8088c57eed8da5c30ec102d8f5ab0455619c8dd85fcfe0826870f46922e52075

Analysis

max time kernel
129s
max time network
142s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
16-06-2023 04:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8088c57eed8da5c30ec102d8f5ab0455619c8dd85fcfe0826870f46922e52075.exe
Size

1.1MB
MD5

12582f03681c3c66a54e316e66a623e3
SHA1

ded792ecdabf84864fbf6efb2514027f27dddd3e
SHA256

8088c57eed8da5c30ec102d8f5ab0455619c8dd85fcfe0826870f46922e52075
SHA512

ab6c75cc0e27ce318b9715689b2380675c0c37058c08c425b0662b24f8ebcc049223b27f49e6843b5919ad02a7f9970635d402fad061969f9eac6883f5e2d564
SSDEEP

24576:AP/XWN/neHqEEWyHuiS8psW/06LvmHAx8ebSTL18vArOx4Xg2dOlJ5GRfvTT:APvvqkzy/06TmgaebE1sArdjOlG5

Score

8^/10

aspackv2

Malware Config

Signatures

Downloads MZ/PE file

ASPack v2.12-2.42 3 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
\Users\Public\xiaodaxzqxia\jecxz.exe	aspack_v212_v242
C:\Users\Public\xiaodaxzqxia\jecxz.exe	aspack_v212_v242
C:\Users\Public\xiaodaxzqxia\jecxz.exe	aspack_v212_v242

Executes dropped EXE 2 IoCs

Processes:

jecxz.exev.exe

pid process

1164 jecxz.exe
1156 v.exe

pid	process
1164	jecxz.exe
1156	v.exe

Loads dropped DLL 3 IoCs

Processes:

8088c57eed8da5c30ec102d8f5ab0455619c8dd85fcfe0826870f46922e52075.exe

pid	process
2004	8088c57eed8da5c30ec102d8f5ab0455619c8dd85fcfe0826870f46922e52075.exe
2004	8088c57eed8da5c30ec102d8f5ab0455619c8dd85fcfe0826870f46922e52075.exe
2004	8088c57eed8da5c30ec102d8f5ab0455619c8dd85fcfe0826870f46922e52075.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

jecxz.exe

description	ioc	process
File opened (read-only)	\??\F:	jecxz.exe
File opened (read-only)	\??\J:	jecxz.exe
File opened (read-only)	\??\K:	jecxz.exe
File opened (read-only)	\??\O:	jecxz.exe
File opened (read-only)	\??\P:	jecxz.exe
File opened (read-only)	\??\I:	jecxz.exe
File opened (read-only)	\??\M:	jecxz.exe
File opened (read-only)	\??\T:	jecxz.exe
File opened (read-only)	\??\V:	jecxz.exe
File opened (read-only)	\??\X:	jecxz.exe
File opened (read-only)	\??\Y:	jecxz.exe
File opened (read-only)	\??\B:	jecxz.exe
File opened (read-only)	\??\L:	jecxz.exe
File opened (read-only)	\??\N:	jecxz.exe
File opened (read-only)	\??\Q:	jecxz.exe
File opened (read-only)	\??\R:	jecxz.exe
File opened (read-only)	\??\S:	jecxz.exe
File opened (read-only)	\??\W:	jecxz.exe
File opened (read-only)	\??\Z:	jecxz.exe
File opened (read-only)	\??\E:	jecxz.exe
File opened (read-only)	\??\G:	jecxz.exe
File opened (read-only)	\??\H:	jecxz.exe
File opened (read-only)	\??\U:	jecxz.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

jecxz.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	jecxz.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	jecxz.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

