joker | fbc97e576d8894f6fc7249dd5f6b3a553a57e14d659b731a9d5011aa81758344

Analysis

max time kernel
146s
max time network
128s
platform
windows7_x64
resource
win7-20220715-en
resource tags

arch:x64arch:x86image:win7-20220715-enlocale:en-usos:windows7-x64system
submitted
04-08-2022 13:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fbc97e576d8894f6fc7249dd5f6b3a553a57e14d659b731a9d5011aa81758344.exe
Size

1.3MB
MD5

505395fed6f0d92efd4584f5b9327ac8
SHA1

82e2d416ce0dc5f7bbf858751c710df9aa686940
SHA256

fbc97e576d8894f6fc7249dd5f6b3a553a57e14d659b731a9d5011aa81758344
SHA512

ffc656e967a0d56d8663275f31e7538b95b00e22d14e84a6b819ce3f4e7f2d30b82c293cd6046c046bf0a76dd7b05be28e93f6f77ab8bb7cc03b6a8e27bcc2ad

Score

10^/10

joker infostealer trojan

Malware Config

Signatures

joker
Joker is an Android malware that targets billing and SMS fraud.
infostealer trojan joker
Downloads MZ/PE file

Executes dropped EXE 8 IoCs

pid	Process
1100	WXWork.exe
1060	aliyun_assist_service.exe
832	aliyun_assist_service.exe
1828	coremailclient.exe
1492	aliyun_assist_service.exe
1056	aliyun_assist_service.exe
460	Process not Found
1120	aliyun_assist_service.exe

Deletes itself 1 IoCs

pid	Process
1540	fbc97e576d8894f6fc7249dd5f6b3a553a57e14d659b731a9d5011aa81758344.exe

Loads dropped DLL 14 IoCs

pid	Process
1540	fbc97e576d8894f6fc7249dd5f6b3a553a57e14d659b731a9d5011aa81758344.exe
1540	fbc97e576d8894f6fc7249dd5f6b3a553a57e14d659b731a9d5011aa81758344.exe
1060	aliyun_assist_service.exe
1060	aliyun_assist_service.exe
1060	aliyun_assist_service.exe
1100	WXWork.exe
1100	WXWork.exe
832	aliyun_assist_service.exe
1060	aliyun_assist_service.exe
2004	cmd.exe
1492	aliyun_assist_service.exe
2004	cmd.exe
1056	aliyun_assist_service.exe
1120	aliyun_assist_service.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1556	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-671 = "AUS Eastern Daylight Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-141 = "Canada Central Daylight Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-42 = "E. South America Standard Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-32 = "Mid-Atlantic Standard Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-364 = "Middle East Daylight Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-302 = "Romance Standard Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-82 = "Atlantic Standard Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-31 = "Mid-Atlantic Daylight Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-841 = "Argentina Daylight Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-592 = "Malay Peninsula Standard Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-341 = "Egypt Daylight Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-581 = "North Asia East Daylight Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1411 = "Syria Daylight Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-365 = "Middle East Standard Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-362 = "GTB Standard Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-192 = "Mountain Standard Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-212 = "Pacific Standard Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-871 = "Pakistan Daylight Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-242 = "Samoa Standard Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-691 = "Tasmania Daylight Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-632 = "Tokyo Standard Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-681 = "E. Australia Daylight Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-631 = "Tokyo Daylight Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-334 = "Jordan Daylight Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-381 = "South Africa Daylight Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-412 = "E. Africa Standard Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-162 = "Central Standard Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-471 = "Ekaterinburg Daylight Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-492 = "India Standard Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-772 = "Montevideo Standard Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-181 = "Mountain Daylight Time (Mexico)"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-132 = "US Eastern Standard Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-391 = "Arab Daylight Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-261 = "GMT Daylight Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-52 = "Greenland Standard Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-335 = "Jordan Standard Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-872 = "Pakistan Standard Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-791 = "SA Western Daylight Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-511 = "Central Asia Daylight Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-441 = "Arabian Daylight Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1022 = "Bangladesh Standard Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-432 = "Iran Standard Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-521 = "N. Central Asia Daylight Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-91 = "Pacific SA Daylight Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-241 = "Samoa Daylight Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-562 = "SE Asia Standard Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-392 = "Arab Standard Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-751 = "Tonga Daylight Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-281 = "Central Europe Daylight Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-722 = "Central Pacific Standard Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-191 = "Mountain Daylight Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-22 = "Cape Verde Standard Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-452 = "Caucasus Standard Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-161 = "Central Daylight Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-231 = "Hawaiian Daylight Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-652 = "AUS Central Standard Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-215 = "Pacific Standard Time (Mexico)"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-961 = "Paraguay Daylight Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-792 = "SA Western Standard Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-931 = "Coordinated Universal Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-271 = "Greenwich Daylight Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-172 = "Central Standard Time (Mexico)"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-171 = "Central Daylight Time (Mexico)"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-112 = "Eastern Standard Time"	aliyun_assist_service.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE

