Analysis
-
max time kernel
143s
-
max time network
112s
-
platform
windows7_x64
-
resource
win7-20220901-en
-
resource tags
arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
-
submitted
26-11-2022 04:06
Static task
static1
Behavioral task
behavioral1
Sample
捆绑 工具/cdgpj.scr
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
捆绑 工具/cdgpj.scr
Resource
win10v2004-20220812-en
Behavioral task
behavioral3
Sample
捆绑 工具/浴血凤凰JPG TXT捆绑器.exe
Resource
win7-20221111-en
Behavioral task
behavioral4
Sample
捆绑 工具/浴血凤凰JPG TXT捆绑器.exe
Resource
win10v2004-20220812-en
General
-
Target
捆绑 工具/cdgpj.scr
-
Size
892KB
-
MD5
90803dcaf894fc823203e0c2de6b9973
-
SHA1
8dcaac8b782b0b6430e28cf38b5687fa01f5d798
-
SHA256
6aba460394207b0a9182163bfeb818070ab42b9d4f85f3f061e95d63f20f9352
-
SHA512
01da48c040036a8d28d034d4e08d946af61ca1fe641e7de581604562dc1f0a85c07e4f39a4777472be5c7f1dcf61102b3caf02fc7b4b765745e21f842761ff51
-
SSDEEP
24576:SA3LStU4gf2EW5A2DJr/kS4vGIk6v3Hfx:SAbh43Dp/wPHZ
Malware Config
Signatures
-
Executes dropped EXE (3 IoCs)
Processes:
pid   process
1524  MicrosoftT6c1aa3.exe
1052  WindowsUpdate.exe
1472  Hacker.com.cn.exe
-
Loads dropped DLL (6 IoCs)
Processes:
pid   process
1328  cdgpj.scr
1328  cdgpj.scr
1524  MicrosoftT6c1aa3.exe
1052  WindowsUpdate.exe
1052  WindowsUpdate.exe
1052  WindowsUpdate.exe
-
Drops file in System32 directory (1 IoC)
Processes:
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | Hacker.com.cn.exe
-
Drops file in Windows directory (3 IoCs)
Processes:
description | ioc | process
File created | C:\Windows\Hacker.com.cn.exe | WindowsUpdate.exe
File opened for modification | C:\Windows\Hacker.com.cn.exe | WindowsUpdate.exe
File created | C:\Windows\uninstal.bat | WindowsUpdate.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies data under HKEY_USERS (28 IoCs)
Processes:
description | ioc | process
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\b6-07-a8-3f-ea-82\WpadDecisionReason = "1" | Hacker.com.cn.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\b6-07-a8-3f-ea-82\WpadDecisionTime = 40308fd8b401d901 | Hacker.com.cn.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | Hacker.com.cn.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | Hacker.com.cn.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | Hacker.com.cn.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\b6-07-a8-3f-ea-82\WpadDetectedUrl | Hacker.com.cn.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | Hacker.com.cn.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9E35C5D7-4ECF-42C3-AE14-E05545E1BE84}\WpadDecisionReason = "1" | Hacker.com.cn.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9E35C5D7-4ECF-42C3-AE14-E05545E1BE84}\WpadDecisionTime = 40308fd8b401d901 | Hacker.com.cn.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9E35C5D7-4ECF-42C3-AE14-E05545E1BE84} | Hacker.com.cn.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\b6-07-a8-3f-ea-82\WpadDecision = "0" | Hacker.com.cn.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | Hacker.com.cn.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | Hacker.com.cn.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | Hacker.com.cn.