4d5ca9669c83429ef26b33c50a12e992b8b51bebd45bf567905a2e8eb69b2557

Analysis

max time kernel
137s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
09-06-2023 02:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4d5ca9669c83429ef26b33c50a12e992b8b51bebd45bf567905a2e8eb69b2557.exe
Size

591KB
MD5

1eab0178be1feabc5bdfa76c93314092
SHA1

19e4855db4c0e311757c56359a91060efea05426
SHA256

4d5ca9669c83429ef26b33c50a12e992b8b51bebd45bf567905a2e8eb69b2557
SHA512

e4ec631156dbc8445ce2ef4eae6ca60cc50c67477d18f8ae1ffdae4a722d03de3a5cb791f5e45c35d99f91b09c1d1d4a877a0024234b5c828372df39d9f7b731
SSDEEP

12288:4alIKgkcOSQ9TuHtrOrUAhtB0H9L4U1MUQhPK7sQSWe:4GgktPO4rUO094VUQFK7sY

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

4d5ca9669c83429ef26b33c50a12e992b8b51bebd45bf567905a2e8eb69b2557.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	4d5ca9669c83429ef26b33c50a12e992b8b51bebd45bf567905a2e8eb69b2557.exe

Executes dropped EXE 4 IoCs

Processes:

jecxz.exea.exea.exea.exe

pid process

2400 jecxz.exe
3276 a.exe
2500 a.exe
4908 a.exe

pid	process
2400	jecxz.exe
3276	a.exe
2500	a.exe
4908	a.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

jecxz.exe

description	ioc	process
File opened (read-only)	\??\Y:	jecxz.exe
File opened (read-only)	\??\F:	jecxz.exe
File opened (read-only)	\??\G:	jecxz.exe
File opened (read-only)	\??\M:	jecxz.exe
File opened (read-only)	\??\P:	jecxz.exe
File opened (read-only)	\??\R:	jecxz.exe
File opened (read-only)	\??\Z:	jecxz.exe
File opened (read-only)	\??\B:	jecxz.exe
File opened (read-only)	\??\J:	jecxz.exe
File opened (read-only)	\??\N:	jecxz.exe
File opened (read-only)	\??\O:	jecxz.exe
File opened (read-only)	\??\T:	jecxz.exe
File opened (read-only)	\??\U:	jecxz.exe
File opened (read-only)	\??\V:	jecxz.exe
File opened (read-only)	\??\W:	jecxz.exe
File opened (read-only)	\??\H:	jecxz.exe
File opened (read-only)	\??\I:	jecxz.exe
File opened (read-only)	\??\K:	jecxz.exe
File opened (read-only)	\??\L:	jecxz.exe
File opened (read-only)	\??\X:	jecxz.exe
File opened (read-only)	\??\E:	jecxz.exe
File opened (read-only)	\??\Q:	jecxz.exe
File opened (read-only)	\??\S:	jecxz.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

jecxz.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	jecxz.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	jecxz.exe

Modifies registry class 1 IoCs

Processes:

4d5ca9669c83429ef26b33c50a12e992b8b51bebd45bf567905a2e8eb69b2557.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings	4d5ca9669c83429ef26b33c50a12e992b8b51bebd45bf567905a2e8eb69b2557.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

