Analysis
- max time kernel: 143s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-11-2022 04:06
Static task
- static1
Behavioral tasks
- behavioral1: Sample 捆绑 工具/cdgpj.scr, Resource win7-20220901-en
- behavioral2: Sample 捆绑 工具/cdgpj.scr, Resource win10v2004-20220812-en
- behavioral3: Sample 捆绑 工具/浴血凤凰JPG TXT捆绑器.exe, Resource win7-20221111-en
- behavioral4: Sample 捆绑 工具/浴血凤凰JPG TXT捆绑器.exe, Resource win10v2004-20220812-en
General
- Target: 捆绑 工具/cdgpj.scr
- Size: 892KB
- MD5: 90803dcaf894fc823203e0c2de6b9973
- SHA1: 8dcaac8b782b0b6430e28cf38b5687fa01f5d798
- SHA256: 6aba460394207b0a9182163bfeb818070ab42b9d4f85f3f061e95d63f20f9352
- SHA512: 01da48c040036a8d28d034d4e08d946af61ca1fe641e7de581604562dc1f0a85c07e4f39a4777472be5c7f1dcf61102b3caf02fc7b4b765745e21f842761ff51
- SSDEEP: 24576:SA3LStU4gf2EW5A2DJr/kS4vGIk6v3Hfx:SAbh43Dp/wPHZ
Malware Config
Signatures
- Executes dropped EXE (3 IoCs)
  Processes: MicrosoftTe569148.exe, WindowsUpdate.exe, Hacker.com.cn.exe
  pid | process
  3956 | MicrosoftTe569148.exe
  3984 | WindowsUpdate.exe
  1416 | Hacker.com.cn.exe
- Drops file in Windows directory (3 IoCs)
  Processes: WindowsUpdate.exe
  description | ioc | process
  File created | C:\Windows\Hacker.com.cn.exe | WindowsUpdate.exe
  File opened for modification | C:\Windows\Hacker.com.cn.exe | WindowsUpdate.exe
  File created | C:\Windows\uninstal.bat | WindowsUpdate.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies data under HKEY_USERS (5 IoCs)
  Processes: Hacker.com.cn.exe
  description | ioc | process
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | Hacker.com.cn.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | Hacker.com.cn.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | Hacker.com.cn.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | Hacker.com.cn.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | Hacker.com.cn.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: WindowsUpdate.exe, Hacker.com.cn.exe
  description | pid | process
  Token: SeDebugPrivilege | 3984 | WindowsUpdate.exe
  Token: SeDebugPrivilege | 1416 | Hacker.com.cn.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes: rundll32.exe, Hacker.com.cn.exe
  pid | process
  3416 | rundll32.exe
  1416 | Hacker.com.cn.exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes: cdgpj.scr, MicrosoftTe569148.exe
  pid | process
  4792 | cdgpj.scr (2 entries)
  3956 | MicrosoftTe569148.exe (2 entries)
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes: cdgpj.scr, MicrosoftTe569148.exe, Hacker.com.cn.exe, WindowsUpdate.exe
  description | pid | process | target process
  PID 4792 wrote to memory of 3956 | 4792 | cdgpj.scr | MicrosoftTe569148.exe (3 entries)
  PID 3956 wrote to memory of 3416 | 3956 | MicrosoftTe569148.exe | rundll32.exe (3 entries)
  PID 3956 wrote to memory of 3984 | 3956 | MicrosoftTe569148.exe | WindowsUpdate.exe (3 entries)
  PID 1416 wrote to memory of 1432 | 1416 | Hacker.com.cn.exe | IEXPLORE.EXE (2 entries)
  PID 3984 wrote to memory of 4976 | 3984 | WindowsUpdate.exe | cmd.exe (3 entries)