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | Hacker.com.cn.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\b6-07-a8-3f-ea-82 | Hacker.com.cn.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | Hacker.com.cn.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9E35C5D7-4ECF-42C3-AE14-E05545E1BE84}\WpadNetworkName = "Network 2" | Hacker.com.cn.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | Hacker.com.cn.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | Hacker.com.cn.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9E35C5D7-4ECF-42C3-AE14-E05545E1BE84}\WpadDecisionTime = 6089e10cb501d901 | Hacker.com.cn.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | Hacker.com.cn.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0011000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | Hacker.com.cn.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | Hacker.com.cn.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9E35C5D7-4ECF-42C3-AE14-E05545E1BE84}\WpadDecision = "0" | Hacker.com.cn.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0011000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | Hacker.com.cn.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\b6-07-a8-3f-ea-82\WpadDecisionTime = 6089e10cb501d901 | Hacker.com.cn.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9E35C5D7-4ECF-42C3-AE14-E05545E1BE84}\b6-07-a8-3f-ea-82 | Hacker.com.cn.exe
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 1052 | WindowsUpdate.exe
Token: SeDebugPrivilege | 1472 | Hacker.com.cn.exe
-
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes:
pid   process
812   rundll32.exe
1472  Hacker.com.cn.exe
-
Suspicious use of SetWindowsHookEx (4 IoCs)
Processes:
pid   process
1328  cdgpj.scr
1328  cdgpj.scr
1524  MicrosoftT6c1aa3.exe
1524  MicrosoftT6c1aa3.exe
-
Suspicious use of WriteProcessMemory (29 IoCs; identical rows collapsed, count in last column)
Processes:
description | pid | process | target process | count
PID 1328 wrote to memory of 1524 | 1328 | cdgpj.scr | MicrosoftT6c1aa3.exe | 4
PID 1524 wrote to memory of 812 | 1524 | MicrosoftT6c1aa3.exe | rundll32.exe | 7
PID 1524 wrote to memory of 1052 | 1524 | MicrosoftT6c1aa3.exe | WindowsUpdate.exe | 7
PID 1472 wrote to memory of 856 | 1472 | Hacker.com.cn.exe | IEXPLORE.EXE | 4
PID 1052 wrote to memory of 1656 | 1052 | WindowsUpdate.exe | cmd.exe | 7
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\捆绑 工具\cdgpj.scr
    Command line: "C:\Users\Admin\AppData\Local\Temp\捆绑 工具\cdgpj.scr" /S
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Roaming\MicrosoftT6c1aa3.exe
        Command line: "C:\Users\Admin\AppData\Roaming\MicrosoftT6c1aa3.exe" dmedmedme "C:\Users\Admin\AppData\Local\Temp\捆绑 工具\cdgpj.scr"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\rundll32.exe
            Command line: rundll32.exe shimgvw.dll,ImageView_Fullscreen C:\Users\Admin\AppData\Local\Temp\cdrcs.jpg
            - Suspicious use of FindShellTrayWindow
        [3] C:\Users\Admin\AppData\Roaming\Microsoft\WindowsUpdate.exe
            Command line: C:\Users\Admin\AppData\Roaming\Microsoft\WindowsUpdate.exe
            - Executes dropped EXE
            - Loads dropped DLL
