8088c57eed8da5c30ec102d8f5ab0455619c8dd85fcfe0826870f46922e52075

Analysis

max time kernel
145s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
16-06-2023 04:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8088c57eed8da5c30ec102d8f5ab0455619c8dd85fcfe0826870f46922e52075.exe
Size

1.1MB
MD5

12582f03681c3c66a54e316e66a623e3
SHA1

ded792ecdabf84864fbf6efb2514027f27dddd3e
SHA256

8088c57eed8da5c30ec102d8f5ab0455619c8dd85fcfe0826870f46922e52075
SHA512

ab6c75cc0e27ce318b9715689b2380675c0c37058c08c425b0662b24f8ebcc049223b27f49e6843b5919ad02a7f9970635d402fad061969f9eac6883f5e2d564
SSDEEP

24576:AP/XWN/neHqEEWyHuiS8psW/06LvmHAx8ebSTL18vArOx4Xg2dOlJ5GRfvTT:APvvqkzy/06TmgaebE1sArdjOlG5

Score

8^/10

aspackv2

Malware Config

Signatures

Downloads MZ/PE file

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Public\xiaodaxzqxia\jecxz.exe	aspack_v212_v242
C:\Users\Public\xiaodaxzqxia\jecxz.exe	aspack_v212_v242

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

8088c57eed8da5c30ec102d8f5ab0455619c8dd85fcfe0826870f46922e52075.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	8088c57eed8da5c30ec102d8f5ab0455619c8dd85fcfe0826870f46922e52075.exe

Executes dropped EXE 2 IoCs

Processes:

jecxz.exev.exe

pid process

2592 jecxz.exe
4856 v.exe

pid	process
2592	jecxz.exe
4856	v.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

jecxz.exe

description	ioc	process
File opened (read-only)	\??\J:	jecxz.exe
File opened (read-only)	\??\R:	jecxz.exe
File opened (read-only)	\??\Y:	jecxz.exe
File opened (read-only)	\??\E:	jecxz.exe
File opened (read-only)	\??\F:	jecxz.exe
File opened (read-only)	\??\M:	jecxz.exe
File opened (read-only)	\??\O:	jecxz.exe
File opened (read-only)	\??\P:	jecxz.exe
File opened (read-only)	\??\B:	jecxz.exe
File opened (read-only)	\??\H:	jecxz.exe
File opened (read-only)	\??\I:	jecxz.exe
File opened (read-only)	\??\S:	jecxz.exe
File opened (read-only)	\??\T:	jecxz.exe
File opened (read-only)	\??\X:	jecxz.exe
File opened (read-only)	\??\W:	jecxz.exe
File opened (read-only)	\??\G:	jecxz.exe
File opened (read-only)	\??\K:	jecxz.exe
File opened (read-only)	\??\L:	jecxz.exe
File opened (read-only)	\??\N:	jecxz.exe
File opened (read-only)	\??\Q:	jecxz.exe
File opened (read-only)	\??\U:	jecxz.exe
File opened (read-only)	\??\V:	jecxz.exe
File opened (read-only)	\??\Z:	jecxz.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

jecxz.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	jecxz.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	jecxz.exe

Modifies registry class 1 IoCs

Processes:

8088c57eed8da5c30ec102d8f5ab0455619c8dd85fcfe0826870f46922e52075.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings	8088c57eed8da5c30ec102d8f5ab0455619c8dd85fcfe0826870f46922e52075.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

