Malware Analysis Report

2024-09-09 12:22

Sample ID 240612-e6wkls1cnp
Target b6138bd31f0930d6f489ac8ef0dad8333b30bcebc51c0940b19ab4cb3ffbab73
SHA256 b6138bd31f0930d6f489ac8ef0dad8333b30bcebc51c0940b19ab4cb3ffbab73
Tags
persistence oss_ak execution evasion
score
9/10

Analysis Overview

score
9/10

SHA256

b6138bd31f0930d6f489ac8ef0dad8333b30bcebc51c0940b19ab4cb3ffbab73

Threat Level: Likely malicious

The file b6138bd31f0930d6f489ac8ef0dad8333b30bcebc51c0940b19ab4cb3ffbab73 was found to be: Likely malicious.

Malicious Activity Summary

persistence oss_ak execution evasion

detect oss ak

Stops running service(s)

Creates new service(s)

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Launches sc.exe

Enumerates physical storage devices

Program crash

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of SendNotifyMessage

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-12 04:33

Signatures

detect oss ak

oss_ak
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-12 04:33

Reported

2024-06-12 04:36

Platform

win10v2004-20240226-en

Max time kernel

138s

Max time network

160s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3560 wrote to memory of 4148 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3560 wrote to memory of 4148 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3560 wrote to memory of 4148 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4148 -ip 4148

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4148 -s 612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4292 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
GB 96.16.110.114:80 tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 142.250.178.10:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 10.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 11.179.89.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-06-12 04:33

Reported

2024-06-12 04:36

Platform

win7-20240611-en

Max time kernel

117s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\SystemClockHook.dll,#1

Signatures

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2448 wrote to memory of 1980 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2448 wrote to memory of 1980 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2448 wrote to memory of 1980 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2448 wrote to memory of 1980 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2448 wrote to memory of 1980 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2448 wrote to memory of 1980 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2448 wrote to memory of 1980 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\SystemClockHook.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\SystemClockHook.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-06-12 04:33

Reported

2024-06-12 04:36

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

56s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SystemClockHookHost_x64.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\SystemClockHookHost_x64.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\优效日历 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\YXCalendar.exe\" --autorun" C:\Users\Admin\AppData\Local\Temp\YXCalendar.exe N/A

Enumerates physical storage devices

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\YXCalendar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YXCalendar.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SystemClockHookHost_x64.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\SystemClockHookHost_x64.exe

"C:\Users\Admin\AppData\Local\Temp\SystemClockHookHost_x64.exe"

C:\Users\Admin\AppData\Local\Temp\YXCalendar.exe

"C:\Users\Admin\AppData\Local\Temp\YXCalendar.exe" --autorun

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-06-12 04:33

Reported

2024-06-12 04:36

Platform

win7-20240611-en

Max time kernel

120s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\SystemClockHook_x64.dll,#1

Signatures

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\SystemClockHook_x64.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-12 04:33

Reported

2024-06-12 04:36

Platform

win7-20240221-en

Max time kernel

120s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1724 -s 240

Network

N/A

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-06-12 04:33

Reported

2024-06-12 04:36

Platform

win10v2004-20240611-en

Max time kernel

93s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 532 wrote to memory of 4244 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 532 wrote to memory of 4244 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 532 wrote to memory of 4244 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 4244 -ip 4244

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4244 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-06-12 04:33

Reported

2024-06-12 04:36

Platform

win7-20240508-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\CrashReport.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\CrashReport.exe

"C:\Users\Admin\AppData\Local\Temp\CrashReport.exe"

Network

N/A

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-06-12 04:33

Reported

2024-06-12 04:36

Platform

win7-20240508-en

Max time kernel

121s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SystemTimeSyncService.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\SystemTimeSyncService.exe

"C:\Users\Admin\AppData\Local\Temp\SystemTimeSyncService.exe"

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-12 04:33

Reported

2024-06-12 04:36

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

51s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4216 wrote to memory of 2968 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4216 wrote to memory of 2968 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4216 wrote to memory of 2968 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2968 -ip 2968

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 624

Network

Files

memory/2968-0-0x0000000075260000-0x0000000075302000-memory.dmp

memory/2968-1-0x0000000075260000-0x0000000075302000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2024-06-12 04:33

Reported

2024-06-12 04:36

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

51s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\InstallSystemTimeSyncService.bat"

