joker | 02040d590778e19253de36b5569b4c9e2cc76cba7e266e475d93d49aa0962e9e

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2022 00:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02040d590778e19253de36b5569b4c9e2cc76cba7e266e475d93d49aa0962e9e.exe
Size

54KB
MD5

4fdfc29228338e44a3e943594a9e12de
SHA1

0ca5bcfaceb764fc2d374fafcfa03767e083070d
SHA256

02040d590778e19253de36b5569b4c9e2cc76cba7e266e475d93d49aa0962e9e
SHA512

bf6986810c376750092de678e5da4f0ebcaf5ec7cb96f904ccb706d6c0de256ce615390d9a52bf9fdb21b55efa20dd053b5c79174a720ac4054e7fd8656fb82a
SSDEEP

768:t1kXBrEiDu4jxAfSIYTdL3HZlhnfu21/O/0SOEeXCAiWhBz1tmnGfyHarOfObf:EW4WYTdLLA21GDAC1YptmGf+qOfqf

Score

10^/10

joker evasion infostealer persistence trojan

Malware Config

Signatures

joker
Joker is an Android malware that targets billing and SMS fraud.
infostealer trojan joker

Executes dropped EXE 1 IoCs

pid	Process
3980	inlC9F9.tmp

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1158

pid	Process
1848	attrib.exe
4504	attrib.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	02040d590778e19253de36b5569b4c9e2cc76cba7e266e475d93d49aa0962e9e.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\hsdfasd = "\"C:\\Users\\Admin\\AppData\\Roaming\\PPLive\\tmp.\\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}\" hh.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	rundll32.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~1\INTERN~1\ieframe.dll	cmd.exe
File opened for modification	C:\PROGRA~1\INTERN~1\ieframe.dll	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe

Modifies Internet Explorer settings 1 TTPs 54 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Enable = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\International\CpMRU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.cnkankan.com\ = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "126"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40c178a7cecbd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DOMStorage\henniu425.site	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20a884a7cecbd801	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e2728ad8693e804caf0ad2c227b1421600000000020000000000106600000001000020000000c857510c739f01498078accb0b32d8f7970098a79cd5b2cfabbf2c4265501b94000000000e800000000200002000000067f4c9cd0facd24878a56d36df3815a3cfdb0b1ab6142945a36d8b504949a31320000000451b53fd8c22340e2077ab1907c8e93e38352a74299c0398e83a37c7ee65deb740000000449db7bd37f98dc3e342b7fc730282c2021ee2497399291b2205637563a687afdcf8072e09a10968e2aeb6ba7b9440c960c3d137ccd01bc32043d693c3e27c66	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\cnkankan.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "63"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.henniu425.site	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Factor = "20"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30985166"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e2728ad8693e804caf0ad2c227b142160000000002000000000010660000000100002000000087e98ac8a8be0fe6813ec6f48dcd3cf0d4ea0f17bd660a5f1fdd0574e721faed000000000e8000000002000020000000d26beecf1b18825a7050f872d8b68e9506f7d1c6166e2390bf3b397cfcddd1eb200000004fc214481b11b91c907715a8e5b67920174e676bce2ac3bbd17b53402ef71edc40000000d0adcbb471ceb40ce4afcce25f5df3222b57868bcbeec0c1180f185a72d681ac58a8e01734fb75ec2eea8fc713929e50fcbd086a8e73563b40fe01a2d63318e3	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "189"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.henniu425.site\ = "63"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\henniu425.site\Total = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.cnkankan.com\ = "126"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30985166"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.cnkankan.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2521744338"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\cnkankan.com\Total = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\cnkankan.com\Total = "126"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2521744338"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DOMStorage\cnkankan.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\cnkankan.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{C147DC82-37C1-11ED-B696-C2DBB15B3A76} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\henniu425.site\NumberOfSubdomains = "1"	IEXPLORE.EXE

