joker | 44aa2372d01d2f5199a9149debab54dc1ac6105b613cd145933d09f305ffb941

Analysis

max time kernel
108s
max time network
154s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
18-08-2022 21:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f90bb86007a525c51606f541d23f17d.exe
Size

124KB
MD5

0f90bb86007a525c51606f541d23f17d
SHA1

61b24dc1fe848eab720bc4f5371dd963afb1c22c
SHA256

44aa2372d01d2f5199a9149debab54dc1ac6105b613cd145933d09f305ffb941
SHA512

4c3e641db45fc829f9729ff20ccd3967cbc59f072638932fd712eae80243941ded9e2fc921b711a1a70d066a9997aec214cea3fb2e22216738b32a177343bdf9

Score

10^/10

joker infostealer persistence trojan

Malware Config

Signatures

joker
Joker is an Android malware that targets billing and SMS fraud.
infostealer trojan joker

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5}\StubPath = "C:\\system.exe"	0f90bb86007a525c51606f541d23f17d.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5}	0f90bb86007a525c51606f541d23f17d.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\ie.bat	0f90bb86007a525c51606f541d23f17d.exe
File created	C:\WINDOWS\SysWOW64\qx.bat	0f90bb86007a525c51606f541d23f17d.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\windows.exe	0f90bb86007a525c51606f541d23f17d.exe
File opened for modification	C:\WINDOWS\windows.exe	0f90bb86007a525c51606f541d23f17d.exe
File opened for modification	C:\WINDOWS\windows.exe	attrib.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{48BB7981-1F3F-11ED-AEA9-42FEA5F7B9B2} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Factor = "20"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 400cca234cb3d801	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Internet Explorer\DOMStorage\154.203.154.173\Total = "63"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Internet Explorer\Main	0f90bb86007a525c51606f541d23f17d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4882B641-1F3F-11ED-AEA9-42FEA5F7B9B2} = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Internet Explorer\DOMStorage\154.203.154.173\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000418f79a32b896b4fb5b03d2c02db780b0000000002000000000010660000000100002000000040213e7de955ad32e2298b838bebd2edaefd6d84ed5911a6610ecd946c963902000000000e80000000020000200000006b995584b6bc16b855c79518be8ec7715beb416a106e070f94901882279204fc200000002b2231aef58ae9aecad4863640e7c7ba832998e55e4bb2625aba3b596f54cc79400000003503f9b35ecd780456bde2ae1ab92d01324b0bf88bfac85cc6a61f45f51659ff447d552f615ec72cf05b869c5b044376183b860c93be57af74f75c35a0847549	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "126"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000418f79a32b896b4fb5b03d2c02db780b000000000200000000001066000000010000200000002d37732237a7797d30141d5e9f72e53ced89bd24da888945896d49f374d1f696000000000e80000000020000200000001b96a295865af06de95d0192ca51c43e7dd0c5e975b9ec9c40888958feab844b90000000a962f7f4d4e326bb10329544fe9b78cc7d81039d92f6bc0c8edc2cdce8befc4025d4033882de912478de1b2c9e6c788159c07a97d431ab1b55ef8f507cc7965e0884db265f5381fd7c6a3d68236725093c1c3c1b9887f90504788cad0c169f2185c69051ff54f0f51a7b988ffd636f03bd1db89b455924106e93dd46fde421a6d97e6c89d392793168a5cbef8157701240000000cb88e9cd8e4b8d3050b67b0da53131ee7e7f58f5320d9eb6a8d530cae477535241eb16b7de0be6c990336b449121711d9a24c31898aab301639e24caa0a25e55	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "367624192"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Enable = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Internet Explorer\DOMStorage\ymtuku.com\Total = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Internet Explorer\DOMStorage\154.203.154.173\ = "63"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.ymtuku.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Internet Explorer\DOMStorage\154.203.154.173	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://dhku.com"	0f90bb86007a525c51606f541d23f17d.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1632	0f90bb86007a525c51606f541d23f17d.exe
1632	0f90bb86007a525c51606f541d23f17d.exe
1632	0f90bb86007a525c51606f541d23f17d.exe
1632	0f90bb86007a525c51606f541d23f17d.exe
1632	0f90bb86007a525c51606f541d23f17d.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1520	IEXPLORE.EXE
896	iexplore.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1632	0f90bb86007a525c51606f541d23f17d.exe
