9bff283edf384a62a8aab5d2827b1c8fd4514746fc7f2c3ce688a34b419a1a86

Analysis

max time kernel
39s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
26/12/2023, 08:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f9127245473fbfdab735869bce40d88.exe
Size

484KB
MD5

5f9127245473fbfdab735869bce40d88
SHA1

4960afd3e5e88ec967973248b93b97a4743fa5d1
SHA256

9bff283edf384a62a8aab5d2827b1c8fd4514746fc7f2c3ce688a34b419a1a86
SHA512

4299e96e65b96b78bb84896c84fadcf321c7afff31b926988ca2ea0478f61724f015ac583b5a19bab6d3f3ae35a56cf31749478cb13ae8e5011e35438046f4b1
SSDEEP

12288:hoUld/f2I9JECdYW4/e4Pii15XZSAmKjlafbdDNUQ:R92ILECd0R15XZS3QafpDNUQ

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	LB9c4j3K.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	jiizob.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	LB9c4j3K.exe

Executes dropped EXE 7 IoCs

pid	Process
4516	LB9c4j3K.exe
1496	jiizob.exe
4892	aahost.exe
4288	aahost.exe
4940	bshost.exe
532	dyhost.exe
392	ekhost.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4288-52-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/4288-55-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/4288-50-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/4288-47-0x0000000000400000-0x000000000040E000-memory.dmp	upx

Adds Run key to start application 2 TTPs 29 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jiizob = "C:\\Users\\Admin\\jiizob.exe /G"	jiizob.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jiizob = "C:\\Users\\Admin\\jiizob.exe /k"	jiizob.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jiizob = "C:\\Users\\Admin\\jiizob.exe /d"	jiizob.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jiizob = "C:\\Users\\Admin\\jiizob.exe /e"	jiizob.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jiizob = "C:\\Users\\Admin\\jiizob.exe /i"	jiizob.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jiizob = "C:\\Users\\Admin\\jiizob.exe /O"	jiizob.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jiizob = "C:\\Users\\Admin\\jiizob.exe /S"	jiizob.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jiizob = "C:\\Users\\Admin\\jiizob.exe /g"	jiizob.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jiizob = "C:\\Users\\Admin\\jiizob.exe /H"	jiizob.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jiizob = "C:\\Users\\Admin\\jiizob.exe /V"	jiizob.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jiizob = "C:\\Users\\Admin\\jiizob.exe /Z"	jiizob.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jiizob = "C:\\Users\\Admin\\jiizob.exe /X"	jiizob.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jiizob = "C:\\Users\\Admin\\jiizob.exe /B"	jiizob.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jiizob = "C:\\Users\\Admin\\jiizob.exe /d"	LB9c4j3K.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jiizob = "C:\\Users\\Admin\\jiizob.exe /C"	jiizob.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jiizob = "C:\\Users\\Admin\\jiizob.exe /m"	jiizob.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jiizob = "C:\\Users\\Admin\\jiizob.exe /x"	jiizob.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jiizob = "C:\\Users\\Admin\\jiizob.exe /y"	jiizob.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jiizob = "C:\\Users\\Admin\\jiizob.exe /K"	jiizob.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jiizob = "C:\\Users\\Admin\\jiizob.exe /p"	jiizob.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jiizob = "C:\\Users\\Admin\\jiizob.exe /u"	jiizob.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jiizob = "C:\\Users\\Admin\\jiizob.exe /f"	jiizob.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jiizob = "C:\\Users\\Admin\\jiizob.exe /F"	jiizob.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jiizob = "C:\\Users\\Admin\\jiizob.exe /q"	jiizob.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jiizob = "C:\\Users\\Admin\\jiizob.exe /r"	jiizob.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jiizob = "C:\\Users\\Admin\\jiizob.exe /s"	jiizob.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jiizob = "C:\\Users\\Admin\\jiizob.exe /v"	jiizob.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jiizob = "C:\\Users\\Admin\\jiizob.exe /N"	jiizob.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jiizob = "C:\\Users\\Admin\\jiizob.exe /t"	jiizob.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4892 set thread context of 4288	4892	aahost.exe	94
PID 4940 set thread context of 2792	4940	bshost.exe	100

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates processes with tasklist 1 TTPs 3 IoCs

