8ff9f4513a27aac296994173104350fbdbc97d41cafd3afd37a2b09f69e5856c

Analysis

max time kernel
141s
max time network
36s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
08-06-2023 19:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8ff9f4513a27aac296994173104350fbdbc97d41cafd3afd37a2b09f69e5856c.exe
Size

513KB
MD5

6629289fd2abf1c30a16fb9578ff4e08
SHA1

1bd30832f866299027722104c6a92f8ccca594f9
SHA256

8ff9f4513a27aac296994173104350fbdbc97d41cafd3afd37a2b09f69e5856c
SHA512

41920d19d6791b88f06fd8e57e38365c3bcc318fd5f4e4411a76318ad3fbca4cbcb8854ccd9526f2c4c00899c03eddb955ebd886b084bb11b1f13b7533842c3d
SSDEEP

12288:M7y5t7wPDi5ttUT18OB2AM3zX1Ke9y0p/wgwP3QJ1:M7Kt7wPDGkJf2Amge9f9wT4J1

Score

8^/10

aspackv2 upx

Malware Config

Signatures

Downloads MZ/PE file

ASPack v2.12-2.42 4 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
\Users\Public\xiaodaxzqxia\jecxz.exe	aspack_v212_v242
C:\Users\Public\xiaodaxzqxia\jecxz.exe	aspack_v212_v242
C:\Users\Public\xiaodaxzqxia\jecxz.exe	aspack_v212_v242
\Users\Public\xiaodaxzqxia\jecxz.exe	aspack_v212_v242

Executes dropped EXE 2 IoCs

Processes:

jecxz.exev.exe

pid process

1428 jecxz.exe
864 v.exe

pid	process
1428	jecxz.exe
864	v.exe

Loads dropped DLL 4 IoCs

Processes:

8ff9f4513a27aac296994173104350fbdbc97d41cafd3afd37a2b09f69e5856c.exe

pid	process
1604	8ff9f4513a27aac296994173104350fbdbc97d41cafd3afd37a2b09f69e5856c.exe
1604	8ff9f4513a27aac296994173104350fbdbc97d41cafd3afd37a2b09f69e5856c.exe
1604	8ff9f4513a27aac296994173104350fbdbc97d41cafd3afd37a2b09f69e5856c.exe
1604	8ff9f4513a27aac296994173104350fbdbc97d41cafd3afd37a2b09f69e5856c.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1604-54-0x0000000000400000-0x000000000058A200-memory.dmp	upx
behavioral1/memory/1604-58-0x0000000000400000-0x000000000058A200-memory.dmp	upx
behavioral1/memory/1604-88-0x0000000000400000-0x000000000058A200-memory.dmp	upx
behavioral1/memory/1604-89-0x0000000000400000-0x000000000058A200-memory.dmp	upx
behavioral1/memory/1604-92-0x0000000000400000-0x000000000058A200-memory.dmp	upx
behavioral1/memory/1604-95-0x0000000000400000-0x000000000058A200-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

8ff9f4513a27aac296994173104350fbdbc97d41cafd3afd37a2b09f69e5856c.exe

pid process

1604 8ff9f4513a27aac296994173104350fbdbc97d41cafd3afd37a2b09f69e5856c.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

8ff9f4513a27aac296994173104350fbdbc97d41cafd3afd37a2b09f69e5856c.exe

pid	process
1604	8ff9f4513a27aac296994173104350fbdbc97d41cafd3afd37a2b09f69e5856c.exe
1604	8ff9f4513a27aac296994173104350fbdbc97d41cafd3afd37a2b09f69e5856c.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

