4d5ca9669c83429ef26b33c50a12e992b8b51bebd45bf567905a2e8eb69b2557

Analysis

max time kernel
31s
max time network
149s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
09-06-2023 02:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4d5ca9669c83429ef26b33c50a12e992b8b51bebd45bf567905a2e8eb69b2557.exe
Size

591KB
MD5

1eab0178be1feabc5bdfa76c93314092
SHA1

19e4855db4c0e311757c56359a91060efea05426
SHA256

4d5ca9669c83429ef26b33c50a12e992b8b51bebd45bf567905a2e8eb69b2557
SHA512

e4ec631156dbc8445ce2ef4eae6ca60cc50c67477d18f8ae1ffdae4a722d03de3a5cb791f5e45c35d99f91b09c1d1d4a877a0024234b5c828372df39d9f7b731
SSDEEP

12288:4alIKgkcOSQ9TuHtrOrUAhtB0H9L4U1MUQhPK7sQSWe:4GgktPO4rUO094VUQFK7sY

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

jecxz.exea.exe

pid process

1092 jecxz.exe
604 a.exe

pid	process
1092	jecxz.exe
604	a.exe

Loads dropped DLL 4 IoCs

Processes:

4d5ca9669c83429ef26b33c50a12e992b8b51bebd45bf567905a2e8eb69b2557.exe

pid	process
1972	4d5ca9669c83429ef26b33c50a12e992b8b51bebd45bf567905a2e8eb69b2557.exe
1972	4d5ca9669c83429ef26b33c50a12e992b8b51bebd45bf567905a2e8eb69b2557.exe
1972	4d5ca9669c83429ef26b33c50a12e992b8b51bebd45bf567905a2e8eb69b2557.exe
1972	4d5ca9669c83429ef26b33c50a12e992b8b51bebd45bf567905a2e8eb69b2557.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

jecxz.exe

description	ioc	process
File opened (read-only)	\??\B:	jecxz.exe
File opened (read-only)	\??\H:	jecxz.exe
File opened (read-only)	\??\R:	jecxz.exe
File opened (read-only)	\??\S:	jecxz.exe
File opened (read-only)	\??\V:	jecxz.exe
File opened (read-only)	\??\Y:	jecxz.exe
File opened (read-only)	\??\Z:	jecxz.exe
File opened (read-only)	\??\E:	jecxz.exe
File opened (read-only)	\??\F:	jecxz.exe
File opened (read-only)	\??\G:	jecxz.exe
File opened (read-only)	\??\T:	jecxz.exe
File opened (read-only)	\??\P:	jecxz.exe
File opened (read-only)	\??\U:	jecxz.exe
File opened (read-only)	\??\X:	jecxz.exe
File opened (read-only)	\??\I:	jecxz.exe
File opened (read-only)	\??\K:	jecxz.exe
File opened (read-only)	\??\N:	jecxz.exe
File opened (read-only)	\??\O:	jecxz.exe
File opened (read-only)	\??\W:	jecxz.exe
File opened (read-only)	\??\J:	jecxz.exe
File opened (read-only)	\??\L:	jecxz.exe
File opened (read-only)	\??\M:	jecxz.exe
File opened (read-only)	\??\Q:	jecxz.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

jecxz.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	jecxz.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	jecxz.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

Processes:

4d5ca9669c83429ef26b33c50a12e992b8b51bebd45bf567905a2e8eb69b2557.exejecxz.exe

pid	process
1972	4d5ca9669c83429ef26b33c50a12e992b8b51bebd45bf567905a2e8eb69b2557.exe
1092	jecxz.exe
1092	jecxz.exe
1092	jecxz.exe
1092	jecxz.exe
1092	jecxz.exe
1092	jecxz.exe
1092	jecxz.exe
1092	jecxz.exe
1092	jecxz.exe
1092	jecxz.exe
1092	jecxz.exe
1092	jecxz.exe
1092	jecxz.exe
1092	jecxz.exe
1092	jecxz.exe
1092	jecxz.exe
1092	jecxz.exe
1092	jecxz.exe
1092	jecxz.exe
1092	jecxz.exe
1092	jecxz.exe
1092	jecxz.exe
1092	jecxz.exe
1092	jecxz.exe
1092	jecxz.exe
1092	jecxz.exe
1092	jecxz.exe
1092	jecxz.exe
1092	jecxz.exe
1092	jecxz.exe
1092	jecxz.exe
1092	jecxz.exe
1092	jecxz.exe
1092	jecxz.exe
1092	jecxz.exe
1092	jecxz.exe
1092	jecxz.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

4d5ca9669c83429ef26b33c50a12e992b8b51bebd45bf567905a2e8eb69b2557.exejecxz.exe

pid	process
1972	4d5ca9669c83429ef26b33c50a12e992b8b51bebd45bf567905a2e8eb69b2557.exe
1972	4d5ca9669c83429ef26b33c50a12e992b8b51bebd45bf567905a2e8eb69b2557.exe
1092	jecxz.exe
1092	jecxz.exe
1092	jecxz.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