8088c57eed8da5c30ec102d8f5ab0455619c8dd85fcfe0826870f46922e52075.exejecxz.exe

pid	process
4800	8088c57eed8da5c30ec102d8f5ab0455619c8dd85fcfe0826870f46922e52075.exe
4800	8088c57eed8da5c30ec102d8f5ab0455619c8dd85fcfe0826870f46922e52075.exe
2592	jecxz.exe
2592	jecxz.exe
2592	jecxz.exe
2592	jecxz.exe
2592	jecxz.exe
2592	jecxz.exe
2592	jecxz.exe
2592	jecxz.exe
2592	jecxz.exe
2592	jecxz.exe
2592	jecxz.exe
2592	jecxz.exe
2592	jecxz.exe
2592	jecxz.exe
2592	jecxz.exe
2592	jecxz.exe
2592	jecxz.exe
2592	jecxz.exe
2592	jecxz.exe
2592	jecxz.exe
2592	jecxz.exe
2592	jecxz.exe
2592	jecxz.exe
2592	jecxz.exe
2592	jecxz.exe
2592	jecxz.exe
2592	jecxz.exe
2592	jecxz.exe
2592	jecxz.exe
2592	jecxz.exe
2592	jecxz.exe
2592	jecxz.exe
2592	jecxz.exe
2592	jecxz.exe
2592	jecxz.exe
2592	jecxz.exe
2592	jecxz.exe
2592	jecxz.exe
2592	jecxz.exe
2592	jecxz.exe
2592	jecxz.exe
2592	jecxz.exe
2592	jecxz.exe
2592	jecxz.exe
2592	jecxz.exe
2592	jecxz.exe
2592	jecxz.exe
2592	jecxz.exe
2592	jecxz.exe
2592	jecxz.exe
2592	jecxz.exe
2592	jecxz.exe
2592	jecxz.exe
2592	jecxz.exe
2592	jecxz.exe
2592	jecxz.exe
2592	jecxz.exe
2592	jecxz.exe
2592	jecxz.exe
2592	jecxz.exe
2592	jecxz.exe
2592	jecxz.exe

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

8088c57eed8da5c30ec102d8f5ab0455619c8dd85fcfe0826870f46922e52075.exejecxz.exehh.exehh.exe

pid	process
4800	8088c57eed8da5c30ec102d8f5ab0455619c8dd85fcfe0826870f46922e52075.exe
4800	8088c57eed8da5c30ec102d8f5ab0455619c8dd85fcfe0826870f46922e52075.exe
2592	jecxz.exe
3832	hh.exe
3832	hh.exe
4944	hh.exe
4944	hh.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

8088c57eed8da5c30ec102d8f5ab0455619c8dd85fcfe0826870f46922e52075.execmd.exe

description	pid	process	target process
PID 4800 wrote to memory of 4108	4800	8088c57eed8da5c30ec102d8f5ab0455619c8dd85fcfe0826870f46922e52075.exe	cmd.exe
PID 4800 wrote to memory of 4108	4800	8088c57eed8da5c30ec102d8f5ab0455619c8dd85fcfe0826870f46922e52075.exe	cmd.exe
PID 4800 wrote to memory of 4108	4800	8088c57eed8da5c30ec102d8f5ab0455619c8dd85fcfe0826870f46922e52075.exe	cmd.exe
PID 4108 wrote to memory of 4788	4108	cmd.exe	reg.exe
PID 4108 wrote to memory of 4788	4108	cmd.exe	reg.exe
PID 4108 wrote to memory of 4788	4108	cmd.exe	reg.exe
PID 4800 wrote to memory of 2592	4800	8088c57eed8da5c30ec102d8f5ab0455619c8dd85fcfe0826870f46922e52075.exe	jecxz.exe
PID 4800 wrote to memory of 2592	4800	8088c57eed8da5c30ec102d8f5ab0455619c8dd85fcfe0826870f46922e52075.exe	jecxz.exe
PID 4800 wrote to memory of 2592	4800	8088c57eed8da5c30ec102d8f5ab0455619c8dd85fcfe0826870f46922e52075.exe	jecxz.exe
PID 4800 wrote to memory of 4856	4800	8088c57eed8da5c30ec102d8f5ab0455619c8dd85fcfe0826870f46922e52075.exe	v.exe
PID 4800 wrote to memory of 4856	4800	8088c57eed8da5c30ec102d8f5ab0455619c8dd85fcfe0826870f46922e52075.exe	v.exe
PID 4800 wrote to memory of 4856	4800	8088c57eed8da5c30ec102d8f5ab0455619c8dd85fcfe0826870f46922e52075.exe	v.exe

C:\Users\Admin\AppData\Local\Temp\8088c57eed8da5c30ec102d8f5ab0455619c8dd85fcfe0826870f46922e52075.exe
"C:\Users\Admin\AppData\Local\Temp\8088c57eed8da5c30ec102d8f5ab0455619c8dd85fcfe0826870f46922e52075.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Public\xiaodaxzqxia\n.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:4108

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0" /v "1201" /d "0" /t REG_DWORD /f
3⤵
PID:4788