Signatures

Creates new service(s)

persistence execution

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2548 wrote to memory of 4284 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 2548 wrote to memory of 4284 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 2548 wrote to memory of 1000 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 2548 wrote to memory of 1000 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 2548 wrote to memory of 216 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 2548 wrote to memory of 216 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\InstallSystemTimeSyncService.bat"

C:\Windows\system32\sc.exe

sc create "优效日历网络时间同步服务" binPath= "C:\Users\Admin\AppData\Local\Temp\\SystemTimeSyncService.exe"

C:\Windows\system32\sc.exe

sc start "优效日历网络时间同步服务"

C:\Users\Admin\AppData\Local\Temp\SystemTimeSyncService.exe

C:\Users\Admin\AppData\Local\Temp\\SystemTimeSyncService.exe

C:\Windows\system32\sc.exe

sc config "优效日历网络时间同步服务" start= AUTO

Network

Country Destination Domain Proto
US 8.8.8.8:53 quan.suning.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 api.m.taobao.com udp

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-06-12 04:33

Reported

2024-06-12 04:36

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SystemTimeSyncService.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\SystemTimeSyncService.exe

"C:\Users\Admin\AppData\Local\Temp\SystemTimeSyncService.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 10.179.89.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-06-12 04:33

Reported

2024-06-12 04:36

Platform

win10v2004-20240611-en

Max time kernel

92s

Max time network

122s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\UninstallSystemTimeSyncService.bat"

Signatures

Stops running service(s)

evasion execution

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2516 wrote to memory of 692 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 2516 wrote to memory of 692 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 2516 wrote to memory of 1924 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 2516 wrote to memory of 1924 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\UninstallSystemTimeSyncService.bat"

C:\Windows\system32\sc.exe

sc stop "优效日历网络时间同步服务"

C:\Windows\system32\sc.exe

sc delete "优效日历网络时间同步服务"

Network

Country Destination Domain Proto
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 04:33

Reported

2024-06-12 04:36

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b6138bd31f0930d6f489ac8ef0dad8333b30bcebc51c0940b19ab4cb3ffbab73.exe"

Signatures

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\b6138bd31f0930d6f489ac8ef0dad8333b30bcebc51c0940b19ab4cb3ffbab73.exe

"C:\Users\Admin\AppData\Local\Temp\b6138bd31f0930d6f489ac8ef0dad8333b30bcebc51c0940b19ab4cb3ffbab73.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

C:\Users\Admin\AppData\Local\Temp\nse37FA.tmp\LogEx.dll

MD5 0f96d9eb959ad4e8fd205e6d58cf01b8
SHA1 7c45512cbdb24216afd23a9e8cdce0cfeaa7660f
SHA256 57ede354532937e38c4ae9da3710ee295705ea9770c402dfb3a5c56a32fd4314
SHA512 9f3afb61d75ac7b7dc84abcbf1b04f759b7055992d46140dc5dcc269aed22268d044ee8030f5ea260bbb912774e5bbb751560c16e54efa99c700b9fc7d48832c

C:\Users\Admin\AppData\Local\Temp\nse37FA.tmp\nsProcess.dll

MD5 f0438a894f3a7e01a4aae8d1b5dd0289
SHA1 b058e3fcfb7b550041da16bf10d8837024c38bf6
SHA256 30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11
SHA512 f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

C:\Users\Admin\AppData\Local\Temp\nse37FA.tmp\nsDialogs.dll

MD5 6c3f8c94d0727894d706940a8a980543
SHA1 0d1bcad901be377f38d579aafc0c41c0ef8dcefd
SHA256 56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2
SHA512 2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355

C:\Users\Admin\AppData\Local\Temp\nse37FA.tmp\System.dll

MD5 cff85c549d536f651d4fb8387f1976f2
SHA1 d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e
SHA256 8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8
SHA512 531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Analysis: behavioral14

Detonation Overview

Submitted

2024-06-12 04:33

Reported

2024-06-12 04:36

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\CrashReport.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\CrashReport.exe

"C:\Users\Admin\AppData\Local\Temp\CrashReport.exe"

Network

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-06-12 04:33

Reported

2024-06-12 04:36

Platform

win10v2004-20240226-en

Max time kernel

141s

Max time network

160s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\SystemClockHook.dll,#1

Signatures

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4748 wrote to memory of 1528 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4748 wrote to memory of 1528 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4748 wrote to memory of 1528 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\SystemClockHook.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\SystemClockHook.dll,#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4104 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
GB 23.44.234.16:80 tcp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 9.179.89.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-06-12 04:33