Process Discovery

T1057

pid	Process
392	tasklist.exe
4720	tasklist.exe
4912	tasklist.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4516	LB9c4j3K.exe
4516	LB9c4j3K.exe
4516	LB9c4j3K.exe
4516	LB9c4j3K.exe
4288	aahost.exe
4288	aahost.exe
1496	jiizob.exe
1496	jiizob.exe
1496	jiizob.exe
1496	jiizob.exe
4288	aahost.exe
4288	aahost.exe
1496	jiizob.exe
1496	jiizob.exe
1496	jiizob.exe
1496	jiizob.exe
1496	jiizob.exe
1496	jiizob.exe
1496	jiizob.exe
1496	jiizob.exe
4288	aahost.exe
4288	aahost.exe
1496	jiizob.exe
1496	jiizob.exe
4288	aahost.exe
4288	aahost.exe
4288	aahost.exe
4288	aahost.exe
1496	jiizob.exe
1496	jiizob.exe
1496	jiizob.exe
1496	jiizob.exe
1496	jiizob.exe
1496	jiizob.exe
4288	aahost.exe
4288	aahost.exe
1496	jiizob.exe
1496	jiizob.exe
4288	aahost.exe
4288	aahost.exe
4288	aahost.exe
4288	aahost.exe
1496	jiizob.exe
1496	jiizob.exe
1496	jiizob.exe
1496	jiizob.exe
1496	jiizob.exe
1496	jiizob.exe
4288	aahost.exe
4288	aahost.exe
4288	aahost.exe
4288	aahost.exe
1496	jiizob.exe
1496	jiizob.exe
4288	aahost.exe
4288	aahost.exe
1496	jiizob.exe
1496	jiizob.exe
4288	aahost.exe
4288	aahost.exe
4288	aahost.exe
4288	aahost.exe
1496	jiizob.exe
1496	jiizob.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	392	tasklist.exe
Token: SeDebugPrivilege	4940	bshost.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3120	5f9127245473fbfdab735869bce40d88.exe
4516	LB9c4j3K.exe
1496	jiizob.exe
4892	aahost.exe
532	dyhost.exe
392	ekhost.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 3120 wrote to memory of 4516	3120	5f9127245473fbfdab735869bce40d88.exe	26
PID 3120 wrote to memory of 4516	3120	5f9127245473fbfdab735869bce40d88.exe	26
PID 3120 wrote to memory of 4516	3120	5f9127245473fbfdab735869bce40d88.exe	26
PID 4516 wrote to memory of 1496	4516	LB9c4j3K.exe	99
PID 4516 wrote to memory of 1496	4516	LB9c4j3K.exe	99
PID 4516 wrote to memory of 1496	4516	LB9c4j3K.exe	99
PID 4516 wrote to memory of 4896	4516	LB9c4j3K.exe	98
PID 4516 wrote to memory of 4896	4516	LB9c4j3K.exe	98
PID 4516 wrote to memory of 4896	4516	LB9c4j3K.exe	98
PID 4896 wrote to memory of 392	4896	cmd.exe	96
PID 4896 wrote to memory of 392	4896	cmd.exe	96
PID 4896 wrote to memory of 392	4896	cmd.exe	96
PID 3120 wrote to memory of 4892	3120	5f9127245473fbfdab735869bce40d88.exe	95
PID 3120 wrote to memory of 4892	3120	5f9127245473fbfdab735869bce40d88.exe	95
PID 3120 wrote to memory of 4892	3120	5f9127245473fbfdab735869bce40d88.exe	95
PID 4892 wrote to memory of 4288	4892	aahost.exe	94
PID 4892 wrote to memory of 4288	4892	aahost.exe	94
PID 4892 wrote to memory of 4288	4892	aahost.exe	94
PID 4892 wrote to memory of 4288	4892	aahost.exe	94
PID 4892 wrote to memory of 4288	4892	aahost.exe	94
PID 4892 wrote to memory of 4288	4892	aahost.exe	94
PID 4892 wrote to memory of 4288	4892	aahost.exe	94
PID 4892 wrote to memory of 4288	4892	aahost.exe	94
PID 3120 wrote to memory of 4940	3120	5f9127245473fbfdab735869bce40d88.exe	93
PID 3120 wrote to memory of 4940	3120	5f9127245473fbfdab735869bce40d88.exe	93
PID 3120 wrote to memory of 4940	3120	5f9127245473fbfdab735869bce40d88.exe	93
PID 4940 wrote to memory of 2792	4940	bshost.exe	100
PID 4940 wrote to memory of 2792	4940	bshost.exe	100
PID 4940 wrote to memory of 2792	4940	bshost.exe	100
PID 4940 wrote to memory of 2792	4940	bshost.exe	100
PID 3120 wrote to memory of 532	3120	5f9127245473fbfdab735869bce40d88.exe	102
PID 3120 wrote to memory of 532	3120	5f9127245473fbfdab735869bce40d88.exe	102
PID 3120 wrote to memory of 532	3120	5f9127245473fbfdab735869bce40d88.exe	102
PID 3120 wrote to memory of 392	3120	5f9127245473fbfdab735869bce40d88.exe	111
PID 3120 wrote to memory of 392	3120	5f9127245473fbfdab735869bce40d88.exe	111
PID 3120 wrote to memory of 392	3120	5f9127245473fbfdab735869bce40d88.exe	111

