joker | fbc97e576d8894f6fc7249dd5f6b3a553a57e14d659b731a9d5011aa81758344

Analysis

max time kernel
150s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20220721-en
resource tags

arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
submitted
04-08-2022 13:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fbc97e576d8894f6fc7249dd5f6b3a553a57e14d659b731a9d5011aa81758344.exe
Size

1.3MB
MD5

505395fed6f0d92efd4584f5b9327ac8
SHA1

82e2d416ce0dc5f7bbf858751c710df9aa686940
SHA256

fbc97e576d8894f6fc7249dd5f6b3a553a57e14d659b731a9d5011aa81758344
SHA512

ffc656e967a0d56d8663275f31e7538b95b00e22d14e84a6b819ce3f4e7f2d30b82c293cd6046c046bf0a76dd7b05be28e93f6f77ab8bb7cc03b6a8e27bcc2ad

Score

10^/10

joker infostealer trojan

Malware Config

Signatures

joker
Joker is an Android malware that targets billing and SMS fraud.
infostealer trojan joker
Downloads MZ/PE file

Executes dropped EXE 8 IoCs

pid	Process
4648	WXWork.exe
3296	aliyun_assist_service.exe
1928	aliyun_assist_service.exe
4316	coremailclient.exe
4644	aliyun_assist_service.exe
756	aliyun_assist_service.exe
3480	aliyun_assist_service.exe
5000	coremailclient.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation	fbc97e576d8894f6fc7249dd5f6b3a553a57e14d659b731a9d5011aa81758344.exe

Deletes itself 1 IoCs

pid	Process
3720	fbc97e576d8894f6fc7249dd5f6b3a553a57e14d659b731a9d5011aa81758344.exe

Loads dropped DLL 2 IoCs

pid	Process
3296	aliyun_assist_service.exe
3296	aliyun_assist_service.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3764	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4836	4316	WerFault.exe	109
2700	5000	WerFault.exe	120

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2411 = "Marquesas Daylight Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1872 = "Russia TZ 7 Standard Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-361 = "GTB Daylight Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2891 = "Sudan Daylight Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2512 = "Lord Howe Standard Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2372 = "Easter Island Standard Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-82 = "Atlantic Standard Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-334 = "Jordan Daylight Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-72 = "Newfoundland Standard Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2842 = "Saratov Standard Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2431 = "Cuba Daylight Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-172 = "Central Standard Time (Mexico)"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-512 = "Central Asia Standard Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-252 = "Dateline Standard Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-214 = "Pacific Daylight Time (Mexico)"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-301 = "Romance Daylight Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2942 = "Sao Tome Standard Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-751 = "Tonga Daylight Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-152 = "Central America Standard Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1841 = "Russia TZ 4 Daylight Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-981 = "Kamchatka Daylight Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1892 = "Russia TZ 3 Standard Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-682 = "E. Australia Standard Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-652 = "AUS Central Standard Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2432 = "Cuba Standard Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-962 = "Paraguay Standard Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2182 = "Astrakhan Standard Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2771 = "Omsk Daylight Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-122 = "SA Pacific Standard Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-105 = "Central Brazilian Standard Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-912 = "Mauritius Standard Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2631 = "Norfolk Daylight Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-831 = "SA Eastern Daylight Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2841 = "Saratov Daylight Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-752 = "Tonga Standard Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1471 = "Magadan Daylight Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-661 = "Cen. Australia Daylight Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-931 = "Coordinated Universal Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2002 = "Cabo Verde Standard Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2341 = "Haiti Daylight Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-511 = "Central Asia Daylight Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-52 = "Greenland Standard Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2752 = "Tomsk Standard Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-221 = "Alaskan Daylight Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-449 = "Azerbaijan Standard Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-448 = "Azerbaijan Daylight Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-364 = "Middle East Daylight Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-181 = "Mountain Daylight Time (Mexico)"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-71 = "Newfoundland Daylight Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-592 = "Malay Peninsula Standard Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-441 = "Arabian Daylight Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-491 = "India Daylight Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1722 = "Libya Standard Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2872 = "Magallanes Standard Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-541 = "Myanmar Daylight Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2632 = "Norfolk Standard Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2062 = "North Korea Standard Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-792 = "SA Western Standard Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1021 = "Bangladesh Daylight Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-12 = "Azores Standard Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2342 = "Haiti Standard Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1861 = "Russia TZ 6 Daylight Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2572 = "Turks and Caicos Standard Time"	aliyun_assist_service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-842 = "Argentina Standard Time"	aliyun_assist_service.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings	fbc97e576d8894f6fc7249dd5f6b3a553a57e14d659b731a9d5011aa81758344.exe