Reported

2024-06-12 04:36

Platform

win7-20240220-en

Max time kernel

126s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SystemClockHookHost_x64.exe"

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\优效日历 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\YXCalendar.exe\" --autorun" C:\Users\Admin\AppData\Local\Temp\YXCalendar.exe N/A

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SystemClockHookHost_x64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SystemClockHookHost_x64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SystemClockHookHost_x64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YXCalendar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YXCalendar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YXCalendar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YXCalendar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YXCalendar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YXCalendar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YXCalendar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YXCalendar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YXCalendar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YXCalendar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YXCalendar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YXCalendar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YXCalendar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YXCalendar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YXCalendar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SystemClockHookHost_x64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SystemClockHookHost_x64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YXCalendar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YXCalendar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YXCalendar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YXCalendar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YXCalendar.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\YXCalendar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YXCalendar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YXCalendar.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SystemClockHookHost_x64.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\SystemClockHookHost_x64.exe

"C:\Users\Admin\AppData\Local\Temp\SystemClockHookHost_x64.exe"

C:\Users\Admin\AppData\Local\Temp\YXCalendar.exe

"C:\Users\Admin\AppData\Local\Temp\YXCalendar.exe" --autorun

C:\Users\Admin\AppData\Local\Temp\SystemClockHookHost_x64.exe

"C:\Users\Admin\AppData\Local\Temp\SystemClockHookHost_x64.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.yxcal.com udp
CN 39.108.156.233:443 www.yxcal.com tcp
US 8.8.8.8:53 v0.yiketianqi.com udp
CN 43.142.61.38:443 v0.yiketianqi.com tcp
US 8.8.8.8:53 www.youxiao.cn udp
CN 58.218.215.166:443 www.youxiao.cn tcp
CN 58.218.215.168:443 www.youxiao.cn tcp
CN 58.218.215.169:443 www.youxiao.cn tcp
US 8.8.8.8:53 www.tianqiapi.com udp
CN 58.218.215.167:443 www.youxiao.cn tcp
CN 101.201.64.149:443 www.tianqiapi.com tcp
CN 58.218.215.164:443 www.youxiao.cn tcp
CN 58.218.215.165:443 www.youxiao.cn tcp
CN 58.218.215.162:443 www.youxiao.cn tcp
CN 58.218.215.163:443 www.youxiao.cn tcp
CN 43.142.61.38:443 v0.yiketianqi.com tcp
CN 39.108.156.233:443 www.yxcal.com tcp
CN 43.142.61.38:443 v0.yiketianqi.com tcp
CN 43.142.61.38:443 v0.yiketianqi.com tcp
CN 43.142.61.38:443 v0.yiketianqi.com tcp
CN 43.142.61.38:443 v0.yiketianqi.com tcp
CN 43.142.61.38:443 v0.yiketianqi.com tcp
CN 43.142.61.38:443 v0.yiketianqi.com tcp
CN 43.142.61.38:443 v0.yiketianqi.com tcp
CN 43.142.61.38:443 v0.yiketianqi.com tcp
CN 43.142.61.38:443 v0.yiketianqi.com tcp
CN 43.142.61.38:443 v0.yiketianqi.com tcp
CN 43.142.61.38:443 v0.yiketianqi.com tcp
CN 43.142.61.38:443 v0.yiketianqi.com tcp
CN 43.142.61.38:443 v0.yiketianqi.com tcp
CN 43.142.61.38:443 v0.yiketianqi.com tcp
CN 43.142.61.38:443 v0.yiketianqi.com tcp
CN 43.142.61.38:443 v0.yiketianqi.com tcp
CN 43.142.61.38:443 v0.yiketianqi.com tcp
CN 43.142.61.38:443 v0.yiketianqi.com tcp
CN 43.142.61.38:443 v0.yiketianqi.com tcp
CN 43.142.61.38:443 v0.yiketianqi.com tcp
CN 43.142.61.38:443 v0.yiketianqi.com tcp
CN 43.142.61.38:443 v0.yiketianqi.com tcp
CN 43.142.61.38:443 v0.yiketianqi.com tcp
CN 43.142.61.38:443 v0.yiketianqi.com tcp
CN 43.142.61.38:443 v0.yiketianqi.com tcp
CN 43.142.61.38:443 v0.yiketianqi.com tcp
CN 43.142.61.38:443 v0.yiketianqi.com tcp
CN 43.142.61.38:443 v0.yiketianqi.com tcp
CN 43.142.61.38:443 v0.yiketianqi.com tcp