Runs net.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1904	WINWORD.EXE

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
1060	aliyun_assist_service.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
1540	fbc97e576d8894f6fc7249dd5f6b3a553a57e14d659b731a9d5011aa81758344.exe
1100	WXWork.exe
1100	WXWork.exe
832	aliyun_assist_service.exe
832	aliyun_assist_service.exe
1828	coremailclient.exe
1828	coremailclient.exe
1100	WXWork.exe
1492	aliyun_assist_service.exe
1492	aliyun_assist_service.exe
1056	aliyun_assist_service.exe
1056	aliyun_assist_service.exe
1120	aliyun_assist_service.exe
1120	aliyun_assist_service.exe
1100	WXWork.exe
1100	WXWork.exe
1100	WXWork.exe
1100	WXWork.exe
1100	WXWork.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1540	fbc97e576d8894f6fc7249dd5f6b3a553a57e14d659b731a9d5011aa81758344.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	832	aliyun_assist_service.exe
Token: SeDebugPrivilege	1828	coremailclient.exe
Token: SeDebugPrivilege	1492	aliyun_assist_service.exe
Token: SeDebugPrivilege	1056	aliyun_assist_service.exe
Token: SeDebugPrivilege	1120	aliyun_assist_service.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1904	WINWORD.EXE
1904	WINWORD.EXE
1828	coremailclient.exe
1828	coremailclient.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 1540 wrote to memory of 1904	1540	fbc97e576d8894f6fc7249dd5f6b3a553a57e14d659b731a9d5011aa81758344.exe	27
PID 1540 wrote to memory of 1904	1540	fbc97e576d8894f6fc7249dd5f6b3a553a57e14d659b731a9d5011aa81758344.exe	27
PID 1540 wrote to memory of 1904	1540	fbc97e576d8894f6fc7249dd5f6b3a553a57e14d659b731a9d5011aa81758344.exe	27
PID 1540 wrote to memory of 1904	1540	fbc97e576d8894f6fc7249dd5f6b3a553a57e14d659b731a9d5011aa81758344.exe	27
PID 1540 wrote to memory of 1100	1540	fbc97e576d8894f6fc7249dd5f6b3a553a57e14d659b731a9d5011aa81758344.exe	28
PID 1540 wrote to memory of 1100	1540	fbc97e576d8894f6fc7249dd5f6b3a553a57e14d659b731a9d5011aa81758344.exe	28
PID 1540 wrote to memory of 1100	1540	fbc97e576d8894f6fc7249dd5f6b3a553a57e14d659b731a9d5011aa81758344.exe	28
PID 1904 wrote to memory of 944	1904	WINWORD.EXE	29
PID 1904 wrote to memory of 944	1904	WINWORD.EXE	29
PID 1904 wrote to memory of 944	1904	WINWORD.EXE	29
PID 1904 wrote to memory of 944	1904	WINWORD.EXE	29
PID 1100 wrote to memory of 1924	1100	WXWork.exe	32
PID 1100 wrote to memory of 1924	1100	WXWork.exe	32
PID 1100 wrote to memory of 1924	1100	WXWork.exe	32
PID 1924 wrote to memory of 1060	1924	cmd.exe	34
PID 1924 wrote to memory of 1060	1924	cmd.exe	34
PID 1924 wrote to memory of 1060	1924	cmd.exe	34
PID 1924 wrote to memory of 1060	1924	cmd.exe	34
PID 1060 wrote to memory of 832	1060	aliyun_assist_service.exe	35
PID 1060 wrote to memory of 832	1060	aliyun_assist_service.exe	35
PID 1060 wrote to memory of 832	1060	aliyun_assist_service.exe	35
PID 1060 wrote to memory of 832	1060	aliyun_assist_service.exe	35
PID 1100 wrote to memory of 1828	1100	WXWork.exe	37
PID 1100 wrote to memory of 1828	1100	WXWork.exe	37
PID 1100 wrote to memory of 1828	1100	WXWork.exe	37
PID 832 wrote to memory of 1016	832	aliyun_assist_service.exe	38
PID 832 wrote to memory of 1016	832	aliyun_assist_service.exe	38
PID 832 wrote to memory of 1016	832	aliyun_assist_service.exe	38
PID 1016 wrote to memory of 1012	1016	net.exe	39
PID 1016 wrote to memory of 1012	1016	net.exe	39
PID 1016 wrote to memory of 1012	1016	net.exe	39
PID 832 wrote to memory of 1612	832	aliyun_assist_service.exe	40
PID 832 wrote to memory of 1612	832	aliyun_assist_service.exe	40
PID 832 wrote to memory of 1612	832	aliyun_assist_service.exe	40
PID 1612 wrote to memory of 1720	1612	net.exe	41
PID 1612 wrote to memory of 1720	1612	net.exe	41
PID 1612 wrote to memory of 1720	1612	net.exe	41
PID 1060 wrote to memory of 2004	1060	aliyun_assist_service.exe	43
PID 1060 wrote to memory of 2004	1060	aliyun_assist_service.exe	43
PID 1060 wrote to memory of 2004	1060	aliyun_assist_service.exe	43
PID 1060 wrote to memory of 2004	1060	aliyun_assist_service.exe	43
PID 1060 wrote to memory of 2004	1060	aliyun_assist_service.exe	43
PID 1060 wrote to memory of 2004	1060	aliyun_assist_service.exe	43
PID 1060 wrote to memory of 2004	1060	aliyun_assist_service.exe	43
PID 2004 wrote to memory of 1556	2004	cmd.exe	45
PID 2004 wrote to memory of 1556	2004	cmd.exe	45
PID 2004 wrote to memory of 1556	2004	cmd.exe	45
PID 2004 wrote to memory of 1556	2004	cmd.exe	45
PID 2004 wrote to memory of 1492	2004	cmd.exe	46
PID 2004 wrote to memory of 1492	2004	cmd.exe	46
PID 2004 wrote to memory of 1492	2004	cmd.exe	46
PID 2004 wrote to memory of 1492	2004	cmd.exe	46
PID 2004 wrote to memory of 1056	2004	cmd.exe	47
PID 2004 wrote to memory of 1056	2004	cmd.exe	47
PID 2004 wrote to memory of 1056	2004	cmd.exe	47
PID 2004 wrote to memory of 1056	2004	cmd.exe	47

