fd4ed6dde2c2439e8f32441bf9d00877efa9147d449ae50e2e391a4d04f3283c

General

Target

fd4ed6dde2c2439e8f32441bf9d00877efa9147d449ae50e2e391a4d04f3283c.exe
Size

1.8MB
MD5

8d535ad4b5e90f01fce0faed11659e96
SHA1

b6516dd03259d31aacf7398c21993aff47733ed5
SHA256

fd4ed6dde2c2439e8f32441bf9d00877efa9147d449ae50e2e391a4d04f3283c
SHA512

48013c9fe16139e079e1f84c52fc2c5d3a5e512a10ebf4cca5708cf6f797584909cc7d5ce049e6a54228e24e1d9dbcdb72a327b7a7297a43ba9a29fc949ba4d0
SSDEEP

49152:WtX0zooTO8k0MmKoQMmiUXyTeOctXj8xe8gQU:WtdAeoQji3Kj8c

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 3 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exenetsh.exe

pid process

1200 netsh.exe
1912 netsh.exe
536 netsh.exe

pid	process
1200	netsh.exe
1912	netsh.exe
536	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Control Panel\International\Geo\Nation	rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Control Panel\International\Geo\Nation	rundll32.exe

Drops file in Windows directory 1 IoCs

Processes:

rundll32.exe

description ioc process

File opened for modification C:\Windows\INF\setupapi.app.log rundll32.exe

description	ioc	process
File opened for modification	C:\Windows\INF\setupapi.app.log	rundll32.exe

Modifies Control Panel 43 IoCs

evasion

Processes:

rundll32.exerundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Control Panel\International\sDate = "/"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Control Panel\International\sGrouping = "3;0"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Control Panel\International\iCountry = "86"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Control Panel\International\Locale = "00000804"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Control Panel\International\s1159 = "上午"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Control Panel\International\s2359 = "下午"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Control Panel\International\iCurrency = "0"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Control Panel\International\sDecimal = "."	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Control Panel\International\iLZero = "0"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Control Panel\International\sLongDate = "yyyy'年'M'月'd'日'"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Control Panel\International\iFirstWeekOfYear = "0"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Control Panel\International\sCountry = "People's Republic of China"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Control Panel\International\sTimeFormat = "H:mm:ss"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Control Panel\International\iTLZero = "0"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Control Panel\International\iTimePrefix = "0"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Control Panel\International\sTime = ":"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Control Panel\International\iDate = "2"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Control Panel\International	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Control Panel\International\sMonGrouping = "3;0"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Control Panel\International\sNegativeSign = "-"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Control Panel\International\LocaleName = "zh-CN"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Control Panel\International\iTime = "1"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Control Panel\International\sThousand = ","	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Control Panel\International\sMonThousandSep = ","	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Control Panel\International\sList = ","	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Control Panel\International\sShortDate = "yyyy/M/d"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Control Panel\International\iCurrDigits = "2"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Control Panel\International\sNativeDigits = "0123456789"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Control Panel\International\iCalendarType = "1"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Control Panel\International\sMonDecimalSep = "."	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Control Panel\International\sLanguage = "CHS"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Control Panel\International\iMeasure = "0"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Control Panel\International\iPaperSize = "9"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Control Panel\International\sYearMonth = "yyyy'年'M'月'"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Control Panel\International\iNegCurr = "2"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Control Panel\International\iDigits = "2"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Control Panel\International\iNegNumber = "1"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Control Panel\International\NumShape = "1"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Control Panel\International	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Control Panel\International\sCurrency = "¥"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Control Panel\International\iFirstDayOfWeek = "6"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Control Panel\International\sPositiveSign	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Control Panel\International\sShortTime = "H:mm"	rundll32.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

rundll32.exe

description	pid	process
Token: SeRestorePrivilege	1636	rundll32.exe
Token: SeRestorePrivilege	1636	rundll32.exe
Token: SeRestorePrivilege	1636	rundll32.exe
Token: SeRestorePrivilege	1636	rundll32.exe
Token: SeRestorePrivilege	1636	rundll32.exe
Token: SeRestorePrivilege	1636	rundll32.exe
Token: SeRestorePrivilege	1636	rundll32.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

fd4ed6dde2c2439e8f32441bf9d00877efa9147d449ae50e2e391a4d04f3283c.execmd.execontrol.execontrol.exe