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-06-12 04:33

Reported

2024-06-12 04:36

Platform

win10v2004-20240508-en

Max time kernel

142s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\YXCalendar.exe"

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\优效日历 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\YXCalendar.exe\" --autorun" C:\Users\Admin\AppData\Local\Temp\YXCalendar.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\YXCalendar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YXCalendar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YXCalendar.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\YXCalendar.exe

"C:\Users\Admin\AppData\Local\Temp\YXCalendar.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3404,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=4624 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-06-12 04:33

Reported

2024-06-12 04:36

Platform

win10v2004-20240226-en

Max time kernel

140s

Max time network

158s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\YXCapture.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1384 wrote to memory of 4892 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1384 wrote to memory of 4892 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1384 wrote to memory of 4892 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\YXCapture.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\YXCapture.dll,#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3180 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 11.179.89.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-12 04:33

Reported

2024-06-12 04:36

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

51s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LogEx.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3772 wrote to memory of 232 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3772 wrote to memory of 232 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3772 wrote to memory of 232 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LogEx.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LogEx.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 232 -ip 232

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 232 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-12 04:33

Reported

2024-06-12 04:36

Platform

win7-20240611-en

Max time kernel

122s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1744 -s 220

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-06-12 04:33

Reported

2024-06-12 04:36

Platform

win10v2004-20240508-en

Max time kernel

143s

Max time network

149s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3340 wrote to memory of 3348 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3340 wrote to memory of 3348 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3340 wrote to memory of 3348 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3348 -ip 3348

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3348 -s 636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4028,i,13281073920029625837,8253721632651544158,262144 --variations-seed-version --mojo-platform-channel-handle=3984 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-06-12 04:33

Reported

2024-06-12 04:36

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

51s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SystemClockHookHost.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\SystemClockHookHost.exe

"C:\Users\Admin\AppData\Local\Temp\SystemClockHookHost.exe"

Network

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-12 04:33

Reported

2024-06-12 04:36

Platform

win7-20240220-en

Max time kernel

120s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LogEx.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LogEx.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LogEx.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 224

Network

N/A

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-06-12 04:33

Reported

2024-06-12 04:36

Platform

win7-20240419-en

Max time kernel

122s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\YXCalendar.exe"

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\优效日历 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\YXCalendar.exe\" --autorun" C:\Users\Admin\AppData\Local\Temp\YXCalendar.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\YXCalendar.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\YXCalendar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YXCalendar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YXCalendar.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\YXCalendar.exe

"C:\Users\Admin\AppData\Local\Temp\YXCalendar.exe"

Network

N/A

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-12 04:33

Reported

2024-06-12 04:36

Platform

win7-20240221-en

Max time kernel

120s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2364 -s 232

Network

N/A

Files

memory/2364-1-0x0000000074DD0000-0x0000000074E72000-memory.dmp

memory/2364-0-0x0000000074DD0000-0x0000000074E72000-memory.dmp

memory/2364-2-0x0000000074DB0000-0x0000000074E52000-memory.dmp

memory/2364-3-0x0000000074DD0000-0x0000000074E72000-memory.dmp

memory/2364-4-0x0000000074DD0000-0x0000000074E72000-memory.dmp

memory/2364-5-0x0000000074D10000-0x0000000074DB2000-memory.dmp

Analysis: behavioral15

Detonation Overview

Submitted

2024-06-12 04:33

Reported

2024-06-12 04:36

Platform

win7-20240508-en

Max time kernel

119s

Max time network

120s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\InstallSystemTimeSyncService.bat"

Signatures

Creates new service(s)

persistence execution

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2416 wrote to memory of 2144 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 2416 wrote to memory of 2144 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 2416 wrote to memory of 2144 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 2416 wrote to memory of 2352 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 2416 wrote to memory of 2352 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 2416 wrote to memory of 2352 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 2416 wrote to memory of 2908 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 2416 wrote to memory of 2908 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 2416 wrote to memory of 2908 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\InstallSystemTimeSyncService.bat"