C:\Users\Admin\AppData\Local\Temp\fbc97e576d8894f6fc7249dd5f6b3a553a57e14d659b731a9d5011aa81758344.exe
"C:\Users\Admin\AppData\Local\Temp\fbc97e576d8894f6fc7249dd5f6b3a553a57e14d659b731a9d5011aa81758344.exe"
1⤵
- Deletes itself
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1540
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\fbc97e576d8894f6fc7249dd5f6b3a553a57e14d659b731a9d5011aa81758344.docx"
  2⤵
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1904
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:944
- C:\Windows\Temp\WXWork.exe
  1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1100
- - C:\Windows\System32\cmd.exe
    /c C:/Windows/Temp/aliyun_assist_service.exe /S --register --RegionId="cn-hangzhou" --ActivationCode="a-hz0s16tOXybErvJPtEvuRyXRmzVJw" --ActivationId="D7018412-298B-514A-BAB1-C6DCDF68ED83"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1924
  - - C:\Windows\Temp\aliyun_assist_service.exe
      C:/Windows/Temp/aliyun_assist_service.exe /S --register --RegionId="cn-hangzhou" --ActivationCode="a-hz0s16tOXybErvJPtEvuRyXRmzVJw" --ActivationId="D7018412-298B-514A-BAB1-C6DCDF68ED83"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: CmdExeWriteProcessMemorySpam
      Suspicious use of WriteProcessMemory
      PID:1060
    - - C:\ProgramData\aliyun\assist\2.1.3.289\aliyun_assist_service.exe
        
        "C:\ProgramData\aliyun\assist\2.1.3.289\aliyun_assist_service.exe" --register --RegionId=cn-hangzhou --ActivationCode=a-hz0s16tOXybErvJPtEvuRyXRmzVJw --ActivationId=D7018412-298B-514A-BAB1-C6DCDF68ED83 --InstanceName=
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:832
      - C:\Windows\system32\net.exe
        
        net stop AliyunService
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1016
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop AliyunService
        7⤵
        
        PID:1012
      - C:\Windows\system32\net.exe
        
        net start AliyunService
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1612
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start AliyunService
        7⤵
        
        PID:1720
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\ProgramData\aliyun\assist\2.1.3.289\install.bat
        5⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2004
      - C:\Windows\SysWOW64\sc.exe
        
        SC QUERY "AliyunService"
        6⤵
        Launches sc.exe
        
        PID:1556
      - C:\ProgramData\aliyun\assist\2.1.3.289\aliyun_assist_service.exe
        
