955387b03bed86e24be8f4940780114dfff1fe4f43050111b59f9d11e470790d

Analysis

max time kernel
129s
max time network
30s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
14-06-2023 20:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

更新文件工具3.exe
Size

1.6MB
MD5

6399ce4642cdd36c01e99fefe8adc0cc
SHA1

01f35bd2853a0b74faac167f83644a54a7c690d2
SHA256

955387b03bed86e24be8f4940780114dfff1fe4f43050111b59f9d11e470790d
SHA512

beb0f8f0d8496ae5e30c3e40ea161cfee8108a269b9bf83b9cc8e7d5797679bf98b1420a6e05d7794275c1dd4d066d6e5f50a92085f5c76f7c202f699292a399
SSDEEP

12288:GLMxhyxv664BtysdhIl4t4plpgUqdR5nWFpPoSRMGgVKMnnp+Myg:GajBUsdhk4iplCUqAbUGgZnnpXyg

Score

7^/10

aspackv2 upx

Malware Config

Signatures

ASPack v2.12-2.42 5 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\yEjxOr.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\yEjxOr.exe	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\yEjxOr.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\yEjxOr.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\yEjxOr.exe	aspack_v212_v242

Executes dropped EXE 1 IoCs

Processes:

yEjxOr.exe

pid process

1368 yEjxOr.exe
Loads dropped DLL 2 IoCs

Processes:

更新文件工具3.exe

pid process

1212 更新文件工具3.exe
1212 更新文件工具3.exe

pid	process
1368	yEjxOr.exe

pid	process
1212	更新文件工具3.exe
1212	更新文件工具3.exe

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1212-64-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1212-65-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1212-66-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1212-68-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1212-70-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1212-74-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1212-72-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1212-76-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1212-80-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1212-78-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1212-82-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1212-84-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1212-86-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1212-90-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1212-88-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1212-92-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1212-94-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1212-98-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1212-96-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1212-100-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1212-105-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1212-108-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1212-110-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1212-153-0x0000000010000000-0x000000001003E000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

yEjxOr.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\INFOPATH.EXE	yEjxOr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	yEjxOr.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	yEjxOr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CNFNOT32.EXE	yEjxOr.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	yEjxOr.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	yEjxOr.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	yEjxOr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	yEjxOr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OIS.EXE	yEjxOr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	yEjxOr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	yEjxOr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	yEjxOr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GRAPH.EXE	yEjxOr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PPTICO.EXE	yEjxOr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	yEjxOr.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	yEjxOr.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	yEjxOr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	yEjxOr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	yEjxOr.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\ImagingDevices.exe	yEjxOr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	yEjxOr.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	yEjxOr.exe
File opened for modification	C:\Program Files\Windows Mail\wabmig.exe	yEjxOr.exe
File opened for modification	C:\Program Files\Windows Mail\WinMail.exe	yEjxOr.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	yEjxOr.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	yEjxOr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	yEjxOr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	yEjxOr.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\wabmig.exe	yEjxOr.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	yEjxOr.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\bckgzm.exe	yEjxOr.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\Solitaire.exe	yEjxOr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE	yEjxOr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe	yEjxOr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	yEjxOr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	yEjxOr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	yEjxOr.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\wab.exe	yEjxOr.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	yEjxOr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CLVIEW.EXE	yEjxOr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	yEjxOr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\IEContentService.exe	yEjxOr.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	yEjxOr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	yEjxOr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	yEjxOr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	yEjxOr.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\FreeCell.exe	yEjxOr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	yEjxOr.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	yEjxOr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\ONELEV.EXE	yEjxOr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSQRY32.EXE	yEjxOr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	yEjxOr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	yEjxOr.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	yEjxOr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SCANPST.EXE	yEjxOr.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	yEjxOr.exe
File opened for modification	C:\Program Files\Windows Journal\Journal.exe	yEjxOr.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\WinMail.exe	yEjxOr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	yEjxOr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	yEjxOr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	yEjxOr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	yEjxOr.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\sidebar.exe	yEjxOr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	yEjxOr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

更新文件工具3.exe

pid process

1212 更新文件工具3.exe
1212 更新文件工具3.exe
1212 更新文件工具3.exe

pid	process
1212	更新文件工具3.exe
1212	更新文件工具3.exe
1212	更新文件工具3.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

更新文件工具3.exeyEjxOr.exe

description	pid	process	target process
PID 1212 wrote to memory of 1368	1212	更新文件工具3.exe	yEjxOr.exe
PID 1212 wrote to memory of 1368	1212	更新文件工具3.exe	yEjxOr.exe
PID 1212 wrote to memory of 1368	1212	更新文件工具3.exe	yEjxOr.exe
PID 1212 wrote to memory of 1368	1212	更新文件工具3.exe	yEjxOr.exe
PID 1368 wrote to memory of 1376	1368	yEjxOr.exe	cmd.exe
PID 1368 wrote to memory of 1376	1368	yEjxOr.exe	cmd.exe
PID 1368 wrote to memory of 1376	1368	yEjxOr.exe	cmd.exe
PID 1368 wrote to memory of 1376	1368	yEjxOr.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\更新文件工具3.exe
"C:\Users\Admin\AppData\Local\Temp\更新文件工具3.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1212

