0536e8097943b8cbbff2056942a33995ba30e961333dd5c133ba554fd14fc071

General

Target

捆绑工具/cd‮gpj.scr
Size

892KB
MD5

90803dcaf894fc823203e0c2de6b9973
SHA1

8dcaac8b782b0b6430e28cf38b5687fa01f5d798
SHA256

6aba460394207b0a9182163bfeb818070ab42b9d4f85f3f061e95d63f20f9352
SHA512

01da48c040036a8d28d034d4e08d946af61ca1fe641e7de581604562dc1f0a85c07e4f39a4777472be5c7f1dcf61102b3caf02fc7b4b765745e21f842761ff51
SSDEEP

24576:SA3LStU4gf2EW5A2DJr/kS4vGIk6v3Hfx:SAbh43Dp/wPHZ

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

MicrosoftTe569148.exeWindowsUpdate.exeHacker.com.cn.exe

pid process

3956 MicrosoftTe569148.exe
3984 WindowsUpdate.exe
1416 Hacker.com.cn.exe

pid	process
3956	MicrosoftTe569148.exe
3984	WindowsUpdate.exe
1416	Hacker.com.cn.exe

Drops file in Windows directory 3 IoCs

Processes:

WindowsUpdate.exe

description	ioc	process
File created	C:\Windows\Hacker.com.cn.exe	WindowsUpdate.exe
File opened for modification	C:\Windows\Hacker.com.cn.exe	WindowsUpdate.exe
File created	C:\Windows\uninstal.bat	WindowsUpdate.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 5 IoCs

Processes:

Hacker.com.cn.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	Hacker.com.cn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	Hacker.com.cn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	Hacker.com.cn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	Hacker.com.cn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	Hacker.com.cn.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

WindowsUpdate.exeHacker.com.cn.exe

description pid process

Token: SeDebugPrivilege 3984 WindowsUpdate.exe
Token: SeDebugPrivilege 1416 Hacker.com.cn.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

rundll32.exeHacker.com.cn.exe

pid process

3416 rundll32.exe
1416 Hacker.com.cn.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

cd‮gpj.scrMicrosoftTe569148.exe

pid process

4792 cd‮gpj.scr
4792 cd‮gpj.scr
3956 MicrosoftTe569148.exe
3956 MicrosoftTe569148.exe

description	pid	process
Token: SeDebugPrivilege	3984	WindowsUpdate.exe
Token: SeDebugPrivilege	1416	Hacker.com.cn.exe

pid	process
3416	rundll32.exe
1416	Hacker.com.cn.exe

pid	process
4792	cd‮gpj.scr
4792	cd‮gpj.scr
3956	MicrosoftTe569148.exe
3956	MicrosoftTe569148.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

cd‮gpj.scrMicrosoftTe569148.exeHacker.com.cn.exeWindowsUpdate.exe

description	pid	process	target process
PID 4792 wrote to memory of 3956	4792	cd‮gpj.scr	MicrosoftTe569148.exe
PID 4792 wrote to memory of 3956	4792	cd‮gpj.scr	MicrosoftTe569148.exe
PID 4792 wrote to memory of 3956	4792	cd‮gpj.scr	MicrosoftTe569148.exe
PID 3956 wrote to memory of 3416	3956	MicrosoftTe569148.exe	rundll32.exe
PID 3956 wrote to memory of 3416	3956	MicrosoftTe569148.exe	rundll32.exe
PID 3956 wrote to memory of 3416	3956	MicrosoftTe569148.exe	rundll32.exe
PID 3956 wrote to memory of 3984	3956	MicrosoftTe569148.exe	WindowsUpdate.exe
PID 3956 wrote to memory of 3984	3956	MicrosoftTe569148.exe	WindowsUpdate.exe
PID 3956 wrote to memory of 3984	3956	MicrosoftTe569148.exe	WindowsUpdate.exe
PID 1416 wrote to memory of 1432	1416	Hacker.com.cn.exe	IEXPLORE.EXE
PID 1416 wrote to memory of 1432	1416	Hacker.com.cn.exe	IEXPLORE.EXE
PID 3984 wrote to memory of 4976	3984	WindowsUpdate.exe	cmd.exe
PID 3984 wrote to memory of 4976	3984	WindowsUpdate.exe	cmd.exe
PID 3984 wrote to memory of 4976	3984	WindowsUpdate.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\捆绑工具\cd‮gpj.scr
"C:\Users\Admin\AppData\Local\Temp\捆绑工具\cd‮gpj.scr" /S
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4792

C:\Users\Admin\AppData\Roaming\MicrosoftTe569148.exe
"C:\Users\Admin\AppData\Roaming\MicrosoftTe569148.exe" dmedmedme "C:\Users\Admin\AppData\Local\Temp\捆绑工具\cd‮gpj.scr"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3956

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe shimgvw.dll,ImageView_Fullscreen C:\Users\Admin\AppData\Local\Temp\cdrcs.jpg
3⤵
- Suspicious use of FindShellTrayWindow
PID:3416