            - Drops file in Windows directory
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\cmd.exe
                Command line: cmd /c C:\Windows\uninstal.bat
-
[1] C:\Windows\Hacker.com.cn.exe
    Command line: C:\Windows\Hacker.com.cn.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    [2] C:\Program Files\Internet Explorer\IEXPLORE.EXE
        Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\cdrcs.jpg
Filesize
101KB
MD5
1a8f05f7be42ac31b63073eb4ae5caf6
SHA1
3fcd89b2c0af639242cffc810de19587af873310
SHA256
8b1cdf954057c38855ecef86730a32396cc7171edb2fb678a0e2278e1cd5f2e8
SHA512
c470883526cadbdf361dc4688799840b17cbc4afa36f593b81d8311fbb1e06d6f82011c71d47da60f020d05f141b8854994a599d28abea71241d3135eb26be6d
-
C:\Users\Admin\AppData\Roaming\MicrosoftT6c1aa3.exe
Filesize
892KB
MD5
90803dcaf894fc823203e0c2de6b9973
SHA1
8dcaac8b782b0b6430e28cf38b5687fa01f5d798
SHA256
6aba460394207b0a9182163bfeb818070ab42b9d4f85f3f061e95d63f20f9352
SHA512
01da48c040036a8d28d034d4e08d946af61ca1fe641e7de581604562dc1f0a85c07e4f39a4777472be5c7f1dcf61102b3caf02fc7b4b765745e21f842761ff51
-
C:\Users\Admin\AppData\Roaming\Microsoft\WindowsUpdate.exe
Filesize
743KB
MD5
8f3497f4c9474b330c69513fc253ea86
SHA1
86fedc8abdc2ab7e4c476df2d412f5127dd25ed7
SHA256
9250d9a336372cdd7771ebe5c52581befc8c5f73a4760c23879d389f1e1945b2
SHA512
17beffb9bdae1658657d4a30f78aecc5f68c779a034fb1c361f59a7c885150a34b7abff00a18d54983a2aff2544f9f7caf3ef5332c6833de241240330a696512
-
C:\Windows\Hacker.com.cn.exe
Filesize
743KB
MD5
8f3497f4c9474b330c69513fc253ea86
SHA1
86fedc8abdc2ab7e4c476df2d412f5127dd25ed7
SHA256
9250d9a336372cdd7771ebe5c52581befc8c5f73a4760c23879d389f1e1945b2
SHA512
17beffb9bdae1658657d4a30f78aecc5f68c779a034fb1c361f59a7c885150a34b7abff00a18d54983a2aff2544f9f7caf3ef5332c6833de241240330a696512
-
C:\Windows\uninstal.bat
Filesize
166B
MD5
fd330ecb3cd2db88d610ebc99c8fab16
SHA1
21cd421e82b3e9a50fa78d9487c159eb5e8e63c7
SHA256
ac1a53e6387ca397d0544c71ed12171a12c33748678d016434fc34055b217d1c
SHA512
0c6e080f016ecae3715f077b178a50d62f7241138c131ed0624593afcb63883a41eb251b0885bf49a826c4ec1902263489f0ee2623d5791c5428273487c4d0ca
-
\Users\Admin\AppData\Roaming\MicrosoftT6c1aa3.exe
Filesize
892KB
MD5
90803dcaf894fc823203e0c2de6b9973
SHA1
8dcaac8b782b0b6430e28cf38b5687fa01f5d798
SHA256
6aba460394207b0a9182163bfeb818070ab42b9d4f85f3f061e95d63f20f9352
SHA512
01da48c040036a8d28d034d4e08d946af61ca1fe641e7de581604562dc1f0a85c07e4f39a4777472be5c7f1dcf61102b3caf02fc7b4b765745e21f842761ff51
-
\Users\Admin\AppData\Roaming\Microsoft\WindowsUpdate.exe
Filesize
743KB
MD5
8f3497f4c9474b330c69513fc253ea86
SHA1
86fedc8abdc2ab7e4c476df2d412f5127dd25ed7
SHA256
9250d9a336372cdd7771ebe5c52581befc8c5f73a4760c23879d389f1e1945b2
SHA512
17beffb9bdae1658657d4a30f78aecc5f68c779a034fb1c361f59a7c885150a34b7abff00a18d54983a2aff2544f9f7caf3ef5332c6833de241240330a696512
-
memory/812-62-0x0000000000000000-mapping.dmp
-
memory/1052-68-0x0000000000000000-mapping.dmp
-
memory/1328-54-0x0000000075FE1000-0x0000000075FE3000-memory.dmp
Filesize
8KB
-
memory/1524-65-0x0000000001DA0000-0x0000000001E5A000-memory.dmp
Filesize
744KB
-
memory/1524-57-0x0000000000000000-mapping.dmp
-
memory/1656-78-0x0000000000000000-mapping.dmp