Analysis

  • max time kernel
    145s
  • max time network
    159s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags
    arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
  • submitted
    11-10-2023 20:04

General

  • Target

    9a449e54a16c70a8a7858f24a075e180578ed56cf7b06e132748f5f2814ed4ec.exe

  • Size

    198KB

  • MD5

    783663acd0f5b57a54917898feb3192f

  • SHA1

    c146f3168379a9b2c11bd73dbcdd035f1888e78d

  • SHA256

    9a449e54a16c70a8a7858f24a075e180578ed56cf7b06e132748f5f2814ed4ec

  • SHA512

    6e32f0703730bd1e7034cd4c6f2959a2e973a32ce314ddccc6f0f9a3177ed09e78b62f2f081aeeeca0518772714c29939e344152c22e7f21274988d327f6cbd5

  • SSDEEP

    6144:rBs27MMLyX5HXXXDTXXXOGqIII+pXXX5AYjKXXXDoXXXG6XXXxXXXLIIIEAkOCOm:rK20HXXX/XXXFqIIIcXXX5j2XXXcXXXP

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9a449e54a16c70a8a7858f24a075e180578ed56cf7b06e132748f5f2814ed4ec.exe
    "C:\Users\Admin\AppData\Local\Temp\9a449e54a16c70a8a7858f24a075e180578ed56cf7b06e132748f5f2814ed4ec.exe"
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2204
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\9A449E~1.EXE > nul
      • Deletes itself
      PID:2088
  • C:\Windows\Debug\jaohost.exe
    C:\Windows\Debug\jaohost.exe
    • Executes dropped EXE
    • Checks processor information in registry
    PID:3060

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\debug\jaohost.exe

    Filesize

    198KB

    MD5

    7a09a716b35757b4d75d2cb072267971

    SHA1

    7a6402a2054e7a7588461b66dd318a5dd6d68433

    SHA256

    ba061009cd016e9923fb479b656e4f3e1472af5528607bdea379c8c31a5fa656

    SHA512

    c6c65699abaeebb82bec182d0fddbca3143d2659f040301aa989fc1f6d8b66765e79f25d1a3d34667fd2f54ac2369efa8e6f6d2efaad45ce77380c1c5606519e