94a71d2356d627cea1d8790d0d70b568d6024559d9a2305f9d4ea6d38d9d285a

Analysis

max time kernel
141s
max time network
128s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24/04/2024, 03:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

94a71d2356d627cea1d8790d0d70b568d6024559d9a2305f9d4ea6d38d9d285a.exe
Size

198KB
MD5

ca099f409722c7450f7d813a54fdb7a6
SHA1

22b232693ab2d8ccfe6d1406cd0c64342dde40d5
SHA256

94a71d2356d627cea1d8790d0d70b568d6024559d9a2305f9d4ea6d38d9d285a
SHA512

62144f17834b4cba1e487195bec4a50689b3771f77dfbb37380787a340df1227d4e9548a30746211057f2550b782ec087317c46765fa7e9c65a9590606a8fab4
SSDEEP

6144:rBs27MMLyX5HXXXDTXXXOGqIII+pXXX5AYjKXXXDoXXXG6XXXxXXXLIIIEAkOCOC:rK20HXXX/XXXFqIIIcXXX5j2XXXcXXXD

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2868	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2308	jaohost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Debug\jaohost.exe	94a71d2356d627cea1d8790d0d70b568d6024559d9a2305f9d4ea6d38d9d285a.exe
File opened for modification	C:\Windows\Debug\jaohost.exe	94a71d2356d627cea1d8790d0d70b568d6024559d9a2305f9d4ea6d38d9d285a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	jaohost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	jaohost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2264	94a71d2356d627cea1d8790d0d70b568d6024559d9a2305f9d4ea6d38d9d285a.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2264 wrote to memory of 2868	2264	94a71d2356d627cea1d8790d0d70b568d6024559d9a2305f9d4ea6d38d9d285a.exe	29
PID 2264 wrote to memory of 2868	2264	94a71d2356d627cea1d8790d0d70b568d6024559d9a2305f9d4ea6d38d9d285a.exe	29
PID 2264 wrote to memory of 2868	2264	94a71d2356d627cea1d8790d0d70b568d6024559d9a2305f9d4ea6d38d9d285a.exe	29
PID 2264 wrote to memory of 2868	2264	94a71d2356d627cea1d8790d0d70b568d6024559d9a2305f9d4ea6d38d9d285a.exe	29

C:\Users\Admin\AppData\Local\Temp\94a71d2356d627cea1d8790d0d70b568d6024559d9a2305f9d4ea6d38d9d285a.exe
"C:\Users\Admin\AppData\Local\Temp\94a71d2356d627cea1d8790d0d70b568d6024559d9a2305f9d4ea6d38d9d285a.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2264
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\94A71D~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2868

C:\Windows\Debug\jaohost.exe
C:\Windows\Debug\jaohost.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:2308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\debug\jaohost.exe

Filesize
198KB

MD5
13b9df9bc502968add87f0add353a8af

SHA1
96da30331e24eed398823971b7db974f1118b17b

SHA256
066bca40cdc79a3f86665c81b1b9fa6289e45ed601e228741708ce2fad7097f6

SHA512
954523ccc9a232862e966ed954882fa7ab1c32ee38ac434f9a528e29f90c26a4e30faa7a03168782f69fb5fea6b7869f78d323034c0531f5f5387f16daae3efb

Download Submit