8ff9f4513a27aac296994173104350fbdbc97d41cafd3afd37a2b09f69e5856c.exejecxz.exe

description	pid	process	target process
PID 1604 wrote to memory of 1428	1604	8ff9f4513a27aac296994173104350fbdbc97d41cafd3afd37a2b09f69e5856c.exe	jecxz.exe
PID 1604 wrote to memory of 1428	1604	8ff9f4513a27aac296994173104350fbdbc97d41cafd3afd37a2b09f69e5856c.exe	jecxz.exe
PID 1604 wrote to memory of 1428	1604	8ff9f4513a27aac296994173104350fbdbc97d41cafd3afd37a2b09f69e5856c.exe	jecxz.exe
PID 1604 wrote to memory of 1428	1604	8ff9f4513a27aac296994173104350fbdbc97d41cafd3afd37a2b09f69e5856c.exe	jecxz.exe
PID 1428 wrote to memory of 744	1428	jecxz.exe	cmd.exe
PID 1428 wrote to memory of 744	1428	jecxz.exe	cmd.exe
PID 1428 wrote to memory of 744	1428	jecxz.exe	cmd.exe
PID 1428 wrote to memory of 744	1428	jecxz.exe	cmd.exe
PID 1604 wrote to memory of 864	1604	8ff9f4513a27aac296994173104350fbdbc97d41cafd3afd37a2b09f69e5856c.exe	v.exe
PID 1604 wrote to memory of 864	1604	8ff9f4513a27aac296994173104350fbdbc97d41cafd3afd37a2b09f69e5856c.exe	v.exe
PID 1604 wrote to memory of 864	1604	8ff9f4513a27aac296994173104350fbdbc97d41cafd3afd37a2b09f69e5856c.exe	v.exe
PID 1604 wrote to memory of 864	1604	8ff9f4513a27aac296994173104350fbdbc97d41cafd3afd37a2b09f69e5856c.exe	v.exe

C:\Users\Admin\AppData\Local\Temp\8ff9f4513a27aac296994173104350fbdbc97d41cafd3afd37a2b09f69e5856c.exe
"C:\Users\Admin\AppData\Local\Temp\8ff9f4513a27aac296994173104350fbdbc97d41cafd3afd37a2b09f69e5856c.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1604

C:\Users\Public\xiaodaxzqxia\jecxz.exe
C:\Users\Public\xiaodaxzqxia\jecxz.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c pause
3⤵
PID:744

C:\Users\Public\xiaodaxzqxia\v.exe
"C:\Users\Public\xiaodaxzqxia\v.exe" -o C:\Users\Public\xiaodaxzqxia\111 -d C:\Users\Public\xiaodaxzqxia
2⤵
- Executes dropped EXE
PID:864

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\xiaodaxzqxia\111
Filesize
1.1MB

MD5
6d3fdfa871671c5e41f8d05f0140abf1

SHA1
6e55d6e3a329809dcf69e0a70cdc4ea3700b8c6c

SHA256
a017033cc4fd3743fd778269e703c4818c6e5eac79d1477a00f20c2ffd51e4de

SHA512
c804d53c327aed4e7559d0e1e5166938e3e9960301fab0ad61489e063affb458df382521ac2ae60b7a5a9e7ee8fb761ad7190595f1b284efa20a14946bb53db0

Download Submit
C:\Users\Public\xiaodaxzqxia\jecxz.exe
Filesize
114KB

MD5
94eb950bbf80edd41f9073ce55a4b08d

SHA1
1f222a5ccd2b474fbed19d34af5d3607ade5024d

SHA256
429952e76c2b06dd9c0a4843f18721dd9daa4c8652657f084b5607aef28e1cd2

SHA512
3baefbd7833c4b6f009bc8b6e7a152463e9dfb981271ecbffe00251c841a60f379895c77139a36f92e72dc09b578b9b4a3e0c7eac34ba6afcddd1e0ff0b591b0

Download Submit
C:\Users\Public\xiaodaxzqxia\jecxz.exe
Filesize
114KB

MD5
94eb950bbf80edd41f9073ce55a4b08d

SHA1
1f222a5ccd2b474fbed19d34af5d3607ade5024d

SHA256
429952e76c2b06dd9c0a4843f18721dd9daa4c8652657f084b5607aef28e1cd2

SHA512
3baefbd7833c4b6f009bc8b6e7a152463e9dfb981271ecbffe00251c841a60f379895c77139a36f92e72dc09b578b9b4a3e0c7eac34ba6afcddd1e0ff0b591b0

Download Submit
C:\Users\Public\xiaodaxzqxia\v.exe
Filesize
142KB

MD5
bbaea75e78b80434b7cd699749b93a97

SHA1
c7d151758cb88dee39dbb5f4cd30e7d226980dde

SHA256
c9a1c52f5f5c8deef76b8e989c6a377f00061fa369cbd1cee7f53f8f03295f5c

SHA512
7f41846d61452c73566554ba5f6ef356e757ff4c292ad68bbcc1b84f736c02c6b0bc52e13270e5d7be4cde743d40cfc281028d4a0e322fbeecd9b786d08bac3d