        C:\ProgramData\aliyun\assist\2.1.3.289\aliyun_assist_service.exe --install
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1492
      - C:\ProgramData\aliyun\assist\2.1.3.289\aliyun_assist_service.exe
        
        C:\ProgramData\aliyun\assist\2.1.3.289\aliyun_assist_service.exe --start
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1056
- - C:\Windows\Temp\coremailclient.exe
    1
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1828

C:\ProgramData\aliyun\assist\2.1.3.289\aliyun_assist_service.exe
C:\ProgramData\aliyun\assist\2.1.3.289\aliyun_assist_service.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1120

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\aliyun\assist\2.1.3.289\PatchGo.dll

Filesize
105KB

MD5
1aa87fd62fd3737c60ebf04bf7e7f4e7

SHA1
dc7246b055cd3486d556034b5aeb07aee4dca37e

SHA256
b528834f041c68d362d4f7a63ad12fdecb3c985c3f424b5a414e05d037f163cb

SHA512
dd6d20ab3f6d3ab2e486922e86ad8c28b4932684b8a514ae3696a8a047e87c25247232f7edb4afd8e52638a2dce7e2423b5e02564f888a34107c3f16d60dd161

Download Submit
C:\ProgramData\aliyun\assist\2.1.3.289\aliyun_assist_service.exe

Filesize
12.3MB

MD5
f4fccbe7c50e54e88422a7b9ee4e4dcf

SHA1
f838a7034c3591da08af92770b34788fb3df68be

SHA256
914772b64f544a0f512aa37a0eddf887db0f781f2f198e0251d2affe6176d3b8

SHA512
51bf24df1a3fb93de21d7ce827d6d0811ae79ff9187931f817ca316dadc09ada8bc5bd8354dc3183025d750a73ad266e7dc0202f6191147d6ff4bee0001d8c9b

Download Submit
C:\ProgramData\aliyun\assist\2.1.3.289\aliyun_assist_service.exe

Filesize
12.3MB

MD5
f4fccbe7c50e54e88422a7b9ee4e4dcf

SHA1
f838a7034c3591da08af92770b34788fb3df68be

SHA256
914772b64f544a0f512aa37a0eddf887db0f781f2f198e0251d2affe6176d3b8

SHA512
51bf24df1a3fb93de21d7ce827d6d0811ae79ff9187931f817ca316dadc09ada8bc5bd8354dc3183025d750a73ad266e7dc0202f6191147d6ff4bee0001d8c9b

Download Submit
C:\ProgramData\aliyun\assist\2.1.3.289\aliyun_assist_service.exe

Filesize
12.3MB

MD5
f4fccbe7c50e54e88422a7b9ee4e4dcf

SHA1
f838a7034c3591da08af92770b34788fb3df68be

SHA256
914772b64f544a0f512aa37a0eddf887db0f781f2f198e0251d2affe6176d3b8

SHA512
51bf24df1a3fb93de21d7ce827d6d0811ae79ff9187931f817ca316dadc09ada8bc5bd8354dc3183025d750a73ad266e7dc0202f6191147d6ff4bee0001d8c9b

Download Submit
C:\ProgramData\aliyun\assist\2.1.3.289\aliyun_assist_service.exe

Filesize
12.3MB

MD5
f4fccbe7c50e54e88422a7b9ee4e4dcf

SHA1
f838a7034c3591da08af92770b34788fb3df68be

SHA256
914772b64f544a0f512aa37a0eddf887db0f781f2f198e0251d2affe6176d3b8

SHA512
51bf24df1a3fb93de21d7ce827d6d0811ae79ff9187931f817ca316dadc09ada8bc5bd8354dc3183025d750a73ad266e7dc0202f6191147d6ff4bee0001d8c9b

Download Submit
C:\ProgramData\aliyun\assist\2.1.3.289\aliyun_assist_service.exe

Filesize
12.3MB

MD5
f4fccbe7c50e54e88422a7b9ee4e4dcf

SHA1
f838a7034c3591da08af92770b34788fb3df68be

SHA256
914772b64f544a0f512aa37a0eddf887db0f781f2f198e0251d2affe6176d3b8

SHA512
51bf24df1a3fb93de21d7ce827d6d0811ae79ff9187931f817ca316dadc09ada8bc5bd8354dc3183025d750a73ad266e7dc0202f6191147d6ff4bee0001d8c9b

Download Submit
C:\ProgramData\aliyun\assist\2.1.3.289\config\GlobalSignRootCA.crt