C:\Users\Public\xiaodaxzqxia\jecxz.exe
C:\Users\Public\xiaodaxzqxia\jecxz.exe
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2592

C:\Users\Public\xiaodaxzqxia\v.exe
"C:\Users\Public\xiaodaxzqxia\v.exe" -o -d C:\Users\Public\xiaodaxzqxia C:\Users\Public\xiaodaxzqxia\111
2⤵
- Executes dropped EXE
PID:4856

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:772

C:\Windows\hh.exe
"C:\Windows\hh.exe" C:\Users\Public\cxzvasdfg\0200222764019865\A11.chm
1⤵
- Suspicious use of SetWindowsHookEx
PID:3832

C:\Windows\hh.exe
"C:\Windows\hh.exe" C:\Users\Public\cxzvasdfg\0200222764019865\A11.chm
1⤵
- Suspicious use of SetWindowsHookEx
PID:4944

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\HTML Help\hh.dat
Filesize
8KB

MD5
39c5c741750d56c1ddc207bbb48b16de

SHA1
dc2f7f08312c7cd74fc9879b723e8f44e1c2987d

SHA256
4aa3403507fa4ffacae28abaa74af6d0048205df13710e9d8a99dfd593d23995

SHA512
72049ad37d3e6961050c86e17ccaa7c80d42e07d5f169a70914c4ab523ef5cf7abed6991037284da94b6972154cfa9df6701284293e81755850c590ea11b506b

Download Submit
C:\Users\Public\cxzvasdfg\0200222764019865\A11.chm
Filesize
11KB

MD5
db7961bf21e69e9cdbbfbc5357b6ae84

SHA1
6b43da6f1a502cc3ede9a46a71536e79335e3169

SHA256
49c7fc9d58e588bdcac23d7d576b699d49d5497de8afcb73be23cab89edf3b0e

SHA512
e0c7f502e60c9a15d407416645266614dd1e29c42c4711f1f3e10bd0de4c2404994fc71d3cb73a5ca56977afdf36f96c4e60b2bccce7459a1988877f197312f8

Download Submit
C:\Users\Public\xiaodaxzqxia\1
Filesize
291KB

MD5
b938d78f48fa0a80a622d6425ac0318a

SHA1
68c8600461927d43ada9adc17f6a809f2d6692de

SHA256
ec47537e438223ca46e0c436057b4e14c01f0929ca1c9f4ff040152ae4152a75

SHA512
74f971bdf2e1faf34334129dc6dea3aff82b8a2f69670cf030528b4efff49b06fe78b3df4b0815ab15a7415b62c05922cfa5eb5de38afc2e81555f75053234a7

Download Submit
C:\Users\Public\xiaodaxzqxia\111
Filesize
1.1MB

MD5
a1d0cb481b88ef9784c705d15ab53f32

SHA1
80e69bdb8d3b29db9b6971130a1c958998cb1f5a

SHA256
28cdd7883dab8fd8c0b65136cd0b4d4ed3d5d3a24f2e7166da41a13791ab99c4

SHA512
b69033d51f8ca60f08b80bfeeb5038ccce960b3735f0589bec6351486baf4fc448ce8044ce8008e6a339afe35f039987181b0c790e00e36d2104d64700f592c9

Download Submit
C:\Users\Public\xiaodaxzqxia\jecxz.exe
Filesize
96KB

MD5
8df0fffd4e3267d6a5cfacbd68a952be

SHA1
4af4909b27a595697a6bc469994481dcf3bfb6ba

SHA256
cd83b592632760553060f889ebdd97f636aa1c8ca2b5d0511cd7553bdb1b104c

SHA512
7422322d06099131fc817372c0ac484c6960330987c7e00e683fe814f1c2108352a23735945d938093c2d10fb8e59659a2c04c203feb2e2c8bafdd2e1d10a79a

Download Submit
C:\Users\Public\xiaodaxzqxia\jecxz.exe
Filesize
96KB

MD5
8df0fffd4e3267d6a5cfacbd68a952be

SHA1
4af4909b27a595697a6bc469994481dcf3bfb6ba

SHA256
cd83b592632760553060f889ebdd97f636aa1c8ca2b5d0511cd7553bdb1b104c

SHA512
7422322d06099131fc817372c0ac484c6960330987c7e00e683fe814f1c2108352a23735945d938093c2d10fb8e59659a2c04c203feb2e2c8bafdd2e1d10a79a

