joker | 8463e6aa7209ff76d4d5d4fca1909bca0645321cd4663b2d335c820bde2c64f7

Analysis

max time kernel
152s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2022 00:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8463e6aa7209ff76d4d5d4fca1909bca0645321cd4663b2d335c820bde2c64f7.exe
Size

54KB
MD5

4d734606f4dbada669170fcb6d263f4f
SHA1

14e715a9efa0e9bcbcbaa7a06d35dc87ffa3c82b
SHA256

8463e6aa7209ff76d4d5d4fca1909bca0645321cd4663b2d335c820bde2c64f7
SHA512

4b44a91717334d49bd244d360cadbee064ebff08772bc96b1b76d2b782e66ee935e7c9ed8801b1ee2dd3ecebdcf6f268cc3710e50a3043d85738a37698ab11ea
SSDEEP

1536:ubC0VUv2FU9hP51w5YgUZM4gf8fLllccIL:u4R9Z51w5YgSM48eocIL

Score

10^/10

joker evasion infostealer persistence trojan

Malware Config

Signatures

joker
Joker is an Android malware that targets billing and SMS fraud.
infostealer trojan joker

Executes dropped EXE 1 IoCs

pid	Process
2376	inl339.tmp

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1158

pid	Process
3724	attrib.exe
4880	attrib.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	8463e6aa7209ff76d4d5d4fca1909bca0645321cd4663b2d335c820bde2c64f7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	inl339.tmp

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\hsdfasd = "\"C:\\Users\\Admin\\AppData\\Roaming\\redload\\tmp.\\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}\" hh.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	rundll32.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~1\INTERN~1\ieframe.dll	cmd.exe
File opened for modification	C:\PROGRA~1\INTERN~1\ieframe.dll	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe

Modifies Internet Explorer settings 1 TTPs 50 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30985166"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2700787657"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\henniu428.site\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.henniu428.site\ = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2700787657"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\International\CpMRU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Enable = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\DOMStorage\cnkankan.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\cnkankan.com\Total = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2780006449"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\cnkankan.com\Total = "126"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\DOMStorage\henniu428.site	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30985166"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Factor = "20"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "126"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.cnkankan.com\ = "126"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\cnkankan.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.cnkankan.com\ = "63"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\cnkankan.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.cnkankan.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{CB220C8C-37C1-11ED-AECB-5EAE84113378} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\henniu428.site\Total = "63"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30985166"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "189"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.henniu428.site	IEXPLORE.EXE

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://www.82133.com/?S"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.82133.com/?S"	reg.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\IsShortCut	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command\ = "wscript -e:vbs \"C:\\Users\\Admin\\AppData\\Roaming\\redload\\3.bat\""	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)	reg.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2732	8463e6aa7209ff76d4d5d4fca1909bca0645321cd4663b2d335c820bde2c64f7.exe
Token: SeIncBasePriorityPrivilege	2376	inl339.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4452	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4452	iexplore.exe
4452	iexplore.exe
648	IEXPLORE.EXE
648	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 59 IoCs

