7615c8734fc70c59c48fefdceb1930ca73b182e97537e8d451d4f49a3c65e31e

Analysis

max time kernel
112s
max time network
119s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
11/06/2024, 23:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7615c8734fc70c59c48fefdceb1930ca73b182e97537e8d451d4f49a3c65e31e.exe
Size

76KB
MD5

825c02728dc61ce6dfda719f5e8575d9
SHA1

7565a5ff108255eae5107973d8f27edeaa7761c8
SHA256

7615c8734fc70c59c48fefdceb1930ca73b182e97537e8d451d4f49a3c65e31e
SHA512

acf7f42c6ba77a620f14b17d1710bf3c3604e271e42c9c13a26c970b617c9b4bea94957f0482979a7861f64e3542c1cb6e57560ac718b6e73ad5e630bb099854
SSDEEP

768:weIrCaOEjR9z+xOF4/i/BEYkp7P6lweQDhDmpU5GFrrEzWsdSE0d8pUHIkI0IUL:wLrjSxO+2G40OIkaUL

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	jiubos.exe

Executes dropped EXE 1 IoCs

pid	Process
2528	jiubos.exe

Loads dropped DLL 2 IoCs

pid	Process
2088	7615c8734fc70c59c48fefdceb1930ca73b182e97537e8d451d4f49a3c65e31e.exe
2088	7615c8734fc70c59c48fefdceb1930ca73b182e97537e8d451d4f49a3c65e31e.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\jiubos = "C:\\Users\\Admin\\jiubos.exe"	jiubos.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2528	jiubos.exe
2528	jiubos.exe
2528	jiubos.exe
2528	jiubos.exe
2528	jiubos.exe
2528	jiubos.exe
2528	jiubos.exe
2528	jiubos.exe
2528	jiubos.exe
2528	jiubos.exe
2528	jiubos.exe
2528	jiubos.exe
2528	jiubos.exe
2528	jiubos.exe
2528	jiubos.exe
2528	jiubos.exe
2528	jiubos.exe
2528	jiubos.exe
2528	jiubos.exe
2528	jiubos.exe
2528	jiubos.exe
2528	jiubos.exe
2528	jiubos.exe
2528	jiubos.exe
2528	jiubos.exe
2528	jiubos.exe
2528	jiubos.exe
2528	jiubos.exe
2528	jiubos.exe
2528	jiubos.exe
2528	jiubos.exe
2528	jiubos.exe
2528	jiubos.exe
2528	jiubos.exe
2528	jiubos.exe
2528	jiubos.exe
2528	jiubos.exe
2528	jiubos.exe
2528	jiubos.exe
2528	jiubos.exe
2528	jiubos.exe
2528	jiubos.exe
2528	jiubos.exe
2528	jiubos.exe
2528	jiubos.exe
2528	jiubos.exe
2528	jiubos.exe
2528	jiubos.exe
2528	jiubos.exe
2528	jiubos.exe
2528	jiubos.exe
2528	jiubos.exe
2528	jiubos.exe
2528	jiubos.exe
2528	jiubos.exe
2528	jiubos.exe
2528	jiubos.exe
2528	jiubos.exe
2528	jiubos.exe
2528	jiubos.exe
2528	jiubos.exe
2528	jiubos.exe
2528	jiubos.exe
2528	jiubos.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2088	7615c8734fc70c59c48fefdceb1930ca73b182e97537e8d451d4f49a3c65e31e.exe
2528	jiubos.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 2528	2088	7615c8734fc70c59c48fefdceb1930ca73b182e97537e8d451d4f49a3c65e31e.exe	29
PID 2088 wrote to memory of 2528	2088	7615c8734fc70c59c48fefdceb1930ca73b182e97537e8d451d4f49a3c65e31e.exe	29
PID 2088 wrote to memory of 2528	2088	7615c8734fc70c59c48fefdceb1930ca73b182e97537e8d451d4f49a3c65e31e.exe	29
PID 2088 wrote to memory of 2528	2088	7615c8734fc70c59c48fefdceb1930ca73b182e97537e8d451d4f49a3c65e31e.exe	29

C:\Users\Admin\AppData\Local\Temp\7615c8734fc70c59c48fefdceb1930ca73b182e97537e8d451d4f49a3c65e31e.exe
"C:\Users\Admin\AppData\Local\Temp\7615c8734fc70c59c48fefdceb1930ca73b182e97537e8d451d4f49a3c65e31e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Users\Admin\jiubos.exe
  "C:\Users\Admin\jiubos.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\jiubos.exe

Filesize
76KB

MD5
73247e44b482b88c8796fb290731b608

SHA1
3efc9ceed8b8cfe9145647b61dc539088cc2b44b

SHA256
04df97af5af9c6f3ede21cb5efe058d0f2d6b409c26298777b1dd083e54d242a

SHA512
e4a3fda65ad652a80f977201b645c9282a3f80286bbebaf51338f2b158674c2e54b892a6cadb9b1a99c2f7205c4b7460d41e94ccc3e55c2636239bd4974f3b33

Download Submit