50751790e18e917268c6ea71774806cf857de4f9fa85ff38585d17751e3ddd75

Analysis

max time kernel
130s
max time network
149s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
12-06-2023 08:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

50751790e18e917268c6ea71774806cf857de4f9fa85ff38585d17751e3ddd75.exe
Size

1.5MB
MD5

2fa219cd06321548dfcd5fbe7a3ea717
SHA1

4c9e1cfdf6eae91a862d5bccb8031acdc8399771
SHA256

50751790e18e917268c6ea71774806cf857de4f9fa85ff38585d17751e3ddd75
SHA512

8c045ccf10827dca95a7bbde72d7eedc1ccee3acbfa50450c5995c0ec9d7b777fa4f3743ce69d8a946763cba03d50138abc338c5eb27b0b8f4750e328ca9b2af
SSDEEP

24576:BUBOm6E14+kMHm2wGYeAI2/FwBuqJNblwRCJFFOSyzQO:BUBOmXe+FHmyJAI2WBukNbWcOSA

Score

10^/10

aspackv2 evasion trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

reg.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe
Downloads MZ/PE file

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

ASPack v2.12-2.42 3 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
\Users\Public\xiaodaxzqxia\jecxz.exe	aspack_v212_v242
C:\Users\Public\xiaodaxzqxia\jecxz.exe	aspack_v212_v242
C:\Users\Public\xiaodaxzqxia\jecxz.exe	aspack_v212_v242

Executes dropped EXE 2 IoCs

Processes:

jecxz.exev.exe

pid process

1748 jecxz.exe
1980 v.exe

pid	process
1748	jecxz.exe
1980	v.exe

Loads dropped DLL 3 IoCs

Processes:

50751790e18e917268c6ea71774806cf857de4f9fa85ff38585d17751e3ddd75.exe

pid	process
1920	50751790e18e917268c6ea71774806cf857de4f9fa85ff38585d17751e3ddd75.exe
1920	50751790e18e917268c6ea71774806cf857de4f9fa85ff38585d17751e3ddd75.exe
1920	50751790e18e917268c6ea71774806cf857de4f9fa85ff38585d17751e3ddd75.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

jecxz.exe

description	ioc	process
File opened (read-only)	\??\Y:	jecxz.exe
File opened (read-only)	\??\I:	jecxz.exe
File opened (read-only)	\??\O:	jecxz.exe
File opened (read-only)	\??\X:	jecxz.exe
File opened (read-only)	\??\K:	jecxz.exe
File opened (read-only)	\??\P:	jecxz.exe
File opened (read-only)	\??\Q:	jecxz.exe
File opened (read-only)	\??\R:	jecxz.exe
File opened (read-only)	\??\V:	jecxz.exe
File opened (read-only)	\??\E:	jecxz.exe
File opened (read-only)	\??\H:	jecxz.exe
File opened (read-only)	\??\J:	jecxz.exe
File opened (read-only)	\??\W:	jecxz.exe
File opened (read-only)	\??\S:	jecxz.exe
File opened (read-only)	\??\T:	jecxz.exe
File opened (read-only)	\??\U:	jecxz.exe
File opened (read-only)	\??\Z:	jecxz.exe
File opened (read-only)	\??\F:	jecxz.exe
File opened (read-only)	\??\M:	jecxz.exe
File opened (read-only)	\??\N:	jecxz.exe
File opened (read-only)	\??\B:	jecxz.exe
File opened (read-only)	\??\G:	jecxz.exe
File opened (read-only)	\??\L:	jecxz.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

jecxz.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	jecxz.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	jecxz.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1512 reg.exe

pid	process
1512	reg.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

Processes:

