Windows Analysis Report
zixing.exe

Overview

General Information

Sample name: zixing.exe
Analysis ID: 1467146
MD5: 4d35a83ceaada68b77334f26d7cb3f77
SHA1: 70b6cf7e98e3a8696a91c59ce0ed65bce41c2749
SHA256: f7ef51b598dc9640454122ba1bcdb7fb62cee20ac510e5359e0be0178a65a574
Tags: exe

Detection

Score: 8
Range: 0 - 100
Whitelisted: false
Confidence: 0%

Signatures

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Drops PE files
File is packed with WinRar
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Source: zixing.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: zixing.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: zixing.exe
Source: C:\Users\user\Desktop\zixing.exe Code function: 0_2_00DEA534 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 0_2_00DEA534
Source: C:\Users\user\Desktop\zixing.exe Code function: 0_2_00DFB820 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW, 0_2_00DFB820
Source: C:\Users\user\Desktop\zixing.exe Code function: 0_2_00E0A928 FindFirstFileExA, 0_2_00E0A928
Source: unknown DNS traffic detected: query: 206.23.85.13.in-addr.arpa replaycode: Name error (3)
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: 206.23.85.13.in-addr.arpa
Source: zwei.exe.0.dr String found in binary or memory: http://192.168.0.188:9011/mon?monNo=
Source: zwei.exe.0.dr String found in binary or memory: http://j32303f290.zicp.vip:9011/imageszt/
Source: zwei.exe.0.dr String found in binary or memory: http://www.Jewsys.com
Source: zwei.exe.0.dr String found in binary or memory: http://www.zwei.com__vbaFailedFriend
Source: C:\Users\user\Desktop\zixing.exe Code function: 0_2_00DE7165: __EH_prolog,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW, 0_2_00DE7165
Source: C:\Users\user\Desktop\zixing.exe Code function: 0_2_00DF65B6 0_2_00DF65B6
Source: C:\Users\user\Desktop\zixing.exe Code function: 0_2_00DE8525 0_2_00DE8525
Source: C:\Users\user\Desktop\zixing.exe Code function: 0_2_00DE404E 0_2_00DE404E
Source: C:\Users\user\Desktop\zixing.exe Code function: 0_2_00DF702F 0_2_00DF702F
Source: C:\Users\user\Desktop\zixing.exe Code function: 0_2_00DEE1E0 0_2_00DEE1E0
Source: C:\Users\user\Desktop\zixing.exe Code function: 0_2_00E00146 0_2_00E00146
Source: C:\Users\user\Desktop\zixing.exe Code function: 0_2_00DE326D 0_2_00DE326D
Source: C:\Users\user\Desktop\zixing.exe Code function: 0_2_00E0457A 0_2_00E0457A
Source: C:\Users\user\Desktop\zixing.exe Code function: 0_2_00E0055E 0_2_00E0055E
Source: C:\Users\user\Desktop\zixing.exe Code function: 0_2_00DE27D4 0_2_00DE27D4
Source: C:\Users\user\Desktop\zixing.exe Code function: 0_2_00DEE7E0 0_2_00DEE7E0
Source: C:\Users\user\Desktop\zixing.exe Code function: 0_2_00E047A9 0_2_00E047A9
Source: C:\Users\user\Desktop\zixing.exe Code function: 0_2_00DF3731 0_2_00DF3731
Source: C:\Users\user\Desktop\zixing.exe Code function: 0_2_00DEF8A8 0_2_00DEF8A8
Source: C:\Users\user\Desktop\zixing.exe Code function: 0_2_00DF69EB 0_2_00DF69EB
Source: C:\Users\user\Desktop\zixing.exe Code function: 0_2_00DF39AC 0_2_00DF39AC
Source: C:\Users\user\Desktop\zixing.exe Code function: 0_2_00E00993 0_2_00E00993
Source: C:\Users\user\Desktop\zixing.exe Code function: 0_2_00E0CA20 0_2_00E0CA20
Source: C:\Users\user\Desktop\zixing.exe Code function: 0_2_00DF5BE7 0_2_00DF5BE7
Source: C:\Users\user\Desktop\zixing.exe Code function: 0_2_00DF3CDD 0_2_00DF3CDD
Source: C:\Users\user\Desktop\zixing.exe Code function: 0_2_00DEEC54 0_2_00DEEC54
Source: C:\Users\user\Desktop\zixing.exe Code function: 0_2_00DFFC4A 0_2_00DFFC4A
Source: C:\Users\user\Desktop\zixing.exe Code function: 0_2_00E00DC8 0_2_00E00DC8
Source: C:\Users\user\Desktop\zixing.exe Code function: 0_2_00DEDDAC 0_2_00DEDDAC
Source: C:\Users\user\Desktop\zixing.exe Code function: 0_2_00DEBD53 0_2_00DEBD53
Source: C:\Users\user\Desktop\zixing.exe Code function: 0_2_00E0CECE 0_2_00E0CECE
Source: C:\Users\user\Desktop\zixing.exe Code function: 0_2_00E10FD4 0_2_00E10FD4
Source: C:\Users\user\Desktop\zixing.exe Code function: 0_2_00DE5F0C 0_2_00DE5F0C
Source: C:\Users\user\Desktop\zixing.exe Code function: String function: 00DFE1C0 appears 52 times
Source: C:\Users\user\Desktop\zixing.exe Code function: String function: 00DFE0E4 appears 35 times
Source: C:\Users\user\Desktop\zixing.exe Code function: String function: 00DFEB60 appears 31 times
Source: zixing.exe, 00000000.00000003.1235618538.00000000077D4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamezwei.exe vs zixing.exe
Source: zwei.exe.0.dr Binary or memory string: *\AD:\AAcode\sjgc-zx\code\zwei.vbp
Source: classification engine Classification label: clean8.winEXE@1/6@1/0
Source: C:\Users\user\Desktop\zixing.exe Code function: 0_2_00DE6E5E GetLastError,FormatMessageW, 0_2_00DE6E5E
Source: C:\Users\user\Desktop\zixing.exe Code function: 0_2_00DF9D9A FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree, 0_2_00DF9D9A