C:\Users\Admin\AppData\Local\Temp\yEjxOr.exe
C:\Users\Admin\AppData\Local\Temp\yEjxOr.exe
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1368

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\35cc6664.bat" "
3⤵
PID:1376

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\35cc6664.bat
Filesize
187B

MD5
e607f21a51df785a022755ff96e8a20d

SHA1
e542b80ca7230c619e2b7229b56577c9d3ee089b

SHA256
e48ac49166ceb1e776580c939a5e30283d158247df929e97e6cc013978b22d8f

SHA512
e8a47ebb16c117c424a7ed71c6421c39c3526db83d34fc9959b97b1066d93dc4248f8444bdd8900c5ff1c1d1607197ad31f74a15fe245ce58f4a6d72eaf77670

Download Submit
C:\Users\Admin\AppData\Local\Temp\35cc6664.bat
Filesize
187B

MD5
e607f21a51df785a022755ff96e8a20d

SHA1
e542b80ca7230c619e2b7229b56577c9d3ee089b

SHA256
e48ac49166ceb1e776580c939a5e30283d158247df929e97e6cc013978b22d8f

SHA512
e8a47ebb16c117c424a7ed71c6421c39c3526db83d34fc9959b97b1066d93dc4248f8444bdd8900c5ff1c1d1607197ad31f74a15fe245ce58f4a6d72eaf77670

Download Submit
C:\Users\Admin\AppData\Local\Temp\4ABB1513.exe
Filesize
4B

MD5
20879c987e2f9a916e578386d499f629

SHA1
c7b33ddcc42361fdb847036fc07e880b81935d5d

SHA256
9f2981a7cc4d40a2a409dc895de64253acd819d7c0011c8e80b86fe899464e31

SHA512
bcdde1625364dd6dd143b45bdcec8d59cf8982aff33790d390b839f3869e0e815684568b14b555a596d616252aeeaa98dac2e6e551c9095ea11a575ff25ff84f

Download Submit
C:\Users\Admin\AppData\Local\Temp\4ABB1513.exe
Filesize
4B

MD5
20879c987e2f9a916e578386d499f629

SHA1
c7b33ddcc42361fdb847036fc07e880b81935d5d

SHA256
9f2981a7cc4d40a2a409dc895de64253acd819d7c0011c8e80b86fe899464e31

SHA512
bcdde1625364dd6dd143b45bdcec8d59cf8982aff33790d390b839f3869e0e815684568b14b555a596d616252aeeaa98dac2e6e551c9095ea11a575ff25ff84f

Download Submit
C:\Users\Admin\AppData\Local\Temp\yEjxOr.exe
Filesize
15KB

MD5
56b2c3810dba2e939a8bb9fa36d3cf96

SHA1
99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

SHA256
4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

SHA512
27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\yEjxOr.exe
Filesize
15KB

MD5
56b2c3810dba2e939a8bb9fa36d3cf96

SHA1
99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

SHA256
4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

SHA512
27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\yEjxOr.exe
Filesize
15KB

MD5
56b2c3810dba2e939a8bb9fa36d3cf96

SHA1
99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

SHA256
4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

SHA512
27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

Download Submit
\Users\Admin\AppData\Local\Temp\yEjxOr.exe
Filesize
15KB

MD5
56b2c3810dba2e939a8bb9fa36d3cf96

SHA1
99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

SHA256
4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

SHA512
27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

Download Submit
\Users\Admin\AppData\Local\Temp\yEjxOr.exe
Filesize
15KB

MD5
56b2c3810dba2e939a8bb9fa36d3cf96

SHA1
99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

SHA256
4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

SHA512
27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

Download Submit
memory/1212-92-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1212-101-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/1212-72-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1212-76-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1212-80-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1212-78-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1212-82-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1212-84-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1212-86-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1212-90-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1212-88-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1212-70-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1212-94-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1212-98-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1212-96-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1212-74-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1212-102-0x00000000003C0000-0x00000000003C9000-memory.dmp

Filesize
36KB

Download
memory/1212-100-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1212-156-0x00000000003C0000-0x00000000003C9000-memory.dmp

Filesize
36KB

Download
memory/1212-105-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1212-108-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1212-104-0x00000000003C0000-0x00000000003C9000-memory.dmp

Filesize
36KB

Download
memory/1212-110-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1212-68-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1212-66-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1212-65-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1212-155-0x00000000003C0000-0x00000000003C9000-memory.dmp

Filesize
36KB

Download
memory/1212-64-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1212-152-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/1212-153-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1368-150-0x0000000000DD0000-0x0000000000DD9000-memory.dmp

Filesize
36KB

Download
memory/1368-106-0x0000000000DD0000-0x0000000000DD9000-memory.dmp

Filesize
36KB

Download