8ff9f4513a27aac296994173104350fbdbc97d41cafd3afd37a2b09f69e5856c

Analysis

max time kernel
145s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
08-06-2023 19:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8ff9f4513a27aac296994173104350fbdbc97d41cafd3afd37a2b09f69e5856c.exe
Size

513KB
MD5

6629289fd2abf1c30a16fb9578ff4e08
SHA1

1bd30832f866299027722104c6a92f8ccca594f9
SHA256

8ff9f4513a27aac296994173104350fbdbc97d41cafd3afd37a2b09f69e5856c
SHA512

41920d19d6791b88f06fd8e57e38365c3bcc318fd5f4e4411a76318ad3fbca4cbcb8854ccd9526f2c4c00899c03eddb955ebd886b084bb11b1f13b7533842c3d
SSDEEP

12288:M7y5t7wPDi5ttUT18OB2AM3zX1Ke9y0p/wgwP3QJ1:M7Kt7wPDGkJf2Amge9f9wT4J1

Score

8^/10

aspackv2 upx

Malware Config

Signatures

Downloads MZ/PE file

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Public\xiaodaxzqxia\jecxz.exe	aspack_v212_v242
C:\Users\Public\xiaodaxzqxia\jecxz.exe	aspack_v212_v242

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

8ff9f4513a27aac296994173104350fbdbc97d41cafd3afd37a2b09f69e5856c.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation	8ff9f4513a27aac296994173104350fbdbc97d41cafd3afd37a2b09f69e5856c.exe

Drops startup file 2 IoCs

Processes:

v.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winzaxcvb.lnk	v.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winzaxcvb.lnk	v.exe

Executes dropped EXE 4 IoCs

Processes:

jecxz.exev.exev.exev.exe

pid process

4744 jecxz.exe
3392 v.exe
224 v.exe
3356 v.exe

pid	process
4744	jecxz.exe
3392	v.exe
224	v.exe
3356	v.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3372-133-0x0000000000400000-0x000000000058A200-memory.dmp	upx
behavioral2/memory/3372-156-0x0000000000400000-0x000000000058A200-memory.dmp	upx
behavioral2/memory/3372-157-0x0000000000400000-0x000000000058A200-memory.dmp	upx
behavioral2/memory/3372-169-0x0000000000400000-0x000000000058A200-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

8ff9f4513a27aac296994173104350fbdbc97d41cafd3afd37a2b09f69e5856c.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings	8ff9f4513a27aac296994173104350fbdbc97d41cafd3afd37a2b09f69e5856c.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

8ff9f4513a27aac296994173104350fbdbc97d41cafd3afd37a2b09f69e5856c.exe

pid	process
3372	8ff9f4513a27aac296994173104350fbdbc97d41cafd3afd37a2b09f69e5856c.exe
3372	8ff9f4513a27aac296994173104350fbdbc97d41cafd3afd37a2b09f69e5856c.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

8ff9f4513a27aac296994173104350fbdbc97d41cafd3afd37a2b09f69e5856c.exe

pid	process
3372	8ff9f4513a27aac296994173104350fbdbc97d41cafd3afd37a2b09f69e5856c.exe
3372	8ff9f4513a27aac296994173104350fbdbc97d41cafd3afd37a2b09f69e5856c.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

8ff9f4513a27aac296994173104350fbdbc97d41cafd3afd37a2b09f69e5856c.exejecxz.exe

description	pid	process	target process
PID 3372 wrote to memory of 4744	3372	8ff9f4513a27aac296994173104350fbdbc97d41cafd3afd37a2b09f69e5856c.exe	jecxz.exe
PID 3372 wrote to memory of 4744	3372	8ff9f4513a27aac296994173104350fbdbc97d41cafd3afd37a2b09f69e5856c.exe	jecxz.exe
PID 3372 wrote to memory of 4744	3372	8ff9f4513a27aac296994173104350fbdbc97d41cafd3afd37a2b09f69e5856c.exe	jecxz.exe
PID 4744 wrote to memory of 4392	4744	jecxz.exe	cmd.exe
PID 4744 wrote to memory of 4392	4744	jecxz.exe	cmd.exe
PID 4744 wrote to memory of 4392	4744	jecxz.exe	cmd.exe
PID 3372 wrote to memory of 3392	3372	8ff9f4513a27aac296994173104350fbdbc97d41cafd3afd37a2b09f69e5856c.exe	v.exe
PID 3372 wrote to memory of 3392	3372	8ff9f4513a27aac296994173104350fbdbc97d41cafd3afd37a2b09f69e5856c.exe	v.exe
PID 3372 wrote to memory of 3392	3372	8ff9f4513a27aac296994173104350fbdbc97d41cafd3afd37a2b09f69e5856c.exe	v.exe

