Analysis

  • max time kernel
    140s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230621-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230621-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25-06-2023 18:30

General

  • Target

    fd4ed6dde2c2439e8f32441bf9d00877efa9147d449ae50e2e391a4d04f3283c.exe

  • Size

    1.8MB

  • MD5

    8d535ad4b5e90f01fce0faed11659e96

  • SHA1

    b6516dd03259d31aacf7398c21993aff47733ed5

  • SHA256

    fd4ed6dde2c2439e8f32441bf9d00877efa9147d449ae50e2e391a4d04f3283c

  • SHA512

    48013c9fe16139e079e1f84c52fc2c5d3a5e512a10ebf4cca5708cf6f797584909cc7d5ce049e6a54228e24e1d9dbcdb72a327b7a7297a43ba9a29fc949ba4d0

  • SSDEEP

    49152:WtX0zooTO8k0MmKoQMmiUXyTeOctXj8xe8gQU:WtdAeoQji3Kj8c

Score
8/10

Malware Config

Signatures

  • Modifies Windows Firewall 1 TTPs 3 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, which the sandbox flags as a likely geofence. In this trace the lookups come from rundll32.exe applying intl.cpl with the dropped #data_cn.xml and #language_cn.xml files (see Processes), so they are at least as likely to be part of the regional-settings change itself as a geofence check; the presence of ChsIME.exe (the Simplified Chinese input method) in the process list is consistent with a language change.

  • Modifies Control Panel 55 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fd4ed6dde2c2439e8f32441bf9d00877efa9147d449ae50e2e391a4d04f3283c.exe
    "C:\Users\Admin\AppData\Local\Temp\fd4ed6dde2c2439e8f32441bf9d00877efa9147d449ae50e2e391a4d04f3283c.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2912
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:4824
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\#set.bat
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1460
        • C:\Windows\SysWOW64\netsh.exe
          netsh firewall set allowedprogram "C:\Users\Admin\AppData\Local\Temp\fd4ed6dde2c2439e8f32441bf9d00877efa9147d449ae50e2e391a4d04f3283c.exe" Sjms_App_Ys95 ENABLE
          3⤵
          • Modifies Windows Firewall
          PID:2892
        • C:\Windows\SysWOW64\netsh.exe
          netsh firewall set portopening tcp 3933 Sjms_3933_Tcp ENABLE subnet
          3⤵
          • Modifies Windows Firewall
          PID:324
        • C:\Windows\SysWOW64\netsh.exe
          netsh firewall set portopening udp 3934 Sjms_3934_Udp ENABLE subnet
          3⤵
          • Modifies Windows Firewall
          PID:3960
        • C:\Windows\SysWOW64\control.exe
          Control intl.cpl,,/f:"C:\Users\Admin\AppData\Local\Temp\#data_cn.xml"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3980
          • C:\Windows\SysWOW64\rundll32.exe
            "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL intl.cpl,,/f:"C:\Users\Admin\AppData\Local\Temp\#data_cn.xml"
            4⤵
            • Checks computer location settings
            • Modifies Control Panel
            • Modifies Internet Explorer settings
            PID:4680
        • C:\Windows\SysWOW64\control.exe
          Control intl.cpl,,/f:"C:\Users\Admin\AppData\Local\Temp\#language_cn.xml"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:5108
          • C:\Windows\SysWOW64\rundll32.exe
            "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL intl.cpl,,/f:"C:\Users\Admin\AppData\Local\Temp\#language_cn.xml"
            4⤵
            • Checks computer location settings
            • Modifies Control Panel
            PID:792
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
    1⤵
    PID:1728
  • C:\Windows\System32\InputMethod\CHS\ChsIME.exe
    C:\Windows\System32\InputMethod\CHS\ChsIME.exe -Embedding
    1⤵
    PID:4780
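The behaviour of #set.bat, turned into detection logic that can be run over process-creation telemetry (Sysmon Event ID 1 or Security 4688 command lines). This is an added example written for this page, not code from the sandbox or from the sample; the command lines it is run against are copied from the process tree above, with two constructed benign events added so the rules can be shown not to fire on them. The rule names and the Finding type are my own.

```python
"""Detection rules for the behaviours recorded in the process tree above: legacy
``netsh firewall`` exceptions, unattended regional-settings changes through
intl.cpl, and cmd.exe running a batch file staged in a user Temp directory.
The rules run over (pid, command line) pairs."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    detail: str


# Legacy "netsh firewall" context, positional syntax as used by #set.bat.
_NETSH_ALLOWED = re.compile(
    r'\bnetsh(?:\.exe)?\s+firewall\s+(?:set|add)\s+allowedprogram\s+'
    r'(?:"(?P<qpath>[^"]+)"|(?P<path>\S+))\s+(?P<name>\S+)\s+(?P<mode>enable|disable)\b',
    re.I)
_NETSH_PORT = re.compile(
    r'\bnetsh(?:\.exe)?\s+firewall\s+(?:set|add)\s+portopening\s+'
    r'(?P<proto>tcp|udp)\s+(?P<port>\d+)\s+(?P<name>\S+)\s+(?P<mode>enable|disable)\b'
    r'(?:\s+(?P<scope>all|subnet|custom))?',
    re.I)
# control.exe or rundll32 Control_RunDLL applying intl.cpl from an unattended XML file.
_INTL_UNATTENDED = re.compile(r'intl\.cpl\s*,\s*,\s*/f:"?(?P<xml>[^"\s]+)"?', re.I)
# cmd.exe /c or /k executing a .bat or .cmd file.
_CMD_BATCH = re.compile(r'\bcmd(?:\.exe)?"?\s+/[ck]\s+"?(?P<bat>[^"\s]+\.(?:bat|cmd))\b', re.I)
_USER_TEMP = re.compile(r'\\AppData\\Local\\Temp\\', re.I)


def _temp_note(path):
    """Flag paths under a user's %TEMP%, where all three dropped files live."""
    return " [staged in a user Temp directory]" if _USER_TEMP.search(path) else ""


def check_event(pid, cmdline):
    """Return the findings for one process-creation event."""
    findings = []
    m = _NETSH_ALLOWED.search(cmdline)
    if m:
        path = m.group("qpath") or m.group("path")
        findings.append(Finding(pid, "legacy_netsh_firewall",
            f"allowedprogram name={m['name']} mode={m['mode'].upper()} "
            f"program={path}{_temp_note(path)}"))
    m = _NETSH_PORT.search(cmdline)
    if m:
        scope = (m["scope"] or "all").lower()
        findings.append(Finding(pid, "legacy_netsh_firewall",
            f"portopening {m['proto'].lower()}/{m['port']} name={m['name']} "
            f"mode={m['mode'].upper()} scope={scope}"))
    m = _INTL_UNATTENDED.search(cmdline)
    if m:
        findings.append(Finding(pid, "intl_cpl_unattended",
            f"regional settings applied from {m['xml']}{_temp_note(m['xml'])}"))
    m = _CMD_BATCH.search(cmdline)
    if m:
        findings.append(Finding(pid, "cmd_runs_batch",
            f"batch file {m['bat']}{_temp_note(m['bat'])}"))
    return findings


def scan(events):
    """Run every rule over an iterable of (pid, command line) pairs."""
    return [f for pid, cmd in events for f in check_event(pid, cmd)]


# Command lines copied from this report's process tree, plus two constructed
# benign events (a modern netsh advfirewall rule and a plain control.exe call).
_EXE = r"C:\Users\Admin\AppData\Local\Temp\fd4ed6dde2c2439e8f32441bf9d00877efa9147d449ae50e2e391a4d04f3283c.exe"
SAMPLE_EVENTS = [
    (1460, r"C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\#set.bat"),
    (2892, f'netsh firewall set allowedprogram "{_EXE}" Sjms_App_Ys95 ENABLE'),
    (324, "netsh firewall set portopening tcp 3933 Sjms_3933_Tcp ENABLE subnet"),
    (3960, "netsh firewall set portopening udp 3934 Sjms_3934_Udp ENABLE subnet"),
    (3980, r'Control intl.cpl,,/f:"C:\Users\Admin\AppData\Local\Temp\#data_cn.xml"'),
    (4680, r'"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL intl.cpl,,/f:"C:\Users\Admin\AppData\Local\Temp\#data_cn.xml"'),
    (5108, r'Control intl.cpl,,/f:"C:\Users\Admin\AppData\Local\Temp\#language_cn.xml"'),
    (792, r'"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL intl.cpl,,/f:"C:\Users\Admin\AppData\Local\Temp\#language_cn.xml"'),
    (9001, 'netsh advfirewall firewall add rule name="Allow SSH" dir=in action=allow protocol=TCP localport=22'),  # constructed, benign
    (9002, "control intl.cpl"),  # constructed, benign
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"PID {f.pid:<5} {f.rule:<22} {f.detail}")
```

The rules are deliberately scoped to the deprecated `netsh firewall` context, which on a current Windows 10 host is itself unusual enough to be worth an alert; rules written through `netsh advfirewall` or the NetSecurity cmdlets need separate logic. The `subnet` scope on the two port openings is worth surfacing, since it means the listener on 3933/tcp and 3934/udp is being exposed to the local network rather than only to localhost.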

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence: Modify Existing Service (T1031) 1
  • Defense Evasion: Modify Registry (T1112) 1
  • Discovery: Query Registry (T1012) 1
  • Discovery: System Information Discovery (T1082) 1


Downloads

  • C:\Users\Admin\AppData\Local\Temp\#data_cn.xml
    Filesize: 328B
    MD5: 135b54ee584457e38900aa5ef4927e93
    SHA1: a2ea4f0470bc7e2536be5253837138056bf36ab0
    SHA256: df684c2110c297ae55896108604307257a15976c2cdf31cfdfe24f9d43fa4c1e
    SHA512: cf40c4d10c5bd0b3c3606e05cd10b6017f1d7741cc558eade1d72c7878908ff7fa1ae203b71351c16a74859b063e8dbcf6485e0c3b2a931494fbc036939008aa

  • C:\Users\Admin\AppData\Local\Temp\#language_cn.xml
    Filesize: 272B
    MD5: 2d1bf0ad83e940dc1719b47be2610968
    SHA1: f3faa11de3c7596c2ca115731b01421c1962ec6b
    SHA256: 10a47d686608af38651d8ee34395a7cd7ccbbc56edc47ab313e9a8305f08da29
    SHA512: f3ce04c5ebbae7d325a89b0dc552f2dac5d4634246fca6aef9496308f9767d07daf546c61a48e6faa71a2e823cca71a693c675cc7f8cd721fec660650fa0d9ac

  • C:\Users\Admin\AppData\Local\Temp\#set.bat
    Filesize: 607B
    MD5: e96c888d0105eec33bd43078fe9e3465
    SHA1: 18e5717b27c58fa6b42237e96a9801fb915dfdab
    SHA256: 49140826870c6fa7ed453bd3fdbbd3b771b7ceaeb829d5113a6e88de6bb36cb4
    SHA512: 3856fae17e6863d3a5b0fa4fd4b74d5008e43dbd524f17faeab747f31a5acdca476c91e0949b5f83be73a3f5c6a4e1780d5770977c47a7bb5abac83eb32cd5ec

  • memory/2912-133-0x00000000043F0000-0x00000000043F1000-memory.dmp
    Filesize: 4KB

  • memory/2912-140-0x0000000000400000-0x0000000003FFC000-memory.dmp
    Filesize: 60.0MB

  • memory/2912-142-0x00000000043F0000-0x00000000043F1000-memory.dmp
    Filesize: 4KB

  • memory/2912-144-0x0000000000400000-0x0000000003FFC000-memory.dmp
    Filesize: 60.0MB