4d5ca9669c83429ef26b33c50a12e992b8b51bebd45bf567905a2e8eb69b2557.exe

description	pid	process	target process
PID 1972 wrote to memory of 1092	1972	4d5ca9669c83429ef26b33c50a12e992b8b51bebd45bf567905a2e8eb69b2557.exe	jecxz.exe
PID 1972 wrote to memory of 1092	1972	4d5ca9669c83429ef26b33c50a12e992b8b51bebd45bf567905a2e8eb69b2557.exe	jecxz.exe
PID 1972 wrote to memory of 1092	1972	4d5ca9669c83429ef26b33c50a12e992b8b51bebd45bf567905a2e8eb69b2557.exe	jecxz.exe
PID 1972 wrote to memory of 1092	1972	4d5ca9669c83429ef26b33c50a12e992b8b51bebd45bf567905a2e8eb69b2557.exe	jecxz.exe
PID 1972 wrote to memory of 604	1972	4d5ca9669c83429ef26b33c50a12e992b8b51bebd45bf567905a2e8eb69b2557.exe	a.exe
PID 1972 wrote to memory of 604	1972	4d5ca9669c83429ef26b33c50a12e992b8b51bebd45bf567905a2e8eb69b2557.exe	a.exe
PID 1972 wrote to memory of 604	1972	4d5ca9669c83429ef26b33c50a12e992b8b51bebd45bf567905a2e8eb69b2557.exe	a.exe
PID 1972 wrote to memory of 604	1972	4d5ca9669c83429ef26b33c50a12e992b8b51bebd45bf567905a2e8eb69b2557.exe	a.exe

C:\Users\Admin\AppData\Local\Temp\4d5ca9669c83429ef26b33c50a12e992b8b51bebd45bf567905a2e8eb69b2557.exe
"C:\Users\Admin\AppData\Local\Temp\4d5ca9669c83429ef26b33c50a12e992b8b51bebd45bf567905a2e8eb69b2557.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1972

C:\Users\Public\jiudxz\jecxz.exe
C:\Users\Public\jiudxz\jecxz.exe
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1092

C:\Users\Public\jiudxz\a.exe
"C:\Users\Public\jiudxz\a.exe" -o -d C:\Users\Public\jiudxz C:\Users\Public\jiudxz\111.zip
2⤵
- Executes dropped EXE
PID:604

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\jiudxz\1
Filesize
291KB

MD5
a3b03d45087962693f6d7fa1cd479650

SHA1
26c2eef98093e0ba04c1695f9c3823793858e4ad

SHA256
a14750afe979facd0ad09d1840b0418b1fd229da4a38d2c66351eaa13b9b526c

SHA512
1afe15e73f86cec04e230081805b48aa45ef28f2333442cae2602e6eb6a936fb8508c8d6ec75b4adbdd6c57605abb37a413489af0a6b4601f55a170a7e6d3a42

Download Submit
C:\Users\Public\jiudxz\111.zip
Filesize
940KB

MD5
f0cc344f4753a8f931a7293538288d4b

SHA1
82a4979eed9eb8c272f3238c038ce6fede7399a9

SHA256
3da344607bc8d9416f4e972e8c25fced6a2e6c97c2ae114de9ae31e8a0882dfa

SHA512
53f3e158c3e6faabaaf3588b335e7eb84dc1c5ad4f3058440ce286d972ede0c8b351451f36343dac40d8d14c57e0917d9e6a523548e79b83dd954c2c9f5b5138

Download Submit
C:\Users\Public\jiudxz\a.exe
Filesize
161KB

MD5
fecf803f7d84d4cfa81277298574d6e6

SHA1
0fd9a61bf9a361f87661de295e70a9c6795fe6a1

SHA256
81046f943d26501561612a629d8be95af254bc161011ba8a62d25c34c16d6d2a

SHA512
a4e2e2dfc98a874f7ec8318c40500b0e481fa4476d75d559f2895ce29fbe793a889fb2390220a25ab919deac477ada0c904b30f002324529285bda94292b48a4

Download Submit
C:\Users\Public\jiudxz\a.exe
Filesize
161KB

MD5
fecf803f7d84d4cfa81277298574d6e6

SHA1
0fd9a61bf9a361f87661de295e70a9c6795fe6a1

SHA256
81046f943d26501561612a629d8be95af254bc161011ba8a62d25c34c16d6d2a

SHA512
a4e2e2dfc98a874f7ec8318c40500b0e481fa4476d75d559f2895ce29fbe793a889fb2390220a25ab919deac477ada0c904b30f002324529285bda94292b48a4

Download Submit
C:\Users\Public\jiudxz\jecxz.exe
Filesize
1008KB

MD5
e392cdd1a09a7510225aa614a1bbea11

SHA1
a0c79045eafc0b211843ec425a08af35464e5698

SHA256
349c714ea4218250fcd81ed0d180e7ff06926de8dec907709a0daec63fa3c2c2

SHA512
ba5dfb32a591d3fb8e1de4962746dad91c2f92e678ff06464d2a06626586bfd871ea975eb462b2a6f557b807611542adebe8735e350e80a7967a531b370026a7

