f2beafc9c07213ded42ab2c977086901a4c2c27fa7cc728aac76bfd615409dce

Analysis

max time kernel
144s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
22/12/2023, 13:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9e93954b1b1464748a0b18f7c2c59a9b.exe
Size

14.0MB
MD5

9e93954b1b1464748a0b18f7c2c59a9b
SHA1

cfa6a2185311fabc4eafd6b845c1d6b57622c62b
SHA256

f2beafc9c07213ded42ab2c977086901a4c2c27fa7cc728aac76bfd615409dce
SHA512

f466c9a2171ed7e5ae93805d71de9142f5fcb09f2db44d5d9498c2e5fa948d887b85fe09804191057a35e54ea547210ffc536e66015dc9009fdb30dfc11aa212
SSDEEP

393216:tah/nVE7bryzaPsVpURhWRwTItLfaaZO8MEZm9Ct2d:tWdE7brXup+hF2JTEgt2d

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	9e93954b1b1464748a0b18f7c2c59a9b.tmp

Executes dropped EXE 1 IoCs

pid	Process
452	9e93954b1b1464748a0b18f7c2c59a9b.tmp

Loads dropped DLL 5 IoCs

pid	Process
452	9e93954b1b1464748a0b18f7c2c59a9b.tmp
452	9e93954b1b1464748a0b18f7c2c59a9b.tmp
452	9e93954b1b1464748a0b18f7c2c59a9b.tmp
452	9e93954b1b1464748a0b18f7c2c59a9b.tmp
452	9e93954b1b1464748a0b18f7c2c59a9b.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 5 IoCs

evasion

pid	Process
2360	taskkill.exe
2032	taskkill.exe
1664	taskkill.exe
3204	taskkill.exe
4440	taskkill.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4440	taskkill.exe
Token: SeDebugPrivilege	1664	taskkill.exe
Token: SeDebugPrivilege	3204	taskkill.exe
Token: SeDebugPrivilege	2032	taskkill.exe
Token: SeDebugPrivilege	2360	taskkill.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
452	9e93954b1b1464748a0b18f7c2c59a9b.tmp

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1268 wrote to memory of 452	1268	9e93954b1b1464748a0b18f7c2c59a9b.exe	92
PID 1268 wrote to memory of 452	1268	9e93954b1b1464748a0b18f7c2c59a9b.exe	92
PID 1268 wrote to memory of 452	1268	9e93954b1b1464748a0b18f7c2c59a9b.exe	92
PID 452 wrote to memory of 4440	452	9e93954b1b1464748a0b18f7c2c59a9b.tmp	104
PID 452 wrote to memory of 4440	452	9e93954b1b1464748a0b18f7c2c59a9b.tmp	104
PID 452 wrote to memory of 4440	452	9e93954b1b1464748a0b18f7c2c59a9b.tmp	104
PID 452 wrote to memory of 3204	452	9e93954b1b1464748a0b18f7c2c59a9b.tmp	103
PID 452 wrote to memory of 3204	452	9e93954b1b1464748a0b18f7c2c59a9b.tmp	103
PID 452 wrote to memory of 3204	452	9e93954b1b1464748a0b18f7c2c59a9b.tmp	103
PID 452 wrote to memory of 1664	452	9e93954b1b1464748a0b18f7c2c59a9b.tmp	101
PID 452 wrote to memory of 1664	452	9e93954b1b1464748a0b18f7c2c59a9b.tmp	101
PID 452 wrote to memory of 1664	452	9e93954b1b1464748a0b18f7c2c59a9b.tmp	101
PID 452 wrote to memory of 2032	452	9e93954b1b1464748a0b18f7c2c59a9b.tmp	100
PID 452 wrote to memory of 2032	452	9e93954b1b1464748a0b18f7c2c59a9b.tmp	100
PID 452 wrote to memory of 2032	452	9e93954b1b1464748a0b18f7c2c59a9b.tmp	100
PID 452 wrote to memory of 2360	452	9e93954b1b1464748a0b18f7c2c59a9b.tmp	96
PID 452 wrote to memory of 2360	452	9e93954b1b1464748a0b18f7c2c59a9b.tmp	96
PID 452 wrote to memory of 2360	452	9e93954b1b1464748a0b18f7c2c59a9b.tmp	96