Download Submit
C:\Users\Public\xiaodaxzqxia\n.bat
Filesize
263B

MD5
c7d8b33e05722104d63de564a5d92b01

SHA1
fd703f1c71ac1dae65dc34f3521854604cec8091

SHA256
538ce88a3eed5a98c6a021a4c541080c5cfb652962f37da620e35b537513317a

SHA512
54a80fc6ad3f08743dc1655c379de79f9496086a9a18f4716fc9a9d6a6fe4fd527dd4ac099c57408090b73903c64fa38d4723783708068878aa6e18c6cc0d08e

Download Submit
C:\Users\Public\xiaodaxzqxia\v.exe
Filesize
161KB

MD5
fecf803f7d84d4cfa81277298574d6e6

SHA1
0fd9a61bf9a361f87661de295e70a9c6795fe6a1

SHA256
81046f943d26501561612a629d8be95af254bc161011ba8a62d25c34c16d6d2a

SHA512
a4e2e2dfc98a874f7ec8318c40500b0e481fa4476d75d559f2895ce29fbe793a889fb2390220a25ab919deac477ada0c904b30f002324529285bda94292b48a4

Download Submit
C:\Users\Public\xiaodaxzqxia\v.exe
Filesize
161KB

MD5
fecf803f7d84d4cfa81277298574d6e6

SHA1
0fd9a61bf9a361f87661de295e70a9c6795fe6a1

SHA256
81046f943d26501561612a629d8be95af254bc161011ba8a62d25c34c16d6d2a

SHA512
a4e2e2dfc98a874f7ec8318c40500b0e481fa4476d75d559f2895ce29fbe793a889fb2390220a25ab919deac477ada0c904b30f002324529285bda94292b48a4