50751790e18e917268c6ea71774806cf857de4f9fa85ff38585d17751e3ddd75.exejecxz.exe

pid	process
1920	50751790e18e917268c6ea71774806cf857de4f9fa85ff38585d17751e3ddd75.exe
1748	jecxz.exe
1748	jecxz.exe
1748	jecxz.exe
1748	jecxz.exe
1748	jecxz.exe
1748	jecxz.exe
1748	jecxz.exe
1748	jecxz.exe
1748	jecxz.exe
1748	jecxz.exe
1748	jecxz.exe
1748	jecxz.exe
1748	jecxz.exe
1748	jecxz.exe
1748	jecxz.exe
1748	jecxz.exe
1748	jecxz.exe
1748	jecxz.exe
1748	jecxz.exe
1748	jecxz.exe
1748	jecxz.exe
1748	jecxz.exe
1748	jecxz.exe
1748	jecxz.exe
1748	jecxz.exe
1748	jecxz.exe
1748	jecxz.exe
1748	jecxz.exe
1748	jecxz.exe
1748	jecxz.exe
1748	jecxz.exe
1748	jecxz.exe
1748	jecxz.exe
1748	jecxz.exe
1748	jecxz.exe
1748	jecxz.exe
1748	jecxz.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

50751790e18e917268c6ea71774806cf857de4f9fa85ff38585d17751e3ddd75.exejecxz.exe

pid	process
1920	50751790e18e917268c6ea71774806cf857de4f9fa85ff38585d17751e3ddd75.exe
1920	50751790e18e917268c6ea71774806cf857de4f9fa85ff38585d17751e3ddd75.exe
1748	jecxz.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

50751790e18e917268c6ea71774806cf857de4f9fa85ff38585d17751e3ddd75.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1920 wrote to memory of 1288	1920	50751790e18e917268c6ea71774806cf857de4f9fa85ff38585d17751e3ddd75.exe	cmd.exe
PID 1920 wrote to memory of 1288	1920	50751790e18e917268c6ea71774806cf857de4f9fa85ff38585d17751e3ddd75.exe	cmd.exe
PID 1920 wrote to memory of 1288	1920	50751790e18e917268c6ea71774806cf857de4f9fa85ff38585d17751e3ddd75.exe	cmd.exe
PID 1920 wrote to memory of 1288	1920	50751790e18e917268c6ea71774806cf857de4f9fa85ff38585d17751e3ddd75.exe	cmd.exe
PID 1288 wrote to memory of 1364	1288	cmd.exe	reg.exe
PID 1288 wrote to memory of 1364	1288	cmd.exe	reg.exe
PID 1288 wrote to memory of 1364	1288	cmd.exe	reg.exe
PID 1288 wrote to memory of 1364	1288	cmd.exe	reg.exe
PID 1920 wrote to memory of 1748	1920	50751790e18e917268c6ea71774806cf857de4f9fa85ff38585d17751e3ddd75.exe	jecxz.exe
PID 1920 wrote to memory of 1748	1920	50751790e18e917268c6ea71774806cf857de4f9fa85ff38585d17751e3ddd75.exe	jecxz.exe
PID 1920 wrote to memory of 1748	1920	50751790e18e917268c6ea71774806cf857de4f9fa85ff38585d17751e3ddd75.exe	jecxz.exe
PID 1920 wrote to memory of 1748	1920	50751790e18e917268c6ea71774806cf857de4f9fa85ff38585d17751e3ddd75.exe	jecxz.exe
PID 1920 wrote to memory of 1980	1920	50751790e18e917268c6ea71774806cf857de4f9fa85ff38585d17751e3ddd75.exe	v.exe
PID 1920 wrote to memory of 1980	1920	50751790e18e917268c6ea71774806cf857de4f9fa85ff38585d17751e3ddd75.exe	v.exe
PID 1920 wrote to memory of 1980	1920	50751790e18e917268c6ea71774806cf857de4f9fa85ff38585d17751e3ddd75.exe	v.exe
PID 1920 wrote to memory of 1980	1920	50751790e18e917268c6ea71774806cf857de4f9fa85ff38585d17751e3ddd75.exe	v.exe
PID 1920 wrote to memory of 1992	1920	50751790e18e917268c6ea71774806cf857de4f9fa85ff38585d17751e3ddd75.exe	cmd.exe
PID 1920 wrote to memory of 1992	1920	50751790e18e917268c6ea71774806cf857de4f9fa85ff38585d17751e3ddd75.exe	cmd.exe
PID 1920 wrote to memory of 1992	1920	50751790e18e917268c6ea71774806cf857de4f9fa85ff38585d17751e3ddd75.exe	cmd.exe
PID 1920 wrote to memory of 1992	1920	50751790e18e917268c6ea71774806cf857de4f9fa85ff38585d17751e3ddd75.exe	cmd.exe
PID 1992 wrote to memory of 1948	1992	cmd.exe	cmd.exe
PID 1992 wrote to memory of 1948	1992	cmd.exe	cmd.exe
PID 1992 wrote to memory of 1948	1992	cmd.exe	cmd.exe
PID 1992 wrote to memory of 1948	1992	cmd.exe	cmd.exe
PID 1948 wrote to memory of 1512	1948	cmd.exe	reg.exe
PID 1948 wrote to memory of 1512	1948	cmd.exe	reg.exe
PID 1948 wrote to memory of 1512	1948	cmd.exe	reg.exe
PID 1948 wrote to memory of 1512	1948	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\50751790e18e917268c6ea71774806cf857de4f9fa85ff38585d17751e3ddd75.exe
"C:\Users\Admin\AppData\Local\Temp\50751790e18e917268c6ea71774806cf857de4f9fa85ff38585d17751e3ddd75.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1920