C:\Users\Admin\AppData\Local\Temp\9e93954b1b1464748a0b18f7c2c59a9b.exe
"C:\Users\Admin\AppData\Local\Temp\9e93954b1b1464748a0b18f7c2c59a9b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1268
- C:\Users\Admin\AppData\Local\Temp\is-DKD06.tmp\9e93954b1b1464748a0b18f7c2c59a9b.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-DKD06.tmp\9e93954b1b1464748a0b18f7c2c59a9b.tmp" /SL5="$A01CC,14231157,297472,C:\Users\Admin\AppData\Local\Temp\9e93954b1b1464748a0b18f7c2c59a9b.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:452
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /f /im QQPMInstall.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2360
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /f /im QQPhoneManagerWeb_990566.1.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2032
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /f /im adb.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1664
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /f /im zhuodashiupdater.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3204
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /f /im ZhuoDaShi.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-9HHF7.tmp\Office2007.cjstyles

Filesize
139KB

MD5
b23b40a169b17c388f0666bb4374c13a

SHA1
13b8c9cc6111aaa330e8f26d878ccb6044c2c9c2

SHA256
c7494288c6b7bb9660b46661aeefb8f6371b0a9fdc9c2d902f5e176c368a11c4

SHA512
872e9c9c1a4efdba91b59c15bad5de362f80c0d33018a6db50a84af23b0d2e03ee3bf5e1fdc5c71e61f8eba26b06d57b82aa3cb2f30672a823cadf6509799acc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-9HHF7.tmp\Office2007.cjstyles

Filesize
116KB

MD5
22ec759a8ea22b763b3ca65140aace89

SHA1
fdeef5747118160970857a6acd4be57b1c02b901

SHA256
dcd89e76bae3f7a6b557295ee5532d41db5714ae838cf6190c63d1e45ce7ca91

SHA512
02b80de1efe7b5a44f57e2e3f1d70a066f795980e3190e18d630fd48dccbb5a2d6a85f9e4e75c4c7d63565a93a150b5d8abb39a61b372dac10fd8aef98b372f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-9HHF7.tmp\isskin.dll

Filesize
132KB

MD5
5def04ef1f2b05c116d0536a8c928488

SHA1
05f69833c52da0f0589f3e15285302392f8ca541

SHA256
d5cdc1d18d8a063d81805c97063cc923b604e86d8e7b647ac04ac7e1c87c3836

SHA512
b71cc36e69956b6319f50a6031005950d30731e388dc3a9c832e94dc4882904e8443ea9f794f919ac3c9bde588cdf6c50069ca83d60a4c1b7b99ab129b7aa0e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-9HHF7.tmp\isskin.dll

Filesize
64KB

MD5
bf4201440da50a26146ad94e89aff62d

SHA1
6a6ea67b29d45ac370d35346a7c689f6b9095e7b

SHA256
9fea7cd4830c2af2ec65cabd6b6f9d4015c7a1ca7a3c522e63184661e3359adb

SHA512
874e38378c76e8fcea8a6af8a16f72dc3a76968f6a099a2d0b91fe0fe05e8297fb1747e891801a8c6c43d41651b30ccd0316cb00daa91d01e5a94c0a1eb88675

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-9HHF7.tmp\isxdl.dll

Filesize
121KB

MD5
48ad1a1c893ce7bf456277a0a085ed01

SHA1
803997ef17eedf50969115c529a2bf8de585dc91

SHA256
b0cc4697b2fd1b4163fddca2050fc62a9e7d221864f1bd11e739144c90b685b3

SHA512
7c9e7fe9f00c62cccb5921cb55ba0dd96a0077ad52962473c1e79cda1fd9aa101129637043955703121443e1f8b6b2860cd4dfdb71052b20a322e05deed101a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-DKD06.tmp\9e93954b1b1464748a0b18f7c2c59a9b.tmp

