joker | 01f95e3eacbfef97fd73836f0cc2702dff49fc1da1283afb02231586064e6967

Analysis

max time kernel
145s
max time network
150s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
08/09/2022, 19:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ece507d87a5b2732818a270942864957.exe
Size

124KB
MD5

ece507d87a5b2732818a270942864957
SHA1

4fc0c57622b928125b55dcaaba92d966f9703789
SHA256

01f95e3eacbfef97fd73836f0cc2702dff49fc1da1283afb02231586064e6967
SHA512

e28d3aa2dc16624d0b8f2572eddcb6283b9d48bd0e8f3fc68711ede45226721029891bdbf6006cfb69bb5826a300a6691691b094db54fc25f2dd9bfec4a6b26f
SSDEEP

3072:g1i/NU8bOMYcYYcmy5cU+gTn6HOjDhWrzvvQwlgOks5YmMOMYcYY51i/NU8F:Oi/NjO5YBgegD0PHzSv3Oai/NN

Score

10^/10

joker infostealer persistence trojan

Malware Config

Signatures

joker
Joker is an Android malware that targets billing and SMS fraud.
infostealer trojan joker

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5}	ece507d87a5b2732818a270942864957.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5}\StubPath = "C:\\system.exe"	ece507d87a5b2732818a270942864957.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\ie.bat	ece507d87a5b2732818a270942864957.exe
File created	C:\WINDOWS\SysWOW64\qx.bat	ece507d87a5b2732818a270942864957.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\windows.exe	ece507d87a5b2732818a270942864957.exe
File opened for modification	C:\WINDOWS\windows.exe	ece507d87a5b2732818a270942864957.exe
File opened for modification	C:\WINDOWS\windows.exe	attrib.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\154.203.154.173\Total = "63"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\ymtuku.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Enable = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Factor = "20"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "369438895"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000062e6ef0d45f4454ab79548c962d74cdf000000000200000000001066000000010000200000005ed458c977be0f3f9e91a37a0a1fe08adc97855386560e61d8fc43483ae333b6000000000e8000000002000020000000adfbd71821ec9bd2296d8554727bfcb615c379b70c2357f18b4a56a85cc9ba5690000000bf46e0882821c77fd747108120f159fb585a73cca7689db1f56b8f9abe84172b1ada431a4e3097bcbbfb1f580b05b3007f36e4b3ed686fd252fa5d1075c36b96c47fe732ae9499f85c852bfcd4bdc9d176dafedfb78c1def7fc8a09bc914d22d513a0838d28ef4db2aa154fce9e49d193d751278acd5d093ec31e6c6767c2543b7d6a61ca2ea0035ec40baf53e4ce63e40000000a2320b6a14a7ac65170f87853283c6d1638502d2e3d536bfff7c951a8936b29e38efce104478d7fbcac4686ff43e5fd2693662a6b221a338e3d332ab267c7a5e	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{769D25B1-2FC0-11ED-9AD4-7A3897842414} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\ymtuku.com\Total = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\154.203.154.173\ = "63"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\International\CpMRU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\154.203.154.173	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\ymtuku.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\154.203.154.173\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "126"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	ece507d87a5b2732818a270942864957.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "63"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.ymtuku.com	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0180e51cdc3d801	IEXPLORE.EXE