Runs net.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1128	WINWORD.EXE
1128	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
3720	fbc97e576d8894f6fc7249dd5f6b3a553a57e14d659b731a9d5011aa81758344.exe
3720	fbc97e576d8894f6fc7249dd5f6b3a553a57e14d659b731a9d5011aa81758344.exe
4648	WXWork.exe
4648	WXWork.exe
4648	WXWork.exe
4648	WXWork.exe
4648	WXWork.exe
4648	WXWork.exe
4648	WXWork.exe
4648	WXWork.exe
4648	WXWork.exe
4648	WXWork.exe
4648	WXWork.exe
4648	WXWork.exe
4648	WXWork.exe
4648	WXWork.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3720	fbc97e576d8894f6fc7249dd5f6b3a553a57e14d659b731a9d5011aa81758344.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1928	aliyun_assist_service.exe
Token: SeDebugPrivilege	4644	aliyun_assist_service.exe
Token: SeDebugPrivilege	756	aliyun_assist_service.exe
Token: SeDebugPrivilege	3480	aliyun_assist_service.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
1128	WINWORD.EXE
1128	WINWORD.EXE
1128	WINWORD.EXE
1128	WINWORD.EXE
1128	WINWORD.EXE
1128	WINWORD.EXE
1128	WINWORD.EXE
4316	coremailclient.exe
4316	coremailclient.exe
5000	coremailclient.exe
5000	coremailclient.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 3720 wrote to memory of 1128	3720	fbc97e576d8894f6fc7249dd5f6b3a553a57e14d659b731a9d5011aa81758344.exe	80
PID 3720 wrote to memory of 1128	3720	fbc97e576d8894f6fc7249dd5f6b3a553a57e14d659b731a9d5011aa81758344.exe	80
PID 3720 wrote to memory of 4648	3720	fbc97e576d8894f6fc7249dd5f6b3a553a57e14d659b731a9d5011aa81758344.exe	81
PID 3720 wrote to memory of 4648	3720	fbc97e576d8894f6fc7249dd5f6b3a553a57e14d659b731a9d5011aa81758344.exe	81
PID 4648 wrote to memory of 2308	4648	WXWork.exe	92
PID 4648 wrote to memory of 2308	4648	WXWork.exe	92
PID 2308 wrote to memory of 3296	2308	cmd.exe	94
PID 2308 wrote to memory of 3296	2308	cmd.exe	94
PID 2308 wrote to memory of 3296	2308	cmd.exe	94
PID 3296 wrote to memory of 1928	3296	aliyun_assist_service.exe	97
PID 3296 wrote to memory of 1928	3296	aliyun_assist_service.exe	97
PID 1928 wrote to memory of 4028	1928	aliyun_assist_service.exe	100
PID 1928 wrote to memory of 4028	1928	aliyun_assist_service.exe	100
PID 4028 wrote to memory of 1784	4028	net.exe	101
PID 4028 wrote to memory of 1784	4028	net.exe	101
PID 1928 wrote to memory of 4736	1928	aliyun_assist_service.exe	102
PID 1928 wrote to memory of 4736	1928	aliyun_assist_service.exe	102
PID 4736 wrote to memory of 3256	4736	net.exe	103
PID 4736 wrote to memory of 3256	4736	net.exe	103
PID 3296 wrote to memory of 3640	3296	aliyun_assist_service.exe	107
PID 3296 wrote to memory of 3640	3296	aliyun_assist_service.exe	107
PID 3296 wrote to memory of 3640	3296	aliyun_assist_service.exe	107
PID 4648 wrote to memory of 4316	4648	WXWork.exe	109
PID 4648 wrote to memory of 4316	4648	WXWork.exe	109
PID 3640 wrote to memory of 3764	3640	cmd.exe	111
PID 3640 wrote to memory of 3764	3640	cmd.exe	111
PID 3640 wrote to memory of 3764	3640	cmd.exe	111
PID 3640 wrote to memory of 4644	3640	cmd.exe	112
PID 3640 wrote to memory of 4644	3640	cmd.exe	112
PID 3640 wrote to memory of 756	3640	cmd.exe	113
PID 3640 wrote to memory of 756	3640	cmd.exe	113
PID 4648 wrote to memory of 5000	4648	WXWork.exe	120
PID 4648 wrote to memory of 5000	4648	WXWork.exe	120