8088c57eed8da5c30ec102d8f5ab0455619c8dd85fcfe0826870f46922e52075.exejecxz.exe

pid	process
2004	8088c57eed8da5c30ec102d8f5ab0455619c8dd85fcfe0826870f46922e52075.exe
1164	jecxz.exe
1164	jecxz.exe
1164	jecxz.exe
1164	jecxz.exe
1164	jecxz.exe
1164	jecxz.exe
1164	jecxz.exe
1164	jecxz.exe
1164	jecxz.exe
1164	jecxz.exe
1164	jecxz.exe
1164	jecxz.exe
1164	jecxz.exe
1164	jecxz.exe
1164	jecxz.exe
1164	jecxz.exe
1164	jecxz.exe
1164	jecxz.exe
1164	jecxz.exe
1164	jecxz.exe
1164	jecxz.exe
1164	jecxz.exe
1164	jecxz.exe
1164	jecxz.exe
1164	jecxz.exe
1164	jecxz.exe
1164	jecxz.exe
1164	jecxz.exe
1164	jecxz.exe
1164	jecxz.exe
1164	jecxz.exe
1164	jecxz.exe
1164	jecxz.exe
1164	jecxz.exe
1164	jecxz.exe
1164	jecxz.exe
1164	jecxz.exe
1164	jecxz.exe
1164	jecxz.exe
1164	jecxz.exe
1164	jecxz.exe
1164	jecxz.exe
1164	jecxz.exe
1164	jecxz.exe
1164	jecxz.exe
1164	jecxz.exe
1164	jecxz.exe
1164	jecxz.exe
1164	jecxz.exe
1164	jecxz.exe
1164	jecxz.exe
1164	jecxz.exe
1164	jecxz.exe
1164	jecxz.exe
1164	jecxz.exe
1164	jecxz.exe
1164	jecxz.exe
1164	jecxz.exe
1164	jecxz.exe
1164	jecxz.exe
1164	jecxz.exe
1164	jecxz.exe
1164	jecxz.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

8088c57eed8da5c30ec102d8f5ab0455619c8dd85fcfe0826870f46922e52075.exejecxz.exe

pid	process
2004	8088c57eed8da5c30ec102d8f5ab0455619c8dd85fcfe0826870f46922e52075.exe
2004	8088c57eed8da5c30ec102d8f5ab0455619c8dd85fcfe0826870f46922e52075.exe
1164	jecxz.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

8088c57eed8da5c30ec102d8f5ab0455619c8dd85fcfe0826870f46922e52075.execmd.exe

description	pid	process	target process
PID 2004 wrote to memory of 1964	2004	8088c57eed8da5c30ec102d8f5ab0455619c8dd85fcfe0826870f46922e52075.exe	cmd.exe
PID 2004 wrote to memory of 1964	2004	8088c57eed8da5c30ec102d8f5ab0455619c8dd85fcfe0826870f46922e52075.exe	cmd.exe
PID 2004 wrote to memory of 1964	2004	8088c57eed8da5c30ec102d8f5ab0455619c8dd85fcfe0826870f46922e52075.exe	cmd.exe
PID 2004 wrote to memory of 1964	2004	8088c57eed8da5c30ec102d8f5ab0455619c8dd85fcfe0826870f46922e52075.exe	cmd.exe
PID 1964 wrote to memory of 384	1964	cmd.exe	reg.exe
PID 1964 wrote to memory of 384	1964	cmd.exe	reg.exe
PID 1964 wrote to memory of 384	1964	cmd.exe	reg.exe
PID 1964 wrote to memory of 384	1964	cmd.exe	reg.exe
PID 2004 wrote to memory of 1164	2004	8088c57eed8da5c30ec102d8f5ab0455619c8dd85fcfe0826870f46922e52075.exe	jecxz.exe
PID 2004 wrote to memory of 1164	2004	8088c57eed8da5c30ec102d8f5ab0455619c8dd85fcfe0826870f46922e52075.exe	jecxz.exe
PID 2004 wrote to memory of 1164	2004	8088c57eed8da5c30ec102d8f5ab0455619c8dd85fcfe0826870f46922e52075.exe	jecxz.exe
PID 2004 wrote to memory of 1164	2004	8088c57eed8da5c30ec102d8f5ab0455619c8dd85fcfe0826870f46922e52075.exe	jecxz.exe
PID 2004 wrote to memory of 1156	2004	8088c57eed8da5c30ec102d8f5ab0455619c8dd85fcfe0826870f46922e52075.exe	v.exe
PID 2004 wrote to memory of 1156	2004	8088c57eed8da5c30ec102d8f5ab0455619c8dd85fcfe0826870f46922e52075.exe	v.exe
PID 2004 wrote to memory of 1156	2004	8088c57eed8da5c30ec102d8f5ab0455619c8dd85fcfe0826870f46922e52075.exe	v.exe
PID 2004 wrote to memory of 1156	2004	8088c57eed8da5c30ec102d8f5ab0455619c8dd85fcfe0826870f46922e52075.exe	v.exe

