Analysis
- max time kernel: 140s
- max time network: 96s
- platform: windows10-2004_x64
- resource: win10v2004-20230621-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230621-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-06-2023 18:30
Behavioral task: behavioral1
- Sample: fd4ed6dde2c2439e8f32441bf9d00877efa9147d449ae50e2e391a4d04f3283c.exe
- Resource: win7-20230621-en
Behavioral task: behavioral2
- Sample: fd4ed6dde2c2439e8f32441bf9d00877efa9147d449ae50e2e391a4d04f3283c.exe
- Resource: win10v2004-20230621-en
General
- Target: fd4ed6dde2c2439e8f32441bf9d00877efa9147d449ae50e2e391a4d04f3283c.exe
- Size: 1.8MB
- MD5: 8d535ad4b5e90f01fce0faed11659e96
- SHA1: b6516dd03259d31aacf7398c21993aff47733ed5
- SHA256: fd4ed6dde2c2439e8f32441bf9d00877efa9147d449ae50e2e391a4d04f3283c
- SHA512: 48013c9fe16139e079e1f84c52fc2c5d3a5e512a10ebf4cca5708cf6f797584909cc7d5ce049e6a54228e24e1d9dbcdb72a327b7a7297a43ba9a29fc949ba4d0
- SSDEEP: 49152:WtX0zooTO8k0MmKoQMmiUXyTeOctXj8xe8gQU:WtdAeoQji3Kj8c
Malware Config
Signatures
- Modifies Windows Firewall 1 TTPs 3 IoCs
  Processes:
  pid  | process
  2892 | netsh.exe
  324  | netsh.exe
  3960 | netsh.exe
- Checks computer location settings 2 TTPs 2 IoCs
  Looks up country code configured in the registry, likely geofence.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Control Panel\International\Geo\Nation | rundll32.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Control Panel\International\Geo\Nation | rundll32.exe
- Modifies Control Panel 55 IoCs
  Processes:
  description | ioc | process
  Set value (data) | \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Control Panel\Desktop\PreferredUILanguagesPending = 65006e002d005500530000000000 | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Control Panel\International\User Profile\zh-Hans-CN | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Control Panel\International\sDecimal = "." | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Control Panel\International\sNativeDigits = "0123456789" | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Control Panel\International\iFirstDayOfWeek = "0" | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Control Panel\International\sPositiveSign | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Control Panel\International\iCurrency = "0" | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Control Panel\International\sLanguage = "CHS" | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Control Panel\International\iDate = "2" | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Control Panel\International\sGrouping = "3;0" | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Control Panel\International\sTime = ":" | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Control Panel\International\sLongDate = "yyyy'年'M'月'd'日'" | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Control Panel\International\sThousand = "," | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Control Panel\International\iMeasure = "0" | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Control Panel\International\iCalendarType = "1" | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Control Panel\International\s1159 = "上午" | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Control Panel\International\NumShape = "1" | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Control Panel\International | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Control Panel\International\iTLZero = "0" | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Control Panel\International\sYearMonth = "yyyy'年'M'月'" | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Control Panel\International\sCurrency = "¥" | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Control Panel\International\🌎🌏 | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Control Panel\International\sMonGrouping = "3;0" | rundll32.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Control Panel\International\User Profile\zh-Hans-CN\0804:{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}{FA550B04-5AD7-411F-A5AC-CA038EC515D7} = "1" | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Control Panel\International\LocaleName = "zh-CN" | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Control Panel\International\🌎🌏🌍\Calendar = "Gregorian" | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Control Panel\International\Locale = "00000804" | rundll32.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Control Panel\International\User Profile\ShowAutoCorrection = "1" | rundll32.