Filesize
335KB

MD5
6e0095e7fee30b8f0a22bd5fac868a7f

SHA1
8206e3ec3c8d20be7f7a7e8b9e383fb812b43207

SHA256
c8ec49ae58706b4edde1f566ad2782ac6b69a781236aa56450eb9440f20f4a17

SHA512
de30365272d8f2b0ad3b5422e4c5ff5df0c4aca6816442c9c2f4d4cf4546210a7fda2b614b8f495a7d20695ceb29766379bc15c7f8091954af6175e7280e19b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-DKD06.tmp\9e93954b1b1464748a0b18f7c2c59a9b.tmp

Filesize
383KB

MD5
bb9a4d803d722c87d7f1992ea9ad2ae1

SHA1
c5eb886cfa6a2c6774a75db4e95bbb9bf1855c1c

SHA256
2e86f8cac08d086351ac524138dc5c0a8b183b71d7ce77eedb399cfaf6e07958

SHA512
fe1e2aa5517cccbbc9622f37bdfc5f02d777d092cb9e7c38e33a398edd7b92e5ab473da964774f590c0df42e0e1516fdc5898e4b722a0c206216603764ec3c5d

Download Submit
memory/452-77-0x0000000075D20000-0x0000000075DCF000-memory.dmp

Filesize
700KB

Download
memory/452-69-0x0000000075310000-0x0000000075520000-memory.dmp

Filesize
2.1MB

Download
memory/452-71-0x0000000075AC0000-0x0000000075AE5000-memory.dmp

Filesize
148KB

Download
memory/452-46-0x0000000003980000-0x00000000039E0000-memory.dmp

Filesize
384KB

Download
memory/452-49-0x00000000755C0000-0x00000000756A3000-memory.dmp

Filesize
908KB

Download
memory/452-48-0x0000000003980000-0x00000000039E0000-memory.dmp

Filesize
384KB

Download
memory/452-50-0x0000000075E40000-0x00000000763F3000-memory.dmp

Filesize
5.7MB

Download
memory/452-53-0x0000000003980000-0x00000000039E0000-memory.dmp

Filesize
384KB

Download
memory/452-55-0x00000000755C0000-0x00000000756A3000-memory.dmp

Filesize
908KB

Download
memory/452-61-0x0000000003980000-0x00000000039E0000-memory.dmp

Filesize
384KB

Download
memory/452-67-0x0000000003980000-0x00000000039E0000-memory.dmp

Filesize
384KB

Download
memory/452-68-0x0000000075E40000-0x00000000763F3000-memory.dmp

Filesize
5.7MB

Download
memory/452-74-0x0000000003980000-0x00000000039E0000-memory.dmp

Filesize
384KB

Download
memory/452-75-0x0000000075E40000-0x00000000763F3000-memory.dmp

Filesize
5.7MB

Download
memory/452-76-0x0000000075310000-0x0000000075520000-memory.dmp

Filesize
2.1MB

Download
memory/452-82-0x00000000755C0000-0x00000000756A3000-memory.dmp

Filesize
908KB

Download
memory/452-88-0x0000000003980000-0x00000000039E0000-memory.dmp

Filesize
384KB

Download
memory/452-87-0x00000000747D0000-0x00000000748F4000-memory.dmp

Filesize
1.1MB

Download
memory/452-91-0x0000000003980000-0x00000000039E0000-memory.dmp

Filesize
384KB

Download
memory/452-90-0x0000000075310000-0x0000000075520000-memory.dmp

Filesize
2.1MB

Download
memory/452-89-0x0000000075E40000-0x00000000763F3000-memory.dmp

Filesize
5.7MB

Download
memory/452-86-0x0000000075290000-0x0000000075304000-memory.dmp

Filesize
464KB

Download
memory/452-85-0x0000000075D20000-0x0000000075DCF000-memory.dmp

Filesize
700KB

Download
memory/452-84-0x0000000075310000-0x0000000075520000-memory.dmp

Filesize
2.1MB

Download
memory/452-83-0x0000000075E40000-0x00000000763F3000-memory.dmp

Filesize
5.7MB

Download
memory/452-81-0x0000000075B90000-0x0000000075C6C000-memory.dmp

Filesize
880KB

Download
memory/452-80-0x0000000003980000-0x00000000039E0000-memory.dmp

Filesize
384KB

Download
memory/452-79-0x00000000747D0000-0x00000000748F4000-memory.dmp

Filesize
1.1MB

Download
