3e89dd52d1f0722bc2ceeeb7d551dab4d7b99b3a1f5b28f3de57d9609261c34e

Analysis

max time kernel
129s
max time network
146s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
16-06-2023 00:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

对-账-单.exe
Size

2.9MB
MD5

6c8b326564fa1443176397db8f55d24c
SHA1

6bd9d50fd50f07e77e8579023fcda7e50ed3cf4b
SHA256

6b59d8adcdc20b894e27975d2c351b652f8721254a34aeb3dafaf747f7c9d1ae
SHA512

88f57a3f59820cbea15b88ece7df2fa70b588ef1342d603d026a559a7111442413682d701c855bc9bd7a4922d1c4016181a6a7ad992e7e48d1a5a7edcc77ef87
SSDEEP

49152:LRwInKwV0jd+CBukNbWJZ6ZbaHcYz5aAVKiw6ZWqTG93jJ3hWpVc+:1weL0jICBPig3Yz5J/693kD

Score

8^/10

aspackv2

Malware Config

Signatures

Downloads MZ/PE file

ASPack v2.12-2.42 3 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
\Users\Public\xiaodaxzqxia\jecxz.exe	aspack_v212_v242
C:\Users\Public\xiaodaxzqxia\jecxz.exe	aspack_v212_v242
C:\Users\Public\xiaodaxzqxia\jecxz.exe	aspack_v212_v242

Executes dropped EXE 2 IoCs

Processes:

jecxz.exev.exe

pid process

1968 jecxz.exe
632 v.exe
Loads dropped DLL 3 IoCs

Processes:

对-账-单.exe

pid process

2044 对-账-单.exe
2044 对-账-单.exe
2044 对-账-单.exe

pid	process
1968	jecxz.exe
632	v.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

jecxz.exe

description	ioc	process
File opened (read-only)	\??\B:	jecxz.exe
File opened (read-only)	\??\N:	jecxz.exe
File opened (read-only)	\??\S:	jecxz.exe
File opened (read-only)	\??\G:	jecxz.exe
File opened (read-only)	\??\H:	jecxz.exe
File opened (read-only)	\??\I:	jecxz.exe
File opened (read-only)	\??\J:	jecxz.exe
File opened (read-only)	\??\L:	jecxz.exe
File opened (read-only)	\??\U:	jecxz.exe
File opened (read-only)	\??\V:	jecxz.exe
File opened (read-only)	\??\E:	jecxz.exe
File opened (read-only)	\??\F:	jecxz.exe
File opened (read-only)	\??\O:	jecxz.exe
File opened (read-only)	\??\Q:	jecxz.exe
File opened (read-only)	\??\X:	jecxz.exe
File opened (read-only)	\??\Z:	jecxz.exe
File opened (read-only)	\??\K:	jecxz.exe
File opened (read-only)	\??\M:	jecxz.exe
File opened (read-only)	\??\P:	jecxz.exe
File opened (read-only)	\??\R:	jecxz.exe
File opened (read-only)	\??\T:	jecxz.exe
File opened (read-only)	\??\W:	jecxz.exe
File opened (read-only)	\??\Y:	jecxz.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

jecxz.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	jecxz.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	jecxz.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

Processes:

对-账-单.exejecxz.exe

pid	process
2044	对-账-单.exe
1968	jecxz.exe
1968	jecxz.exe
1968	jecxz.exe
1968	jecxz.exe
1968	jecxz.exe
1968	jecxz.exe
1968	jecxz.exe
1968	jecxz.exe
1968	jecxz.exe
1968	jecxz.exe
1968	jecxz.exe
1968	jecxz.exe
1968	jecxz.exe
1968	jecxz.exe
1968	jecxz.exe
1968	jecxz.exe
1968	jecxz.exe
1968	jecxz.exe
1968	jecxz.exe
1968	jecxz.exe
1968	jecxz.exe
1968	jecxz.exe
1968	jecxz.exe
1968	jecxz.exe
1968	jecxz.exe
1968	jecxz.exe
1968	jecxz.exe
1968	jecxz.exe
1968	jecxz.exe
1968	jecxz.exe
1968	jecxz.exe
1968	jecxz.exe
1968	jecxz.exe
1968	jecxz.exe
1968	jecxz.exe
1968	jecxz.exe
1968	jecxz.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