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Control Panel\International\User Profile\ShowCasing = "1" | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Control Panel\International\sMonThousandSep = "," | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Control Panel\International\sNegativeSign = "-" | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Control Panel\International\iPaperSize = "9" | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Control Panel\International\sShortTime = "H:mm" | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Control Panel\International\iCountry = "86" | rundll32.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Control Panel\International\User Profile\ShowTextPrediction = "1" | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Control Panel\International\iCurrDigits = "2" | rundll32.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Control Panel\International\User Profile\Languages = 65006e002d005500530000007a0068002d00480061006e0073002d0043004e0000000000 | rundll32.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Control Panel\Desktop\PreviousPreferredUILanguages = 65006e002d005500530000000000 | rundll32.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Control Panel\International\User Profile\ShowShiftLock = "1" | rundll32.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Control Panel\International\User Profile\zh-Hans-CN\0804:{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}{FA550B04-5AD7-411F-A5AC-CA038EC515D7} = "1" | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Control Panel\International\iFirstWeekOfYear = "0" | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Control Panel\International\sTimeFormat = "H:mm:ss" | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Control Panel\International\iTime = "1" | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Control Panel\International\sShortDate = "yyyy/M/d" | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Control Panel\International\iNegCurr = "2" | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Control Panel\International\iLZero = "1" | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Control Panel\International\sList = "," | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Control Panel\International\iDigits = "2" | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Control Panel\International\iNegNumber = "1" | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Control Panel\International | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Control Panel\International\iTimePrefix = "0" | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Control Panel\International\sDate = "/" | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Control Panel\International\sMonDecimalSep = "." | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Control Panel\International\User Profile\en-US | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Control Panel\International\s2359 = "下午" | rundll32.exe
- Modifies Internet Explorer settings 1 IoCs
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\SOFTWARE\Microsoft\Internet Explorer\International\AcceptLanguage = "en-US,en;q=0.8,zh-Hans-CN;q=0.5,zh-Hans;q=0.2" | rundll32.exe
- Suspicious use of WriteProcessMemory 26 IoCs
  Processes:
  description | pid | process | target process
  PID 2912 wrote to memory of 4824 | 2912 | fd4ed6dde2c2439e8f32441bf9d00877efa9147d449ae50e2e391a4d04f3283c.exe | splwow64.exe
  PID 2912 wrote to memory of 4824 | 2912 | fd4ed6dde2c2439e8f32441bf9d00877efa9147d449ae50e2e391a4d04f3283c.exe | splwow64.exe
  PID 2912 wrote to memory of 1460 | 2912 | fd4ed6dde2c2439e8f32441bf9d00877efa9147d449ae50e2e391a4d04f3283c.exe | cmd.exe
  PID 2912 wrote to memory of 1460 | 2912 | fd4ed6dde2c2439e8f32441bf9d00877efa9147d449ae50e2e391a4d04f3283c.exe | cmd.exe
  PID 2912 wrote to memory of 1460 | 2912 | fd4ed6dde2c2439e8f32441bf9d00877efa9147d449ae50e2e391a4d04f3283c.exe | cmd.exe
  PID 1460 wrote to memory of 2892 | 1460 | cmd.exe | netsh.exe
  PID 1460 wrote to memory of 2892 | 1460 | cmd.exe | netsh.exe
  PID 1460 wrote to memory of 2892 | 1460 | cmd.exe | netsh.exe
  PID 1460 wrote to memory of 324 | 1460 | cmd.exe | netsh.exe
  PID 1460 wrote to memory of 324 | 1460 | cmd.exe | netsh.exe
  PID 1460 wrote to memory of 324 | 1460 | cmd.exe | netsh.exe
  PID 1460 wrote to memory of 3960 | 1460 | cmd.exe | netsh.exe
  PID 1460 wrote to memory of 3960 | 1460 | cmd.exe | netsh.exe