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://dhku.com"	ece507d87a5b2732818a270942864957.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1788	ece507d87a5b2732818a270942864957.exe
1788	ece507d87a5b2732818a270942864957.exe
1788	ece507d87a5b2732818a270942864957.exe
1788	ece507d87a5b2732818a270942864957.exe
1788	ece507d87a5b2732818a270942864957.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1780	IEXPLORE.EXE
1996	iexplore.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
1788	ece507d87a5b2732818a270942864957.exe
1780	IEXPLORE.EXE
1780	IEXPLORE.EXE
2020	IEXPLORE.EXE
2020	IEXPLORE.EXE
1996	iexplore.exe
1996	iexplore.exe
2004	IEXPLORE.EXE
2004	IEXPLORE.EXE
2004	IEXPLORE.EXE
2004	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1788 wrote to memory of 1780	1788	ece507d87a5b2732818a270942864957.exe	28
PID 1788 wrote to memory of 1780	1788	ece507d87a5b2732818a270942864957.exe	28
PID 1788 wrote to memory of 1780	1788	ece507d87a5b2732818a270942864957.exe	28
PID 1788 wrote to memory of 1780	1788	ece507d87a5b2732818a270942864957.exe	28
PID 1780 wrote to memory of 2020	1780	IEXPLORE.EXE	30
PID 1780 wrote to memory of 2020	1780	IEXPLORE.EXE	30
PID 1780 wrote to memory of 2020	1780	IEXPLORE.EXE	30
PID 1780 wrote to memory of 2020	1780	IEXPLORE.EXE	30
PID 1788 wrote to memory of 1996	1788	ece507d87a5b2732818a270942864957.exe	31
PID 1788 wrote to memory of 1996	1788	ece507d87a5b2732818a270942864957.exe	31
PID 1788 wrote to memory of 1996	1788	ece507d87a5b2732818a270942864957.exe	31
PID 1788 wrote to memory of 1996	1788	ece507d87a5b2732818a270942864957.exe	31
PID 1788 wrote to memory of 776	1788	ece507d87a5b2732818a270942864957.exe	32
PID 1788 wrote to memory of 776	1788	ece507d87a5b2732818a270942864957.exe	32
PID 1788 wrote to memory of 776	1788	ece507d87a5b2732818a270942864957.exe	32
PID 1788 wrote to memory of 776	1788	ece507d87a5b2732818a270942864957.exe	32
PID 776 wrote to memory of 876	776	cmd.exe	34
PID 776 wrote to memory of 876	776	cmd.exe	34
PID 776 wrote to memory of 876	776	cmd.exe	34
PID 776 wrote to memory of 876	776	cmd.exe	34
PID 1788 wrote to memory of 1348	1788	ece507d87a5b2732818a270942864957.exe	35
PID 1788 wrote to memory of 1348	1788	ece507d87a5b2732818a270942864957.exe	35
PID 1788 wrote to memory of 1348	1788	ece507d87a5b2732818a270942864957.exe	35
PID 1788 wrote to memory of 1348	1788	ece507d87a5b2732818a270942864957.exe	35
PID 1348 wrote to memory of 1320	1348	cmd.exe	37
PID 1348 wrote to memory of 1320	1348	cmd.exe	37
PID 1348 wrote to memory of 1320	1348	cmd.exe	37
PID 1348 wrote to memory of 1320	1348	cmd.exe	37
PID 1788 wrote to memory of 824	1788	ece507d87a5b2732818a270942864957.exe	38
PID 1788 wrote to memory of 824	1788	ece507d87a5b2732818a270942864957.exe	38
PID 1788 wrote to memory of 824	1788	ece507d87a5b2732818a270942864957.exe	38
PID 1788 wrote to memory of 824	1788	ece507d87a5b2732818a270942864957.exe	38
PID 824 wrote to memory of 1796	824	cmd.exe	40
PID 824 wrote to memory of 1796	824	cmd.exe	40
PID 824 wrote to memory of 1796	824	cmd.exe	40
PID 824 wrote to memory of 1796	824	cmd.exe	40
PID 1788 wrote to memory of 1488	1788	ece507d87a5b2732818a270942864957.exe	41
PID 1788 wrote to memory of 1488	1788	ece507d87a5b2732818a270942864957.exe	41
PID 1788 wrote to memory of 1488	1788	ece507d87a5b2732818a270942864957.exe	41
PID 1788 wrote to memory of 1488	1788	ece507d87a5b2732818a270942864957.exe	41
PID 1488 wrote to memory of 1872	1488	cmd.exe	43
PID 1488 wrote to memory of 1872	1488	cmd.exe	43
PID 1488 wrote to memory of 1872	1488	cmd.exe	43
PID 1488 wrote to memory of 1872	1488	cmd.exe	43
PID 1788 wrote to memory of 1496	1788	ece507d87a5b2732818a270942864957.exe	44
PID 1788 wrote to memory of 1496	1788	ece507d87a5b2732818a270942864957.exe	44
PID 1788 wrote to memory of 1496	1788	ece507d87a5b2732818a270942864957.exe	44
PID 1788 wrote to memory of 1496	1788	ece507d87a5b2732818a270942864957.exe	44
PID 1496 wrote to memory of 1100	1496	cmd.exe	46
PID 1496 wrote to memory of 1100	1496	cmd.exe	46
PID 1496 wrote to memory of 1100	1496	cmd.exe	46
PID 1496 wrote to memory of 1100	1496	cmd.exe	46
PID 1788 wrote to memory of 2000	1788	ece507d87a5b2732818a270942864957.exe	47
PID 1788 wrote to memory of 2000	1788	ece507d87a5b2732818a270942864957.exe	47
PID 1788 wrote to memory of 2000	1788	ece507d87a5b2732818a270942864957.exe	47
PID 1788 wrote to memory of 2000	1788	ece507d87a5b2732818a270942864957.exe	47
PID 2000 wrote to memory of 1120	2000	cmd.exe	49
PID 2000 wrote to memory of 1120	2000	cmd.exe	49
PID 2000 wrote to memory of 1120	2000	cmd.exe	49
PID 2000 wrote to memory of 1120	2000	cmd.exe	49
PID 1788 wrote to memory of 632	1788	ece507d87a5b2732818a270942864957.exe	50
PID 1788 wrote to memory of 632	1788	ece507d87a5b2732818a270942864957.exe	50
PID 1788 wrote to memory of 632	1788	ece507d87a5b2732818a270942864957.exe	50
PID 1788 wrote to memory of 632	1788	ece507d87a5b2732818a270942864957.exe	50

Views/modifies file attributes 1 TTPs 7 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
876	attrib.exe
1320	attrib.exe
1796	attrib.exe
1872	attrib.exe
1100	attrib.exe
1120	attrib.exe
1484	attrib.exe