Source: C:\Users\user\Desktop\zixing.exe File created: C:\Users\user\Desktop\__tmp_rar_sfx_access_check_6141312
Source: C:\Users\user\Desktop\zixing.exe Command line argument: q 0_2_00DFD42A
Source: C:\Users\user\Desktop\zixing.exe Command line argument: sfxname 0_2_00DFD42A
Source: C:\Users\user\Desktop\zixing.exe Command line argument: sfxstime 0_2_00DFD42A
Source: C:\Users\user\Desktop\zixing.exe Command line argument: STARTDLG 0_2_00DFD42A
Source: C:\Users\user\Desktop\zixing.exe Command line argument: pZ 0_2_00DFD42A
Source: zixing.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\zixing.exe File read: C:\Windows\win.ini
Source: C:\Users\user\Desktop\zixing.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\zixing.exe File read: C:\Users\user\Desktop\zixing.exe
Source: C:\Users\user\Desktop\zixing.exe Section loaded: api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\zixing.exe Section loaded: api-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\Desktop\zixing.exe Section loaded: api-ms-win-core-localization-l1-2-1.dll
Source: C:\Users\user\Desktop\zixing.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\zixing.exe Section loaded: dxgidebug.dll
Source: C:\Users\user\Desktop\zixing.exe Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\zixing.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\zixing.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\zixing.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\zixing.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\zixing.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\zixing.exe Section loaded: riched20.dll
Source: C:\Users\user\Desktop\zixing.exe Section loaded: usp10.dll
Source: C:\Users\user\Desktop\zixing.exe Section loaded: msls31.dll
Source: C:\Users\user\Desktop\zixing.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\zixing.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\zixing.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\zixing.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\zixing.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\zixing.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\zixing.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\zixing.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\zixing.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
Source: zixing.exe Static file information: File size 3412029 > 1048576
Source: zixing.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: zixing.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: zixing.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: zixing.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: zixing.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: zixing.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: zixing.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: zixing.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: zixing.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: zixing.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: zixing.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: zixing.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: zixing.exe Static PE information: section name: .didat
Source: C:\Users\user\Desktop\zixing.exe Code function: 0_2_00DFE0E4 push eax; ret 0_2_00DFE102
Source: C:\Users\user\Desktop\zixing.exe Code function: 0_2_00DFEBA6 push ecx; ret 0_2_00DFEBB9
Source: C:\Users\user\Desktop\zixing.exe File created: C:\Users\user\Desktop\update\zwei.exe
Source: C:\Users\user\Desktop\zixing.exe Dropped PE file which has not been started: C:\Users\user\Desktop\update\zwei.exe
Source: C:\Users\user\Desktop\zixing.exe Code function: 0_2_00DFDBC8 VirtualQuery,GetSystemInfo, 0_2_00DFDBC8
Source: C:\Users\user\Desktop\zixing.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\zixing.exe Code function: 0_2_00E084EF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00E084EF
Source: C:\Users\user\Desktop\zixing.exe Code function: 0_2_00E07363 mov eax, dword ptr fs:[00000030h] 0_2_00E07363
Source: C:\Users\user\Desktop\zixing.exe Code function: 0_2_00E0B610 GetProcessHeap, 0_2_00E0B610
Source: C:\Users\user\Desktop\zixing.exe Code function: 0_2_00DFF07B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00DFF07B
Source: C:\Users\user\Desktop\zixing.exe Code function: 0_2_00DFED65 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00DFED65
Source: C:\Users\user\Desktop\zixing.exe Code function: 0_2_00DFEEB3 SetUnhandledExceptionFilter, 0_2_00DFEEB3
Source: C:\Users\user\Desktop\zixing.exe Code function: 0_2_00DFEBBB cpuid 0_2_00DFEBBB
Source: C:\Users\user\Desktop\zixing.exe Code function: GetLocaleInfoW,GetNumberFormatW, 0_2_00DFA5BC
Source: C:\Users\user\Desktop\zixing.exe Code function: 0_2_00DFD42A GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle, 0_2_00DFD42A
Source: C:\Users\user\Desktop\zixing.exe Code function: 0_2_00DEAC35 GetVersionExW, 0_2_00DEAC35
No contacted IP infos