  PID 1460 wrote to memory of 3960 | 1460 | cmd.exe | netsh.exe
  PID 1460 wrote to memory of 3980 | 1460 | cmd.exe | control.exe
  PID 1460 wrote to memory of 3980 | 1460 | cmd.exe | control.exe
  PID 1460 wrote to memory of 3980 | 1460 | cmd.exe | control.exe
  PID 3980 wrote to memory of 4680 | 3980 | control.exe | rundll32.exe
  PID 3980 wrote to memory of 4680 | 3980 | control.exe | rundll32.exe
  PID 3980 wrote to memory of 4680 | 3980 | control.exe | rundll32.exe
  PID 1460 wrote to memory of 5108 | 1460 | cmd.exe | control.exe
  PID 1460 wrote to memory of 5108 | 1460 | cmd.exe | control.exe
  PID 1460 wrote to memory of 5108 | 1460 | cmd.exe | control.exe
  PID 5108 wrote to memory of 792 | 5108 | control.exe | rundll32.exe
  PID 5108 wrote to memory of 792 | 5108 | control.exe | rundll32.exe
  PID 5108 wrote to memory of 792 | 5108 | control.exe | rundll32.exe
Processes
[1] C:\Users\Admin\AppData\Local\Temp\fd4ed6dde2c2439e8f32441bf9d00877efa9147d449ae50e2e391a4d04f3283c.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\fd4ed6dde2c2439e8f32441bf9d00877efa9147d449ae50e2e391a4d04f3283c.exe"
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\splwow64.exe
        Command line: C:\Windows\splwow64.exe 12288
    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\#set.bat
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\netsh.exe
            Command line: netsh firewall set allowedprogram "C:\Users\Admin\AppData\Local\Temp\fd4ed6dde2c2439e8f32441bf9d00877efa9147d449ae50e2e391a4d04f3283c.exe" Sjms_App_Ys95 ENABLE
            - Modifies Windows Firewall
        [3] C:\Windows\SysWOW64\netsh.exe
            Command line: netsh firewall set portopening tcp 3933 Sjms_3933_Tcp ENABLE subnet
            - Modifies Windows Firewall
        [3] C:\Windows\SysWOW64\netsh.exe
            Command line: netsh firewall set portopening udp 3934 Sjms_3934_Udp ENABLE subnet
            - Modifies Windows Firewall
        [3] C:\Windows\SysWOW64\control.exe
            Command line: Control intl.cpl,,/f:"C:\Users\Admin\AppData\Local\Temp\#data_cn.xml"
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\rundll32.exe
                Command line: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL intl.cpl,,/f:"C:\Users\Admin\AppData\Local\Temp\#data_cn.xml"
                - Checks computer location settings
                - Modifies Control Panel
                - Modifies Internet Explorer settings
        [3] C:\Windows\SysWOW64\control.exe
            Command line: Control intl.cpl,,/f:"C:\Users\Admin\AppData\Local\Temp\#language_cn.xml"
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\rundll32.exe
                Command line: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL intl.cpl,,/f:"C:\Users\Admin\AppData\Local\Temp\#language_cn.xml"
                - Checks computer location settings
                - Modifies Control Panel
[1] C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
[1] C:\Windows\System32\InputMethod\CHS\ChsIME.exe
    Command line: C:\Windows\System32\InputMethod\CHS\ChsIME.exe -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\#data_cn.xml
  Filesize: 328B
  MD5: 135b54ee584457e38900aa5ef4927e93
  SHA1: a2ea4f0470bc7e2536be5253837138056bf36ab0
  SHA256: df684c2110c297ae55896108604307257a15976c2cdf31cfdfe24f9d43fa4c1e
  SHA512: cf40c4d10c5bd0b3c3606e05cd10b6017f1d7741cc558eade1d72c7878908ff7fa1ae203b71351c16a74859b063e8dbcf6485e0c3b2a931494fbc036939008aa
- C:\Users\Admin\AppData\Local\Temp\#language_cn.xml
  Filesize: 272B
  MD5: 2d1bf0ad83e940dc1719b47be2610968
  SHA1: f3faa11de3c7596c2ca115731b01421c1962ec6b
  SHA256: 10a47d686608af38651d8ee34395a7cd7ccbbc56edc47ab313e9a8305f08da29
  SHA512: f3ce04c5ebbae7d325a89b0dc552f2dac5d4634246fca6aef9496308f9767d07daf546c61a48e6faa71a2e823cca71a693c675cc7f8cd721fec660650fa0d9ac
- C:\Users\Admin\AppData\Local\Temp\#set.bat
  Filesize: 607B
  MD5: e96c888d0105eec33bd43078fe9e3465
  SHA1: 18e5717b27c58fa6b42237e96a9801fb915dfdab
  SHA256: 49140826870c6fa7ed453bd3fdbbd3b771b7ceaeb829d5113a6e88de6bb36cb4
  SHA512: 3856fae17e6863d3a5b0fa4fd4b74d5008e43dbd524f17faeab747f31a5acdca476c91e0949b5f83be73a3f5c6a4e1780d5770977c47a7bb5abac83eb32cd5ec
- memory/2912-133-0x00000000043F0000-0x00000000043F1000-memory.dmp
  Filesize: 4KB
- memory/2912-140-0x0000000000400000-0x0000000003FFC000-memory.dmp
  Filesize: 60.0MB
- memory/2912-142-0x00000000043F0000-0x00000000043F1000-memory.dmp
  Filesize: 4KB
- memory/2912-144-0x0000000000400000-0x0000000003FFC000-memory.dmp
  Filesize: 60.0MB