description	pid	process	target process
PID 2020 wrote to memory of 1712	2020	fd4ed6dde2c2439e8f32441bf9d00877efa9147d449ae50e2e391a4d04f3283c.exe	splwow64.exe
PID 2020 wrote to memory of 1712	2020	fd4ed6dde2c2439e8f32441bf9d00877efa9147d449ae50e2e391a4d04f3283c.exe	splwow64.exe
PID 2020 wrote to memory of 1712	2020	fd4ed6dde2c2439e8f32441bf9d00877efa9147d449ae50e2e391a4d04f3283c.exe	splwow64.exe
PID 2020 wrote to memory of 1712	2020	fd4ed6dde2c2439e8f32441bf9d00877efa9147d449ae50e2e391a4d04f3283c.exe	splwow64.exe
PID 2020 wrote to memory of 460	2020	fd4ed6dde2c2439e8f32441bf9d00877efa9147d449ae50e2e391a4d04f3283c.exe	cmd.exe
PID 2020 wrote to memory of 460	2020	fd4ed6dde2c2439e8f32441bf9d00877efa9147d449ae50e2e391a4d04f3283c.exe	cmd.exe
PID 2020 wrote to memory of 460	2020	fd4ed6dde2c2439e8f32441bf9d00877efa9147d449ae50e2e391a4d04f3283c.exe	cmd.exe
PID 2020 wrote to memory of 460	2020	fd4ed6dde2c2439e8f32441bf9d00877efa9147d449ae50e2e391a4d04f3283c.exe	cmd.exe
PID 460 wrote to memory of 1200	460	cmd.exe	netsh.exe
PID 460 wrote to memory of 1200	460	cmd.exe	netsh.exe
PID 460 wrote to memory of 1200	460	cmd.exe	netsh.exe
PID 460 wrote to memory of 1200	460	cmd.exe	netsh.exe
PID 460 wrote to memory of 1912	460	cmd.exe	netsh.exe
PID 460 wrote to memory of 1912	460	cmd.exe	netsh.exe
PID 460 wrote to memory of 1912	460	cmd.exe	netsh.exe
PID 460 wrote to memory of 1912	460	cmd.exe	netsh.exe
PID 460 wrote to memory of 536	460	cmd.exe	netsh.exe
PID 460 wrote to memory of 536	460	cmd.exe	netsh.exe
PID 460 wrote to memory of 536	460	cmd.exe	netsh.exe
PID 460 wrote to memory of 536	460	cmd.exe	netsh.exe
PID 460 wrote to memory of 1628	460	cmd.exe	control.exe
PID 460 wrote to memory of 1628	460	cmd.exe	control.exe
PID 460 wrote to memory of 1628	460	cmd.exe	control.exe
PID 460 wrote to memory of 1628	460	cmd.exe	control.exe
PID 1628 wrote to memory of 1972	1628	control.exe	rundll32.exe
PID 1628 wrote to memory of 1972	1628	control.exe	rundll32.exe
PID 1628 wrote to memory of 1972	1628	control.exe	rundll32.exe
PID 1628 wrote to memory of 1972	1628	control.exe	rundll32.exe
PID 1628 wrote to memory of 1972	1628	control.exe	rundll32.exe
PID 1628 wrote to memory of 1972	1628	control.exe	rundll32.exe
PID 1628 wrote to memory of 1972	1628	control.exe	rundll32.exe
PID 460 wrote to memory of 1524	460	cmd.exe	control.exe
PID 460 wrote to memory of 1524	460	cmd.exe	control.exe
PID 460 wrote to memory of 1524	460	cmd.exe	control.exe
PID 460 wrote to memory of 1524	460	cmd.exe	control.exe
PID 1524 wrote to memory of 1636	1524	control.exe	rundll32.exe
PID 1524 wrote to memory of 1636	1524	control.exe	rundll32.exe
PID 1524 wrote to memory of 1636	1524	control.exe	rundll32.exe
PID 1524 wrote to memory of 1636	1524	control.exe	rundll32.exe
PID 1524 wrote to memory of 1636	1524	control.exe	rundll32.exe
PID 1524 wrote to memory of 1636	1524	control.exe	rundll32.exe
PID 1524 wrote to memory of 1636	1524	control.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\fd4ed6dde2c2439e8f32441bf9d00877efa9147d449ae50e2e391a4d04f3283c.exe
"C:\Users\Admin\AppData\Local\Temp\fd4ed6dde2c2439e8f32441bf9d00877efa9147d449ae50e2e391a4d04f3283c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1712