4d5ca9669c83429ef26b33c50a12e992b8b51bebd45bf567905a2e8eb69b2557.exejecxz.exe

pid	process
4884	4d5ca9669c83429ef26b33c50a12e992b8b51bebd45bf567905a2e8eb69b2557.exe
4884	4d5ca9669c83429ef26b33c50a12e992b8b51bebd45bf567905a2e8eb69b2557.exe
2400	jecxz.exe
2400	jecxz.exe
2400	jecxz.exe
2400	jecxz.exe
2400	jecxz.exe
2400	jecxz.exe
2400	jecxz.exe
2400	jecxz.exe
2400	jecxz.exe
2400	jecxz.exe
2400	jecxz.exe
2400	jecxz.exe
2400	jecxz.exe
2400	jecxz.exe
2400	jecxz.exe
2400	jecxz.exe
2400	jecxz.exe
2400	jecxz.exe
2400	jecxz.exe
2400	jecxz.exe
2400	jecxz.exe
2400	jecxz.exe
2400	jecxz.exe
2400	jecxz.exe
2400	jecxz.exe
2400	jecxz.exe
2400	jecxz.exe
2400	jecxz.exe
2400	jecxz.exe
2400	jecxz.exe
2400	jecxz.exe
2400	jecxz.exe
2400	jecxz.exe
2400	jecxz.exe
2400	jecxz.exe
2400	jecxz.exe
2400	jecxz.exe
2400	jecxz.exe
2400	jecxz.exe
2400	jecxz.exe
2400	jecxz.exe
2400	jecxz.exe
2400	jecxz.exe
2400	jecxz.exe
2400	jecxz.exe
2400	jecxz.exe
2400	jecxz.exe
2400	jecxz.exe
2400	jecxz.exe
2400	jecxz.exe
2400	jecxz.exe
2400	jecxz.exe
2400	jecxz.exe
2400	jecxz.exe
2400	jecxz.exe
2400	jecxz.exe
2400	jecxz.exe
2400	jecxz.exe
2400	jecxz.exe
2400	jecxz.exe
2400	jecxz.exe
2400	jecxz.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

4d5ca9669c83429ef26b33c50a12e992b8b51bebd45bf567905a2e8eb69b2557.exejecxz.exe

pid	process
4884	4d5ca9669c83429ef26b33c50a12e992b8b51bebd45bf567905a2e8eb69b2557.exe
4884	4d5ca9669c83429ef26b33c50a12e992b8b51bebd45bf567905a2e8eb69b2557.exe
2400	jecxz.exe
2400	jecxz.exe
2400	jecxz.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

4d5ca9669c83429ef26b33c50a12e992b8b51bebd45bf567905a2e8eb69b2557.exe

description	pid	process	target process
PID 4884 wrote to memory of 2400	4884	4d5ca9669c83429ef26b33c50a12e992b8b51bebd45bf567905a2e8eb69b2557.exe	jecxz.exe
PID 4884 wrote to memory of 2400	4884	4d5ca9669c83429ef26b33c50a12e992b8b51bebd45bf567905a2e8eb69b2557.exe	jecxz.exe
PID 4884 wrote to memory of 2400	4884	4d5ca9669c83429ef26b33c50a12e992b8b51bebd45bf567905a2e8eb69b2557.exe	jecxz.exe
PID 4884 wrote to memory of 3276	4884	4d5ca9669c83429ef26b33c50a12e992b8b51bebd45bf567905a2e8eb69b2557.exe	a.exe
PID 4884 wrote to memory of 3276	4884	4d5ca9669c83429ef26b33c50a12e992b8b51bebd45bf567905a2e8eb69b2557.exe	a.exe
PID 4884 wrote to memory of 3276	4884	4d5ca9669c83429ef26b33c50a12e992b8b51bebd45bf567905a2e8eb69b2557.exe	a.exe

C:\Users\Admin\AppData\Local\Temp\4d5ca9669c83429ef26b33c50a12e992b8b51bebd45bf567905a2e8eb69b2557.exe
"C:\Users\Admin\AppData\Local\Temp\4d5ca9669c83429ef26b33c50a12e992b8b51bebd45bf567905a2e8eb69b2557.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4884

C:\Users\Public\jiudxz\jecxz.exe
C:\Users\Public\jiudxz\jecxz.exe
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2400

C:\Users\Public\jiudxz\a.exe
"C:\Users\Public\jiudxz\a.exe" -o -d C:\Users\Public\jiudxz C:\Users\Public\jiudxz\111.zip
2⤵
- Executes dropped EXE
PID:3276

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:920

C:\Users\Public\jiudxz\a.exe
"C:\Users\Public\jiudxz\a.exe" -n -d C:\ProgramData C:\Users\Public\jiudxz\b.zip
1⤵
- Executes dropped EXE
PID:2500

