3e89dd52d1f0722bc2ceeeb7d551dab4d7b99b3a1f5b28f3de57d9609261c34e

Analysis

max time kernel
145s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
16-06-2023 00:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

对-账-单.exe
Size

2.9MB
MD5

6c8b326564fa1443176397db8f55d24c
SHA1

6bd9d50fd50f07e77e8579023fcda7e50ed3cf4b
SHA256

6b59d8adcdc20b894e27975d2c351b652f8721254a34aeb3dafaf747f7c9d1ae
SHA512

88f57a3f59820cbea15b88ece7df2fa70b588ef1342d603d026a559a7111442413682d701c855bc9bd7a4922d1c4016181a6a7ad992e7e48d1a5a7edcc77ef87
SSDEEP

49152:LRwInKwV0jd+CBukNbWJZ6ZbaHcYz5aAVKiw6ZWqTG93jJ3hWpVc+:1weL0jICBPig3Yz5J/693kD

Score

8^/10

aspackv2

Malware Config

Signatures

Downloads MZ/PE file

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Public\xiaodaxzqxia\jecxz.exe	aspack_v212_v242
C:\Users\Public\xiaodaxzqxia\jecxz.exe	aspack_v212_v242

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

对-账-单.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	对-账-单.exe

Executes dropped EXE 4 IoCs

Processes:

jecxz.exev.exev.exev.exe

pid process

1184 jecxz.exe
3716 v.exe
1496 v.exe
4552 v.exe

pid	process
1184	jecxz.exe
3716	v.exe
1496	v.exe
4552	v.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

jecxz.exe

description	ioc	process
File opened (read-only)	\??\H:	jecxz.exe
File opened (read-only)	\??\U:	jecxz.exe
File opened (read-only)	\??\X:	jecxz.exe
File opened (read-only)	\??\Y:	jecxz.exe
File opened (read-only)	\??\M:	jecxz.exe
File opened (read-only)	\??\P:	jecxz.exe
File opened (read-only)	\??\R:	jecxz.exe
File opened (read-only)	\??\B:	jecxz.exe
File opened (read-only)	\??\E:	jecxz.exe
File opened (read-only)	\??\G:	jecxz.exe
File opened (read-only)	\??\I:	jecxz.exe
File opened (read-only)	\??\L:	jecxz.exe
File opened (read-only)	\??\K:	jecxz.exe
File opened (read-only)	\??\Q:	jecxz.exe
File opened (read-only)	\??\V:	jecxz.exe
File opened (read-only)	\??\Z:	jecxz.exe
File opened (read-only)	\??\T:	jecxz.exe
File opened (read-only)	\??\W:	jecxz.exe
File opened (read-only)	\??\F:	jecxz.exe
File opened (read-only)	\??\J:	jecxz.exe
File opened (read-only)	\??\N:	jecxz.exe
File opened (read-only)	\??\O:	jecxz.exe
File opened (read-only)	\??\S:	jecxz.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

jecxz.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	jecxz.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	jecxz.exe

Modifies registry class 1 IoCs

Processes:

对-账-单.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings 对-账-单.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings	对-账-单.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

对-账-单.exejecxz.exe

pid	process
2548	对-账-单.exe
2548	对-账-单.exe
1184	jecxz.exe
1184	jecxz.exe
1184	jecxz.exe
1184	jecxz.exe
1184	jecxz.exe
1184	jecxz.exe
1184	jecxz.exe
1184	jecxz.exe
1184	jecxz.exe
1184	jecxz.exe
1184	jecxz.exe
1184	jecxz.exe
1184	jecxz.exe
1184	jecxz.exe
1184	jecxz.exe
1184	jecxz.exe
1184	jecxz.exe
1184	jecxz.exe
1184	jecxz.exe
1184	jecxz.exe
1184	jecxz.exe
1184	jecxz.exe
1184	jecxz.exe
1184	jecxz.exe
1184	jecxz.exe
1184	jecxz.exe
1184	jecxz.exe
1184	jecxz.exe
1184	jecxz.exe
1184	jecxz.exe
1184	jecxz.exe
1184	jecxz.exe
1184	jecxz.exe
1184	jecxz.exe
1184	jecxz.exe
1184	jecxz.exe
1184	jecxz.exe
1184	jecxz.exe
1184	jecxz.exe
1184	jecxz.exe
1184	jecxz.exe
1184	jecxz.exe
1184	jecxz.exe
1184	jecxz.exe
1184	jecxz.exe
1184	jecxz.exe
1184	jecxz.exe
1184	jecxz.exe
1184	jecxz.exe
1184	jecxz.exe
1184	jecxz.exe
1184	jecxz.exe
1184	jecxz.exe
1184	jecxz.exe
1184	jecxz.exe
1184	jecxz.exe
1184	jecxz.exe
1184	jecxz.exe
1184	jecxz.exe
1184	jecxz.exe
1184	jecxz.exe
1184	jecxz.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