C:\Users\Admin\AppData\Local\Temp\8ff9f4513a27aac296994173104350fbdbc97d41cafd3afd37a2b09f69e5856c.exe
"C:\Users\Admin\AppData\Local\Temp\8ff9f4513a27aac296994173104350fbdbc97d41cafd3afd37a2b09f69e5856c.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3372

C:\Users\Public\xiaodaxzqxia\jecxz.exe
C:\Users\Public\xiaodaxzqxia\jecxz.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c pause
3⤵
PID:4392

C:\Users\Public\xiaodaxzqxia\v.exe
"C:\Users\Public\xiaodaxzqxia\v.exe" -o C:\Users\Public\xiaodaxzqxia\111 -d C:\Users\Public\xiaodaxzqxia
2⤵
- Executes dropped EXE
PID:3392

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4968

C:\Users\Public\xiaodaxzqxia\v.exe
"C:\Users\Public\xiaodaxzqxia\v.exe" -n C:\Users\Public\xiaodaxzqxia\b -d C:\Users\Admin\AppData\Roaming
1⤵
- Drops startup file
- Executes dropped EXE
PID:224

C:\Users\Public\xiaodaxzqxia\v.exe
"C:\Users\Public\xiaodaxzqxia\v.exe" -n C:\Users\Public\xiaodaxzqxia\b -d C:\Users\Admin\AppData\Roaming
1⤵
- Executes dropped EXE
PID:3356

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winzaxcvb.lnk
Filesize
1KB

MD5
65390da2a2a676e971e54730f385671d

SHA1
7a45295b5e44240b66c02635befe10f9b2ed2b06

SHA256
0437963c85448339ef452e7224c1712a29f6e0e775482324a2b4fda8debdc821

SHA512
710862fcaa063bfceabc6eafe009d8a0e583c5d214b069393db164e97d4a7fd9b36fd9153e9b0a9f9caee49eaa5606a5025332ee6aae8dbd99dd5d89445d4320

Download Submit
C:\Users\Public\xiaodaxzqxia\111
Filesize
1.1MB

MD5
6d3fdfa871671c5e41f8d05f0140abf1

SHA1
6e55d6e3a329809dcf69e0a70cdc4ea3700b8c6c

SHA256
a017033cc4fd3743fd778269e703c4818c6e5eac79d1477a00f20c2ffd51e4de

SHA512
c804d53c327aed4e7559d0e1e5166938e3e9960301fab0ad61489e063affb458df382521ac2ae60b7a5a9e7ee8fb761ad7190595f1b284efa20a14946bb53db0

Download Submit
C:\Users\Public\xiaodaxzqxia\b
Filesize
1KB

MD5
90ef125bfb1c56aa09bd25707d27677f

SHA1
fd39a1f56869c8a090f066ccbf052c6c6366d5e8

SHA256
43ae9f64ac4196544c30038df9f63823bf9a6644014cff8d02a9fd28462044da

SHA512
78cc4d07d0570e4ba09dcb40e4ba61e004de23b7f5d760518b3f7dcd2abcd7f732f09409ce7743138076d39783f0aada9b5adb6cbc61d75ef84018f2d5f81887

Download Submit
C:\Users\Public\xiaodaxzqxia\jecxz.exe
Filesize
114KB

MD5
94eb950bbf80edd41f9073ce55a4b08d

SHA1
1f222a5ccd2b474fbed19d34af5d3607ade5024d

SHA256
429952e76c2b06dd9c0a4843f18721dd9daa4c8652657f084b5607aef28e1cd2

SHA512
3baefbd7833c4b6f009bc8b6e7a152463e9dfb981271ecbffe00251c841a60f379895c77139a36f92e72dc09b578b9b4a3e0c7eac34ba6afcddd1e0ff0b591b0