C:\Users\Admin\AppData\Local\Temp\fbc97e576d8894f6fc7249dd5f6b3a553a57e14d659b731a9d5011aa81758344.exe
"C:\Users\Admin\AppData\Local\Temp\fbc97e576d8894f6fc7249dd5f6b3a553a57e14d659b731a9d5011aa81758344.exe"
1⤵
- Checks computer location settings
- Deletes itself
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:3720
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\fbc97e576d8894f6fc7249dd5f6b3a553a57e14d659b731a9d5011aa81758344.docx" /o ""
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:1128
- C:\Windows\Temp\WXWork.exe
  1
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4648
- - C:\Windows\System32\cmd.exe
    /c C:/Windows/Temp/aliyun_assist_service.exe /S --register --RegionId="cn-hangzhou" --ActivationCode="a-hz0s16tOXybErvJPtEvuRyXRmzVJw" --ActivationId="D7018412-298B-514A-BAB1-C6DCDF68ED83"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2308
  - - C:\Windows\Temp\aliyun_assist_service.exe
      C:/Windows/Temp/aliyun_assist_service.exe /S --register --RegionId="cn-hangzhou" --ActivationCode="a-hz0s16tOXybErvJPtEvuRyXRmzVJw" --ActivationId="D7018412-298B-514A-BAB1-C6DCDF68ED83"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:3296
    - - C:\ProgramData\aliyun\assist\2.1.3.289\aliyun_assist_service.exe
        
        "C:\ProgramData\aliyun\assist\2.1.3.289\aliyun_assist_service.exe" --register --RegionId=cn-hangzhou --ActivationCode=a-hz0s16tOXybErvJPtEvuRyXRmzVJw --ActivationId=D7018412-298B-514A-BAB1-C6DCDF68ED83 --InstanceName=
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1928
      - C:\Windows\system32\net.exe
        
        net stop AliyunService
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4028
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop AliyunService
        7⤵
        
        PID:1784
      - C:\Windows\system32\net.exe
        
        net start AliyunService
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4736
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start AliyunService
        7⤵
        
        PID:3256
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\ProgramData\aliyun\assist\2.1.3.289\install.bat
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3640
      - C:\Windows\SysWOW64\sc.exe
        
        SC QUERY "AliyunService"
        6⤵
        Launches sc.exe
        
        PID:3764
      - C:\ProgramData\aliyun\assist\2.1.3.289\aliyun_assist_service.exe
        
        C:\ProgramData\aliyun\assist\2.1.3.289\aliyun_assist_service.exe --install
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4644
      - C:\ProgramData\aliyun\assist\2.1.3.289\aliyun_assist_service.exe
        
        C:\ProgramData\aliyun\assist\2.1.3.289\aliyun_assist_service.exe --start
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:756
- - C:\Windows\Temp\coremailclient.exe
    1
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4316
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 4316 -s 520
      4⤵
      Program crash
      PID:4836
- - C:\Windows\Temp\coremailclient.exe
    1
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5000
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 5000 -s 484
      4⤵
      Program crash
      PID:2700