C:\Users\Admin\AppData\Roaming\Microsoft\WindowsUpdate.exe
C:\Users\Admin\AppData\Roaming\Microsoft\WindowsUpdate.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
4⤵
PID:4976

C:\Windows\Hacker.com.cn.exe
C:\Windows\Hacker.com.cn.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1416

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE"
2⤵
PID:1432

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cdrcs.jpg
Filesize
101KB

MD5
1a8f05f7be42ac31b63073eb4ae5caf6

SHA1
3fcd89b2c0af639242cffc810de19587af873310

SHA256
8b1cdf954057c38855ecef86730a32396cc7171edb2fb678a0e2278e1cd5f2e8

SHA512
c470883526cadbdf361dc4688799840b17cbc4afa36f593b81d8311fbb1e06d6f82011c71d47da60f020d05f141b8854994a599d28abea71241d3135eb26be6d

Download Submit
C:\Users\Admin\AppData\Roaming\MicrosoftTe569148.exe
Filesize
892KB

MD5
90803dcaf894fc823203e0c2de6b9973

SHA1
8dcaac8b782b0b6430e28cf38b5687fa01f5d798

SHA256
6aba460394207b0a9182163bfeb818070ab42b9d4f85f3f061e95d63f20f9352

SHA512
01da48c040036a8d28d034d4e08d946af61ca1fe641e7de581604562dc1f0a85c07e4f39a4777472be5c7f1dcf61102b3caf02fc7b4b765745e21f842761ff51

Download Submit
C:\Users\Admin\AppData\Roaming\MicrosoftTe569148.exe
Filesize
892KB

MD5
90803dcaf894fc823203e0c2de6b9973

SHA1
8dcaac8b782b0b6430e28cf38b5687fa01f5d798

SHA256
6aba460394207b0a9182163bfeb818070ab42b9d4f85f3f061e95d63f20f9352

SHA512
01da48c040036a8d28d034d4e08d946af61ca1fe641e7de581604562dc1f0a85c07e4f39a4777472be5c7f1dcf61102b3caf02fc7b4b765745e21f842761ff51

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\WindowsUpdate.exe
Filesize
743KB

MD5
8f3497f4c9474b330c69513fc253ea86

SHA1
86fedc8abdc2ab7e4c476df2d412f5127dd25ed7

SHA256
9250d9a336372cdd7771ebe5c52581befc8c5f73a4760c23879d389f1e1945b2

SHA512
17beffb9bdae1658657d4a30f78aecc5f68c779a034fb1c361f59a7c885150a34b7abff00a18d54983a2aff2544f9f7caf3ef5332c6833de241240330a696512

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\WindowsUpdate.exe
Filesize
743KB

MD5
8f3497f4c9474b330c69513fc253ea86

SHA1
86fedc8abdc2ab7e4c476df2d412f5127dd25ed7

SHA256
9250d9a336372cdd7771ebe5c52581befc8c5f73a4760c23879d389f1e1945b2

SHA512
17beffb9bdae1658657d4a30f78aecc5f68c779a034fb1c361f59a7c885150a34b7abff00a18d54983a2aff2544f9f7caf3ef5332c6833de241240330a696512

Download Submit
C:\Windows\Hacker.com.cn.exe
Filesize
743KB

MD5
8f3497f4c9474b330c69513fc253ea86

SHA1
86fedc8abdc2ab7e4c476df2d412f5127dd25ed7

SHA256
9250d9a336372cdd7771ebe5c52581befc8c5f73a4760c23879d389f1e1945b2

SHA512
17beffb9bdae1658657d4a30f78aecc5f68c779a034fb1c361f59a7c885150a34b7abff00a18d54983a2aff2544f9f7caf3ef5332c6833de241240330a696512

Download Submit
C:\Windows\Hacker.com.cn.exe
Filesize
743KB

MD5
8f3497f4c9474b330c69513fc253ea86

SHA1
86fedc8abdc2ab7e4c476df2d412f5127dd25ed7

SHA256
9250d9a336372cdd7771ebe5c52581befc8c5f73a4760c23879d389f1e1945b2

SHA512
17beffb9bdae1658657d4a30f78aecc5f68c779a034fb1c361f59a7c885150a34b7abff00a18d54983a2aff2544f9f7caf3ef5332c6833de241240330a696512

Download Submit
C:\Windows\uninstal.bat
Filesize
166B

MD5
fd330ecb3cd2db88d610ebc99c8fab16

SHA1
21cd421e82b3e9a50fa78d9487c159eb5e8e63c7

SHA256
ac1a53e6387ca397d0544c71ed12171a12c33748678d016434fc34055b217d1c

SHA512
0c6e080f016ecae3715f077b178a50d62f7241138c131ed0624593afcb63883a41eb251b0885bf49a826c4ec1902263489f0ee2623d5791c5428273487c4d0ca

Download Submit
memory/3416-135-0x0000000000000000-mapping.dmp

Download
memory/3956-132-0x0000000000000000-mapping.dmp

Download
memory/3984-137-0x0000000000000000-mapping.dmp

Download
memory/4976-142-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads