f2971b4f34505097bb2651e4581648fe1900ebe43d7d28043c8462ac9ad87599

Analysis

max time kernel
292s
max time network
297s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
14/01/2024, 18:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

jia.exe
Size

270KB
MD5

6ef2a70161040708e88a53fc48d316eb
SHA1

4a7a21afe4e54b98af48b82730ca5c1a3fd89e39
SHA256

f2971b4f34505097bb2651e4581648fe1900ebe43d7d28043c8462ac9ad87599
SHA512

54984df08579f38d030c66753bc186a3a8b0bfcc4b8105c40608dfd7e55aca99d8b76db9c6bac95f3f4071b4fb7aef6fc69b697f45e91bc2016cd5385c49cfd1
SSDEEP

6144:FRLCJMWVCsCSapryyyIN1Pq/S6oGf9cxDvuzKd:f5WVCsCSabN1PxltD

Score

8^/10

persistence

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
2992	svvhost.exe

Loads dropped DLL 1 IoCs

pid	Process
3432	Explorer.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\360 = "C:\\Windows\\System32\\svvhost.exe"	svvhost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\svvhost.exe	jia.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2992	svvhost.exe
2992	svvhost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4512	jia.exe
Token: SeShutdownPrivilege	3432	Explorer.EXE
Token: SeCreatePagefilePrivilege	3432	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3432	Explorer.EXE

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4512 wrote to memory of 2992	4512	jia.exe	85
PID 4512 wrote to memory of 2992	4512	jia.exe	85
PID 4512 wrote to memory of 5108	4512	jia.exe	86
PID 4512 wrote to memory of 5108	4512	jia.exe	86
PID 2992 wrote to memory of 3432	2992	svvhost.exe	57

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:3432
- C:\Users\Admin\AppData\Local\Temp\jia.exe
  "C:\Users\Admin\AppData\Local\Temp\jia.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4512
- - C:\Windows\System32\svvhost.exe
    "C:\Windows\System32\svvhost.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2992
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\jia.exe > nul
    3⤵
    PID:5108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\.rdp

Filesize
966KB

MD5
e531d22940716fbc6740e6963dc39bf4

SHA1
1fca402c4a84f072611dae21ff6f4dd4ce44dc86

SHA256
1dfa866c67486413d0124bdd87a5c91dac51e5801a3aeb596693a79302e2ecd3

SHA512
bc26148ba94b7de7a7e868a09ead190bd297a1f0acaee63c93f23054422ef79f4bcb318d48bc7b3e6d0c753daa22fb8153d9dc1acd6be48b7ee691a7469ae7a8

Download Submit
C:\Windows\System32\svvhost.exe

Filesize
270KB

MD5
6ef2a70161040708e88a53fc48d316eb

SHA1
4a7a21afe4e54b98af48b82730ca5c1a3fd89e39

SHA256
f2971b4f34505097bb2651e4581648fe1900ebe43d7d28043c8462ac9ad87599

SHA512
54984df08579f38d030c66753bc186a3a8b0bfcc4b8105c40608dfd7e55aca99d8b76db9c6bac95f3f4071b4fb7aef6fc69b697f45e91bc2016cd5385c49cfd1

Download Submit