C:\Users\Admin\AppData\Local\Temp\8088c57eed8da5c30ec102d8f5ab0455619c8dd85fcfe0826870f46922e52075.exe
"C:\Users\Admin\AppData\Local\Temp\8088c57eed8da5c30ec102d8f5ab0455619c8dd85fcfe0826870f46922e52075.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2004

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Public\xiaodaxzqxia\n.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:1964

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0" /v "1201" /d "0" /t REG_DWORD /f
3⤵
PID:384

C:\Users\Public\xiaodaxzqxia\jecxz.exe
C:\Users\Public\xiaodaxzqxia\jecxz.exe
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1164

C:\Users\Public\xiaodaxzqxia\v.exe
"C:\Users\Public\xiaodaxzqxia\v.exe" -o -d C:\Users\Public\xiaodaxzqxia C:\Users\Public\xiaodaxzqxia\111
2⤵
- Executes dropped EXE
PID:1156

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\xiaodaxzqxia\1
Filesize
291KB

MD5
b938d78f48fa0a80a622d6425ac0318a

SHA1
68c8600461927d43ada9adc17f6a809f2d6692de

SHA256
ec47537e438223ca46e0c436057b4e14c01f0929ca1c9f4ff040152ae4152a75

SHA512
74f971bdf2e1faf34334129dc6dea3aff82b8a2f69670cf030528b4efff49b06fe78b3df4b0815ab15a7415b62c05922cfa5eb5de38afc2e81555f75053234a7

Download Submit
C:\Users\Public\xiaodaxzqxia\111
Filesize
1.1MB

MD5
a1d0cb481b88ef9784c705d15ab53f32

SHA1
80e69bdb8d3b29db9b6971130a1c958998cb1f5a

SHA256
28cdd7883dab8fd8c0b65136cd0b4d4ed3d5d3a24f2e7166da41a13791ab99c4

SHA512
b69033d51f8ca60f08b80bfeeb5038ccce960b3735f0589bec6351486baf4fc448ce8044ce8008e6a339afe35f039987181b0c790e00e36d2104d64700f592c9

Download Submit
C:\Users\Public\xiaodaxzqxia\jecxz.exe
Filesize
96KB

MD5
8df0fffd4e3267d6a5cfacbd68a952be

SHA1
4af4909b27a595697a6bc469994481dcf3bfb6ba

SHA256
cd83b592632760553060f889ebdd97f636aa1c8ca2b5d0511cd7553bdb1b104c

SHA512
7422322d06099131fc817372c0ac484c6960330987c7e00e683fe814f1c2108352a23735945d938093c2d10fb8e59659a2c04c203feb2e2c8bafdd2e1d10a79a

Download Submit
C:\Users\Public\xiaodaxzqxia\jecxz.exe
Filesize
96KB

MD5
8df0fffd4e3267d6a5cfacbd68a952be

SHA1
4af4909b27a595697a6bc469994481dcf3bfb6ba

SHA256
cd83b592632760553060f889ebdd97f636aa1c8ca2b5d0511cd7553bdb1b104c

SHA512
7422322d06099131fc817372c0ac484c6960330987c7e00e683fe814f1c2108352a23735945d938093c2d10fb8e59659a2c04c203feb2e2c8bafdd2e1d10a79a

Download Submit
C:\Users\Public\xiaodaxzqxia\n.bat
Filesize
263B

MD5
c7d8b33e05722104d63de564a5d92b01

SHA1
fd703f1c71ac1dae65dc34f3521854604cec8091

SHA256
538ce88a3eed5a98c6a021a4c541080c5cfb652962f37da620e35b537513317a

SHA512
54a80fc6ad3f08743dc1655c379de79f9496086a9a18f4716fc9a9d6a6fe4fd527dd4ac099c57408090b73903c64fa38d4723783708068878aa6e18c6cc0d08e