对-账-单.exejecxz.exe

pid process

2044 对-账-单.exe
2044 对-账-单.exe
1968 jecxz.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

对-账-单.exe

description	pid	process	target process
PID 2044 wrote to memory of 1968	2044	对-账-单.exe	jecxz.exe
PID 2044 wrote to memory of 1968	2044	对-账-单.exe	jecxz.exe
PID 2044 wrote to memory of 1968	2044	对-账-单.exe	jecxz.exe
PID 2044 wrote to memory of 1968	2044	对-账-单.exe	jecxz.exe
PID 2044 wrote to memory of 632	2044	对-账-单.exe	v.exe
PID 2044 wrote to memory of 632	2044	对-账-单.exe	v.exe
PID 2044 wrote to memory of 632	2044	对-账-单.exe	v.exe
PID 2044 wrote to memory of 632	2044	对-账-单.exe	v.exe

C:\Users\Admin\AppData\Local\Temp\对-账-单.exe
"C:\Users\Admin\AppData\Local\Temp\对-账-单.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2044

C:\Users\Public\xiaodaxzqxia\jecxz.exe
C:\Users\Public\xiaodaxzqxia\jecxz.exe
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1968

C:\Users\Public\xiaodaxzqxia\v.exe
"C:\Users\Public\xiaodaxzqxia\v.exe" -o -d C:\Users\Public\xiaodaxzqxia C:\Users\Public\xiaodaxzqxia\111
2⤵
- Executes dropped EXE
PID:632

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\xiaodaxzqxia\1
Filesize
291KB

MD5
b22aaa05e33245581a8fb11318af854b

SHA1
47f212f66740148e5296c14f842183d9fb89f15b

SHA256
2b57108315431d81846aeb4049b71dffa2c5e915d4ee8765e11a816a75db903f

SHA512
bf03c43e792b368bd9ba13c01586847d1bcb19a4d23fa1a4d6fc6195930a3e1254724cb17137b3fdbdea22ae04f219bfd8d3ba26d1507e9a95d32925d65cd7a1

Download Submit
C:\Users\Public\xiaodaxzqxia\111
Filesize
1.1MB

MD5
ccf996ca84edeffeb0c18cb980ea677f

SHA1
1eeb72e23a024bcbd709df05220bff4886e9784c

SHA256
d72f7de471e210aed98c88ebb29816a9ff71f4620c5c66275b03eb432ec20f5c

SHA512
bd6a045705261309bd2939c8e3bcfa0379d27bab41c638036364487f1e2a75ba074f545a9642c201e4c1c2ad71ef3947ca6824ef11d80bab44f7ee4432bc3484

Download Submit
C:\Users\Public\xiaodaxzqxia\jecxz.exe
Filesize
96KB

MD5
8df0fffd4e3267d6a5cfacbd68a952be

SHA1
4af4909b27a595697a6bc469994481dcf3bfb6ba

SHA256
cd83b592632760553060f889ebdd97f636aa1c8ca2b5d0511cd7553bdb1b104c

SHA512
7422322d06099131fc817372c0ac484c6960330987c7e00e683fe814f1c2108352a23735945d938093c2d10fb8e59659a2c04c203feb2e2c8bafdd2e1d10a79a

Download Submit
C:\Users\Public\xiaodaxzqxia\jecxz.exe
Filesize
96KB

MD5
8df0fffd4e3267d6a5cfacbd68a952be

SHA1
4af4909b27a595697a6bc469994481dcf3bfb6ba

SHA256
cd83b592632760553060f889ebdd97f636aa1c8ca2b5d0511cd7553bdb1b104c

SHA512
7422322d06099131fc817372c0ac484c6960330987c7e00e683fe814f1c2108352a23735945d938093c2d10fb8e59659a2c04c203feb2e2c8bafdd2e1d10a79a