C:\Users\Admin\AppData\Local\Temp\ece507d87a5b2732818a270942864957.exe
"C:\Users\Admin\AppData\Local\Temp\ece507d87a5b2732818a270942864957.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1788
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.212ok.com/Gbook.asp?qita
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1780
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1780 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2020
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.ymtuku.com/xg/?tan
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:1996
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1996 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2004
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:776
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
    3⤵
    - Views/modifies file attributes
    PID:876
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1348
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
    3⤵
    - Views/modifies file attributes
    PID:1320
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:824
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
    3⤵
    - Views/modifies file attributes
    PID:1796
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1488
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
    3⤵
    - Views/modifies file attributes
    PID:1872
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1496
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
    3⤵
    - Views/modifies file attributes
    PID:1100
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +h "C:\WINDOWS\windows.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2000
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\WINDOWS\windows.exe"
    3⤵
    - Drops file in Windows directory
    - Views/modifies file attributes
    PID:1120
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +h "c:\system.exe"
  2⤵
  PID:632
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "c:\system.exe"
    3⤵
    - Views/modifies file attributes
    PID:1484

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
60KB

MD5
6c6a24456559f305308cb1fb6c5486b3

SHA1
3273ac27d78572f16c3316732b9756ebc22cb6ed

SHA256
efc3c579bd619ceab040c4b8c1b821b2d82c64fddd9e80a00ec0d7f6577ed973

SHA512
587d4a9175a6aa82cd8bb1c11ca6508f95cd218f76ac322ddbd1bc7146a0e25f8937ee426a6fb0fb0bb045cedb24d8c8a9edfe9f654112f293d8701220f726b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
93fa2bcfb16847b478289ffab7813417

SHA1
2873647a323fbc64019f2ba43d56fb113583e494

SHA256
fa0180d279d491435f3d76e5098ed857a2a28501cdf4e11009ffccda7a0b4c49

SHA512
7c8f83e4037067c008c61270e12c4e01bc082dc627c33c3dd37eb65baf7ad626bc418c7e1c340432e28ce15105c536c09632893ac87fdb35b7c1812db31bf613

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{769D25B1-2FC0-11ED-9AD4-7A3897842414}.dat

Filesize
5KB

MD5
bcb5ba7c6e1f6d9d1c9d56ae8edcc825

SHA1
2cb0afdc98344eb2161ab3cdd47f9adc641bc301

SHA256
b568dadf673621209e5350e89cd863a8a60f1d29b924f63f9d19102ad0099d87

SHA512
eda8550f792d8d400b39e7e061b9ca503d3cc6f1af346794ea68adebde63ae8d109399e3a39aa6167aa955c5f8b6f30007126cdc6df9b0782d82ca275ab0d79f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\lwrmjt1\imagestore.dat

Filesize
5KB

MD5
e2e612a75a7c47ab342cc89518f1f896

SHA1
edcef0c5bb6c7ae3523fdf2209e96abda3c65341

SHA256
b0fd022b0cc26404b689c7f64428d7f07adbe7faca850aedcfcda5828b351183

SHA512
5f99670caa87a5ca091ab1ea0b695ad36fb515ba5051c8a3608f9cd5656031ed097182700210f2ae5e7db82bb2cc1d148d8c9175bac0e477de84d53595d8fd1d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\HE7CZEND.txt

Filesize
603B

MD5
c5a1ddb9a2a6265e0d68f9c0535ca8d0

SHA1
9d007b260c691498672482531ad92382f1ec95f6

SHA256
18e3c8e8c3ea9ada0fbd79ba059c35d73e40ff2ef51bc80ae45d19653a8b4068

SHA512
dc9a6fed82afcb0e3a1429ae648ba83f3e4c56cf0b888bc04ab73ae4c6ebdd1ba6f10d13b0cb29e1393b6a0f8f44078b8bc01653737d45733ac3069a276e4aa0

Download Submit
C:\WINDOWS\windows.exe

Filesize
124KB

MD5
b1a57492cf58ff703d03956d38e7c4ce

SHA1
fc8d40cd3bd8e7ddb939c08bdfe9b2c0fbbd2f18

SHA256
e7d6089f835684b2d0a2e040732733a5ac0e19934dde5fd6a0951a6edacf2a1e

SHA512
7c418922b5d7dc2a1ea9e034733c3fb32070c65b745b313c12f27c5ed671ecc8ea145cdfe261fa08ac57e1a68d0eda4e4b3321f83b2a596e93dec2d822409d5e

Download Submit
C:\system.exe

Filesize
124KB

MD5
80f7ce8031b146b0725cd92fc4cf3314

SHA1
35e345f28c9f1417e63f5fff2b5083b33bfe55ad

SHA256
81c79e5e2d5f63259303af71407990c8b65129e5f21ea93cd315f43311356437

SHA512
4a0d9b080377ecdff7f637b472efa8ad1e12ae740fbc38c26c01412e33ab25743fd7486781aa7cf95f1c49392b86042b295b7ad7129c9466ba0eb49348a925f5

Download Submit
memory/1788-56-0x0000000076321000-0x0000000076323000-memory.dmp

Filesize
8KB

Download