Download Submit
C:\Users\Public\xiaodaxzqxia\n.bat
Filesize
263B

MD5
c7d8b33e05722104d63de564a5d92b01

SHA1
fd703f1c71ac1dae65dc34f3521854604cec8091

SHA256
538ce88a3eed5a98c6a021a4c541080c5cfb652962f37da620e35b537513317a

SHA512
54a80fc6ad3f08743dc1655c379de79f9496086a9a18f4716fc9a9d6a6fe4fd527dd4ac099c57408090b73903c64fa38d4723783708068878aa6e18c6cc0d08e

Download Submit
C:\Users\Public\xiaodaxzqxia\v.exe
Filesize
161KB

MD5
fecf803f7d84d4cfa81277298574d6e6

SHA1
0fd9a61bf9a361f87661de295e70a9c6795fe6a1

SHA256
81046f943d26501561612a629d8be95af254bc161011ba8a62d25c34c16d6d2a

SHA512
a4e2e2dfc98a874f7ec8318c40500b0e481fa4476d75d559f2895ce29fbe793a889fb2390220a25ab919deac477ada0c904b30f002324529285bda94292b48a4

Download Submit
C:\Users\Public\xiaodaxzqxia\v.exe
Filesize
161KB

MD5
fecf803f7d84d4cfa81277298574d6e6

SHA1
0fd9a61bf9a361f87661de295e70a9c6795fe6a1

SHA256
81046f943d26501561612a629d8be95af254bc161011ba8a62d25c34c16d6d2a

SHA512
a4e2e2dfc98a874f7ec8318c40500b0e481fa4476d75d559f2895ce29fbe793a889fb2390220a25ab919deac477ada0c904b30f002324529285bda94292b48a4

Download Submit
\Users\Public\xiaodaxzqxia\jecxz.exe
Filesize
96KB

MD5
8df0fffd4e3267d6a5cfacbd68a952be

SHA1
4af4909b27a595697a6bc469994481dcf3bfb6ba

SHA256
cd83b592632760553060f889ebdd97f636aa1c8ca2b5d0511cd7553bdb1b104c

SHA512
7422322d06099131fc817372c0ac484c6960330987c7e00e683fe814f1c2108352a23735945d938093c2d10fb8e59659a2c04c203feb2e2c8bafdd2e1d10a79a

Download Submit
\Users\Public\xiaodaxzqxia\v.exe
Filesize
161KB

MD5
fecf803f7d84d4cfa81277298574d6e6

SHA1
0fd9a61bf9a361f87661de295e70a9c6795fe6a1

SHA256
81046f943d26501561612a629d8be95af254bc161011ba8a62d25c34c16d6d2a

SHA512
a4e2e2dfc98a874f7ec8318c40500b0e481fa4476d75d559f2895ce29fbe793a889fb2390220a25ab919deac477ada0c904b30f002324529285bda94292b48a4

Download Submit
\Users\Public\xiaodaxzqxia\v.exe
Filesize
161KB

MD5
fecf803f7d84d4cfa81277298574d6e6

SHA1
0fd9a61bf9a361f87661de295e70a9c6795fe6a1

SHA256
81046f943d26501561612a629d8be95af254bc161011ba8a62d25c34c16d6d2a

SHA512
a4e2e2dfc98a874f7ec8318c40500b0e481fa4476d75d559f2895ce29fbe793a889fb2390220a25ab919deac477ada0c904b30f002324529285bda94292b48a4

Download Submit
memory/1156-103-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1164-127-0x00000000003B0000-0x00000000003FA000-memory.dmp