对-账-单.exejecxz.exe

pid process

2548 对-账-单.exe
2548 对-账-单.exe
1184 jecxz.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

对-账-单.exe

description	pid	process	target process
PID 2548 wrote to memory of 1184	2548	对-账-单.exe	jecxz.exe
PID 2548 wrote to memory of 1184	2548	对-账-单.exe	jecxz.exe
PID 2548 wrote to memory of 1184	2548	对-账-单.exe	jecxz.exe
PID 2548 wrote to memory of 3716	2548	对-账-单.exe	v.exe
PID 2548 wrote to memory of 3716	2548	对-账-单.exe	v.exe
PID 2548 wrote to memory of 3716	2548	对-账-单.exe	v.exe

C:\Users\Admin\AppData\Local\Temp\对-账-单.exe
"C:\Users\Admin\AppData\Local\Temp\对-账-单.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2548

C:\Users\Public\xiaodaxzqxia\jecxz.exe
C:\Users\Public\xiaodaxzqxia\jecxz.exe
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1184

C:\Users\Public\xiaodaxzqxia\v.exe
"C:\Users\Public\xiaodaxzqxia\v.exe" -o -d C:\Users\Public\xiaodaxzqxia C:\Users\Public\xiaodaxzqxia\111
2⤵
- Executes dropped EXE
PID:3716

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3384

C:\Users\Public\xiaodaxzqxia\v.exe
"C:\Users\Public\xiaodaxzqxia\v.exe" -n -d C:\ProgramData C:\Users\Public\xiaodaxzqxia\b
1⤵
- Executes dropped EXE
PID:1496

C:\Users\Public\xiaodaxzqxia\v.exe
"C:\Users\Public\xiaodaxzqxia\v.exe" -n -d C:\ProgramData C:\Users\Public\xiaodaxzqxia\b
1⤵
- Executes dropped EXE
PID:4552

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\wintnacloa.lnk
Filesize
1KB

MD5
57d76f6876e22e5accc836d7b75e290f

SHA1
267e73a63d0d1bf43da33561ac44dd045c5b964a

SHA256
1fde3738f9b65a65ac74552dba04b9d36e28f08a35a57ed78850a681ee7865be

SHA512
ef83dcc36fd134b31d2f001334ea3e1d1812452700ebe570e2daa6d99b6aeeba6dd75d8f35c1e2ef2291485e144a505ffa30c8df8a570b0c173db4a4146586e8

Download Submit
C:\Users\Public\xiaodaxzqxia\1
Filesize
291KB

MD5
b22aaa05e33245581a8fb11318af854b

SHA1
47f212f66740148e5296c14f842183d9fb89f15b

SHA256
2b57108315431d81846aeb4049b71dffa2c5e915d4ee8765e11a816a75db903f

SHA512
bf03c43e792b368bd9ba13c01586847d1bcb19a4d23fa1a4d6fc6195930a3e1254724cb17137b3fdbdea22ae04f219bfd8d3ba26d1507e9a95d32925d65cd7a1

Download Submit
C:\Users\Public\xiaodaxzqxia\111
Filesize
1.1MB

MD5
ccf996ca84edeffeb0c18cb980ea677f

SHA1
1eeb72e23a024bcbd709df05220bff4886e9784c

SHA256
d72f7de471e210aed98c88ebb29816a9ff71f4620c5c66275b03eb432ec20f5c

SHA512
bd6a045705261309bd2939c8e3bcfa0379d27bab41c638036364487f1e2a75ba074f545a9642c201e4c1c2ad71ef3947ca6824ef11d80bab44f7ee4432bc3484

Download Submit
C:\Users\Public\xiaodaxzqxia\b
Filesize
1KB

MD5
02021d939c179b882354e1ad071710e3

SHA1
261eb87da652c74e3403a0ed101ac7e28f5b8e55

SHA256
0a39c6cb2ef1db664950308b5f689b4f9ef0ed3c57526a51d210902b40e8d847

SHA512
fdc6f89ec13e06c187e41852726eee93f3e84765c02d5d05bba459668e8e680fb69356c44e13bf8734ac3aac5f0ea7844c57d02993b533806117dfbaec963b30