Download Submit
C:\Users\Public\jiudxz\jecxz.exe
Filesize
1008KB

MD5
e392cdd1a09a7510225aa614a1bbea11

SHA1
a0c79045eafc0b211843ec425a08af35464e5698

SHA256
349c714ea4218250fcd81ed0d180e7ff06926de8dec907709a0daec63fa3c2c2

SHA512
ba5dfb32a591d3fb8e1de4962746dad91c2f92e678ff06464d2a06626586bfd871ea975eb462b2a6f557b807611542adebe8735e350e80a7967a531b370026a7

Download Submit
C:\Users\Public\jiudxz\jecxz.exe
Filesize
1008KB

MD5
e392cdd1a09a7510225aa614a1bbea11

SHA1
a0c79045eafc0b211843ec425a08af35464e5698

SHA256
349c714ea4218250fcd81ed0d180e7ff06926de8dec907709a0daec63fa3c2c2

SHA512
ba5dfb32a591d3fb8e1de4962746dad91c2f92e678ff06464d2a06626586bfd871ea975eb462b2a6f557b807611542adebe8735e350e80a7967a531b370026a7

Download Submit
\Users\Public\jiudxz\a.exe
Filesize
161KB

MD5
fecf803f7d84d4cfa81277298574d6e6

SHA1
0fd9a61bf9a361f87661de295e70a9c6795fe6a1

SHA256
81046f943d26501561612a629d8be95af254bc161011ba8a62d25c34c16d6d2a

SHA512
a4e2e2dfc98a874f7ec8318c40500b0e481fa4476d75d559f2895ce29fbe793a889fb2390220a25ab919deac477ada0c904b30f002324529285bda94292b48a4

Download Submit
\Users\Public\jiudxz\a.exe
Filesize
161KB

MD5
fecf803f7d84d4cfa81277298574d6e6

SHA1
0fd9a61bf9a361f87661de295e70a9c6795fe6a1

SHA256
81046f943d26501561612a629d8be95af254bc161011ba8a62d25c34c16d6d2a

SHA512
a4e2e2dfc98a874f7ec8318c40500b0e481fa4476d75d559f2895ce29fbe793a889fb2390220a25ab919deac477ada0c904b30f002324529285bda94292b48a4

Download Submit
\Users\Public\jiudxz\jecxz.exe
Filesize
1008KB

MD5
e392cdd1a09a7510225aa614a1bbea11

SHA1
a0c79045eafc0b211843ec425a08af35464e5698

SHA256
349c714ea4218250fcd81ed0d180e7ff06926de8dec907709a0daec63fa3c2c2

SHA512
ba5dfb32a591d3fb8e1de4962746dad91c2f92e678ff06464d2a06626586bfd871ea975eb462b2a6f557b807611542adebe8735e350e80a7967a531b370026a7

Download Submit
\Users\Public\jiudxz\jecxz.exe
Filesize
1008KB

MD5
e392cdd1a09a7510225aa614a1bbea11

SHA1
a0c79045eafc0b211843ec425a08af35464e5698

SHA256
349c714ea4218250fcd81ed0d180e7ff06926de8dec907709a0daec63fa3c2c2

SHA512
ba5dfb32a591d3fb8e1de4962746dad91c2f92e678ff06464d2a06626586bfd871ea975eb462b2a6f557b807611542adebe8735e350e80a7967a531b370026a7

Download Submit
memory/604-94-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1092-76-0x0000000000530000-0x000000000057A000-memory.dmp

Filesize
296KB

Download
memory/1092-69-0x0000000000530000-0x000000000057A000-memory.dmp

Filesize
296KB

Download
memory/1092-70-0x0000000000530000-0x000000000057A000-memory.dmp

Filesize
296KB

Download
memory/1092-72-0x0000000000530000-0x000000000057A000-memory.dmp

Filesize
296KB

Download
memory/1092-99-0x0000000000530000-0x000000000057A000-memory.dmp

Filesize
296KB

Download
memory/1972-54-0x0000000000400000-0x00000000005BD000-memory.dmp

Filesize
1.7MB

Download
memory/1972-59-0x0000000000400000-0x00000000005BD000-memory.dmp

Filesize
1.7MB

Download
memory/1972-57-0x0000000000400000-0x00000000005BD000-memory.dmp

Filesize
1.7MB

Download
memory/1972-55-0x0000000000400000-0x00000000005BD000-memory.dmp

Filesize
1.7MB

Download
memory/1972-56-0x0000000000400000-0x00000000005BD000-memory.dmp

Filesize
1.7MB

Download
memory/1972-95-0x0000000000400000-0x00000000005BD000-memory.dmp

Filesize
1.7MB

Download
memory/1972-98-0x0000000000400000-0x00000000005BD000-memory.dmp

Filesize
1.7MB

Download
memory/1972-100-0x0000000000400000-0x00000000005BD000-memory.dmp

Filesize
1.7MB

Download