C:\ProgramData\aliyun\assist\2.1.3.289\aliyun_assist_service.exe
C:\ProgramData\aliyun\assist\2.1.3.289\aliyun_assist_service.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3480

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 184 -p 4316 -ip 4316
1⤵
PID:2844

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 520 -p 5000 -ip 5000
1⤵
PID:4708

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\aliyun\assist\2.1.3.289\aliyun_assist_service.exe

Filesize
12.3MB

MD5
f4fccbe7c50e54e88422a7b9ee4e4dcf

SHA1
f838a7034c3591da08af92770b34788fb3df68be

SHA256
914772b64f544a0f512aa37a0eddf887db0f781f2f198e0251d2affe6176d3b8

SHA512
51bf24df1a3fb93de21d7ce827d6d0811ae79ff9187931f817ca316dadc09ada8bc5bd8354dc3183025d750a73ad266e7dc0202f6191147d6ff4bee0001d8c9b

Download Submit
C:\ProgramData\aliyun\assist\2.1.3.289\aliyun_assist_service.exe

Filesize
12.3MB

MD5
f4fccbe7c50e54e88422a7b9ee4e4dcf

SHA1
f838a7034c3591da08af92770b34788fb3df68be

SHA256
914772b64f544a0f512aa37a0eddf887db0f781f2f198e0251d2affe6176d3b8

SHA512
51bf24df1a3fb93de21d7ce827d6d0811ae79ff9187931f817ca316dadc09ada8bc5bd8354dc3183025d750a73ad266e7dc0202f6191147d6ff4bee0001d8c9b

Download Submit
C:\ProgramData\aliyun\assist\2.1.3.289\aliyun_assist_service.exe

Filesize
12.3MB

MD5
f4fccbe7c50e54e88422a7b9ee4e4dcf

SHA1
f838a7034c3591da08af92770b34788fb3df68be

SHA256
914772b64f544a0f512aa37a0eddf887db0f781f2f198e0251d2affe6176d3b8

SHA512
51bf24df1a3fb93de21d7ce827d6d0811ae79ff9187931f817ca316dadc09ada8bc5bd8354dc3183025d750a73ad266e7dc0202f6191147d6ff4bee0001d8c9b

Download Submit
C:\ProgramData\aliyun\assist\2.1.3.289\aliyun_assist_service.exe

Filesize
12.3MB

MD5
f4fccbe7c50e54e88422a7b9ee4e4dcf

SHA1
f838a7034c3591da08af92770b34788fb3df68be

SHA256
914772b64f544a0f512aa37a0eddf887db0f781f2f198e0251d2affe6176d3b8

SHA512
51bf24df1a3fb93de21d7ce827d6d0811ae79ff9187931f817ca316dadc09ada8bc5bd8354dc3183025d750a73ad266e7dc0202f6191147d6ff4bee0001d8c9b

Download Submit
C:\ProgramData\aliyun\assist\2.1.3.289\aliyun_assist_service.exe

Filesize
12.3MB

MD5
f4fccbe7c50e54e88422a7b9ee4e4dcf

SHA1
f838a7034c3591da08af92770b34788fb3df68be

SHA256
914772b64f544a0f512aa37a0eddf887db0f781f2f198e0251d2affe6176d3b8

SHA512
51bf24df1a3fb93de21d7ce827d6d0811ae79ff9187931f817ca316dadc09ada8bc5bd8354dc3183025d750a73ad266e7dc0202f6191147d6ff4bee0001d8c9b

Download Submit
C:\ProgramData\aliyun\assist\2.1.3.289\config\GlobalSignRootCA.crt

Filesize
1KB

MD5
bca50c998aa2752c790d56540a17d98e

SHA1
b2073e04c872068182a527b22002637377cc485f

SHA256
bbd918ad1794858802480b54fac0def586caa90f0a43afdb37d4f4ee263595ab

SHA512
63f4b3a78587d8f3a73d412d4fb2235abfce50cbff117473b40671f0b0b0c449ead0628207eecf87d6295ebf9681c520b87dc3936df65ee929b0786cb4d9f0f9