Filesize
1KB

MD5
bca50c998aa2752c790d56540a17d98e

SHA1
b2073e04c872068182a527b22002637377cc485f

SHA256
bbd918ad1794858802480b54fac0def586caa90f0a43afdb37d4f4ee263595ab

SHA512
63f4b3a78587d8f3a73d412d4fb2235abfce50cbff117473b40671f0b0b0c449ead0628207eecf87d6295ebf9681c520b87dc3936df65ee929b0786cb4d9f0f9

Download Submit
C:\ProgramData\aliyun\assist\2.1.3.289\install.bat

Filesize
752B

MD5
99e7d946c7ede5609d55f43a15ca867d

SHA1
2ef3702b0490323ce1cc3d1f781de79a00760388

SHA256
fd266b23239df16ddf34813767b8e59959aff871257e88b67e9c06f748477df8

SHA512
da978dae8e8830b3b24d03b341b7d17b93cb95e2d060e994aa20c473268061e5cac072e75b64969c352f7c4410700c1fbca43900279cd36e93525353e2332523

Download Submit
C:\ProgramData\aliyun\assist\2.1.3.289\log\aliyun_assist_main.log.20220804

Filesize
2KB

MD5
d618defefd45531dd5d744850ed191a3

SHA1
c1743724753db6b9d646388d5caa068b642d2945

SHA256
f82642526d3fd7e333a3b3d769a6f801438b5b8e546cd8f7973e057b9e6f06e9

SHA512
c2dfc6a72eb414e6c12c5e178619b66fc1102c9832462b9f634f09f8545d37e947e2584ac7aa3d76c9e862a665c86a4fc0845c1c2a9eae067e7a87fc32af1e87

Download Submit
C:\ProgramData\aliyun\assist\2.1.3.289\version.ini

Filesize
33B

MD5
1d626f584e26c96813e4ee692cd4a26a

SHA1
e018a2974d5ae185ba40a729622afda14abba8bf

SHA256
7465331cdae45bf48b23ea25c3df4a51508292de84fe757aeb9bcac269c0b904

SHA512
f6a98a192959a12fb7d6a7fb5bf2fe7e5aeb87a5025d81149a73b33d6b51e44b927ccaf711ec6bc67d67afa5e523c7753f6b35b9ed882c26ab591392e592e1d0

Download Submit
C:\ProgramData\aliyun\assist\hybrid\instance-id

Filesize
18B

MD5
4fae16932a029e5dc19398bb7921ead2

SHA1
3726a23ea020c0f8d22df063b5cc7d6c747bd91a

SHA256
f5bdf16673da35f6764eacc17062ffde17e8d6efdff13239937d38aef779eb2c

SHA512
90058dda4ed01f2ff46703fad77951a64e6a418139be5d9e5f2a263cade7f8e4b8a755c5d77bec922366da1897e66a84e019b31d5d03d663877e0b1e5accad7e

Download Submit
C:\ProgramData\aliyun\assist\hybrid\machine-id

Filesize
36B

MD5
0d8658bd660f82e5a32cda46b2c10ee8

SHA1
2ffb7fef402bcc8f226d150437fb6874f98d3a71

SHA256
1ba9fb5fc423ad11bd3ac9e1a33ea7ec773c7af3e4593cf6841ce09f3f9a89b8

SHA512
5fee9f646a503000729fc025a987943c6b3f9adcbd3211824b700962be8c1173577a356d1d0e59c37cc61388f732d228790d310dd7d5799c252fc6d09c639a48

Download Submit
C:\ProgramData\aliyun\assist\hybrid\pri-key

Filesize
1KB

MD5
b1a58fea8c496e78f94020f0e36c2918

SHA1
7460dcc4496f41b99c34a12ad157b2fdfa8b1cad

SHA256
082080ca8d9618e394b956be4cf4a031304f8966345312cdbe806294159dbc4b

SHA512
66acfcaa0c92feca4f4a1bd8e43d500350b669aa971df7ba83a696a6e763e2da6a43566abf012ebb5236b1da04601fee812c3ca22ce214e9e48d283da9b803a6

Download Submit
C:\ProgramData\aliyun\assist\hybrid\region-id

Filesize
11B

MD5
c581bec1f0d8ac4eb3ce548a80d62643

SHA1
ffded51468e21be2c66d44210973cf62b64c3c8a

SHA256
db9626998cd84f890af6af0b568f9e57647682987a7cebc7070fb102d8cc5df6

SHA512
c98a5160594809e214d5701a7e397663aabf385f413baa00b7bef08fb4cc6cfd2619d5109ebb497b9d69c6eeda80585775d938808918773fdbedbd12524fc875