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Public\xiaodaxzqxia\n.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:1288

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0" /v "1201" /d "0" /t REG_DWORD /f
3⤵
PID:1364

C:\Users\Public\xiaodaxzqxia\jecxz.exe
C:\Users\Public\xiaodaxzqxia\jecxz.exe
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1748

C:\Users\Public\xiaodaxzqxia\v.exe
"C:\Users\Public\xiaodaxzqxia\v.exe" -o -d C:\Users\Public\xiaodaxzqxia C:\Users\Public\xiaodaxzqxia\111
2⤵
- Executes dropped EXE
PID:1980

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Public\xiaodaxzqxia\v.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:1992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /k C:\Windows\System32\reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
3⤵
- Suspicious use of WriteProcessMemory
PID:1948

C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
4⤵
- UAC bypass
- Modifies registry key
PID:1512

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\xiaodaxzqxia\1
Filesize
291KB

MD5
dfcdbaf2077bc4da574f458b0000e0ab

SHA1
8b72d6ac63b2bf3e3b5ee5624f44339f441189fb

SHA256
0d21d048edf4aabe2e097944c6a3630c29fc3562ba9ac04ede712c782d2b59c7

SHA512
ce0601be14c54007b796dc8197f3f75339177acdd7dc1b9307d4bfb3b489456eb873a71e3655fc461b04c999105f5a14dcef4a60b6b2988f183221729caf4a1c

Download Submit
C:\Users\Public\xiaodaxzqxia\111
Filesize
1.1MB

MD5
98177615b432311fd25c0586412750f3

SHA1
33e5f441ed21c8cdadb82c9b78903b42dcf8619d

SHA256
b7be05419523ac5da9659155bb90f1d4a2d5ce41231ba43261fa208b8192a608

SHA512
a7e960f484612f9ebc1712658d19aee6d01c5b57170dbf0cbd31fc00b278a02d33db5ee3a384a61d4f5db1ff0be4cf5f24de4eadace5db7d9d572ece8ac3a0ce