Download Submit
C:\ProgramData\aliyun\assist\2.1.3.289\install.bat

Filesize
752B

MD5
99e7d946c7ede5609d55f43a15ca867d

SHA1
2ef3702b0490323ce1cc3d1f781de79a00760388

SHA256
fd266b23239df16ddf34813767b8e59959aff871257e88b67e9c06f748477df8

SHA512
da978dae8e8830b3b24d03b341b7d17b93cb95e2d060e994aa20c473268061e5cac072e75b64969c352f7c4410700c1fbca43900279cd36e93525353e2332523

Download Submit
C:\ProgramData\aliyun\assist\2.1.3.289\log\aliyun_assist_main.log.20220804

Filesize
1KB

MD5
5397d48e2b68b7c07ed5cfafb246d75c

SHA1
3f586cf77a450f351fe7dac3c7a4abcd9c2a44a5

SHA256
7636969df8baae32e71686fa1b3a94696764d3445c2f1f5e2267753b1aa17baf

SHA512
3cee045382951cb298ea250ef6bb37832719fdce5f1e457d10815637e76575e7332571f261f6e19ba16ed37dab94c2dc9f9e5900c03a0cc7159dfd5c86e701a6

Download Submit
C:\ProgramData\aliyun\assist\2.1.3.289\version.ini

Filesize
33B

MD5
1d626f584e26c96813e4ee692cd4a26a

SHA1
e018a2974d5ae185ba40a729622afda14abba8bf

SHA256
7465331cdae45bf48b23ea25c3df4a51508292de84fe757aeb9bcac269c0b904

SHA512
f6a98a192959a12fb7d6a7fb5bf2fe7e5aeb87a5025d81149a73b33d6b51e44b927ccaf711ec6bc67d67afa5e523c7753f6b35b9ed882c26ab591392e592e1d0

Download Submit
C:\ProgramData\aliyun\assist\hybrid\instance-id

Filesize
18B

MD5
e029d614d770bbd3bd8bf3dd7653eb08

SHA1
cb26a94c65ab83e96dc9f02ed69fbb559387022a

SHA256
6c093d62ca79a9eb25a3d577ca2fe2faadf0381d746ab37bba506e19dc392d8f

SHA512
37cf238963d429740edb58a6a0b8c0333b6b599e00cb4ee7df75b5978f65c87738c57091aa9d4571c4856176a7f222b4a6d401d5e90d9db2a6ae32430eb35e70

Download Submit
C:\ProgramData\aliyun\assist\hybrid\machine-id

Filesize
36B

MD5
08528562496d3d5a065d47c10e0c9cbf

SHA1
af1715ca0ee6b32e65a0eafb1aa53221295569e9

SHA256
bf17beb4e7fceecbe46e47562bd4ded00438e87112fe46196b55f0237447dde8

SHA512
4447ca6d2055da3f3e43dc88ebcd4a86f4862d51f54deedeff1ff64883c161efa9e30be5715dc5e6efa6dc0008c847f9abee1920ab84a758334566c94292c0d8

Download Submit
C:\ProgramData\aliyun\assist\hybrid\pri-key

Filesize
1KB

MD5
c53adb5fe4d3ca96f880099de35b1306

SHA1
7e242261c8dcc8e0979bf1344e1acd50f1c24a2b

SHA256
705a97e7a229684ca53891f6cbe2ff22bed21a04114332adc3760ecb1d600de7

SHA512
66b1422a6062d52961b4bbcae37a6903cea39fd4553997cb81a4b0f7500d80b56912df4265b17a8331471a27fe114d327f9aa7e47461da4f312fa63c28dcf5d4

