3bebf
SHA256

9fb6e0a9adcb2211a34b0dfa43b51fefd16b712ee6054fc802d810486ea0a1a3
SHA512

2ad67f4dba29da7459b5fd62e14e4bc53c44711eb5e606f9f1b242fc4c4ab9b841ff11e9ebb8a0448063f122d390ad61fb64edafe341a406f2feac3b151549a1
SSDEEP

6144:rBs27MMLyX5HXXXDTXXXOGqIII+pXXX5AYjKXXXDoXXXG6XXXxXXXLIIIEAkOCOf:rK20HXXX/XXXFqIIIcXXX5j2XXXcXXXS

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2600	jaohost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Debug\jaohost.exe	9fb6e0a9adcb2211a34b0dfa43b51fefd16b712ee6054fc802d810486ea0a1a3.exe
File opened for modification	C:\Windows\Debug\jaohost.exe	9fb6e0a9adcb2211a34b0dfa43b51fefd16b712ee6054fc802d810486ea0a1a3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	jaohost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	jaohost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2872	9fb6e0a9adcb2211a34b0dfa43b51fefd16b712ee6054fc802d810486ea0a1a3.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 2788	2872	9fb6e0a9adcb2211a34b0dfa43b51fefd16b712ee6054fc802d810486ea0a1a3.exe	31
PID 2872 wrote to memory of 2788	2872	9fb6e0a9adcb2211a34b0dfa43b51fefd16b712ee6054fc802d810486ea0a1a3.exe	31
PID 2872 wrote to memory of 2788	2872	9fb6e0a9adcb2211a34b0dfa43b51fefd16b712ee6054fc802d810486ea0a1a3.exe	31
PID 2872 wrote to memory of 2788	2872	9fb6e0a9adcb2211a34b0dfa43b51fefd16b712ee6054fc802d810486ea0a1a3.exe	31

C:\Users\Admin\AppData\Local\Temp\9fb6e0a9adcb2211a34b0dfa43b51fefd16b712ee6054fc802d810486ea0a1a3.exe
"C:\Users\Admin\AppData\Local\Temp\9fb6e0a9adcb2211a34b0dfa43b51fefd16b712ee6054fc802d810486ea0a1a3.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\9FB6E0~1.EXE > nul
  2⤵
  PID:2788

C:\Windows\Debug\jaohost.exe
C:\Windows\Debug\jaohost.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\debug\jaohost.exe

Filesize
198KB

MD5
3a9ff0fd9638f1ee2eff2661717f8dcc

SHA1
aed4fe2874900f79ef370ecfe9748601d8838c3b

SHA256
692d2b86bf69e29c4fc497f1524483ce07d49d8ac23c051aeca7b6caffa5dd40

SHA512
e71051a4dfc92c32ba9e11992fc1d71bdb2290520904c47ddbff161422734f0fcaecda7be40f595744d657c5ad452c5e7fba4708d8bd374c8e457c3a43e09627

Download Submit