Download Submit
C:\Users\Public\xiaodaxzqxia\jecxz.exe
Filesize
96KB

MD5
8df0fffd4e3267d6a5cfacbd68a952be

SHA1
4af4909b27a595697a6bc469994481dcf3bfb6ba

SHA256
cd83b592632760553060f889ebdd97f636aa1c8ca2b5d0511cd7553bdb1b104c

SHA512
7422322d06099131fc817372c0ac484c6960330987c7e00e683fe814f1c2108352a23735945d938093c2d10fb8e59659a2c04c203feb2e2c8bafdd2e1d10a79a

Download Submit
C:\Users\Public\xiaodaxzqxia\jecxz.exe
Filesize
96KB

MD5
8df0fffd4e3267d6a5cfacbd68a952be

SHA1
4af4909b27a595697a6bc469994481dcf3bfb6ba

SHA256
cd83b592632760553060f889ebdd97f636aa1c8ca2b5d0511cd7553bdb1b104c

SHA512
7422322d06099131fc817372c0ac484c6960330987c7e00e683fe814f1c2108352a23735945d938093c2d10fb8e59659a2c04c203feb2e2c8bafdd2e1d10a79a

Download Submit
C:\Users\Public\xiaodaxzqxia\v.exe
Filesize
161KB

MD5
fecf803f7d84d4cfa81277298574d6e6

SHA1
0fd9a61bf9a361f87661de295e70a9c6795fe6a1

SHA256
81046f943d26501561612a629d8be95af254bc161011ba8a62d25c34c16d6d2a

SHA512
a4e2e2dfc98a874f7ec8318c40500b0e481fa4476d75d559f2895ce29fbe793a889fb2390220a25ab919deac477ada0c904b30f002324529285bda94292b48a4

Download Submit
C:\Users\Public\xiaodaxzqxia\v.exe
Filesize
161KB

MD5
fecf803f7d84d4cfa81277298574d6e6

SHA1
0fd9a61bf9a361f87661de295e70a9c6795fe6a1

SHA256
81046f943d26501561612a629d8be95af254bc161011ba8a62d25c34c16d6d2a

SHA512
a4e2e2dfc98a874f7ec8318c40500b0e481fa4476d75d559f2895ce29fbe793a889fb2390220a25ab919deac477ada0c904b30f002324529285bda94292b48a4

Download Submit
C:\Users\Public\xiaodaxzqxia\v.exe
Filesize
161KB

MD5
fecf803f7d84d4cfa81277298574d6e6

SHA1
0fd9a61bf9a361f87661de295e70a9c6795fe6a1

SHA256
81046f943d26501561612a629d8be95af254bc161011ba8a62d25c34c16d6d2a

SHA512
a4e2e2dfc98a874f7ec8318c40500b0e481fa4476d75d559f2895ce29fbe793a889fb2390220a25ab919deac477ada0c904b30f002324529285bda94292b48a4

Download Submit
C:\Users\Public\xiaodaxzqxia\v.exe
Filesize
161KB

MD5
fecf803f7d84d4cfa81277298574d6e6

SHA1
0fd9a61bf9a361f87661de295e70a9c6795fe6a1

SHA256
81046f943d26501561612a629d8be95af254bc161011ba8a62d25c34c16d6d2a

SHA512
a4e2e2dfc98a874f7ec8318c40500b0e481fa4476d75d559f2895ce29fbe793a889fb2390220a25ab919deac477ada0c904b30f002324529285bda94292b48a4

Download Submit
memory/1184-142-0x0000000000880000-0x00000000008B3000-memory.dmp

Filesize
204KB

Download
memory/1184-149-0x0000000002770000-0x00000000027BA000-memory.dmp

Filesize
296KB

Download
memory/1184-148-0x0000000002770000-0x00000000027BA000-memory.dmp

Filesize
296KB

Download
memory/1184-146-0x0000000002770000-0x00000000027BA000-memory.dmp

Filesize
296KB

Download
memory/1184-150-0x0000000000D10000-0x0000000000D59000-memory.dmp

Filesize
292KB

Download
memory/1184-144-0x0000000000880000-0x00000000008B3000-memory.dmp

Filesize
204KB

Download
memory/1184-171-0x0000000000880000-0x00000000008B3000-memory.dmp

Filesize
204KB

Download
memory/1184-151-0x0000000002770000-0x00000000027BA000-memory.dmp

Filesize
296KB

Download
memory/1184-143-0x0000000000880000-0x00000000008B3000-memory.dmp

Filesize
204KB

Download
memory/1184-177-0x0000000002770000-0x00000000027BA000-memory.dmp

Filesize
296KB

Download
memory/1496-168-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3716-163-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4552-176-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download