Download Submit
C:\Users\Public\xiaodaxzqxia\jecxz.exe
Filesize
96KB

MD5
8c3ea8fdfa442a05368fe3b2def2da53

SHA1
9f75112983ffa8cee9bc556e5a70bce292825841

SHA256
4fa6d4b76f94f669622f226851e83d3fdfc89ea08e6599ebb3b37175a87720aa

SHA512
5a15b763ac42f31fc9200fc1dd01d1c28ff02553be2cbb4ca71f925cbec58ce1ff594872f3af6285aeb5b2ff6670b8291ca95563b310dd0fdc9a7f23b68c379e

Download Submit
C:\Users\Public\xiaodaxzqxia\jecxz.exe
Filesize
96KB

MD5
8c3ea8fdfa442a05368fe3b2def2da53

SHA1
9f75112983ffa8cee9bc556e5a70bce292825841

SHA256
4fa6d4b76f94f669622f226851e83d3fdfc89ea08e6599ebb3b37175a87720aa

SHA512
5a15b763ac42f31fc9200fc1dd01d1c28ff02553be2cbb4ca71f925cbec58ce1ff594872f3af6285aeb5b2ff6670b8291ca95563b310dd0fdc9a7f23b68c379e

Download Submit
C:\Users\Public\xiaodaxzqxia\n.bat
Filesize
263B

MD5
c7d8b33e05722104d63de564a5d92b01

SHA1
fd703f1c71ac1dae65dc34f3521854604cec8091

SHA256
538ce88a3eed5a98c6a021a4c541080c5cfb652962f37da620e35b537513317a

SHA512
54a80fc6ad3f08743dc1655c379de79f9496086a9a18f4716fc9a9d6a6fe4fd527dd4ac099c57408090b73903c64fa38d4723783708068878aa6e18c6cc0d08e

Download Submit
C:\Users\Public\xiaodaxzqxia\n.bat
Filesize
263B

MD5
c7d8b33e05722104d63de564a5d92b01

SHA1
fd703f1c71ac1dae65dc34f3521854604cec8091

SHA256
538ce88a3eed5a98c6a021a4c541080c5cfb652962f37da620e35b537513317a

SHA512
54a80fc6ad3f08743dc1655c379de79f9496086a9a18f4716fc9a9d6a6fe4fd527dd4ac099c57408090b73903c64fa38d4723783708068878aa6e18c6cc0d08e

Download Submit
C:\Users\Public\xiaodaxzqxia\v.bat
Filesize
275B

MD5
be7bbc9c7f6b505918f84b006b871965

SHA1
62f62090deb64ebdd93e2d48a1b85b3d0082415b

SHA256
259d09385d3e18e569e36542ea92eee43747ec48244659ca21ff6e20e9a9d91d

SHA512
84afc35227b5b590b5db0bb0e3c1c991202c0d6eef6ecc3ec9d7c097dce3e60d32c85915c7103efa413586a62e0ee7ae773fe13186a2f37825d1f20ac3f705e9

Download Submit
C:\Users\Public\xiaodaxzqxia\v.bat
Filesize
275B

MD5
be7bbc9c7f6b505918f84b006b871965

SHA1
62f62090deb64ebdd93e2d48a1b85b3d0082415b

SHA256
259d09385d3e18e569e36542ea92eee43747ec48244659ca21ff6e20e9a9d91d

SHA512
84afc35227b5b590b5db0bb0e3c1c991202c0d6eef6ecc3ec9d7c097dce3e60d32c85915c7103efa413586a62e0ee7ae773fe13186a2f37825d1f20ac3f705e9

Download Submit
C:\Users\Public\xiaodaxzqxia\v.exe
Filesize
161KB

MD5
fecf803f7d84d4cfa81277298574d6e6

SHA1
0fd9a61bf9a361f87661de295e70a9c6795fe6a1

SHA256
81046f943d26501561612a629d8be95af254bc161011ba8a62d25c34c16d6d2a

SHA512
a4e2e2dfc98a874f7ec8318c40500b0e481fa4476d75d559f2895ce29fbe793a889fb2390220a25ab919deac477ada0c904b30f002324529285bda94292b48a4