description	pid	Process	procid_target
PID 2732 wrote to memory of 3568	2732	8463e6aa7209ff76d4d5d4fca1909bca0645321cd4663b2d335c820bde2c64f7.exe	76
PID 2732 wrote to memory of 3568	2732	8463e6aa7209ff76d4d5d4fca1909bca0645321cd4663b2d335c820bde2c64f7.exe	76
PID 2732 wrote to memory of 3568	2732	8463e6aa7209ff76d4d5d4fca1909bca0645321cd4663b2d335c820bde2c64f7.exe	76
PID 3568 wrote to memory of 1864	3568	cmd.exe	78
PID 3568 wrote to memory of 1864	3568	cmd.exe	78
PID 3568 wrote to memory of 1864	3568	cmd.exe	78
PID 1864 wrote to memory of 4452	1864	cmd.exe	80
PID 1864 wrote to memory of 4452	1864	cmd.exe	80
PID 1864 wrote to memory of 8	1864	cmd.exe	81
PID 1864 wrote to memory of 8	1864	cmd.exe	81
PID 1864 wrote to memory of 8	1864	cmd.exe	81
PID 1864 wrote to memory of 2288	1864	cmd.exe	82
PID 1864 wrote to memory of 2288	1864	cmd.exe	82
PID 1864 wrote to memory of 2288	1864	cmd.exe	82
PID 2288 wrote to memory of 4172	2288	cmd.exe	84
PID 2288 wrote to memory of 4172	2288	cmd.exe	84
PID 2288 wrote to memory of 4172	2288	cmd.exe	84
PID 2288 wrote to memory of 1500	2288	cmd.exe	85
PID 2288 wrote to memory of 1500	2288	cmd.exe	85
PID 2288 wrote to memory of 1500	2288	cmd.exe	85
PID 2288 wrote to memory of 408	2288	cmd.exe	86
PID 2288 wrote to memory of 408	2288	cmd.exe	86
PID 2288 wrote to memory of 408	2288	cmd.exe	86
PID 2288 wrote to memory of 3588	2288	cmd.exe	87
PID 2288 wrote to memory of 3588	2288	cmd.exe	87
PID 2288 wrote to memory of 3588	2288	cmd.exe	87
PID 2288 wrote to memory of 2236	2288	cmd.exe	88
PID 2288 wrote to memory of 2236	2288	cmd.exe	88
PID 2288 wrote to memory of 2236	2288	cmd.exe	88
PID 2288 wrote to memory of 3724	2288	cmd.exe	89
PID 2288 wrote to memory of 3724	2288	cmd.exe	89
PID 2288 wrote to memory of 3724	2288	cmd.exe	89
PID 2732 wrote to memory of 2376	2732	8463e6aa7209ff76d4d5d4fca1909bca0645321cd4663b2d335c820bde2c64f7.exe	90
PID 2732 wrote to memory of 2376	2732	8463e6aa7209ff76d4d5d4fca1909bca0645321cd4663b2d335c820bde2c64f7.exe	90
PID 2732 wrote to memory of 2376	2732	8463e6aa7209ff76d4d5d4fca1909bca0645321cd4663b2d335c820bde2c64f7.exe	90
PID 2288 wrote to memory of 4880	2288	cmd.exe	91
PID 2288 wrote to memory of 4880	2288	cmd.exe	91
PID 2288 wrote to memory of 4880	2288	cmd.exe	91
PID 2288 wrote to memory of 4788	2288	cmd.exe	92
PID 2288 wrote to memory of 4788	2288	cmd.exe	92
PID 2288 wrote to memory of 4788	2288	cmd.exe	92
PID 2288 wrote to memory of 4828	2288	cmd.exe	93
PID 2288 wrote to memory of 4828	2288	cmd.exe	93
PID 2288 wrote to memory of 4828	2288	cmd.exe	93
PID 4788 wrote to memory of 4728	4788	rundll32.exe	94
PID 4788 wrote to memory of 4728	4788	rundll32.exe	94
PID 4788 wrote to memory of 4728	4788	rundll32.exe	94
PID 2732 wrote to memory of 2144	2732	8463e6aa7209ff76d4d5d4fca1909bca0645321cd4663b2d335c820bde2c64f7.exe	95
PID 2732 wrote to memory of 2144	2732	8463e6aa7209ff76d4d5d4fca1909bca0645321cd4663b2d335c820bde2c64f7.exe	95
PID 2732 wrote to memory of 2144	2732	8463e6aa7209ff76d4d5d4fca1909bca0645321cd4663b2d335c820bde2c64f7.exe	95
PID 4728 wrote to memory of 644	4728	runonce.exe	97
PID 4728 wrote to memory of 644	4728	runonce.exe	97
PID 4728 wrote to memory of 644	4728	runonce.exe	97
PID 4452 wrote to memory of 648	4452	iexplore.exe	99
PID 4452 wrote to memory of 648	4452	iexplore.exe	99
PID 4452 wrote to memory of 648	4452	iexplore.exe	99
PID 2376 wrote to memory of 3404	2376	inl339.tmp	114
PID 2376 wrote to memory of 3404	2376	inl339.tmp	114
PID 2376 wrote to memory of 3404	2376	inl339.tmp	114

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
3724	attrib.exe
4880	attrib.exe

C:\Users\Admin\AppData\Local\Temp\8463e6aa7209ff76d4d5d4fca1909bca0645321cd4663b2d335c820bde2c64f7.exe
"C:\Users\Admin\AppData\Local\Temp\8463e6aa7209ff76d4d5d4fca1909bca0645321cd4663b2d335c820bde2c64f7.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\s_min_run.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3568
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\redload\1.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1864
  - - C:\PROGRA~1\INTERN~1\iexplore.exe
      C:\PROGRA~1\INTERN~1\IEXPLORE.EXE http://www.cnkankan.com/?82133
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4452
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4452 CREDAT:17410 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:648
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\redload\1.inf
      4⤵
      PID:8
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\redload\2.bat
      4⤵
      Drops file in Program Files directory
      Suspicious use of WriteProcessMemory
      PID:2288
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?S"" /f
        5⤵
        Modifies Internet Explorer settings
        Modifies Internet Explorer start page
        
        PID:4172
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?S"" /f
        5⤵
        Modifies Internet Explorer settings
        Modifies Internet Explorer start page
        
        PID:1500
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\tmp" /v "key" /d ""http://www.82133.com/?S"" /f
        5⤵
        
        PID:408
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}" /v "IsShortCut" /d "" /f
        5⤵
        Modifies registry class
        
        PID:3588
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command" /v "" /d "wscript -e:vbs ""C:\Users\Admin\AppData\Roaming\redload\3.bat""" /f
        5⤵
        Modifies registry class
        
        PID:2236
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h C:\Users\Admin\AppData\Roaming\redload\tmp\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}
        5⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:3724
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h C:\Users\Admin\AppData\Roaming\redload\tmp
        5⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:4880
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\redload\2.inf
        5⤵
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4788
      - C:\Windows\SysWOW64\runonce.exe
        
        "C:\Windows\system32\runonce.exe" -r
        6⤵
        Checks processor information in registry
        Suspicious use of WriteProcessMemory
        
        PID:4728
        
        C:\Windows\SysWOW64\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        7⤵
        
        PID:644
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32 D:\VolumeDH\inj.dat,MainLoad
        5⤵
        
        PID:4828
- C:\Users\Admin\AppData\Local\Temp\inl339.tmp
  C:\Users\Admin\AppData\Local\Temp\inl339.tmp
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2376
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\inl339.tmp > nul
    3⤵
    PID:3404
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\8463E6~1.EXE > nul
  2⤵
  PID:2144

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\z2evvp3\imagestore.dat

Filesize
1KB

MD5
7315a30ea4b2a0e7e8cf29907d29ee90

SHA1
a657881273d12d3d1cb7c04343fd1d00a1179aa1

SHA256
177361b184113e71de4323a722fa168f3760357817f8e852150a195e541a52b0

SHA512
2eced6faaf3586d23e6bffa1d922a9dd7d62a4a424dfa45a0b1f9338f65252ba6f4a12e6d8176d731dd368b43840c56f3b302b854da98229f47f9fd235d4982a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cdf1912.tmp

Filesize
791B

MD5
1706b41fd446b5718a8419c0fcb35d55

SHA1
d9bb8df22acdc60c754ac14982cf795df3b1b815

SHA256
5c6d11ac3f220f8286455764ab2581dcb6554692d3b9974b097364d77edb3943

SHA512
68c9f6170ecdfcc79fc63cb646901d2ac52a915620b159047b2c93761c261897eb5ecc15065635105637a61a840d393104c15ea8268897fb8bb2fbc1a56c626e

Download Submit
C:\Users\Admin\AppData\Local\Temp\inl339.tmp

Filesize
57.2MB

MD5
c7d7f52555e67bf504e15064a9dd9c2e

SHA1
3df1641471ab5c95f934952c285d763174a85df1

SHA256
c1218c7b0bbdfdfb2638bd73ed82386327d068922f9fe91f51878f30927bbdf0

SHA512
ffd9cb484efecfcb48b1785b2158cbbd88ae75f74cce981d494dc58d7709b68265e3af8d64c361cbac464ebaad4656127dffca3aa5058dfbac1779bf54e9a39d

Download Submit
C:\Users\Admin\AppData\Local\Temp\inl339.tmp

Filesize
57.2MB

MD5
c7d7f52555e67bf504e15064a9dd9c2e

SHA1
3df1641471ab5c95f934952c285d763174a85df1

SHA256
c1218c7b0bbdfdfb2638bd73ed82386327d068922f9fe91f51878f30927bbdf0

SHA512
ffd9cb484efecfcb48b1785b2158cbbd88ae75f74cce981d494dc58d7709b68265e3af8d64c361cbac464ebaad4656127dffca3aa5058dfbac1779bf54e9a39d

Download Submit
C:\Users\Admin\AppData\Local\Temp\s_min_run.bat

Filesize
54B

MD5
504490369970f1c0eb580afbcdf91618

SHA1
b52f65cd538e6c998b2c7e3167f9c8e8fa6c7971

SHA256
a13a0579286521f0d7cb55fc7d28c6d33f14c0573e9e69f7584fa4008a8e7d43

SHA512
5495ce79abf0fc4ffbfaf9aefa484145f4e0d3e8457be0e2e4dfb1284fb5413016f2d9867e2386db5c4f7b51863bfffeae8ea6bd879053fdf6a928ab2a0857ad

Download Submit
C:\Users\Admin\AppData\Roaming\redload\1.bat

Filesize
3KB

MD5
168976102055ae6902b5d251d4b39401

SHA1
37c28d5b4d19bf3ef0be7be04ac4b54c71866773

SHA256
aabf9954046b451c6287c18b37448dbce289b0a76bb0bcbe72b7e97b6ebfc9fc

SHA512
95474e88ce99544ab19d25c3f96b348b99733858b8382baeedce62748444b529e55c0c4df84c20ff05eb7b3172baaa22ade7604c7288b536e1895cd95dbc42a6

Download Submit
C:\Users\Admin\AppData\Roaming\redload\1.inf

Filesize
410B

MD5
66a1f0147fed7ddd19e9bb7ff93705c5

SHA1
9d803c81ea2195617379b880b227892ba30b0bf6

SHA256
4f45ce85e221352f7fe26e04968c7f7267dc24b55cf2b72b929b4c90e48cb764

SHA512
cfe51756ddec75d240249980a4d27870d15983add25058e4d0da4d8a3ea11384d4d228d6cbc95091f91e516e1ab4dfb1e315941dbd95bf717d4b31936311d597

Download Submit
C:\Users\Admin\AppData\Roaming\redload\2.bat

Filesize
3KB

MD5
428b15afd0f31b5f77d86f84a2e0bf36

SHA1
e76c640936f9ea1a4cf0f26e5417d4cbbde08ea2

SHA256
390a9eb07646fea162115045ea2b76a3a248d8823e7dc4a54851c39463ddfdb5

SHA512
3272917c8a65641eb39c280ba2f23c359145d8951ec78d803143fdbfa87cf6233a4d3a03607bcae7703f718dc592297aefc69726086a206e5d0bffd5655d8ca4

Download Submit
C:\Users\Admin\AppData\Roaming\redload\2.inf

Filesize
248B

MD5
2197ffb407fb3b2250045c084f73b70a

SHA1
3d0efbacba73ac5e8d77f0d25d63fc424511bcf6

SHA256
a1a42f5a41ce65135b1ad525eabc04cce89ee07d2f51d06e5e1dea6047081591

SHA512
b35a99e144da3f02de71158f58a6b937435d1bce941126a554783c667654b880527b11ba8a5c0fcf093ce28863ea4f5e60f73f8f973a727f177d584d2e9c80fe

Download Submit
C:\Users\Admin\AppData\Roaming\redload\4.bat

Filesize
5.8MB

MD5
b9ad5af5a451f99d001a448cc347cc99

SHA1
508bd20eab2f4809de2f0955de910070a1ba1530

SHA256
e1f28f6fcf5fad1224218d5375dde29d3e98dba79f3ee9bb969b651872feaa3c

SHA512
b2c2ded755d7053c63334d8c690385c7dcd5f1c450fa0b2bd3548d40cdcdeff8968bc4753d6096c32c1adf1f22e40f2e9c8425847caa4df6d459266be9ec0053

Download Submit
memory/2732-135-0x0000000000490000-0x00000000004B5000-memory.dmp

Filesize
148KB

Download
memory/2732-134-0x0000000000CA0000-0x0000000000CA3000-memory.dmp

Filesize
12KB

Download
memory/2732-133-0x0000000000CA0000-0x0000000000CA3000-memory.dmp

Filesize
12KB

Download
memory/2732-175-0x0000000000490000-0x00000000004B5000-memory.dmp

Filesize
148KB

Download
memory/2732-132-0x0000000000490000-0x00000000004B5000-memory.dmp

Filesize
148KB

Download
memory/4452-171-0x00007FFF485E0000-0x00007FFF4864E000-memory.dmp

Filesize
440KB

Download
memory/4452-191-0x00007FFF485E0000-0x00007FFF4864E000-memory.dmp

Filesize
440KB

Download
memory/4452-164-0x00007FFF485E0000-0x00007FFF4864E000-memory.dmp

Filesize
440KB

Download
memory/4452-165-0x00007FFF485E0000-0x00007FFF4864E000-memory.dmp

Filesize
440KB

Download
memory/4452-166-0x00007FFF485E0000-0x00007FFF4864E000-memory.dmp

Filesize
440KB

Download
memory/4452-167-0x00007FFF485E0000-0x00007FFF4864E000-memory.dmp

Filesize
440KB

Download
memory/4452-168-0x00007FFF485E0000-0x00007FFF4864E000-memory.dmp

Filesize
440KB

Download
memory/4452-169-0x00007FFF485E0000-0x00007FFF4864E000-memory.dmp

Filesize
440KB

Download
memory/4452-170-0x00007FFF485E0000-0x00007FFF4864E000-memory.dmp

Filesize
440KB

Download
memory/4452-172-0x00007FFF485E0000-0x00007FFF4864E000-memory.dmp

Filesize
440KB

Download
memory/4452-225-0x00007FFF485E0000-0x00007FFF4864E000-memory.dmp

Filesize
440KB

Download
memory/4452-174-0x00007FFF485E0000-0x00007FFF4864E000-memory.dmp

Filesize
440KB

Download
memory/4452-224-0x00007FFF485E0000-0x00007FFF4864E000-memory.dmp

Filesize
440KB

Download
memory/4452-177-0x00007FFF485E0000-0x00007FFF4864E000-memory.dmp

Filesize
440KB

Download
memory/4452-179-0x00007FFF485E0000-0x00007FFF4864E000-memory.dmp

Filesize
440KB

Download
memory/4452-181-0x00007FFF485E0000-0x00007FFF4864E000-memory.dmp

Filesize
440KB

Download
memory/4452-157-0x00007FFF485E0000-0x00007FFF4864E000-memory.dmp

Filesize
440KB

Download
memory/4452-183-0x00007FFF485E0000-0x00007FFF4864E000-memory.dmp

Filesize
440KB

Download
memory/4452-184-0x00007FFF485E0000-0x00007FFF4864E000-memory.dmp

Filesize
440KB

Download
memory/4452-185-0x00007FFF485E0000-0x00007FFF4864E000-memory.dmp

Filesize
440KB

Download
memory/4452-186-0x00007FFF485E0000-0x00007FFF4864E000-memory.dmp

Filesize
440KB

Download
memory/4452-188-0x00007FFF485E0000-0x00007FFF4864E000-memory.dmp

Filesize
440KB

Download
memory/4452-161-0x00007FFF485E0000-0x00007FFF4864E000-memory.dmp

Filesize
440KB

Download
memory/4452-192-0x00007FFF485E0000-0x00007FFF4864E000-memory.dmp

Filesize
440KB

Download
memory/4452-193-0x00007FFF485E0000-0x00007FFF4864E000-memory.dmp

Filesize
440KB

Download
memory/4452-194-0x00007FFF485E0000-0x00007FFF4864E000-memory.dmp

Filesize
440KB

Download
memory/4452-195-0x00007FFF485E0000-0x00007FFF4864E000-memory.dmp

Filesize
440KB

Download
memory/4452-196-0x00007FFF485E0000-0x00007FFF4864E000-memory.dmp

Filesize
440KB

Download
memory/4452-197-0x00007FFF485E0000-0x00007FFF4864E000-memory.dmp

Filesize
440KB

Download
memory/4452-198-0x00007FFF485E0000-0x00007FFF4864E000-memory.dmp

Filesize
440KB

Download
memory/4452-202-0x00007FFF485E0000-0x00007FFF4864E000-memory.dmp

Filesize
440KB

Download
memory/4452-203-0x00007FFF485E0000-0x00007FFF4864E000-memory.dmp

Filesize
440KB

Download
memory/4452-204-0x00007FFF485E0000-0x00007FFF4864E000-memory.dmp

Filesize
440KB

Download
memory/4452-205-0x00007FFF485E0000-0x00007FFF4864E000-memory.dmp

Filesize
440KB

Download
memory/4452-206-0x00007FFF485E0000-0x00007FFF4864E000-memory.dmp

Filesize
440KB

Download
memory/4452-211-0x00007FFF485E0000-0x00007FFF4864E000-memory.dmp

Filesize
440KB

Download
memory/4452-212-0x00007FFF485E0000-0x00007FFF4864E000-memory.dmp

Filesize
440KB

Download
memory/4452-213-0x00007FFF485E0000-0x00007FFF4864E000-memory.dmp

Filesize
440KB

Download
memory/4452-214-0x00007FFF485E0000-0x00007FFF4864E000-memory.dmp

Filesize
440KB

Download
memory/4452-215-0x00007FFF485E0000-0x00007FFF4864E000-memory.dmp

Filesize
440KB

Download
memory/4452-216-0x00007FFF485E0000-0x00007FFF4864E000-memory.dmp

Filesize
440KB

Download
memory/4452-218-0x00007FFF485E0000-0x00007FFF4864E000-memory.dmp

Filesize
440KB

Download
memory/4452-219-0x00007FFF485E0000-0x00007FFF4864E000-memory.dmp

Filesize
440KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads