Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-12-2023 06:04

Static task: static1

Behavioral task: behavioral1
Sample: 0a30b6a4b96947529fb6093a26a896d5.exe
Resource: win7-20231215-en

Behavioral task: behavioral2
Sample: 0a30b6a4b96947529fb6093a26a896d5.exe
Resource: win10v2004-20231215-en
General
Target: 0a30b6a4b96947529fb6093a26a896d5.exe
Size: 228KB
MD5: 0a30b6a4b96947529fb6093a26a896d5
SHA1: 4f6f4c21d1c5d058e7e3bba43e21782b9d6d0df4
SHA256: 60671cc6fa126b667c80e26f47e1b95376d4927b24a091214ca11eceb0177e76
SHA512: 60ba8d3e5c446d4e192d6fd7d874df43b9037f9526709c95c9d734272ea44c295231740a6ab30f3f02d919072b50f14b8e27c5f8cc824debd5e81e502658945d
SSDEEP: 6144:lmMfx3PFKs7aFwKWwalhrEqxF6snji81RUinKZHg/7SK:lmMf9PhAmZIH+7r
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description / ioc / Process:
- Set value (int): \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: 0a30b6a4b96947529fb6093a26a896d5.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: jioda.exe)
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
description / ioc / Process:
- Key value queried: \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation (process: 0a30b6a4b96947529fb6093a26a896d5.exe)
Executes dropped EXE (1 IoC)
pid / Process:
- 3380 jioda.exe
Adds Run key to start application (2 TTPs, 27 IoCs)
Key: \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jioda
All 27 entries are "Set value (str)" on this key; the value is the same path with a different one-letter switch each time (description / value / Process):
- "C:\\Users\\Admin\\jioda.exe /y" (process: jioda.exe)
- "C:\\Users\\Admin\\jioda.exe /k" (process: jioda.exe)
- "C:\\Users\\Admin\\jioda.exe /s" (process: jioda.exe)
- "C:\\Users\\Admin\\jioda.exe /z" (process: jioda.exe)
- "C:\\Users\\Admin\\jioda.exe /w" (process: jioda.exe)
- "C:\\Users\\Admin\\jioda.exe /t" (process: jioda.exe)
- "C:\\Users\\Admin\\jioda.exe /o" (process: jioda.exe)
- "C:\\Users\\Admin\\jioda.exe /f" (process: jioda.exe)
- "C:\\Users\\Admin\\jioda.exe /l" (process: jioda.exe)
- "C:\\Users\\Admin\\jioda.exe /j" (process: jioda.exe)
- "C:\\Users\\Admin\\jioda.exe /m" (process: jioda.exe)
- "C:\\Users\\Admin\\jioda.exe /a" (process: jioda.exe)
- "C:\\Users\\Admin\\jioda.exe /e" (process: jioda.exe)
- "C:\\Users\\Admin\\jioda.exe /c" (process: jioda.exe)
- "C:\\Users\\Admin\\jioda.exe /u" (process: jioda.exe)
- "C:\\Users\\Admin\\jioda.exe /x" (process: jioda.exe)
- "C:\\Users\\Admin\\jioda.exe /i" (process: jioda.exe)
- "C:\\Users\\Admin\\jioda.exe /r" (process: jioda.exe)
- "C:\\Users\\Admin\\jioda.exe /q" (process: jioda.exe)
- "C:\\Users\\Admin\\jioda.exe /p" (process: jioda.exe)
- "C:\\Users\\Admin\\jioda.exe /e" (process: 0a30b6a4b96947529fb6093a26a896d5.exe)
- "C:\\Users\\Admin\\jioda.exe /h" (process: jioda.exe)
- "C:\\Users\\Admin\\jioda.exe /v" (process: jioda.exe)
- "C:\\Users\\Admin\\jioda.exe /b" (process: jioda.exe)
- "C:\\Users\\Admin\\jioda.exe /n" (process: jioda.exe)
- "C:\\Users\\Admin\\jioda.exe /d" (process: jioda.exe)
- "C:\\Users\\Admin\\jioda.exe /g" (process: jioda.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid / Process:
- 4272 0a30b6a4b96947529fb6093a26a896d5.exe (2 entries)
- 3380 jioda.exe (62 entries)
Suspicious use of SetWindowsHookEx (2 IoCs)
pid / Process:
- 4272 0a30b6a4b96947529fb6093a26a896d5.exe
- 3380 jioda.exe
Suspicious use of WriteProcessMemory (3 IoCs)
description / pid / Process / procid_target:
- PID 4272 wrote to memory of 3380 | 4272 | 0a30b6a4b96947529fb6093a26a896d5.exe | 92 (3 identical entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\0a30b6a4b96947529fb6093a26a896d5.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0a30b6a4b96947529fb6093a26a896d5.exe"
   - Modifies visibility of hidden/system files in Explorer
   - Checks computer location settings
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID: 4272

   2. C:\Users\Admin\jioda.exe (depth 2, child of PID 4272)
      Command line: "C:\Users\Admin\jioda.exe"
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      PID: 3380
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 192KB
  MD5: de07147435722ea06a2f0d4b619f0359
  SHA1: 7914894517e9c9e228ccb495a4f539563f828e72
  SHA256: 6500e5a6ace8e5993efc6b037a0f980b76f3f0dcba62104e76fc139a2ea7759c
  SHA512: 7088433bd9de6e03d8da26f2f8860ac4690206ef25d0568100e08275e51f553a50d05553bb83d35a843e13a685cac747fad9c8152bb42ed5d7dbd2713ece6279
- Filesize: 150KB
  MD5: 64e96ffd79ee03258d064d252fa3f831
  SHA1: a6eedf26071fde45fb950b40799bcfc808cdada9
  SHA256: 3adace7e680b8973eef563d81832281c9e06bf9bc338fb98c6eb84f4a60b5771
  SHA512: 08bc6a1c702bfc99a1a53f262084ff8e23aae4bbc5e0e8f76063bf2ac3548967c0f123925f4cb512ecc38acc504b10184a3bb35c94fb4fab2debe6ed9223cc24
- Filesize: 183KB
  MD5: 84173a6c19f0369abf9a2b7cb565202e
  SHA1: a3194e924343b48a7480de833b4f7b0faa863fe9
  SHA256: 6c97b267060af605c5502fe381de952c7f1dba1475aa139e1ee8e80ce724f3bb
  SHA512: e07a384d6e9f0f579540766a5ef1d77bf72039566c0e47a30a03238ad0ba300c6d39a68d7ebbcd22d4907b2f1761afdb1acf70e5049b4ce083074c1deca35a9e