C:\Windows\system32\sc.exe

sc create "优效日历网络时间同步服务" binPath= "C:\Users\Admin\AppData\Local\Temp\\SystemTimeSyncService.exe"

C:\Windows\system32\sc.exe

sc start "优效日历网络时间同步服务"

C:\Users\Admin\AppData\Local\Temp\SystemTimeSyncService.exe

C:\Users\Admin\AppData\Local\Temp\\SystemTimeSyncService.exe

C:\Windows\system32\sc.exe

sc config "优效日历网络时间同步服务" start= AUTO

Network

Country Destination Domain Proto
US 8.8.8.8:53 quan.suning.com udp
US 8.8.8.8:53 api.m.taobao.com udp

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-06-12 04:33

Reported

2024-06-12 04:36

Platform

win7-20240611-en

Max time kernel

119s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\YXCapture.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2968 wrote to memory of 1192 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2968 wrote to memory of 1192 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2968 wrote to memory of 1192 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2968 wrote to memory of 1192 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2968 wrote to memory of 1192 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2968 wrote to memory of 1192 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2968 wrote to memory of 1192 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\YXCapture.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\YXCapture.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-06-12 04:33

Reported

2024-06-12 04:36

Platform

win7-20240611-en

Max time kernel

118s

Max time network

119s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\UninstallSystemTimeSyncService.bat"

Signatures

Stops running service(s)

evasion execution

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2472 wrote to memory of 2196 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 2472 wrote to memory of 2196 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 2472 wrote to memory of 2196 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 2472 wrote to memory of 2320 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 2472 wrote to memory of 2320 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 2472 wrote to memory of 2320 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\UninstallSystemTimeSyncService.bat"

C:\Windows\system32\sc.exe

sc stop "优效日历网络时间同步服务"

C:\Windows\system32\sc.exe

sc delete "优效日历网络时间同步服务"

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 04:33

Reported

2024-06-12 04:36

Platform

win7-20240508-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b6138bd31f0930d6f489ac8ef0dad8333b30bcebc51c0940b19ab4cb3ffbab73.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\b6138bd31f0930d6f489ac8ef0dad8333b30bcebc51c0940b19ab4cb3ffbab73.exe

"C:\Users\Admin\AppData\Local\Temp\b6138bd31f0930d6f489ac8ef0dad8333b30bcebc51c0940b19ab4cb3ffbab73.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nsi284A.tmp\nsProcess.dll

MD5 f0438a894f3a7e01a4aae8d1b5dd0289
SHA1 b058e3fcfb7b550041da16bf10d8837024c38bf6
SHA256 30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11
SHA512 f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

\Users\Admin\AppData\Local\Temp\nsi284A.tmp\LogEx.dll

MD5 0f96d9eb959ad4e8fd205e6d58cf01b8
SHA1 7c45512cbdb24216afd23a9e8cdce0cfeaa7660f
SHA256 57ede354532937e38c4ae9da3710ee295705ea9770c402dfb3a5c56a32fd4314
SHA512 9f3afb61d75ac7b7dc84abcbf1b04f759b7055992d46140dc5dcc269aed22268d044ee8030f5ea260bbb912774e5bbb751560c16e54efa99c700b9fc7d48832c

\Users\Admin\AppData\Local\Temp\nsi284A.tmp\nsDialogs.dll

MD5 6c3f8c94d0727894d706940a8a980543
SHA1 0d1bcad901be377f38d579aafc0c41c0ef8dcefd
SHA256 56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2
SHA512 2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355

\Users\Admin\AppData\Local\Temp\nsi284A.tmp\System.dll

MD5 cff85c549d536f651d4fb8387f1976f2
SHA1 d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e
SHA256 8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8
SHA512 531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Analysis: behavioral11

Detonation Overview

Submitted

2024-06-12 04:33

Reported

2024-06-12 04:36

Platform

win7-20240611-en

Max time kernel

119s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2220 -s 224

Network

N/A

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-06-12 04:33

Reported

2024-06-12 04:36

Platform

win7-20240221-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SystemClockHookHost.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\SystemClockHookHost.exe

"C:\Users\Admin\AppData\Local\Temp\SystemClockHookHost.exe"

Network

N/A

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-06-12 04:33

Reported

2024-06-12 04:36

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

51s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\SystemClockHook_x64.dll,#1

Signatures

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\SystemClockHook_x64.dll,#1

Network

Files

N/A