C:\Users\Admin\AppData\Local\Temp\5f9127245473fbfdab735869bce40d88.exe
"C:\Users\Admin\AppData\Local\Temp\5f9127245473fbfdab735869bce40d88.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3120
- C:\Users\Admin\LB9c4j3K.exe
  C:\Users\Admin\LB9c4j3K.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4516
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c tasklist&&del LB9c4j3K.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4896
- - C:\Users\Admin\jiizob.exe
    "C:\Users\Admin\jiizob.exe"
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1496
- C:\Users\Admin\bshost.exe
  C:\Users\Admin\bshost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4940
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    PID:2792
- C:\Users\Admin\aahost.exe
  C:\Users\Admin\aahost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4892
- C:\Users\Admin\dyhost.exe
  C:\Users\Admin\dyhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:532
- C:\Users\Admin\ekhost.exe
  C:\Users\Admin\ekhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:392
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c tasklist&&del ekhost.exe
    3⤵
    PID:4764
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c tasklist&&del 5f9127245473fbfdab735869bce40d88.exe
  2⤵
  PID:3364

C:\Users\Admin\aahost.exe
"C:\Users\Admin\aahost.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4288

C:\Windows\SysWOW64\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:392

C:\Windows\SysWOW64\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:4720

C:\Windows\SysWOW64\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:4912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\LB9c4j3K.exe

Filesize
92KB

MD5
5fc8235bf7463fc8dc2dbfbc5071487b

SHA1
e8d816dc0fb397484883c13a48208508ccf73519

SHA256
bd16d2f2758c6e5b79e2fe9255412c1691c0c23deeed52779fdf7a9600abf277

SHA512
0f78d9897584b3f4ca2629bdfad0d95830521235e933cfc780e60a6fcec6c2f4a80a1816f28aa33457ebeffbf887510e3ffc9037a1284e3a47f4e6bb88b36bdf

Download Submit
C:\Users\Admin\calc.exe

Filesize
764KB

MD5
e381b04abf596ed1573154cd41f418dc

SHA1
2ad1df7bebf1e4c0715adbf76c8c14b9162edf2e

SHA256
02b08664fcc196f15ff0e33e7ed43e9e78af7b564e3f7c5388dd7d0267905fe6

SHA512
44307e60bdc804b3abe710a21e2268960dcc9d29671cf8ce723e40721b6b38ae338c49cd1b9cfd4fa8fa4f644cc80414baeb70f136f39f73833f8373f8180858

Download Submit
C:\Users\Admin\ekhost.exe

Filesize
24KB

MD5
9fe0e5252dc24fc1788b0d8b26026807

SHA1
21e3063a0fac1157b9707861048c5f7fbd070ceb

SHA256
9c99c968d969c2d5c1570c6066957d726bc19ffe9e0562242ce1bf79514c1b40

SHA512
613f5c821dfcef8124ecb7c9b118cda14be4d72a26f1a21ffde81c4d8aae4f315740d66c298e5963b0647f0ecd9e2d63d9bbb8df4e0c731019896e7ac0391d5c

Download Submit
C:\Users\Admin\jiizob.exe

Filesize
92KB

MD5
2812aff3bc179ef18e550ea16f5af933

SHA1
ee409fd42b7d44eeb284fe93a3a2127c7a5cc0ed

SHA256
948363a98a1aa03c9c593029f6f6a54156589c4681fd88c157da9c87d2ad0f78

SHA512
6375096e708fff88019679bb215b074e47f58eab67fe51e9d64e4d62839534a74a05def573c47d8f8964f19fb7deaa60997d8420c1fd51279f828fa2129fbb3f

Download Submit
memory/4288-47-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4288-52-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4288-55-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4288-50-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4940-61-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4940-65-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4940-64-0x0000000002560000-0x0000000002561000-memory.dmp

Filesize
4KB

Download
memory/4940-63-0x0000000002510000-0x0000000002554000-memory.dmp

Filesize
272KB

Download
memory/4940-62-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4940-68-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4940-60-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/4940-59-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download