Download Submit
memory/2592-195-0x0000000002C20000-0x0000000002C6A000-memory.dmp

Filesize
296KB

Download
memory/2592-202-0x0000000002C20000-0x0000000002C6A000-memory.dmp

Filesize
296KB

Download
memory/2592-154-0x0000000002C20000-0x0000000002C6A000-memory.dmp

Filesize
296KB

Download
memory/2592-155-0x0000000002C20000-0x0000000002C6A000-memory.dmp

Filesize
296KB

Download
memory/2592-156-0x0000000002C20000-0x0000000002C6A000-memory.dmp

Filesize
296KB

Download
memory/2592-159-0x0000000002C20000-0x0000000002C6A000-memory.dmp

Filesize
296KB

Download
memory/2592-151-0x0000000002B80000-0x0000000002BC9000-memory.dmp

Filesize
292KB

Download
memory/2592-150-0x00000000007F0000-0x0000000000823000-memory.dmp

Filesize
204KB

Download
memory/2592-148-0x00000000007F0000-0x0000000000823000-memory.dmp

Filesize
204KB

Download
memory/2592-236-0x0000000002C20000-0x0000000002C6A000-memory.dmp

Filesize
296KB

Download
memory/2592-147-0x00000000007F0000-0x0000000000823000-memory.dmp

Filesize
204KB

Download
memory/2592-235-0x0000000002C20000-0x0000000002C6A000-memory.dmp

Filesize
296KB

Download
memory/2592-233-0x0000000002C20000-0x0000000002C6A000-memory.dmp

Filesize
296KB

Download
memory/2592-232-0x0000000002C20000-0x0000000002C6A000-memory.dmp

Filesize
296KB

Download
memory/2592-231-0x0000000002C20000-0x0000000002C6A000-memory.dmp

Filesize
296KB

Download
memory/2592-185-0x0000000002C20000-0x0000000002C6A000-memory.dmp

Filesize
296KB

Download
memory/2592-186-0x0000000002C20000-0x0000000002C6A000-memory.dmp

Filesize
296KB

Download
memory/2592-187-0x0000000002C20000-0x0000000002C6A000-memory.dmp

Filesize
296KB

Download
memory/2592-188-0x0000000002C20000-0x0000000002C6A000-memory.dmp

Filesize
296KB

Download
memory/2592-190-0x0000000002C20000-0x0000000002C6A000-memory.dmp

Filesize
296KB

Download
memory/2592-191-0x0000000002C20000-0x0000000002C6A000-memory.dmp

Filesize
296KB

Download
memory/2592-192-0x0000000002C20000-0x0000000002C6A000-memory.dmp

Filesize
296KB

Download
memory/2592-193-0x0000000002C20000-0x0000000002C6A000-memory.dmp

Filesize
296KB

Download
memory/2592-230-0x0000000002C20000-0x0000000002C6A000-memory.dmp

Filesize
296KB

Download
memory/2592-196-0x0000000002C20000-0x0000000002C6A000-memory.dmp

Filesize
296KB

Download
memory/2592-197-0x0000000002C20000-0x0000000002C6A000-memory.dmp

Filesize
296KB

Download
memory/2592-198-0x0000000002C20000-0x0000000002C6A000-memory.dmp

Filesize
296KB

Download
memory/2592-200-0x0000000002C20000-0x0000000002C6A000-memory.dmp

Filesize
296KB

Download
memory/2592-201-0x0000000002C20000-0x0000000002C6A000-memory.dmp

Filesize
296KB

Download
memory/2592-152-0x0000000002C20000-0x0000000002C6A000-memory.dmp

Filesize
296KB

Download
memory/2592-203-0x0000000002C20000-0x0000000002C6A000-memory.dmp

Filesize
296KB

Download
memory/2592-205-0x0000000002C20000-0x0000000002C6A000-memory.dmp

Filesize
296KB

Download
memory/2592-206-0x0000000002C20000-0x0000000002C6A000-memory.dmp

Filesize
296KB

Download
memory/2592-207-0x0000000002C20000-0x0000000002C6A000-memory.dmp

Filesize
296KB

Download
memory/2592-208-0x0000000002C20000-0x0000000002C6A000-memory.dmp

Filesize
296KB

Download
memory/2592-210-0x0000000002C20000-0x0000000002C6A000-memory.dmp

Filesize
296KB

Download
memory/2592-211-0x0000000002C20000-0x0000000002C6A000-memory.dmp

Filesize
296KB

Download
memory/2592-212-0x0000000002C20000-0x0000000002C6A000-memory.dmp

Filesize
296KB

Download
memory/2592-213-0x0000000002C20000-0x0000000002C6A000-memory.dmp

Filesize
296KB

Download
memory/2592-215-0x0000000002C20000-0x0000000002C6A000-memory.dmp

Filesize
296KB

Download
memory/2592-216-0x0000000002C20000-0x0000000002C6A000-memory.dmp

Filesize
296KB

Download
memory/2592-217-0x0000000002C20000-0x0000000002C6A000-memory.dmp

Filesize
296KB

Download
memory/2592-218-0x0000000002C20000-0x0000000002C6A000-memory.dmp

Filesize
296KB

Download
memory/2592-220-0x0000000002C20000-0x0000000002C6A000-memory.dmp

Filesize
296KB

Download
memory/2592-221-0x0000000002C20000-0x0000000002C6A000-memory.dmp

Filesize
296KB

Download
memory/2592-222-0x0000000002C20000-0x0000000002C6A000-memory.dmp

Filesize
296KB

Download
memory/2592-223-0x0000000002C20000-0x0000000002C6A000-memory.dmp

Filesize
296KB

Download
memory/2592-225-0x0000000002C20000-0x0000000002C6A000-memory.dmp

Filesize
296KB

Download
memory/2592-226-0x0000000002C20000-0x0000000002C6A000-memory.dmp

Filesize
296KB

Download
memory/2592-227-0x0000000002C20000-0x0000000002C6A000-memory.dmp

Filesize
296KB

Download
memory/2592-228-0x0000000002C20000-0x0000000002C6A000-memory.dmp

Filesize
296KB

Download
memory/4800-133-0x0000000000400000-0x0000000000715000-memory.dmp

Filesize
3.1MB

Download
memory/4800-182-0x0000000000400000-0x0000000000715000-memory.dmp

Filesize
3.1MB

Download
memory/4800-134-0x0000000000870000-0x0000000000873000-memory.dmp

Filesize
12KB

Download
memory/4800-179-0x0000000000870000-0x0000000000873000-memory.dmp

Filesize
12KB

Download
memory/4800-177-0x0000000000400000-0x0000000000715000-memory.dmp

Filesize
3.1MB

Download
memory/4856-169-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download