1520	IEXPLORE.EXE
1520	IEXPLORE.EXE
992	IEXPLORE.EXE
992	IEXPLORE.EXE
896	iexplore.exe
896	iexplore.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1632 wrote to memory of 1520	1632	0f90bb86007a525c51606f541d23f17d.exe	27
PID 1632 wrote to memory of 1520	1632	0f90bb86007a525c51606f541d23f17d.exe	27
PID 1632 wrote to memory of 1520	1632	0f90bb86007a525c51606f541d23f17d.exe	27
PID 1632 wrote to memory of 1520	1632	0f90bb86007a525c51606f541d23f17d.exe	27
PID 1520 wrote to memory of 992	1520	IEXPLORE.EXE	29
PID 1520 wrote to memory of 992	1520	IEXPLORE.EXE	29
PID 1520 wrote to memory of 992	1520	IEXPLORE.EXE	29
PID 1520 wrote to memory of 992	1520	IEXPLORE.EXE	29
PID 1632 wrote to memory of 896	1632	0f90bb86007a525c51606f541d23f17d.exe	30
PID 1632 wrote to memory of 896	1632	0f90bb86007a525c51606f541d23f17d.exe	30
PID 1632 wrote to memory of 896	1632	0f90bb86007a525c51606f541d23f17d.exe	30
PID 1632 wrote to memory of 896	1632	0f90bb86007a525c51606f541d23f17d.exe	30
PID 1632 wrote to memory of 1908	1632	0f90bb86007a525c51606f541d23f17d.exe	31
PID 1632 wrote to memory of 1908	1632	0f90bb86007a525c51606f541d23f17d.exe	31
PID 1632 wrote to memory of 1908	1632	0f90bb86007a525c51606f541d23f17d.exe	31
PID 1632 wrote to memory of 1908	1632	0f90bb86007a525c51606f541d23f17d.exe	31
PID 1908 wrote to memory of 1420	1908	cmd.exe	33
PID 1908 wrote to memory of 1420	1908	cmd.exe	33
PID 1908 wrote to memory of 1420	1908	cmd.exe	33
PID 1908 wrote to memory of 1420	1908	cmd.exe	33
PID 1632 wrote to memory of 1900	1632	0f90bb86007a525c51606f541d23f17d.exe	34
PID 1632 wrote to memory of 1900	1632	0f90bb86007a525c51606f541d23f17d.exe	34
PID 1632 wrote to memory of 1900	1632	0f90bb86007a525c51606f541d23f17d.exe	34
PID 1632 wrote to memory of 1900	1632	0f90bb86007a525c51606f541d23f17d.exe	34
PID 1900 wrote to memory of 308	1900	cmd.exe	36
PID 1900 wrote to memory of 308	1900	cmd.exe	36
PID 1900 wrote to memory of 308	1900	cmd.exe	36
PID 1900 wrote to memory of 308	1900	cmd.exe	36
PID 1632 wrote to memory of 1516	1632	0f90bb86007a525c51606f541d23f17d.exe	37
PID 1632 wrote to memory of 1516	1632	0f90bb86007a525c51606f541d23f17d.exe	37
PID 1632 wrote to memory of 1516	1632	0f90bb86007a525c51606f541d23f17d.exe	37
PID 1632 wrote to memory of 1516	1632	0f90bb86007a525c51606f541d23f17d.exe	37
PID 1516 wrote to memory of 984	1516	cmd.exe	39
PID 1516 wrote to memory of 984	1516	cmd.exe	39
PID 1516 wrote to memory of 984	1516	cmd.exe	39
PID 1516 wrote to memory of 984	1516	cmd.exe	39
PID 1632 wrote to memory of 1928	1632	0f90bb86007a525c51606f541d23f17d.exe	40
PID 1632 wrote to memory of 1928	1632	0f90bb86007a525c51606f541d23f17d.exe	40
PID 1632 wrote to memory of 1928	1632	0f90bb86007a525c51606f541d23f17d.exe	40
PID 1632 wrote to memory of 1928	1632	0f90bb86007a525c51606f541d23f17d.exe	40
PID 1928 wrote to memory of 1740	1928	cmd.exe	42
PID 1928 wrote to memory of 1740	1928	cmd.exe	42
PID 1928 wrote to memory of 1740	1928	cmd.exe	42
PID 1928 wrote to memory of 1740	1928	cmd.exe	42
PID 1632 wrote to memory of 780	1632	0f90bb86007a525c51606f541d23f17d.exe	43
PID 1632 wrote to memory of 780	1632	0f90bb86007a525c51606f541d23f17d.exe	43
PID 1632 wrote to memory of 780	1632	0f90bb86007a525c51606f541d23f17d.exe	43
PID 1632 wrote to memory of 780	1632	0f90bb86007a525c51606f541d23f17d.exe	43
PID 780 wrote to memory of 980	780	cmd.exe	45
PID 780 wrote to memory of 980	780	cmd.exe	45
PID 780 wrote to memory of 980	780	cmd.exe	45
PID 780 wrote to memory of 980	780	cmd.exe	45
PID 1632 wrote to memory of 1108	1632	0f90bb86007a525c51606f541d23f17d.exe	46
PID 1632 wrote to memory of 1108	1632	0f90bb86007a525c51606f541d23f17d.exe	46
PID 1632 wrote to memory of 1108	1632	0f90bb86007a525c51606f541d23f17d.exe	46
PID 1632 wrote to memory of 1108	1632	0f90bb86007a525c51606f541d23f17d.exe	46
PID 1108 wrote to memory of 1984	1108	cmd.exe	48
PID 1108 wrote to memory of 1984	1108	cmd.exe	48
PID 1108 wrote to memory of 1984	1108	cmd.exe	48
PID 1108 wrote to memory of 1984	1108	cmd.exe	48
PID 1632 wrote to memory of 928	1632	0f90bb86007a525c51606f541d23f17d.exe	49
PID 1632 wrote to memory of 928	1632	0f90bb86007a525c51606f541d23f17d.exe	49
PID 1632 wrote to memory of 928	1632	0f90bb86007a525c51606f541d23f17d.exe	49
PID 1632 wrote to memory of 928	1632	0f90bb86007a525c51606f541d23f17d.exe	49