Download Submit
C:\Users\Public\xiaodaxzqxia\v.exe
Filesize
142KB

MD5
bbaea75e78b80434b7cd699749b93a97

SHA1
c7d151758cb88dee39dbb5f4cd30e7d226980dde

SHA256
c9a1c52f5f5c8deef76b8e989c6a377f00061fa369cbd1cee7f53f8f03295f5c

SHA512
7f41846d61452c73566554ba5f6ef356e757ff4c292ad68bbcc1b84f736c02c6b0bc52e13270e5d7be4cde743d40cfc281028d4a0e322fbeecd9b786d08bac3d

Download Submit
\Users\Public\xiaodaxzqxia\jecxz.exe
Filesize
114KB

MD5
94eb950bbf80edd41f9073ce55a4b08d

SHA1
1f222a5ccd2b474fbed19d34af5d3607ade5024d

SHA256
429952e76c2b06dd9c0a4843f18721dd9daa4c8652657f084b5607aef28e1cd2

SHA512
3baefbd7833c4b6f009bc8b6e7a152463e9dfb981271ecbffe00251c841a60f379895c77139a36f92e72dc09b578b9b4a3e0c7eac34ba6afcddd1e0ff0b591b0

Download Submit
\Users\Public\xiaodaxzqxia\jecxz.exe
Filesize
114KB

MD5
94eb950bbf80edd41f9073ce55a4b08d

SHA1
1f222a5ccd2b474fbed19d34af5d3607ade5024d

SHA256
429952e76c2b06dd9c0a4843f18721dd9daa4c8652657f084b5607aef28e1cd2

SHA512
3baefbd7833c4b6f009bc8b6e7a152463e9dfb981271ecbffe00251c841a60f379895c77139a36f92e72dc09b578b9b4a3e0c7eac34ba6afcddd1e0ff0b591b0

Download Submit
\Users\Public\xiaodaxzqxia\v.exe
Filesize
142KB

MD5
bbaea75e78b80434b7cd699749b93a97

SHA1
c7d151758cb88dee39dbb5f4cd30e7d226980dde

SHA256
c9a1c52f5f5c8deef76b8e989c6a377f00061fa369cbd1cee7f53f8f03295f5c

SHA512
7f41846d61452c73566554ba5f6ef356e757ff4c292ad68bbcc1b84f736c02c6b0bc52e13270e5d7be4cde743d40cfc281028d4a0e322fbeecd9b786d08bac3d

Download Submit
\Users\Public\xiaodaxzqxia\v.exe
Filesize
142KB

MD5
bbaea75e78b80434b7cd699749b93a97

SHA1
c7d151758cb88dee39dbb5f4cd30e7d226980dde

SHA256
c9a1c52f5f5c8deef76b8e989c6a377f00061fa369cbd1cee7f53f8f03295f5c

SHA512
7f41846d61452c73566554ba5f6ef356e757ff4c292ad68bbcc1b84f736c02c6b0bc52e13270e5d7be4cde743d40cfc281028d4a0e322fbeecd9b786d08bac3d

Download Submit
memory/1428-71-0x0000000000CF0000-0x0000000000D2E000-memory.dmp

Filesize
248KB

Download
memory/1428-70-0x0000000000CF0000-0x0000000000D2E000-memory.dmp

Filesize
248KB

Download
memory/1428-72-0x0000000000CF0000-0x0000000000D2E000-memory.dmp

Filesize
248KB

Download
memory/1604-58-0x0000000000400000-0x000000000058A200-memory.dmp

Filesize
1.5MB

Download
memory/1604-69-0x00000000029C0000-0x00000000029FE000-memory.dmp

Filesize
248KB

Download
memory/1604-54-0x0000000000400000-0x000000000058A200-memory.dmp

Filesize
1.5MB

Download
memory/1604-67-0x00000000029C0000-0x00000000029FE000-memory.dmp

Filesize
248KB

Download
memory/1604-88-0x0000000000400000-0x000000000058A200-memory.dmp

Filesize
1.5MB

Download
memory/1604-89-0x0000000000400000-0x000000000058A200-memory.dmp

Filesize
1.5MB

Download
memory/1604-92-0x0000000000400000-0x000000000058A200-memory.dmp

Filesize
1.5MB

Download
memory/1604-95-0x0000000000400000-0x000000000058A200-memory.dmp

Filesize
1.5MB

Download