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\捆绑 工具\cdgpj.scr
  Command line: "C:\Users\Admin\AppData\Local\Temp\捆绑 工具\cdgpj.scr" /S
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Users\Admin\AppData\Roaming\MicrosoftTe569148.exe
    Command line: "C:\Users\Admin\AppData\Roaming\MicrosoftTe569148.exe" dmedmedme "C:\Users\Admin\AppData\Local\Temp\捆绑 工具\cdgpj.scr"
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe shimgvw.dll,ImageView_Fullscreen C:\Users\Admin\AppData\Local\Temp\cdrcs.jpg
      - Suspicious use of FindShellTrayWindow
    - [depth 3] C:\Users\Admin\AppData\Roaming\Microsoft\WindowsUpdate.exe
      Command line: C:\Users\Admin\AppData\Roaming\Microsoft\WindowsUpdate.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - [depth 4] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
- [depth 1] C:\Windows\Hacker.com.cn.exe
  Command line: C:\Windows\Hacker.com.cn.exe
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Program Files\Internet Explorer\IEXPLORE.EXE
    Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\cdrcs.jpg
  Filesize: 101KB
  MD5: 1a8f05f7be42ac31b63073eb4ae5caf6
  SHA1: 3fcd89b2c0af639242cffc810de19587af873310
  SHA256: 8b1cdf954057c38855ecef86730a32396cc7171edb2fb678a0e2278e1cd5f2e8
  SHA512: c470883526cadbdf361dc4688799840b17cbc4afa36f593b81d8311fbb1e06d6f82011c71d47da60f020d05f141b8854994a599d28abea71241d3135eb26be6d
- C:\Users\Admin\AppData\Roaming\MicrosoftTe569148.exe
  Filesize: 892KB
  MD5: 90803dcaf894fc823203e0c2de6b9973
  SHA1: 8dcaac8b782b0b6430e28cf38b5687fa01f5d798
  SHA256: 6aba460394207b0a9182163bfeb818070ab42b9d4f85f3f061e95d63f20f9352
  SHA512: 01da48c040036a8d28d034d4e08d946af61ca1fe641e7de581604562dc1f0a85c07e4f39a4777472be5c7f1dcf61102b3caf02fc7b4b765745e21f842761ff51
- C:\Users\Admin\AppData\Roaming\Microsoft\WindowsUpdate.exe
  Filesize: 743KB
  MD5: 8f3497f4c9474b330c69513fc253ea86
  SHA1: 86fedc8abdc2ab7e4c476df2d412f5127dd25ed7
  SHA256: 9250d9a336372cdd7771ebe5c52581befc8c5f73a4760c23879d389f1e1945b2
  SHA512: 17beffb9bdae1658657d4a30f78aecc5f68c779a034fb1c361f59a7c885150a34b7abff00a18d54983a2aff2544f9f7caf3ef5332c6833de241240330a696512
- C:\Windows\Hacker.com.cn.exe
  Filesize: 743KB
  MD5: 8f3497f4c9474b330c69513fc253ea86
  SHA1: 86fedc8abdc2ab7e4c476df2d412f5127dd25ed7
  SHA256: 9250d9a336372cdd7771ebe5c52581befc8c5f73a4760c23879d389f1e1945b2
  SHA512: 17beffb9bdae1658657d4a30f78aecc5f68c779a034fb1c361f59a7c885150a34b7abff00a18d54983a2aff2544f9f7caf3ef5332c6833de241240330a696512
- C:\Windows\uninstal.bat
  Filesize: 166B
  MD5: fd330ecb3cd2db88d610ebc99c8fab16
  SHA1: 21cd421e82b3e9a50fa78d9487c159eb5e8e63c7
  SHA256: ac1a53e6387ca397d0544c71ed12171a12c33748678d016434fc34055b217d1c
  SHA512: 0c6e080f016ecae3715f077b178a50d62f7241138c131ed0624593afcb63883a41eb251b0885bf49a826c4ec1902263489f0ee2623d5791c5428273487c4d0ca
- memory/3416-135-0x0000000000000000-mapping.dmp
- memory/3956-132-0x0000000000000000-mapping.dmp
- memory/3984-137-0x0000000000000000-mapping.dmp
- memory/4976-142-0x0000000000000000-mapping.dmp