Download Submit
C:\Users\Public\xiaodaxzqxia\jecxz.exe
Filesize
114KB

MD5
94eb950bbf80edd41f9073ce55a4b08d

SHA1
1f222a5ccd2b474fbed19d34af5d3607ade5024d

SHA256
429952e76c2b06dd9c0a4843f18721dd9daa4c8652657f084b5607aef28e1cd2

SHA512
3baefbd7833c4b6f009bc8b6e7a152463e9dfb981271ecbffe00251c841a60f379895c77139a36f92e72dc09b578b9b4a3e0c7eac34ba6afcddd1e0ff0b591b0

Download Submit
C:\Users\Public\xiaodaxzqxia\v.exe
Filesize
142KB

MD5
bbaea75e78b80434b7cd699749b93a97

SHA1
c7d151758cb88dee39dbb5f4cd30e7d226980dde

SHA256
c9a1c52f5f5c8deef76b8e989c6a377f00061fa369cbd1cee7f53f8f03295f5c

SHA512
7f41846d61452c73566554ba5f6ef356e757ff4c292ad68bbcc1b84f736c02c6b0bc52e13270e5d7be4cde743d40cfc281028d4a0e322fbeecd9b786d08bac3d

Download Submit
C:\Users\Public\xiaodaxzqxia\v.exe
Filesize
142KB

MD5
bbaea75e78b80434b7cd699749b93a97

SHA1
c7d151758cb88dee39dbb5f4cd30e7d226980dde

SHA256
c9a1c52f5f5c8deef76b8e989c6a377f00061fa369cbd1cee7f53f8f03295f5c

SHA512
7f41846d61452c73566554ba5f6ef356e757ff4c292ad68bbcc1b84f736c02c6b0bc52e13270e5d7be4cde743d40cfc281028d4a0e322fbeecd9b786d08bac3d

Download Submit
C:\Users\Public\xiaodaxzqxia\v.exe
Filesize
142KB

MD5
bbaea75e78b80434b7cd699749b93a97

SHA1
c7d151758cb88dee39dbb5f4cd30e7d226980dde

SHA256
c9a1c52f5f5c8deef76b8e989c6a377f00061fa369cbd1cee7f53f8f03295f5c

SHA512
7f41846d61452c73566554ba5f6ef356e757ff4c292ad68bbcc1b84f736c02c6b0bc52e13270e5d7be4cde743d40cfc281028d4a0e322fbeecd9b786d08bac3d

Download Submit
C:\Users\Public\xiaodaxzqxia\v.exe
Filesize
142KB

MD5
bbaea75e78b80434b7cd699749b93a97

SHA1
c7d151758cb88dee39dbb5f4cd30e7d226980dde

SHA256
c9a1c52f5f5c8deef76b8e989c6a377f00061fa369cbd1cee7f53f8f03295f5c

SHA512
7f41846d61452c73566554ba5f6ef356e757ff4c292ad68bbcc1b84f736c02c6b0bc52e13270e5d7be4cde743d40cfc281028d4a0e322fbeecd9b786d08bac3d

Download Submit
memory/3372-156-0x0000000000400000-0x000000000058A200-memory.dmp

Filesize
1.5MB

Download
memory/3372-157-0x0000000000400000-0x000000000058A200-memory.dmp

Filesize
1.5MB

Download
memory/3372-133-0x0000000000400000-0x000000000058A200-memory.dmp

Filesize
1.5MB

Download
memory/3372-169-0x0000000000400000-0x000000000058A200-memory.dmp

Filesize
1.5MB

Download
memory/4744-142-0x00000000003D0000-0x000000000040E000-memory.dmp

Filesize
248KB

Download
memory/4744-144-0x00000000003D0000-0x000000000040E000-memory.dmp

Filesize
248KB

Download
memory/4744-143-0x00000000003D0000-0x000000000040E000-memory.dmp

Filesize
248KB

Download