Download Submit
C:\Users\Public\xiaodaxzqxia\v.exe
Filesize
161KB

MD5
fecf803f7d84d4cfa81277298574d6e6

SHA1
0fd9a61bf9a361f87661de295e70a9c6795fe6a1

SHA256
81046f943d26501561612a629d8be95af254bc161011ba8a62d25c34c16d6d2a

SHA512
a4e2e2dfc98a874f7ec8318c40500b0e481fa4476d75d559f2895ce29fbe793a889fb2390220a25ab919deac477ada0c904b30f002324529285bda94292b48a4

Download Submit
C:\Users\Public\xiaodaxzqxia\v.exe
Filesize
161KB

MD5
fecf803f7d84d4cfa81277298574d6e6

SHA1
0fd9a61bf9a361f87661de295e70a9c6795fe6a1

SHA256
81046f943d26501561612a629d8be95af254bc161011ba8a62d25c34c16d6d2a

SHA512
a4e2e2dfc98a874f7ec8318c40500b0e481fa4476d75d559f2895ce29fbe793a889fb2390220a25ab919deac477ada0c904b30f002324529285bda94292b48a4

Download Submit
\Users\Public\xiaodaxzqxia\jecxz.exe
Filesize
96KB

MD5
8df0fffd4e3267d6a5cfacbd68a952be

SHA1
4af4909b27a595697a6bc469994481dcf3bfb6ba

SHA256
cd83b592632760553060f889ebdd97f636aa1c8ca2b5d0511cd7553bdb1b104c

SHA512
7422322d06099131fc817372c0ac484c6960330987c7e00e683fe814f1c2108352a23735945d938093c2d10fb8e59659a2c04c203feb2e2c8bafdd2e1d10a79a

Download Submit
\Users\Public\xiaodaxzqxia\v.exe
Filesize
161KB

MD5
fecf803f7d84d4cfa81277298574d6e6

SHA1
0fd9a61bf9a361f87661de295e70a9c6795fe6a1

SHA256
81046f943d26501561612a629d8be95af254bc161011ba8a62d25c34c16d6d2a

SHA512
a4e2e2dfc98a874f7ec8318c40500b0e481fa4476d75d559f2895ce29fbe793a889fb2390220a25ab919deac477ada0c904b30f002324529285bda94292b48a4

Download Submit
\Users\Public\xiaodaxzqxia\v.exe
Filesize
161KB

MD5
fecf803f7d84d4cfa81277298574d6e6

SHA1
0fd9a61bf9a361f87661de295e70a9c6795fe6a1

SHA256
81046f943d26501561612a629d8be95af254bc161011ba8a62d25c34c16d6d2a

SHA512
a4e2e2dfc98a874f7ec8318c40500b0e481fa4476d75d559f2895ce29fbe793a889fb2390220a25ab919deac477ada0c904b30f002324529285bda94292b48a4

Download Submit
memory/632-91-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1968-67-0x0000000000510000-0x000000000055A000-memory.dmp

Filesize
296KB

Download
memory/1968-74-0x0000000000510000-0x000000000055A000-memory.dmp

Filesize
296KB

Download
memory/1968-76-0x0000000000510000-0x000000000055A000-memory.dmp

Filesize
296KB

Download
memory/1968-72-0x0000000000470000-0x00000000004B9000-memory.dmp

Filesize
292KB

Download
memory/1968-71-0x0000000000310000-0x0000000000343000-memory.dmp

Filesize
204KB

Download
memory/1968-68-0x0000000000510000-0x000000000055A000-memory.dmp

Filesize
296KB

Download
memory/1968-65-0x0000000000310000-0x0000000000343000-memory.dmp

Filesize
204KB

Download
memory/1968-64-0x0000000000310000-0x0000000000343000-memory.dmp

Filesize
204KB

Download
memory/1968-95-0x0000000000510000-0x000000000055A000-memory.dmp

Filesize
296KB

Download
memory/2044-70-0x00000000033B0000-0x00000000033E3000-memory.dmp

Filesize
204KB

Download