Analysis
- max time kernel: 141s
- max time network: 30s
- platform: windows7_x64
- resource: win7-20230621-en
- resource tags: arch:x64, arch:x86, image:win7-20230621-en, locale:en-us, os:windows7-x64, system
- submitted: 25-06-2023 18:30
Behavioral task behavioral1
- Sample: fd4ed6dde2c2439e8f32441bf9d00877efa9147d449ae50e2e391a4d04f3283c.exe
- Resource: win7-20230621-en
Behavioral task behavioral2
- Sample: fd4ed6dde2c2439e8f32441bf9d00877efa9147d449ae50e2e391a4d04f3283c.exe
- Resource: win10v2004-20230621-en
General
- Target: fd4ed6dde2c2439e8f32441bf9d00877efa9147d449ae50e2e391a4d04f3283c.exe
- Size: 1.8MB
- MD5: 8d535ad4b5e90f01fce0faed11659e96
- SHA1: b6516dd03259d31aacf7398c21993aff47733ed5
- SHA256: fd4ed6dde2c2439e8f32441bf9d00877efa9147d449ae50e2e391a4d04f3283c
- SHA512: 48013c9fe16139e079e1f84c52fc2c5d3a5e512a10ebf4cca5708cf6f797584909cc7d5ce049e6a54228e24e1d9dbcdb72a327b7a7297a43ba9a29fc949ba4d0
- SSDEEP: 49152:WtX0zooTO8k0MmKoQMmiUXyTeOctXj8xe8gQU:WtdAeoQji3Kj8c
Malware Config
Signatures
- Modifies Windows Firewall (1 TTPs, 3 IoCs)
  Processes:
  pid   process
  1200  netsh.exe
  1912  netsh.exe
  536   netsh.exe
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  description        ioc                                                                                    process
  Key value queried  \REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Control Panel\International\Geo\Nation  rundll32.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Control Panel\International\Geo\Nation  rundll32.exe
- Drops file in Windows directory (1 IoCs)
  Processes:
  description                   ioc                              process
  File opened for modification  C:\Windows\INF\setupapi.app.log  rundll32.exe
- Modifies Control Panel (43 IoCs)
- Suspicious use of AdjustPrivilegeToken (7 IoCs)
  Processes:
  description                pid   process
  Token: SeRestorePrivilege  1636  rundll32.exe
  Token: SeRestorePrivilege  1636  rundll32.exe
  Token: SeRestorePrivilege  1636  rundll32.exe
  Token: SeRestorePrivilege  1636  rundll32.exe
  Token: SeRestorePrivilege  1636  rundll32.exe
  Token: SeRestorePrivilege  1636  rundll32.exe
  Token: SeRestorePrivilege  1636  rundll32.exe
- Suspicious use of WriteProcessMemory (42 IoCs)
Processes
- C:\Users\Admin\AppData\Local\Temp\fd4ed6dde2c2439e8f32441bf9d00877efa9147d449ae50e2e391a4d04f3283c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\fd4ed6dde2c2439e8f32441bf9d00877efa9147d449ae50e2e391a4d04f3283c.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\splwow64.exe
    Command line: C:\Windows\splwow64.exe 12288
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\#set.bat
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall set allowedprogram "C:\Users\Admin\AppData\Local\Temp\fd4ed6dde2c2439e8f32441bf9d00877efa9147d449ae50e2e391a4d04f3283c.exe" Sjms_App_Ys95 ENABLE
      Signatures: Modifies Windows Firewall
    - C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall set portopening tcp 3933 Sjms_3933_Tcp ENABLE subnet
      Signatures: Modifies Windows Firewall
    - C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall set portopening udp 3934 Sjms_3934_Udp ENABLE subnet
      Signatures: Modifies Windows Firewall
    - C:\Windows\SysWOW64\control.exe
      Command line: Control intl.cpl,,/f:"C:\Users\Admin\AppData\Local\Temp\#data_cn.xml"
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\rundll32.exe
        Command line: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL intl.cpl,,/f:"C:\Users\Admin\AppData\Local\Temp\#data_cn.xml"
        Signatures: Checks computer location settings; Modifies Control Panel
    - C:\Windows\SysWOW64\control.exe
      Command line: Control intl.cpl,,/f:"C:\Users\Admin\AppData\Local\Temp\#language_cn.xml"
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\rundll32.exe
        Command line: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL intl.cpl,,/f:"C:\Users\Admin\AppData\Local\Temp\#language_cn.xml"
        Signatures: Checks computer location settings; Drops file in Windows directory; Modifies Control Panel; Suspicious use of AdjustPrivilegeToken
Downloads
- C:\Users\Admin\AppData\Local\Temp\#data_cn.xml
  Filesize: 328B
  MD5: 135b54ee584457e38900aa5ef4927e93
  SHA1: a2ea4f0470bc7e2536be5253837138056bf36ab0
  SHA256: df684c2110c297ae55896108604307257a15976c2cdf31cfdfe24f9d43fa4c1e
  SHA512: cf40c4d10c5bd0b3c3606e05cd10b6017f1d7741cc558eade1d72c7878908ff7fa1ae203b71351c16a74859b063e8dbcf6485e0c3b2a931494fbc036939008aa
- C:\Users\Admin\AppData\Local\Temp\#language_cn.xml
  Filesize: 272B
  MD5: 2d1bf0ad83e940dc1719b47be2610968
  SHA1: f3faa11de3c7596c2ca115731b01421c1962ec6b
  SHA256: 10a47d686608af38651d8ee34395a7cd7ccbbc56edc47ab313e9a8305f08da29
  SHA512: f3ce04c5ebbae7d325a89b0dc552f2dac5d4634246fca6aef9496308f9767d07daf546c61a48e6faa71a2e823cca71a693c675cc7f8cd721fec660650fa0d9ac
- C:\Users\Admin\AppData\Local\Temp\#set.bat
  Filesize: 607B
  MD5: e96c888d0105eec33bd43078fe9e3465
  SHA1: 18e5717b27c58fa6b42237e96a9801fb915dfdab
  SHA256: 49140826870c6fa7ed453bd3fdbbd3b771b7ceaeb829d5113a6e88de6bb36cb4
  SHA512: 3856fae17e6863d3a5b0fa4fd4b74d5008e43dbd524f17faeab747f31a5acdca476c91e0949b5f83be73a3f5c6a4e1780d5770977c47a7bb5abac83eb32cd5ec
- memory/2020-55-0x00000000003E0000-0x00000000003E1000-memory.dmp
  Filesize: 4KB
- memory/2020-67-0x0000000000400000-0x0000000003FFC000-memory.dmp
  Filesize: 60.0MB
- memory/2020-70-0x00000000003E0000-0x00000000003E1000-memory.dmp
  Filesize: 4KB
- memory/2020-71-0x0000000000400000-0x0000000003FFC000-memory.dmp
  Filesize: 60.0MB
- memory/2020-72-0x0000000000400000-0x0000000003FFC000-memory.dmp
  Filesize: 60.0MB