memory/452-78-0x0000000075290000-0x0000000075304000-memory.dmp

Filesize
464KB

Download
memory/452-22-0x0000000003980000-0x00000000039E0000-memory.dmp

Filesize
384KB

Download
memory/452-73-0x00000000747D0000-0x00000000748F4000-memory.dmp

Filesize
1.1MB

Download
memory/452-72-0x0000000075290000-0x0000000075304000-memory.dmp

Filesize
464KB

Download
memory/452-44-0x0000000003980000-0x00000000039E0000-memory.dmp

Filesize
384KB

Download
memory/452-40-0x0000000003980000-0x00000000039E0000-memory.dmp

Filesize
384KB

Download
memory/452-59-0x0000000075290000-0x0000000075304000-memory.dmp

Filesize
464KB

Download
memory/452-66-0x00000000747D0000-0x00000000748F4000-memory.dmp

Filesize
1.1MB

Download
memory/452-65-0x0000000075290000-0x0000000075304000-memory.dmp

Filesize
464KB

Download
memory/452-64-0x0000000075D20000-0x0000000075DCF000-memory.dmp

Filesize
700KB

Download
memory/452-63-0x0000000075310000-0x0000000075520000-memory.dmp

Filesize
2.1MB

Download
memory/452-62-0x0000000075E40000-0x00000000763F3000-memory.dmp

Filesize
5.7MB

Download
memory/452-60-0x00000000747D0000-0x00000000748F4000-memory.dmp

Filesize
1.1MB

Download
memory/452-70-0x0000000075D20000-0x0000000075DCF000-memory.dmp

Filesize
700KB

Download
memory/452-58-0x0000000075D20000-0x0000000075DCF000-memory.dmp

Filesize
700KB

Download
memory/452-57-0x0000000075310000-0x0000000075520000-memory.dmp

Filesize
2.1MB

Download
memory/452-56-0x0000000075E40000-0x00000000763F3000-memory.dmp

Filesize
5.7MB

Download
memory/452-54-0x0000000075B90000-0x0000000075C6C000-memory.dmp

Filesize
880KB

Download
memory/452-52-0x0000000075D20000-0x0000000075DCF000-memory.dmp

Filesize
700KB

Download
memory/452-51-0x0000000075310000-0x0000000075520000-memory.dmp

Filesize
2.1MB

Download
memory/452-47-0x00000000747D0000-0x00000000748F4000-memory.dmp

Filesize
1.1MB

Download
memory/452-45-0x0000000075AC0000-0x0000000075AE5000-memory.dmp

Filesize
148KB

Download
memory/452-43-0x0000000003980000-0x00000000039E0000-memory.dmp

Filesize
384KB

Download
memory/452-42-0x0000000075AC0000-0x0000000075AE5000-memory.dmp

Filesize
148KB

Download
memory/452-41-0x0000000076CA0000-0x0000000076D1A000-memory.dmp

Filesize
488KB

Download
memory/452-39-0x0000000075AC0000-0x0000000075AE5000-memory.dmp

Filesize
148KB

Download
memory/452-38-0x0000000076CA0000-0x0000000076D1A000-memory.dmp

Filesize
488KB

Download
memory/452-37-0x0000000003980000-0x00000000039E0000-memory.dmp

Filesize
384KB

Download
memory/452-36-0x0000000076CA0000-0x0000000076D1A000-memory.dmp

Filesize
488KB

Download
memory/452-35-0x0000000003980000-0x00000000039E0000-memory.dmp

Filesize
384KB

Download
memory/452-34-0x0000000076CA0000-0x0000000076D1A000-memory.dmp

Filesize
488KB

Download
memory/452-33-0x0000000003980000-0x00000000039E0000-memory.dmp

Filesize
384KB

Download
memory/452-32-0x0000000076CA0000-0x0000000076D1A000-memory.dmp

Filesize
488KB

Download
memory/452-7-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/452-175-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/1268-2-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1268-174-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1268-0-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download