Download Submit
C:\Users\Public\xiaodaxzqxia\v.exe
Filesize
161KB

MD5
fecf803f7d84d4cfa81277298574d6e6

SHA1
0fd9a61bf9a361f87661de295e70a9c6795fe6a1

SHA256
81046f943d26501561612a629d8be95af254bc161011ba8a62d25c34c16d6d2a

SHA512
a4e2e2dfc98a874f7ec8318c40500b0e481fa4476d75d559f2895ce29fbe793a889fb2390220a25ab919deac477ada0c904b30f002324529285bda94292b48a4

Download Submit
\Users\Public\xiaodaxzqxia\jecxz.exe
Filesize
96KB

MD5
8c3ea8fdfa442a05368fe3b2def2da53

SHA1
9f75112983ffa8cee9bc556e5a70bce292825841

SHA256
4fa6d4b76f94f669622f226851e83d3fdfc89ea08e6599ebb3b37175a87720aa

SHA512
5a15b763ac42f31fc9200fc1dd01d1c28ff02553be2cbb4ca71f925cbec58ce1ff594872f3af6285aeb5b2ff6670b8291ca95563b310dd0fdc9a7f23b68c379e

Download Submit
\Users\Public\xiaodaxzqxia\v.exe
Filesize
161KB

MD5
fecf803f7d84d4cfa81277298574d6e6

SHA1
0fd9a61bf9a361f87661de295e70a9c6795fe6a1

SHA256
81046f943d26501561612a629d8be95af254bc161011ba8a62d25c34c16d6d2a

SHA512
a4e2e2dfc98a874f7ec8318c40500b0e481fa4476d75d559f2895ce29fbe793a889fb2390220a25ab919deac477ada0c904b30f002324529285bda94292b48a4

Download Submit
\Users\Public\xiaodaxzqxia\v.exe
Filesize
161KB

MD5
fecf803f7d84d4cfa81277298574d6e6

SHA1
0fd9a61bf9a361f87661de295e70a9c6795fe6a1

SHA256
81046f943d26501561612a629d8be95af254bc161011ba8a62d25c34c16d6d2a

SHA512
a4e2e2dfc98a874f7ec8318c40500b0e481fa4476d75d559f2895ce29fbe793a889fb2390220a25ab919deac477ada0c904b30f002324529285bda94292b48a4

Download Submit
memory/1748-75-0x0000000001110000-0x0000000001143000-memory.dmp

Filesize
204KB

Download
memory/1748-77-0x0000000000460000-0x00000000004AA000-memory.dmp

Filesize
296KB

Download
memory/1748-82-0x0000000000460000-0x00000000004AA000-memory.dmp

Filesize
296KB

Download
memory/1748-85-0x0000000000460000-0x00000000004AA000-memory.dmp

Filesize
296KB

Download
memory/1748-81-0x00000000001C0000-0x0000000000209000-memory.dmp

Filesize
292KB

Download
memory/1748-80-0x0000000001110000-0x0000000001143000-memory.dmp

Filesize
204KB

Download
memory/1748-79-0x0000000000460000-0x00000000004AA000-memory.dmp

Filesize
296KB

Download
memory/1748-83-0x0000000000460000-0x00000000004AA000-memory.dmp

Filesize
296KB

Download
memory/1748-74-0x0000000001110000-0x0000000001143000-memory.dmp

Filesize
204KB

Download
memory/1748-114-0x0000000000460000-0x00000000004AA000-memory.dmp

Filesize
296KB

Download
memory/1920-72-0x0000000002360000-0x0000000002393000-memory.dmp

Filesize
204KB

Download
memory/1920-112-0x0000000000400000-0x00000000005B8000-memory.dmp

Filesize
1.7MB

Download
memory/1920-62-0x0000000000400000-0x00000000005B8000-memory.dmp

Filesize
1.7MB

Download
memory/1980-100-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download