Download Submit
C:\Users\Admin\AppData\Local\Temp\fbc97e576d8894f6fc7249dd5f6b3a553a57e14d659b731a9d5011aa81758344.docx

Filesize
12KB

MD5
c93391982491522aec144e99ec855db6

SHA1
3c5f9ce17e89a86828ee4285d9bcaa42f4d189ab

SHA256
e792ee27c1ed4df769be3fe83abf8a4d55b97bbb8e99d0ebfe7c2eb9c1690bfd

SHA512
657181eee159679b807562b218cd2dc79bc26391272da2a796e74cc0bde9aaec54d4dceebb5d82cd064d95dfe7f66ac5d85b39217179e7130a246237ced6b4e6

Download Submit
C:\Windows\Temp\WXWork.exe

Filesize
645KB

MD5
803f923f0664d5ac22fd6668b1a0d7e7

SHA1
9bab2c71e86db6cdf1cab2420dbd28d037c26f7a

SHA256
048f34f8853b8c49b0e5074a2b85b0151c2ea3a74c8cc60bcfbc003d51c6aeca

SHA512
50dd1d4779b57f3c4a0ef12dd12abf27db77962e32552b0e39b4a13eaef3d5b57d817d2a997cd18f9258466cf5990afde07d8f1e452d6978f8b1289d7256567e

Download Submit
C:\Windows\Temp\aliyun_assist_service.exe

Filesize
13.5MB

MD5
dda4c8f26fd3856aea2ffa6fe0f428ee

SHA1
8f6c3b77fc79ee4220f360622887657817bf4ef7

SHA256
c35e77b88b99bb7530dfdf80d0f3a9727104a177b1fe533607731fdba5c52d96

SHA512
d86f3f248c32ad42c9654ff984f85a88f6dac7f0c5d3dd729434d8da510c05bbe932ef0b6b0d7a6cd73b28f0eaf1c209137d7561a99986f7df44d3991564e39c

Download Submit
C:\Windows\Temp\aliyun_assist_service.exe

Filesize
13.5MB

MD5
dda4c8f26fd3856aea2ffa6fe0f428ee

SHA1
8f6c3b77fc79ee4220f360622887657817bf4ef7

SHA256
c35e77b88b99bb7530dfdf80d0f3a9727104a177b1fe533607731fdba5c52d96

SHA512
d86f3f248c32ad42c9654ff984f85a88f6dac7f0c5d3dd729434d8da510c05bbe932ef0b6b0d7a6cd73b28f0eaf1c209137d7561a99986f7df44d3991564e39c

Download Submit
C:\Windows\Temp\coremailclient.exe

Filesize
12.8MB

MD5
07e3040a2ea22959873e00b10054ae0d

SHA1
0e7049417815ef9c35d0868f085dc490bdf3fc34

SHA256
96b8e0dff7bff7f6662a7e3958b01adc761f82136327c7aef176fb96a34e9dc0

SHA512
3e083e2fb7d5a1be6c0324a8c2af716441a8fd952588bd5ac953118d8c07634b31f8d201eb069d3614912b0401d74f7b5945cc89fc6fb2da94494d304b9d7919

Download Submit
\ProgramData\aliyun\assist\2.1.3.289\PatchGo.dll

Filesize
105KB

MD5
1aa87fd62fd3737c60ebf04bf7e7f4e7

SHA1
dc7246b055cd3486d556034b5aeb07aee4dca37e

SHA256
b528834f041c68d362d4f7a63ad12fdecb3c985c3f424b5a414e05d037f163cb

SHA512
dd6d20ab3f6d3ab2e486922e86ad8c28b4932684b8a514ae3696a8a047e87c25247232f7edb4afd8e52638a2dce7e2423b5e02564f888a34107c3f16d60dd161

Download Submit
\ProgramData\aliyun\assist\2.1.3.289\PatchGo.dll

Filesize
105KB

MD5
1aa87fd62fd3737c60ebf04bf7e7f4e7

SHA1
dc7246b055cd3486d556034b5aeb07aee4dca37e

SHA256
b528834f041c68d362d4f7a63ad12fdecb3c985c3f424b5a414e05d037f163cb

SHA512
dd6d20ab3f6d3ab2e486922e86ad8c28b4932684b8a514ae3696a8a047e87c25247232f7edb4afd8e52638a2dce7e2423b5e02564f888a34107c3f16d60dd161