Download Submit
C:\ProgramData\aliyun\assist\hybrid\region-id

Filesize
11B

MD5
c581bec1f0d8ac4eb3ce548a80d62643

SHA1
ffded51468e21be2c66d44210973cf62b64c3c8a

SHA256
db9626998cd84f890af6af0b568f9e57647682987a7cebc7070fb102d8cc5df6

SHA512
c98a5160594809e214d5701a7e397663aabf385f413baa00b7bef08fb4cc6cfd2619d5109ebb497b9d69c6eeda80585775d938808918773fdbedbd12524fc875

Download Submit
C:\Users\Admin\AppData\Local\Temp\fbc97e576d8894f6fc7249dd5f6b3a553a57e14d659b731a9d5011aa81758344.docx

Filesize
12KB

MD5
c93391982491522aec144e99ec855db6

SHA1
3c5f9ce17e89a86828ee4285d9bcaa42f4d189ab

SHA256
e792ee27c1ed4df769be3fe83abf8a4d55b97bbb8e99d0ebfe7c2eb9c1690bfd

SHA512
657181eee159679b807562b218cd2dc79bc26391272da2a796e74cc0bde9aaec54d4dceebb5d82cd064d95dfe7f66ac5d85b39217179e7130a246237ced6b4e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf22FA.tmp\nsExec.dll

Filesize
7KB

MD5
f27689c513e7d12c7c974d5f8ef710d6

SHA1
e305f2a2898d765a64c82c449dfb528665b4a892

SHA256
1f18f4126124b0551f3dbcd0fec7f34026f930ca509f04435657cedc32ae8c47

SHA512
734e9f3989ee47a86bee16838df7a09353c7fe085a09d77e70d281b21c5477b0b061616e72e8ac8fcb3dda1df0d5152f54dcc4c5a77f90fbf0f857557bf02fbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf22FA.tmp\nsExec.dll

Filesize
7KB

MD5
f27689c513e7d12c7c974d5f8ef710d6

SHA1
e305f2a2898d765a64c82c449dfb528665b4a892

SHA256
1f18f4126124b0551f3dbcd0fec7f34026f930ca509f04435657cedc32ae8c47

SHA512
734e9f3989ee47a86bee16838df7a09353c7fe085a09d77e70d281b21c5477b0b061616e72e8ac8fcb3dda1df0d5152f54dcc4c5a77f90fbf0f857557bf02fbc

Download Submit
C:\Windows\Temp\WXWork.exe

Filesize
645KB

MD5
803f923f0664d5ac22fd6668b1a0d7e7

SHA1
9bab2c71e86db6cdf1cab2420dbd28d037c26f7a

SHA256
048f34f8853b8c49b0e5074a2b85b0151c2ea3a74c8cc60bcfbc003d51c6aeca

SHA512
50dd1d4779b57f3c4a0ef12dd12abf27db77962e32552b0e39b4a13eaef3d5b57d817d2a997cd18f9258466cf5990afde07d8f1e452d6978f8b1289d7256567e

Download Submit
C:\Windows\Temp\WXWork.exe

Filesize
645KB

MD5
803f923f0664d5ac22fd6668b1a0d7e7

SHA1
9bab2c71e86db6cdf1cab2420dbd28d037c26f7a

SHA256
048f34f8853b8c49b0e5074a2b85b0151c2ea3a74c8cc60bcfbc003d51c6aeca

SHA512
50dd1d4779b57f3c4a0ef12dd12abf27db77962e32552b0e39b4a13eaef3d5b57d817d2a997cd18f9258466cf5990afde07d8f1e452d6978f8b1289d7256567e

Download Submit
C:\Windows\Temp\aliyun_assist_service.exe

Filesize
13.5MB

MD5
dda4c8f26fd3856aea2ffa6fe0f428ee

SHA1
8f6c3b77fc79ee4220f360622887657817bf4ef7

SHA256
c35e77b88b99bb7530dfdf80d0f3a9727104a177b1fe533607731fdba5c52d96

SHA512
d86f3f248c32ad42c9654ff984f85a88f6dac7f0c5d3dd729434d8da510c05bbe932ef0b6b0d7a6cd73b28f0eaf1c209137d7561a99986f7df44d3991564e39c