Filesize
296KB

Download
memory/1164-118-0x00000000003B0000-0x00000000003FA000-memory.dmp

Filesize
296KB

Download
memory/1164-83-0x00000000003B0000-0x00000000003FA000-memory.dmp

Filesize
296KB

Download
memory/1164-80-0x00000000003B0000-0x00000000003FA000-memory.dmp

Filesize
296KB

Download
memory/1164-147-0x00000000003B0000-0x00000000003FA000-memory.dmp

Filesize
296KB

Download
memory/1164-87-0x00000000003B0000-0x00000000003FA000-memory.dmp

Filesize
296KB

Download
memory/1164-88-0x00000000003B0000-0x00000000003FA000-memory.dmp

Filesize
296KB

Download
memory/1164-79-0x00000000001A0000-0x00000000001E9000-memory.dmp

Filesize
292KB

Download
memory/1164-78-0x0000000000990000-0x00000000009C3000-memory.dmp

Filesize
204KB

Download
memory/1164-146-0x00000000003B0000-0x00000000003FA000-memory.dmp

Filesize
296KB

Download
memory/1164-74-0x0000000000990000-0x00000000009C3000-memory.dmp

Filesize
204KB

Download
memory/1164-75-0x0000000000990000-0x00000000009C3000-memory.dmp

Filesize
204KB

Download
memory/1164-145-0x00000000003B0000-0x00000000003FA000-memory.dmp

Filesize
296KB

Download
memory/1164-144-0x00000000003B0000-0x00000000003FA000-memory.dmp

Filesize
296KB

Download
memory/1164-108-0x00000000003B0000-0x00000000003FA000-memory.dmp

Filesize
296KB

Download
memory/1164-142-0x00000000003B0000-0x00000000003FA000-memory.dmp

Filesize
296KB

Download
memory/1164-111-0x00000000003B0000-0x00000000003FA000-memory.dmp

Filesize
296KB

Download
memory/1164-112-0x00000000003B0000-0x00000000003FA000-memory.dmp

Filesize
296KB

Download
memory/1164-113-0x00000000003B0000-0x00000000003FA000-memory.dmp

Filesize
296KB

Download
memory/1164-115-0x00000000003B0000-0x00000000003FA000-memory.dmp

Filesize
296KB

Download
memory/1164-117-0x00000000003B0000-0x00000000003FA000-memory.dmp

Filesize
296KB

Download
memory/1164-82-0x00000000003B0000-0x00000000003FA000-memory.dmp

Filesize
296KB

Download
memory/1164-119-0x00000000003B0000-0x00000000003FA000-memory.dmp

Filesize
296KB

Download
memory/1164-121-0x00000000003B0000-0x00000000003FA000-memory.dmp

Filesize
296KB

Download
memory/1164-123-0x00000000003B0000-0x00000000003FA000-memory.dmp

Filesize
296KB

Download
memory/1164-124-0x00000000003B0000-0x00000000003FA000-memory.dmp

Filesize
296KB

Download
memory/1164-125-0x00000000003B0000-0x00000000003FA000-memory.dmp

Filesize
296KB

Download
memory/1164-141-0x00000000003B0000-0x00000000003FA000-memory.dmp

Filesize
296KB

Download
memory/1164-128-0x00000000003B0000-0x00000000003FA000-memory.dmp

Filesize
296KB

Download
memory/1164-129-0x00000000003B0000-0x00000000003FA000-memory.dmp

Filesize
296KB

Download
memory/1164-130-0x00000000003B0000-0x00000000003FA000-memory.dmp

Filesize
296KB

Download
memory/1164-132-0x00000000003B0000-0x00000000003FA000-memory.dmp

Filesize
296KB

Download
memory/1164-134-0x00000000003B0000-0x00000000003FA000-memory.dmp

Filesize
296KB

Download
memory/1164-135-0x00000000003B0000-0x00000000003FA000-memory.dmp

Filesize
296KB

Download
memory/1164-136-0x00000000003B0000-0x00000000003FA000-memory.dmp

Filesize
296KB

Download
memory/1164-138-0x00000000003B0000-0x00000000003FA000-memory.dmp

Filesize
296KB

Download
memory/1164-140-0x00000000003B0000-0x00000000003FA000-memory.dmp

Filesize
296KB

Download
memory/2004-62-0x0000000000400000-0x0000000000715000-memory.dmp

Filesize
3.1MB

Download
memory/2004-110-0x0000000000400000-0x0000000000715000-memory.dmp

Filesize
3.1MB

Download
memory/2004-107-0x0000000000400000-0x0000000000715000-memory.dmp

Filesize
3.1MB

Download
memory/2004-63-0x0000000000230000-0x0000000000235000-memory.dmp

Filesize
20KB

Download
memory/2004-77-0x00000000031D0000-0x0000000003203000-memory.dmp

Filesize
204KB

Download
memory/2004-85-0x0000000000400000-0x0000000000715000-memory.dmp

Filesize
3.1MB

Download