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\#set.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:460

C:\Windows\SysWOW64\netsh.exe
netsh firewall set allowedprogram "C:\Users\Admin\AppData\Local\Temp\fd4ed6dde2c2439e8f32441bf9d00877efa9147d449ae50e2e391a4d04f3283c.exe" Sjms_App_Ys95 ENABLE
3⤵
- Modifies Windows Firewall
PID:1200

C:\Windows\SysWOW64\netsh.exe
netsh firewall set portopening tcp 3933 Sjms_3933_Tcp ENABLE subnet
3⤵
- Modifies Windows Firewall
PID:1912

C:\Windows\SysWOW64\netsh.exe
netsh firewall set portopening udp 3934 Sjms_3934_Udp ENABLE subnet
3⤵
- Modifies Windows Firewall
PID:536

C:\Windows\SysWOW64\control.exe
Control intl.cpl,,/f:"C:\Users\Admin\AppData\Local\Temp\#data_cn.xml"
3⤵
- Suspicious use of WriteProcessMemory
PID:1628

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL intl.cpl,,/f:"C:\Users\Admin\AppData\Local\Temp\#data_cn.xml"
4⤵
- Checks computer location settings
- Modifies Control Panel
PID:1972

C:\Windows\SysWOW64\control.exe
Control intl.cpl,,/f:"C:\Users\Admin\AppData\Local\Temp\#language_cn.xml"
3⤵
- Suspicious use of WriteProcessMemory
PID:1524

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL intl.cpl,,/f:"C:\Users\Admin\AppData\Local\Temp\#language_cn.xml"
4⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies Control Panel
- Suspicious use of AdjustPrivilegeToken
PID:1636

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\#data_cn.xml
Filesize
328B

MD5
135b54ee584457e38900aa5ef4927e93

SHA1
a2ea4f0470bc7e2536be5253837138056bf36ab0

SHA256
df684c2110c297ae55896108604307257a15976c2cdf31cfdfe24f9d43fa4c1e

SHA512
cf40c4d10c5bd0b3c3606e05cd10b6017f1d7741cc558eade1d72c7878908ff7fa1ae203b71351c16a74859b063e8dbcf6485e0c3b2a931494fbc036939008aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\#language_cn.xml
Filesize
272B

MD5
2d1bf0ad83e940dc1719b47be2610968

SHA1
f3faa11de3c7596c2ca115731b01421c1962ec6b

SHA256
10a47d686608af38651d8ee34395a7cd7ccbbc56edc47ab313e9a8305f08da29

SHA512
f3ce04c5ebbae7d325a89b0dc552f2dac5d4634246fca6aef9496308f9767d07daf546c61a48e6faa71a2e823cca71a693c675cc7f8cd721fec660650fa0d9ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\#set.bat
Filesize
607B

MD5
e96c888d0105eec33bd43078fe9e3465

SHA1
18e5717b27c58fa6b42237e96a9801fb915dfdab

SHA256
49140826870c6fa7ed453bd3fdbbd3b771b7ceaeb829d5113a6e88de6bb36cb4

SHA512
3856fae17e6863d3a5b0fa4fd4b74d5008e43dbd524f17faeab747f31a5acdca476c91e0949b5f83be73a3f5c6a4e1780d5770977c47a7bb5abac83eb32cd5ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\#set.bat
Filesize
607B

MD5
e96c888d0105eec33bd43078fe9e3465

SHA1
18e5717b27c58fa6b42237e96a9801fb915dfdab

SHA256
49140826870c6fa7ed453bd3fdbbd3b771b7ceaeb829d5113a6e88de6bb36cb4

SHA512
3856fae17e6863d3a5b0fa4fd4b74d5008e43dbd524f17faeab747f31a5acdca476c91e0949b5f83be73a3f5c6a4e1780d5770977c47a7bb5abac83eb32cd5ec

Download Submit
memory/2020-55-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2020-67-0x0000000000400000-0x0000000003FFC000-memory.dmp

Filesize
60.0MB

Download
memory/2020-70-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2020-71-0x0000000000400000-0x0000000003FFC000-memory.dmp

Filesize
60.0MB

Download
memory/2020-72-0x0000000000400000-0x0000000003FFC000-memory.dmp

Filesize
60.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads