joker | 58c20fd4e759e5a84d47b228e5cf79294353f85e57c04dcd084094aa652031cc

Analysis

max time kernel
146s
max time network
149s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
08-09-2022 19:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a3d66f17b4a16e1f4f25eed726cd924f.exe
Size

129KB
MD5

a3d66f17b4a16e1f4f25eed726cd924f
SHA1

73ad93e787449188ad86abca391fbafcdbdd0f13
SHA256

58c20fd4e759e5a84d47b228e5cf79294353f85e57c04dcd084094aa652031cc
SHA512

59ef26dbe07d2891a99619ca557aace9a4527b3d52bc15f34a305e870b6bbfffdfb1514249321f54cb5d4373aa211cce9fad10f5586296cac3b8d8f9e3c67219
SSDEEP

3072:X1i/NU8bOMYcYYcmy51VRgiFCpCIXUWOLTsEsigcL3P6xxc1gs5YmMOMYcYY51i/:li/NjO5xbg/CSUFLTwMjs6y3Oai/NDt

Score

10^/10

joker infostealer persistence trojan

Malware Config

Signatures

joker
Joker is an Android malware that targets billing and SMS fraud.
infostealer trojan joker

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5}\StubPath = "C:\\system.exe"	a3d66f17b4a16e1f4f25eed726cd924f.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5}	a3d66f17b4a16e1f4f25eed726cd924f.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\ie.bat	a3d66f17b4a16e1f4f25eed726cd924f.exe
File created	C:\WINDOWS\SysWOW64\qx.bat	a3d66f17b4a16e1f4f25eed726cd924f.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\windows.exe	a3d66f17b4a16e1f4f25eed726cd924f.exe
File opened for modification	C:\WINDOWS\windows.exe	a3d66f17b4a16e1f4f25eed726cd924f.exe
File opened for modification	C:\WINDOWS\windows.exe	attrib.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 55 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\ymtuku.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\154.203.154.173\Total = "63"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Factor = "20"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	a3d66f17b4a16e1f4f25eed726cd924f.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "126"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e0f3d159765a7f43b6bf060b4b70c9a300000000020000000000106600000001000020000000d64ef90e4fe2df407ee80a8ddc461df66207c27ec5ca3056201e1267ef52d4e1000000000e800000000200002000000086194babfe11898a3e82c5adfe4c5c048e1d0b0c78baa8f257ff4bf49a4d667790000000d5e8345fa35c5e2934625c582fda8602d8f38685d69a694123a258aa15eda84d39a3fd855f41a560cf153c988f8b4a555333e29a8f3573d4b4e1287f3058b0fcaf6d382b9d0d483721d90d9352b2f4b5d9df1addd81fc0da923430e8a877f4a13df73ac0eea97dc9ed555e8cc779c7620a1fac098819b175de56417c0e0b7e738089835f87a9aa954186546836d9a0f3400000006c5278ef23902968851d958cb9b3eb4b83346faa65c8f9ba662b058186603a11b8c9bf024a3c2946b49ffb247365aecb0996c8156195ea2642c09391e6c444f7	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\154.203.154.173\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40a1c721cec3d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\ymtuku.com\Total = "63"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3BD96551-2FC1-11ED-A6E1-52E8C5FCC7C7} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\International\CpMRU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\154.203.154.173\ = "63"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Enable = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.ymtuku.com\ = "63"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\154.203.154.173	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e0f3d159765a7f43b6bf060b4b70c9a3000000000200000000001066000000010000200000004da5506500428a256e366fc9905c4fd36129bd7e2bcf5cfa08a3d02187326c19000000000e8000000002000020000000dce92fd328c26380fe454c19aac3b77247bc92df667dd09637e5d2ad64240d5920000000c9bd03915102ec7763155a354ca1c0975072d5042c73bcad0b2ccff70e3c81694000000014cfdf308d2057bd42998452523c884d423125a9d197b836f213809f7d4e1688e3403fdd7bdff308b6c7dbb6a4623dc3076da0ae2b99825384fa2998fec68b3f	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\ymtuku.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.ymtuku.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "369439225"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://dhku.com"	a3d66f17b4a16e1f4f25eed726cd924f.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1208	a3d66f17b4a16e1f4f25eed726cd924f.exe
1208	a3d66f17b4a16e1f4f25eed726cd924f.exe
1208	a3d66f17b4a16e1f4f25eed726cd924f.exe
1208	a3d66f17b4a16e1f4f25eed726cd924f.exe
1208	a3d66f17b4a16e1f4f25eed726cd924f.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
896	iexplore.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1208	a3d66f17b4a16e1f4f25eed726cd924f.exe
896	iexplore.exe
896	iexplore.exe
1984	IEXPLORE.EXE
1984	IEXPLORE.EXE
1984	IEXPLORE.EXE
1984	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1208 wrote to memory of 896	1208	a3d66f17b4a16e1f4f25eed726cd924f.exe	27
PID 1208 wrote to memory of 896	1208	a3d66f17b4a16e1f4f25eed726cd924f.exe	27
PID 1208 wrote to memory of 896	1208	a3d66f17b4a16e1f4f25eed726cd924f.exe	27
PID 1208 wrote to memory of 896	1208	a3d66f17b4a16e1f4f25eed726cd924f.exe	27
PID 896 wrote to memory of 1984	896	iexplore.exe	29
PID 896 wrote to memory of 1984	896	iexplore.exe	29
PID 896 wrote to memory of 1984	896	iexplore.exe	29
PID 896 wrote to memory of 1984	896	iexplore.exe	29
PID 1208 wrote to memory of 472	1208	a3d66f17b4a16e1f4f25eed726cd924f.exe	30
PID 1208 wrote to memory of 472	1208	a3d66f17b4a16e1f4f25eed726cd924f.exe	30
PID 1208 wrote to memory of 472	1208	a3d66f17b4a16e1f4f25eed726cd924f.exe	30
PID 1208 wrote to memory of 472	1208	a3d66f17b4a16e1f4f25eed726cd924f.exe	30
PID 472 wrote to memory of 1120	472	cmd.exe	32
PID 472 wrote to memory of 1120	472	cmd.exe	32
PID 472 wrote to memory of 1120	472	cmd.exe	32
PID 472 wrote to memory of 1120	472	cmd.exe	32
PID 1208 wrote to memory of 1712	1208	a3d66f17b4a16e1f4f25eed726cd924f.exe	33
PID 1208 wrote to memory of 1712	1208	a3d66f17b4a16e1f4f25eed726cd924f.exe	33