Download Submit
\ProgramData\aliyun\assist\2.1.3.289\PatchGo.dll

Filesize
105KB

MD5
1aa87fd62fd3737c60ebf04bf7e7f4e7

SHA1
dc7246b055cd3486d556034b5aeb07aee4dca37e

SHA256
b528834f041c68d362d4f7a63ad12fdecb3c985c3f424b5a414e05d037f163cb

SHA512
dd6d20ab3f6d3ab2e486922e86ad8c28b4932684b8a514ae3696a8a047e87c25247232f7edb4afd8e52638a2dce7e2423b5e02564f888a34107c3f16d60dd161

Download Submit
\ProgramData\aliyun\assist\2.1.3.289\PatchGo.dll

Filesize
105KB

MD5
1aa87fd62fd3737c60ebf04bf7e7f4e7

SHA1
dc7246b055cd3486d556034b5aeb07aee4dca37e

SHA256
b528834f041c68d362d4f7a63ad12fdecb3c985c3f424b5a414e05d037f163cb

SHA512
dd6d20ab3f6d3ab2e486922e86ad8c28b4932684b8a514ae3696a8a047e87c25247232f7edb4afd8e52638a2dce7e2423b5e02564f888a34107c3f16d60dd161

Download Submit
\ProgramData\aliyun\assist\2.1.3.289\aliyun_assist_service.exe

Filesize
12.3MB

MD5
f4fccbe7c50e54e88422a7b9ee4e4dcf

SHA1
f838a7034c3591da08af92770b34788fb3df68be

SHA256
914772b64f544a0f512aa37a0eddf887db0f781f2f198e0251d2affe6176d3b8

SHA512
51bf24df1a3fb93de21d7ce827d6d0811ae79ff9187931f817ca316dadc09ada8bc5bd8354dc3183025d750a73ad266e7dc0202f6191147d6ff4bee0001d8c9b

Download Submit
\ProgramData\aliyun\assist\2.1.3.289\aliyun_assist_service.exe

Filesize
12.3MB

MD5
f4fccbe7c50e54e88422a7b9ee4e4dcf

SHA1
f838a7034c3591da08af92770b34788fb3df68be

SHA256
914772b64f544a0f512aa37a0eddf887db0f781f2f198e0251d2affe6176d3b8

SHA512
51bf24df1a3fb93de21d7ce827d6d0811ae79ff9187931f817ca316dadc09ada8bc5bd8354dc3183025d750a73ad266e7dc0202f6191147d6ff4bee0001d8c9b

Download Submit
\ProgramData\aliyun\assist\2.1.3.289\aliyun_assist_service.exe

Filesize
12.3MB

MD5
f4fccbe7c50e54e88422a7b9ee4e4dcf

SHA1
f838a7034c3591da08af92770b34788fb3df68be

SHA256
914772b64f544a0f512aa37a0eddf887db0f781f2f198e0251d2affe6176d3b8

SHA512
51bf24df1a3fb93de21d7ce827d6d0811ae79ff9187931f817ca316dadc09ada8bc5bd8354dc3183025d750a73ad266e7dc0202f6191147d6ff4bee0001d8c9b

Download Submit
\ProgramData\aliyun\assist\2.1.3.289\aliyun_assist_service.exe

Filesize
12.3MB

MD5
f4fccbe7c50e54e88422a7b9ee4e4dcf

SHA1
f838a7034c3591da08af92770b34788fb3df68be

SHA256
914772b64f544a0f512aa37a0eddf887db0f781f2f198e0251d2affe6176d3b8

SHA512
51bf24df1a3fb93de21d7ce827d6d0811ae79ff9187931f817ca316dadc09ada8bc5bd8354dc3183025d750a73ad266e7dc0202f6191147d6ff4bee0001d8c9b

Download Submit
\ProgramData\aliyun\assist\2.1.3.289\aliyun_assist_service.exe

Filesize
12.3MB

MD5
f4fccbe7c50e54e88422a7b9ee4e4dcf

SHA1
f838a7034c3591da08af92770b34788fb3df68be

SHA256
914772b64f544a0f512aa37a0eddf887db0f781f2f198e0251d2affe6176d3b8

SHA512
51bf24df1a3fb93de21d7ce827d6d0811ae79ff9187931f817ca316dadc09ada8bc5bd8354dc3183025d750a73ad266e7dc0202f6191147d6ff4bee0001d8c9b

Download Submit
\Users\Admin\AppData\Local\Temp\nsoF8F1.tmp\nsExec.dll

Filesize
7KB

MD5
f27689c513e7d12c7c974d5f8ef710d6

SHA1
e305f2a2898d765a64c82c449dfb528665b4a892

SHA256
1f18f4126124b0551f3dbcd0fec7f34026f930ca509f04435657cedc32ae8c47

SHA512
734e9f3989ee47a86bee16838df7a09353c7fe085a09d77e70d281b21c5477b0b061616e72e8ac8fcb3dda1df0d5152f54dcc4c5a77f90fbf0f857557bf02fbc

