Analysis
- max time kernel: 148s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20231222-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-01-2024 17:15
Static task: static1
Behavioral task: behavioral1
- Sample: 约翰迪尔融资租赁有限公司.bmp
- Resource: win7-20231215-en, windows7-x64
- 2 signatures
- 150 seconds
General
- Target: 约翰迪尔融资租赁有限公司.bmp (the filename reads "John Deere Financial Leasing Co., Ltd.")
- Size: 1.9MB
- MD5: 0c82b65faf383bfc67c9e78c074f34ab
- SHA1: b902acf84344894ef9f4267d1622297e3a3bcc2b
- SHA256: 1fbfd71dd3e01fbc430819c0d0e7057033a9ba996827da9c20d35234d3bb17e9
- SHA512: 6fd52f3885489145ff4d9ef6218fa18b338f573f9dcfe0386556366b162f50d98b451be103d9133f7a5555b9825adb9e51bc0062c319a46337b4eaf3ca26af45
- SSDEEP: 1536:8pobi/CKreZvXQ/v/fYJy0SE0+tVWdl3EwaDN6M21IdPMHlHE8hPzkOoY0ge/v/f:5
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  Key value queried: \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation (process: cmd.exe)
- Drops file in Windows directory (1 IoC)
  File opened for modification: C:\Windows\Debug\WIA\wiatrace.log (process: mspaint.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (1 IoC)
  Key created: \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings (process: cmd.exe)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 3936 mspaint.exe, 2 occurrences
- Suspicious use of SetWindowsHookEx (4 IoCs)
  PID 3936 mspaint.exe, 4 occurrences
- Suspicious use of WriteProcessMemory (2 IoCs)
  PID 1544 cmd.exe wrote to the memory of PID 3936 mspaint.exe, 2 occurrences
Processes
- (depth 1) C:\Windows\system32\cmd.exe, PID 1544
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\约翰迪尔融资租赁有限公司.bmp
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - (depth 2, child of PID 1544) C:\Windows\system32\mspaint.exe, PID 3936
    Command line: "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\约翰迪尔融资租赁有限公司.bmp"
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
- (depth 1) C:\Windows\system32\svchost.exe, PID 2176
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
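Added example, written for this page and not taken from the sandbox or any vendor tooling: a Python replay of the IoC tables and process tree above through rules modelled on the report's signature names, plus the two triage checks a reader of this report would want next, namely which child the shell actually launched for the .bmp, and whether the viewer's file writes and cross-process writes go beyond what a shell-launched image viewer produces. The event records are constructed from the tables above (they are not a raw sandbox log); the event kinds, rule predicates, the allowlist of known viewer writes and every function name are assumptions of the example.

```python
"""Replay of this report's per-process observations through a small rule set.

Added example, not the sandbox's own signature engine. Event records are
constructed from the report's IoC tables; event kinds, rule predicates, the
allowlist and the function names are assumptions made for the example.
"""
from dataclasses import dataclass
from typing import Callable, Optional

SID = "S-1-5-21-1168293393-3419776239-306423207-1000"
HKU = "\\REGISTRY\\USER\\" + SID
GEO_KEY = HKU + "\\Control Panel\\International\\Geo\\Nation"
CLASSES_KEY = HKU + "_Classes\\Local Settings"
SAMPLE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\约翰迪尔融资租赁有限公司.bmp"


@dataclass(frozen=True)
class Event:
    pid: int
    image: str
    kind: str         # reg_query | reg_create | file_write | proc_write | proc_create | hook | enum_procs
    target: str = ""  # key path, file path, target/child PID (as string) or API name
    detail: str = ""  # child command line for proc_create


# Constructed from the report's IoC tables; repeated entries mirror the IoC counts.
EVENTS = [
    Event(1544, "cmd.exe", "proc_create", "3936",
          '"C:\\Windows\\system32\\mspaint.exe" "' + SAMPLE + '"'),
    Event(1544, "cmd.exe", "reg_query", GEO_KEY),
    Event(1544, "cmd.exe", "reg_create", CLASSES_KEY),
    Event(1544, "cmd.exe", "proc_write", "3936"),
    Event(1544, "cmd.exe", "proc_write", "3936"),
    Event(3936, "mspaint.exe", "file_write", "C:\\Windows\\Debug\\WIA\\wiatrace.log"),
    Event(3936, "mspaint.exe", "enum_procs"),
    Event(3936, "mspaint.exe", "enum_procs"),
] + [Event(3936, "mspaint.exe", "hook", "SetWindowsHookEx")] * 4

# Predicates modelled on the report's signature names (assumed, not the sandbox's rules).
RULES: "dict[str, Callable[[Event], bool]]" = {
    "Checks computer location settings":
        lambda e: e.kind == "reg_query"
        and e.target.lower().endswith("\\control panel\\international\\geo\\nation"),
    "Drops file in Windows directory":
        lambda e: e.kind == "file_write" and e.target.lower().startswith("c:\\windows\\"),
    "Modifies registry class":
        lambda e: e.kind == "reg_create" and "_classes\\" in e.target.lower(),
    "Suspicious behavior: EnumeratesProcesses":
        lambda e: e.kind == "enum_procs",
    "Suspicious use of SetWindowsHookEx":
        lambda e: e.kind == "hook" and e.target == "SetWindowsHookEx",
    "Suspicious use of WriteProcessMemory":
        lambda e: e.kind == "proc_write",
}


def fire_signatures(events: "list[Event]") -> "dict[str, list[Event]]":
    """Map each signature name to the events that triggered it; only fired ones are returned."""
    hits = {name: [e for e in events if pred(e)] for name, pred in RULES.items()}
    return {name: es for name, es in hits.items() if es}


def ioc_counts(events: "list[Event]") -> "dict[str, int]":
    """IoC count per fired signature, comparable to the counts in the report's headings."""
    return {name: len(es) for name, es in fire_signatures(events).items()}


def handler_for_sample(events: "list[Event]", sample_path: str) -> Optional[str]:
    """Executable of the child whose command line carries the sample path.

    cmd /c on a data file resolves the file association, so this is the
    registered handler; for a .bmp anything other than an image viewer
    would deserve a closer look.
    """
    for e in events:
        if e.kind == "proc_create" and sample_path.lower() in e.detail.lower():
            cmd = e.detail
            return cmd[1:cmd.index('"', 1)] if cmd.startswith('"') else cmd.split()[0]
    return None


# Assumption: the only file write expected from the viewer is the WIA trace log
# the report attributes to mspaint.exe. Anything else is surfaced for review.
KNOWN_VIEWER_WRITES = {"c:\\windows\\debug\\wia\\wiatrace.log"}


def unexplained_writes(events: "list[Event]", viewer_pid: int) -> "list[Event]":
    """File writes by the viewer process that are not in the allowlist."""
    return [e for e in events
            if e.pid == viewer_pid and e.kind == "file_write"
            and e.target.lower() not in KNOWN_VIEWER_WRITES]


def injection_candidates(events: "list[Event]") -> "list[Event]":
    """WriteProcessMemory events whose writer did not itself create the target.

    A parent writing into the child it just spawned is commonly seen as part
    of process creation; a writer with no proc_create for that target is the
    case worth treating as injection.
    """
    created = {(e.pid, e.target) for e in events if e.kind == "proc_create"}
    return [e for e in events if e.kind == "proc_write" and (e.pid, e.target) not in created]
```

Run against the constructed events, `ioc_counts` reproduces the counts in the signature headings (1, 1, 1, 2, 4, 2), `handler_for_sample` resolves to mspaint.exe, and both `unexplained_writes` and `injection_candidates` come back empty: every signature here fires on the launch of the registered viewer and on the viewer's own trace log, so the dynamic signatures alone do not separate a malicious bitmap from a benign one. That judgement needs the static analysis of the file, which is not shown in this section.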