PID 1208 wrote to memory of 1712	1208	a3d66f17b4a16e1f4f25eed726cd924f.exe	33
PID 1208 wrote to memory of 1712	1208	a3d66f17b4a16e1f4f25eed726cd924f.exe	33
PID 1712 wrote to memory of 1816	1712	cmd.exe	35
PID 1712 wrote to memory of 1816	1712	cmd.exe	35
PID 1712 wrote to memory of 1816	1712	cmd.exe	35
PID 1712 wrote to memory of 1816	1712	cmd.exe	35
PID 1208 wrote to memory of 324	1208	a3d66f17b4a16e1f4f25eed726cd924f.exe	36
PID 1208 wrote to memory of 324	1208	a3d66f17b4a16e1f4f25eed726cd924f.exe	36
PID 1208 wrote to memory of 324	1208	a3d66f17b4a16e1f4f25eed726cd924f.exe	36
PID 1208 wrote to memory of 324	1208	a3d66f17b4a16e1f4f25eed726cd924f.exe	36
PID 324 wrote to memory of 340	324	cmd.exe	38
PID 324 wrote to memory of 340	324	cmd.exe	38
PID 324 wrote to memory of 340	324	cmd.exe	38
PID 324 wrote to memory of 340	324	cmd.exe	38
PID 1208 wrote to memory of 1540	1208	a3d66f17b4a16e1f4f25eed726cd924f.exe	39
PID 1208 wrote to memory of 1540	1208	a3d66f17b4a16e1f4f25eed726cd924f.exe	39
PID 1208 wrote to memory of 1540	1208	a3d66f17b4a16e1f4f25eed726cd924f.exe	39
PID 1208 wrote to memory of 1540	1208	a3d66f17b4a16e1f4f25eed726cd924f.exe	39
PID 1540 wrote to memory of 1724	1540	cmd.exe	41
PID 1540 wrote to memory of 1724	1540	cmd.exe	41
PID 1540 wrote to memory of 1724	1540	cmd.exe	41
PID 1540 wrote to memory of 1724	1540	cmd.exe	41
PID 1208 wrote to memory of 784	1208	a3d66f17b4a16e1f4f25eed726cd924f.exe	42
PID 1208 wrote to memory of 784	1208	a3d66f17b4a16e1f4f25eed726cd924f.exe	42
PID 1208 wrote to memory of 784	1208	a3d66f17b4a16e1f4f25eed726cd924f.exe	42
PID 1208 wrote to memory of 784	1208	a3d66f17b4a16e1f4f25eed726cd924f.exe	42
PID 784 wrote to memory of 616	784	cmd.exe	44
PID 784 wrote to memory of 616	784	cmd.exe	44
PID 784 wrote to memory of 616	784	cmd.exe	44
PID 784 wrote to memory of 616	784	cmd.exe	44
PID 1208 wrote to memory of 436	1208	a3d66f17b4a16e1f4f25eed726cd924f.exe	45
PID 1208 wrote to memory of 436	1208	a3d66f17b4a16e1f4f25eed726cd924f.exe	45
PID 1208 wrote to memory of 436	1208	a3d66f17b4a16e1f4f25eed726cd924f.exe	45
PID 1208 wrote to memory of 436	1208	a3d66f17b4a16e1f4f25eed726cd924f.exe	45
PID 436 wrote to memory of 1308	436	cmd.exe	47
PID 436 wrote to memory of 1308	436	cmd.exe	47
PID 436 wrote to memory of 1308	436	cmd.exe	47
PID 436 wrote to memory of 1308	436	cmd.exe	47
PID 1208 wrote to memory of 1564	1208	a3d66f17b4a16e1f4f25eed726cd924f.exe	48
PID 1208 wrote to memory of 1564	1208	a3d66f17b4a16e1f4f25eed726cd924f.exe	48
PID 1208 wrote to memory of 1564	1208	a3d66f17b4a16e1f4f25eed726cd924f.exe	48
PID 1208 wrote to memory of 1564	1208	a3d66f17b4a16e1f4f25eed726cd924f.exe	48
PID 1564 wrote to memory of 1960	1564	cmd.exe	50
PID 1564 wrote to memory of 1960	1564	cmd.exe	50
PID 1564 wrote to memory of 1960	1564	cmd.exe	50
PID 1564 wrote to memory of 1960	1564	cmd.exe	50

Views/modifies file attributes 1 TTPs 7 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1120	attrib.exe
1816	attrib.exe
340	attrib.exe
1724	attrib.exe
616	attrib.exe
1308	attrib.exe
1960	attrib.exe

C:\Users\Admin\AppData\Local\Temp\a3d66f17b4a16e1f4f25eed726cd924f.exe
"C:\Users\Admin\AppData\Local\Temp\a3d66f17b4a16e1f4f25eed726cd924f.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1208
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.ymtuku.com/xg/?tan
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:896
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:896 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1984
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:472
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
    3⤵
    - Views/modifies file attributes
    PID:1120
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1712
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
    3⤵
    - Views/modifies file attributes
    PID:1816
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:324
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
    3⤵
    - Views/modifies file attributes
    PID:340
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1540
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
    3⤵
    - Views/modifies file attributes
    PID:1724
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:784
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
    3⤵
    - Views/modifies file attributes
    PID:616
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +h "C:\WINDOWS\windows.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:436
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\WINDOWS\windows.exe"
    3⤵
    - Drops file in Windows directory
    - Views/modifies file attributes
    PID:1308
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +h "c:\system.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1564
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "c:\system.exe"
    3⤵
    - Views/modifies file attributes
    PID:1960

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
60KB

MD5
6c6a24456559f305308cb1fb6c5486b3

SHA1
3273ac27d78572f16c3316732b9756ebc22cb6ed

SHA256
efc3c579bd619ceab040c4b8c1b821b2d82c64fddd9e80a00ec0d7f6577ed973

SHA512
587d4a9175a6aa82cd8bb1c11ca6508f95cd218f76ac322ddbd1bc7146a0e25f8937ee426a6fb0fb0bb045cedb24d8c8a9edfe9f654112f293d8701220f726b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
72ee7f012d7e154a3e0d086ca9936095

SHA1
fc3773c8739acddef50ab754ca0370c6c6ce47d0

SHA256
b78eaeeaec717d3809ad9262ff8e19955cae041fb8c87a2d44d85a239cdb661b

SHA512
fd330d0eba25b2aca6d5803c248091f3c1136ab5afd581fedd6c560dad5abd89a81b9097cd4ab2e4d3b8c330c6644230ecc1dc249cafbf06279e3419ddd78ac2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\tcz8fqz\imagestore.dat

Filesize
5KB

MD5
1fbc7eabd64a0a0d63018ddadf0355a8

SHA1
2b86b90cc14fc9e2de430e5b12e9e811d8c262b0

SHA256
92b57c7ade78f89b7c49e191c18b24099132b276c5a8f689a073f6f17591bb5a

SHA512
fc36794ff9175128851991eb56346807cbb6c70bcac3ac5bfe787718d916516daa6520bc4f33c2ee6dacdcabb68d1aa6330ab2d47f3d5793596f02e448e96c95

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\1R6W9LTM.txt

Filesize
603B

MD5
01b218cb7daddfc62b8dc417759dc93f

SHA1
8e726846944ba51505fd558509e9813ec7a5ccad

SHA256
2db87cfd655a17f65d461d2a3fc1aaaffd8f843a51a282a880460ba55bf99df7

SHA512
08df97d821815f5aa6dec840f434b0615367eee50d0c94ed70ffe24e267b221db1f1467c14bf602f5660ef1a90a8bd91ed4c64fc150019ef9fa16ed780d22628

Download Submit
C:\WINDOWS\windows.exe

Filesize
129KB

MD5
2b5f605b08f3ee50688ce70e4720cddf

SHA1
3d07303ac236e6d923b0e6af619131e30c96a26e

SHA256
8642b712cf0836b35fac16a118296e55a822d475be156146b8270374fae7e983

SHA512
06b5a3d35fb1e148a4e21dd61c34aa62377f4db4a311600458df8e620ec1a661e6cdd373f7502ff555b20e1c556e6022002093c49a2398d8b517a4bfd54a08a4

Download Submit
C:\system.exe

Filesize
129KB

MD5
28fa77efd29d6afd9ca0cd757fbb60e9

SHA1
72cda01231b05212428662228f9059714ec86a33

SHA256
04cf854c99662dd91f25da14d7f8efe1a1c6135974bda1c62482d03c84f91c0e

SHA512
8ab8e002d233d91e54eeca432d4652bdf872d79362d1db749457de60defd48a3a0b792a70af6eaa5b0bf571ddd6f6ea9f47c05a938dc8fef13f197e998ccb47b

Download Submit
memory/1208-56-0x0000000075D01000-0x0000000075D03000-memory.dmp

Filesize
8KB

Download