65097b9c5cc7c00d1f077fd6b873b186cd609018394f0404334e20a5ec3e65d6

Analysis

max time kernel
139s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10/08/2024, 23:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

65097b9c5cc7c00d1f077fd6b873b186cd609018394f0404334e20a5ec3e65d6.exe
Size

1.5MB
MD5

bb3e531fa675e6bf80f23fe79c11cd3c
SHA1

e76cd64ae56b37a455dcd6ae9f691256ed5d272c
SHA256

65097b9c5cc7c00d1f077fd6b873b186cd609018394f0404334e20a5ec3e65d6
SHA512

5a3e68a78d070a3c05c51db926aab2fbb3b6f2e82fa7d3881fd8591db97ea3ebeba85495c918d84bddab88bcea396326b4a72e515d09e551d242feffebcc0da2
SSDEEP

24576:ExpXH7rAjoHNT5PSBe/3cAyEI3QIVLgvLQzFgUAyW56YKU1oZ9NQgRH3H4:iBrzNT5P2cM53QIazQhlW5EvjNQgRXY

Score

7^/10

bootkit discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1972	Jnz.exe

Loads dropped DLL 1 IoCs

pid	Process
2728	65097b9c5cc7c00d1f077fd6b873b186cd609018394f0404334e20a5ec3e65d6.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	65097b9c5cc7c00d1f077fd6b873b186cd609018394f0404334e20a5ec3e65d6.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	65097b9c5cc7c00d1f077fd6b873b186cd609018394f0404334e20a5ec3e65d6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnz.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	65097b9c5cc7c00d1f077fd6b873b186cd609018394f0404334e20a5ec3e65d6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	65097b9c5cc7c00d1f077fd6b873b186cd609018394f0404334e20a5ec3e65d6.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2728	65097b9c5cc7c00d1f077fd6b873b186cd609018394f0404334e20a5ec3e65d6.exe
2728	65097b9c5cc7c00d1f077fd6b873b186cd609018394f0404334e20a5ec3e65d6.exe
2728	65097b9c5cc7c00d1f077fd6b873b186cd609018394f0404334e20a5ec3e65d6.exe
2728	65097b9c5cc7c00d1f077fd6b873b186cd609018394f0404334e20a5ec3e65d6.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1972	Jnz.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2728 wrote to memory of 1972	2728	65097b9c5cc7c00d1f077fd6b873b186cd609018394f0404334e20a5ec3e65d6.exe	84
PID 2728 wrote to memory of 1972	2728	65097b9c5cc7c00d1f077fd6b873b186cd609018394f0404334e20a5ec3e65d6.exe	84
PID 2728 wrote to memory of 1972	2728	65097b9c5cc7c00d1f077fd6b873b186cd609018394f0404334e20a5ec3e65d6.exe	84

C:\Users\Admin\AppData\Local\Temp\65097b9c5cc7c00d1f077fd6b873b186cd609018394f0404334e20a5ec3e65d6.exe
"C:\Users\Admin\AppData\Local\Temp\65097b9c5cc7c00d1f077fd6b873b186cd609018394f0404334e20a5ec3e65d6.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2728
- C:\Users\Admin\AppData\Roaming\AuntecPkg\Jnz\Jnz.exe
  "C:\Users\Admin\AppData\Roaming\AuntecPkg\Jnz\Jnz.exe" -n 9317EAD2-896B-4AEC-B49F-8AC6FFFE2B00 -s 65536 -p 2728
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AuntecPkg\Jnz\Jnz.dll

Filesize
920KB

MD5
1ccb274f0be174f6acc31090dd24147b

SHA1
07d47d0e311ae8f21fa48f95dd0a53a23dfcabe9

SHA256
13499a966982ba1e12251f2d112c109c1b28102a8b4aa13f20055776ad057e04

SHA512
53596000a1245cc4e934793e3ba2a721d223cdc86cd395f9561bab972d1a243188ae25c227c1bbe98576332f21f8ba75211593f3ff77544108f23ea4475407a3

Download Submit
C:\Users\Admin\AppData\Roaming\AuntecPkg\Jnz\Jnz.exe

Filesize
188KB

MD5
e848064ebd9408d2e12abf012da34a0c

SHA1
28a06816eabd6457e36a9f16ea086c066eebdbb3

SHA256
936c43f021074039176e9fa25118a41a9d7db6ccefc3d99f6bc8c942dfe67696

SHA512
0329c9c9cdd33f43362e31cd0bd0d288192b974db794beba922e255360688ec5800713a1e87e6e1b4265523ee981ff0ebf6cca9268762e89c332f883fb19e63b

Download Submit