C:\Users\Public\jiudxz\a.exe
"C:\Users\Public\jiudxz\a.exe" -n -d C:\ProgramData C:\Users\Public\jiudxz\b.zip
1⤵
- Executes dropped EXE
PID:4908

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Windows_denfendcx.lnk
Filesize
1KB

MD5
c907cbaad90a6e086965e9907a002eb8

SHA1
5b5de249ea7ca890f51652dfd80bc851ca4a70ce

SHA256
d00cdc9c69a47d4d6bfa605f3a5f6a6866dbb470fadf3b7d3cbc9e8de53764f1

SHA512
089b611191e2e5b547c9ee5a8eb10d94651530b0fb5c2d592b3cfdaa84c6d63245f2a8bda034fa14776c4921b082723fab59387e77e9949137c2a5e438f21f5a

Download Submit
C:\Users\Public\jiudxz\1
Filesize
291KB

MD5
a3b03d45087962693f6d7fa1cd479650

SHA1
26c2eef98093e0ba04c1695f9c3823793858e4ad

SHA256
a14750afe979facd0ad09d1840b0418b1fd229da4a38d2c66351eaa13b9b526c

SHA512
1afe15e73f86cec04e230081805b48aa45ef28f2333442cae2602e6eb6a936fb8508c8d6ec75b4adbdd6c57605abb37a413489af0a6b4601f55a170a7e6d3a42

Download Submit
C:\Users\Public\jiudxz\111.zip
Filesize
940KB

MD5
f0cc344f4753a8f931a7293538288d4b

SHA1
82a4979eed9eb8c272f3238c038ce6fede7399a9

SHA256
3da344607bc8d9416f4e972e8c25fced6a2e6c97c2ae114de9ae31e8a0882dfa

SHA512
53f3e158c3e6faabaaf3588b335e7eb84dc1c5ad4f3058440ce286d972ede0c8b351451f36343dac40d8d14c57e0917d9e6a523548e79b83dd954c2c9f5b5138

Download Submit
C:\Users\Public\jiudxz\a.exe
Filesize
161KB

MD5
fecf803f7d84d4cfa81277298574d6e6

SHA1
0fd9a61bf9a361f87661de295e70a9c6795fe6a1

SHA256
81046f943d26501561612a629d8be95af254bc161011ba8a62d25c34c16d6d2a

SHA512
a4e2e2dfc98a874f7ec8318c40500b0e481fa4476d75d559f2895ce29fbe793a889fb2390220a25ab919deac477ada0c904b30f002324529285bda94292b48a4

Download Submit
C:\Users\Public\jiudxz\a.exe
Filesize
161KB

MD5
fecf803f7d84d4cfa81277298574d6e6

SHA1
0fd9a61bf9a361f87661de295e70a9c6795fe6a1

SHA256
81046f943d26501561612a629d8be95af254bc161011ba8a62d25c34c16d6d2a

SHA512
a4e2e2dfc98a874f7ec8318c40500b0e481fa4476d75d559f2895ce29fbe793a889fb2390220a25ab919deac477ada0c904b30f002324529285bda94292b48a4

Download Submit
C:\Users\Public\jiudxz\a.exe
Filesize
161KB

MD5
fecf803f7d84d4cfa81277298574d6e6

SHA1
0fd9a61bf9a361f87661de295e70a9c6795fe6a1

SHA256
81046f943d26501561612a629d8be95af254bc161011ba8a62d25c34c16d6d2a

SHA512
a4e2e2dfc98a874f7ec8318c40500b0e481fa4476d75d559f2895ce29fbe793a889fb2390220a25ab919deac477ada0c904b30f002324529285bda94292b48a4