Download Submit
\Users\Admin\AppData\Local\Temp\nsoF8F1.tmp\nsExec.dll

Filesize
7KB

MD5
f27689c513e7d12c7c974d5f8ef710d6

SHA1
e305f2a2898d765a64c82c449dfb528665b4a892

SHA256
1f18f4126124b0551f3dbcd0fec7f34026f930ca509f04435657cedc32ae8c47

SHA512
734e9f3989ee47a86bee16838df7a09353c7fe085a09d77e70d281b21c5477b0b061616e72e8ac8fcb3dda1df0d5152f54dcc4c5a77f90fbf0f857557bf02fbc

Download Submit
\Windows\Temp\WXWork.exe

Filesize
645KB

MD5
803f923f0664d5ac22fd6668b1a0d7e7

SHA1
9bab2c71e86db6cdf1cab2420dbd28d037c26f7a

SHA256
048f34f8853b8c49b0e5074a2b85b0151c2ea3a74c8cc60bcfbc003d51c6aeca

SHA512
50dd1d4779b57f3c4a0ef12dd12abf27db77962e32552b0e39b4a13eaef3d5b57d817d2a997cd18f9258466cf5990afde07d8f1e452d6978f8b1289d7256567e

Download Submit
\Windows\Temp\WXWork.exe

Filesize
645KB

MD5
803f923f0664d5ac22fd6668b1a0d7e7

SHA1
9bab2c71e86db6cdf1cab2420dbd28d037c26f7a

SHA256
048f34f8853b8c49b0e5074a2b85b0151c2ea3a74c8cc60bcfbc003d51c6aeca

SHA512
50dd1d4779b57f3c4a0ef12dd12abf27db77962e32552b0e39b4a13eaef3d5b57d817d2a997cd18f9258466cf5990afde07d8f1e452d6978f8b1289d7256567e

Download Submit
\Windows\Temp\coremailclient.exe

Filesize
12.8MB

MD5
07e3040a2ea22959873e00b10054ae0d

SHA1
0e7049417815ef9c35d0868f085dc490bdf3fc34

SHA256
96b8e0dff7bff7f6662a7e3958b01adc761f82136327c7aef176fb96a34e9dc0

SHA512
3e083e2fb7d5a1be6c0324a8c2af716441a8fd952588bd5ac953118d8c07634b31f8d201eb069d3614912b0401d74f7b5945cc89fc6fb2da94494d304b9d7919

Download Submit
\Windows\Temp\coremailclient.exe

Filesize
12.8MB

MD5
07e3040a2ea22959873e00b10054ae0d

SHA1
0e7049417815ef9c35d0868f085dc490bdf3fc34

SHA256
96b8e0dff7bff7f6662a7e3958b01adc761f82136327c7aef176fb96a34e9dc0

SHA512
3e083e2fb7d5a1be6c0324a8c2af716441a8fd952588bd5ac953118d8c07634b31f8d201eb069d3614912b0401d74f7b5945cc89fc6fb2da94494d304b9d7919

Download Submit
memory/1540-54-0x000007FEFB9B1000-0x000007FEFB9B3000-memory.dmp

Filesize
8KB

Download
memory/1828-116-0x0000000003430000-0x0000000003A9A000-memory.dmp

Filesize
6.4MB

Download
memory/1828-88-0x0000000003430000-0x0000000003A9A000-memory.dmp

Filesize
6.4MB

Download
memory/1828-87-0x00000000022F0000-0x0000000002B58000-memory.dmp

Filesize
8.4MB

Download
memory/1904-68-0x0000000070FBD000-0x0000000070FC8000-memory.dmp

Filesize
44KB

Download
memory/1904-64-0x0000000075661000-0x0000000075663000-memory.dmp

Filesize
8KB

Download
memory/1904-63-0x0000000070FBD000-0x0000000070FC8000-memory.dmp

Filesize
44KB

Download
memory/1904-62-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1904-61-0x000000006FFD1000-0x000000006FFD3000-memory.dmp

Filesize
8KB

Download
memory/1904-60-0x0000000072551000-0x0000000072554000-memory.dmp

Filesize
12KB

Download
memory/1904-115-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1904-117-0x0000000070FBD000-0x0000000070FC8000-memory.dmp

Filesize
44KB

Download