Views/modifies file attributes 1 TTPs 7 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1740	attrib.exe
980	attrib.exe
1984	attrib.exe
556	attrib.exe
1420	attrib.exe
308	attrib.exe
984	attrib.exe

C:\Users\Admin\AppData\Local\Temp\0f90bb86007a525c51606f541d23f17d.exe
"C:\Users\Admin\AppData\Local\Temp\0f90bb86007a525c51606f541d23f17d.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1632
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.212ok.com/Gbook.asp?qita
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1520
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1520 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:992
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.ymtuku.com/xg/?tan
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:896
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:896 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    PID:1640
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1908
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
    3⤵
    - Views/modifies file attributes
    PID:1420
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1900
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
    3⤵
    - Views/modifies file attributes
    PID:308
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1516
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
    3⤵
    - Views/modifies file attributes
    PID:984
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1928
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
    3⤵
    - Views/modifies file attributes
    PID:1740
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:780
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
    3⤵
    - Views/modifies file attributes
    PID:980
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +h "C:\WINDOWS\windows.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1108
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\WINDOWS\windows.exe"
    3⤵
    - Drops file in Windows directory
    - Views/modifies file attributes
    PID:1984
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +h "c:\system.exe"
  2⤵
  PID:928
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "c:\system.exe"
    3⤵
    - Views/modifies file attributes
    PID:556

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{4882B641-1F3F-11ED-AEA9-42FEA5F7B9B2}.dat

Filesize
5KB

MD5
a9cd30560b17cb1a32c181802a9b9c78

SHA1
80b200d285b72405b7451d91891e7bc3ca434363

SHA256
a0e17fe449337f261f67d05677db1d81e37b0790c0e70fd9c3c22c7d9c936884

SHA512
ad4272bd255391a4e18956e9334668c162969652fa721e4e0b0facbcbca78b23b69cc8440763f0121a919a5b3f6c2685d2862896a2c99a0ed0a340e1aca75aca

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\P44W3GZ1.txt

Filesize
601B

MD5
7638f3db255bddfbb3f44803c8abbd5f

SHA1
563ce95daf4044e49df5b3b45dd4c16f4900e5cd

SHA256
4d9bdc6c68eba2c94910a84c8ffff87a8ad106cdb6a3f0db16d93b266203c5b3

SHA512
f1f7b35742a8a1cf493747590cf83f8af6b95e73ac9ce775fa47a7246dafc9643a73e16e3268b6a87ea2d64b32bce39881d35f57439c6e63aa41d3d9a8d21392

Download Submit
C:\WINDOWS\windows.exe

Filesize
124KB

MD5
950711eeba44407c6492f34bad416ebc

SHA1
d08fd3210cb599cbd91dbd737a61c7040dfc4358

SHA256
4f688c259da881dd1e39c95b3e0e63194d04b9369dc84eb05aab9b1015fc5259

SHA512
bd1e4dad451f558ab3b9528764136bad36053614d7577fa311852162b496175588ab466a3228a79c830da9dc46fa374978f06a7e3ea8dd4ba5512aec724a341b

Download Submit
C:\system.exe

Filesize
124KB

MD5
08cc0bbc85178666876594a1e9a44959

SHA1
cdf8c6f694872515d3e3c59f2e5ec836e3d290af

SHA256
887660222854ce3b2ad9559e5bd583726a80304559387fadfa6ff04e071d9386

SHA512
2b7663dfbb28db0e985bebf2a68f8f8a3260d563f42f9fd601e77c95e9a1d654f71a8d4d8a03cd3c8edbff0ab3d481d74a9b4a34ea4d54ddc0edeca98bdcf87d

Download Submit
memory/1632-56-0x00000000751B1000-0x00000000751B3000-memory.dmp

Filesize
8KB

Download