Download Submit
C:\Windows\Temp\aliyun_assist_service.exe

Filesize
13.5MB

MD5
dda4c8f26fd3856aea2ffa6fe0f428ee

SHA1
8f6c3b77fc79ee4220f360622887657817bf4ef7

SHA256
c35e77b88b99bb7530dfdf80d0f3a9727104a177b1fe533607731fdba5c52d96

SHA512
d86f3f248c32ad42c9654ff984f85a88f6dac7f0c5d3dd729434d8da510c05bbe932ef0b6b0d7a6cd73b28f0eaf1c209137d7561a99986f7df44d3991564e39c

Download Submit
C:\Windows\Temp\coremailclient.exe

Filesize
12.8MB

MD5
07e3040a2ea22959873e00b10054ae0d

SHA1
0e7049417815ef9c35d0868f085dc490bdf3fc34

SHA256
96b8e0dff7bff7f6662a7e3958b01adc761f82136327c7aef176fb96a34e9dc0

SHA512
3e083e2fb7d5a1be6c0324a8c2af716441a8fd952588bd5ac953118d8c07634b31f8d201eb069d3614912b0401d74f7b5945cc89fc6fb2da94494d304b9d7919

Download Submit
C:\Windows\Temp\coremailclient.exe

Filesize
12.8MB

MD5
07e3040a2ea22959873e00b10054ae0d

SHA1
0e7049417815ef9c35d0868f085dc490bdf3fc34

SHA256
96b8e0dff7bff7f6662a7e3958b01adc761f82136327c7aef176fb96a34e9dc0

SHA512
3e083e2fb7d5a1be6c0324a8c2af716441a8fd952588bd5ac953118d8c07634b31f8d201eb069d3614912b0401d74f7b5945cc89fc6fb2da94494d304b9d7919

Download Submit
C:\Windows\Temp\coremailclient.exe

Filesize
12.8MB

MD5
07e3040a2ea22959873e00b10054ae0d

SHA1
0e7049417815ef9c35d0868f085dc490bdf3fc34

SHA256
96b8e0dff7bff7f6662a7e3958b01adc761f82136327c7aef176fb96a34e9dc0

SHA512
3e083e2fb7d5a1be6c0324a8c2af716441a8fd952588bd5ac953118d8c07634b31f8d201eb069d3614912b0401d74f7b5945cc89fc6fb2da94494d304b9d7919

Download Submit
memory/1128-139-0x00007FFC846D0000-0x00007FFC846E0000-memory.dmp

Filesize
64KB

Download
memory/1128-138-0x00007FFC86730000-0x00007FFC86740000-memory.dmp

Filesize
64KB

Download
memory/1128-156-0x00007FFC86730000-0x00007FFC86740000-memory.dmp

Filesize
64KB

Download
memory/1128-158-0x00007FFC86730000-0x00007FFC86740000-memory.dmp

Filesize
64KB

Download
memory/1128-159-0x00007FFC86730000-0x00007FFC86740000-memory.dmp

Filesize
64KB

Download
memory/1128-134-0x00007FFC86730000-0x00007FFC86740000-memory.dmp

Filesize
64KB

Download
memory/1128-135-0x00007FFC86730000-0x00007FFC86740000-memory.dmp

Filesize
64KB

Download
memory/1128-136-0x00007FFC86730000-0x00007FFC86740000-memory.dmp

Filesize
64KB

Download
memory/1128-140-0x00007FFC846D0000-0x00007FFC846E0000-memory.dmp

Filesize
64KB

Download
memory/1128-157-0x00007FFC86730000-0x00007FFC86740000-memory.dmp

Filesize
64KB

Download
memory/1128-137-0x00007FFC86730000-0x00007FFC86740000-memory.dmp

Filesize
64KB

Download