Download Submit
C:\Users\Public\jiudxz\a.exe
Filesize
161KB

MD5
fecf803f7d84d4cfa81277298574d6e6

SHA1
0fd9a61bf9a361f87661de295e70a9c6795fe6a1

SHA256
81046f943d26501561612a629d8be95af254bc161011ba8a62d25c34c16d6d2a

SHA512
a4e2e2dfc98a874f7ec8318c40500b0e481fa4476d75d559f2895ce29fbe793a889fb2390220a25ab919deac477ada0c904b30f002324529285bda94292b48a4

Download Submit
C:\Users\Public\jiudxz\b.zip
Filesize
1KB

MD5
f44f02d78a5e136e6ab23306069535f1

SHA1
e1a4da6ce8ff800bbec20dd3d24ee6b09a997b0d

SHA256
cfefb6094f4a83f3da8a35aeff3e5d813716476536bfdd66f8d058882e9aa450

SHA512
639c981e95cc667ecd29aaee0df95d889bf7da2ee1aa3b2baa40836ee785c4cc2ab25f0c5455dedf6bb6681c645a0524bc3f29291bbe3995ca7a81c2feb9c503

Download Submit
C:\Users\Public\jiudxz\jecxz.exe
Filesize
1008KB

MD5
e392cdd1a09a7510225aa614a1bbea11

SHA1
a0c79045eafc0b211843ec425a08af35464e5698

SHA256
349c714ea4218250fcd81ed0d180e7ff06926de8dec907709a0daec63fa3c2c2

SHA512
ba5dfb32a591d3fb8e1de4962746dad91c2f92e678ff06464d2a06626586bfd871ea975eb462b2a6f557b807611542adebe8735e350e80a7967a531b370026a7

Download Submit
C:\Users\Public\jiudxz\jecxz.exe
Filesize
1008KB

MD5
e392cdd1a09a7510225aa614a1bbea11

SHA1
a0c79045eafc0b211843ec425a08af35464e5698

SHA256
349c714ea4218250fcd81ed0d180e7ff06926de8dec907709a0daec63fa3c2c2

SHA512
ba5dfb32a591d3fb8e1de4962746dad91c2f92e678ff06464d2a06626586bfd871ea975eb462b2a6f557b807611542adebe8735e350e80a7967a531b370026a7

Download Submit
C:\Users\Public\jiudxz\saxbn.exe
Filesize
350KB

MD5
45e0b1e56b803e9400aef913b0ee76f7

SHA1
5e99bab28b1e29ddf3d37bc38aacc1f5182dbd73

SHA256
f18a037a8ac26b970091057899047cb9237e420d3d194784a66e5d3068d893fa

SHA512
70cb1767dc52467d6ad84f8e876ef3a2d0f079788557fa23ab3062927ea9975734c8dbe3b1f524705954cc8ce74864f05c1ce5806dc0341aa9655399d2ab1e1c

Download Submit
memory/2400-176-0x0000000002370000-0x00000000023BA000-memory.dmp

Filesize
296KB

Download
memory/2400-147-0x0000000002370000-0x00000000023BA000-memory.dmp

Filesize
296KB

Download
memory/2400-146-0x0000000002370000-0x00000000023BA000-memory.dmp

Filesize
296KB

Download
memory/2400-145-0x0000000002370000-0x00000000023BA000-memory.dmp

Filesize
296KB

Download
memory/2400-143-0x0000000002370000-0x00000000023BA000-memory.dmp

Filesize
296KB

Download
memory/2500-170-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3276-163-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4884-164-0x0000000000400000-0x00000000005BD000-memory.dmp

Filesize
1.7MB

Download
memory/4884-135-0x0000000000400000-0x00000000005BD000-memory.dmp

Filesize
1.7MB

Download
memory/4884-134-0x0000000000400000-0x00000000005BD000-memory.dmp

Filesize
1.7MB

Download
memory/4884-133-0x0000000000400000-0x00000000005BD000-memory.dmp

Filesize
1.7MB

Download
memory/4884-136-0x0000000000400000-0x00000000005BD000-memory.dmp

Filesize
1.7MB

Download
memory/4884-177-0x0000000000400000-0x00000000005BD000-memory.dmp

Filesize
1.7MB

Download
memory/4908-175-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download