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://www.82133.com/?o"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.82133.com/?o"	reg.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command\ = "wscript -e:vbs \"C:\\Users\\Admin\\AppData\\Roaming\\PPLive\\3.bat\""	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\IsShortCut	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}	reg.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2752	02040d590778e19253de36b5569b4c9e2cc76cba7e266e475d93d49aa0962e9e.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1936	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1936	iexplore.exe
1936	iexplore.exe
816	IEXPLORE.EXE
816	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 2752 wrote to memory of 4668	2752	02040d590778e19253de36b5569b4c9e2cc76cba7e266e475d93d49aa0962e9e.exe	82
PID 2752 wrote to memory of 4668	2752	02040d590778e19253de36b5569b4c9e2cc76cba7e266e475d93d49aa0962e9e.exe	82
PID 2752 wrote to memory of 4668	2752	02040d590778e19253de36b5569b4c9e2cc76cba7e266e475d93d49aa0962e9e.exe	82
PID 4668 wrote to memory of 1672	4668	cmd.exe	85
PID 4668 wrote to memory of 1672	4668	cmd.exe	85
PID 4668 wrote to memory of 1672	4668	cmd.exe	85
PID 1672 wrote to memory of 1936	1672	cmd.exe	86
PID 1672 wrote to memory of 1936	1672	cmd.exe	86
PID 1672 wrote to memory of 4372	1672	cmd.exe	87
PID 1672 wrote to memory of 4372	1672	cmd.exe	87
PID 1672 wrote to memory of 4372	1672	cmd.exe	87
PID 1672 wrote to memory of 1660	1672	cmd.exe	88
PID 1672 wrote to memory of 1660	1672	cmd.exe	88
PID 1672 wrote to memory of 1660	1672	cmd.exe	88
PID 1660 wrote to memory of 5088	1660	cmd.exe	90
PID 1660 wrote to memory of 5088	1660	cmd.exe	90
PID 1660 wrote to memory of 5088	1660	cmd.exe	90
PID 1660 wrote to memory of 3532	1660	cmd.exe	91
PID 1660 wrote to memory of 3532	1660	cmd.exe	91
PID 1660 wrote to memory of 3532	1660	cmd.exe	91
PID 1660 wrote to memory of 520	1660	cmd.exe	92
PID 1660 wrote to memory of 520	1660	cmd.exe	92
PID 1660 wrote to memory of 520	1660	cmd.exe	92
PID 1660 wrote to memory of 204	1660	cmd.exe	93
PID 1660 wrote to memory of 204	1660	cmd.exe	93
PID 1660 wrote to memory of 204	1660	cmd.exe	93
PID 2752 wrote to memory of 3980	2752	02040d590778e19253de36b5569b4c9e2cc76cba7e266e475d93d49aa0962e9e.exe	94
PID 2752 wrote to memory of 3980	2752	02040d590778e19253de36b5569b4c9e2cc76cba7e266e475d93d49aa0962e9e.exe	94
PID 2752 wrote to memory of 3980	2752	02040d590778e19253de36b5569b4c9e2cc76cba7e266e475d93d49aa0962e9e.exe	94
PID 1660 wrote to memory of 3756	1660	cmd.exe	95
PID 1660 wrote to memory of 3756	1660	cmd.exe	95
PID 1660 wrote to memory of 3756	1660	cmd.exe	95
PID 1660 wrote to memory of 1848	1660	cmd.exe	96
PID 1660 wrote to memory of 1848	1660	cmd.exe	96
PID 1660 wrote to memory of 1848	1660	cmd.exe	96
PID 2752 wrote to memory of 3464	2752	02040d590778e19253de36b5569b4c9e2cc76cba7e266e475d93d49aa0962e9e.exe	97
PID 2752 wrote to memory of 3464	2752	02040d590778e19253de36b5569b4c9e2cc76cba7e266e475d93d49aa0962e9e.exe	97
PID 2752 wrote to memory of 3464	2752	02040d590778e19253de36b5569b4c9e2cc76cba7e266e475d93d49aa0962e9e.exe	97
PID 1660 wrote to memory of 4504	1660	cmd.exe	98
PID 1660 wrote to memory of 4504	1660	cmd.exe	98
PID 1660 wrote to memory of 4504	1660	cmd.exe	98
PID 1936 wrote to memory of 816	1936	iexplore.exe	99
PID 1936 wrote to memory of 816	1936	iexplore.exe	99
PID 1936 wrote to memory of 816	1936	iexplore.exe	99
PID 1660 wrote to memory of 3060	1660	cmd.exe	103
PID 1660 wrote to memory of 3060	1660	cmd.exe	103
PID 1660 wrote to memory of 3060	1660	cmd.exe	103
PID 1660 wrote to memory of 1328	1660	cmd.exe	100
PID 1660 wrote to memory of 1328	1660	cmd.exe	100
PID 1660 wrote to memory of 1328	1660	cmd.exe	100
PID 3060 wrote to memory of 1880	3060	rundll32.exe	101
PID 3060 wrote to memory of 1880	3060	rundll32.exe	101
PID 3060 wrote to memory of 1880	3060	rundll32.exe	101
PID 1880 wrote to memory of 1288	1880	runonce.exe	104
PID 1880 wrote to memory of 1288	1880	runonce.exe	104
PID 1880 wrote to memory of 1288	1880	runonce.exe	104

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1848	attrib.exe
4504	attrib.exe

C:\Users\Admin\AppData\Local\Temp\02040d590778e19253de36b5569b4c9e2cc76cba7e266e475d93d49aa0962e9e.exe
"C:\Users\Admin\AppData\Local\Temp\02040d590778e19253de36b5569b4c9e2cc76cba7e266e475d93d49aa0962e9e.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2752
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\appflag1394_20start.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4668
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\PPLive\1.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1672
  - - C:\PROGRA~1\INTERN~1\iexplore.exe
      C:\PROGRA~1\INTERN~1\IEXPLORE.EXE http://wWW.cnkankan.com/?82133
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1936
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1936 CREDAT:17410 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:816
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\PPLive\1.inf
      4⤵
      PID:4372
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\PPLive\2.bat
      4⤵
      Drops file in Program Files directory
      Suspicious use of WriteProcessMemory
      PID:1660
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?o"" /f
        5⤵
        Modifies Internet Explorer settings
        Modifies Internet Explorer start page
        
        PID:5088
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?o"" /f
        5⤵
        Modifies Internet Explorer settings
        Modifies Internet Explorer start page
        
        PID:3532
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\tmp" /v "key" /d ""http://www.82133.com/?o"" /f
        5⤵
        
        PID:520
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}" /v "IsShortCut" /d "" /f
        5⤵
        Modifies registry class
        
        PID:204
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command" /v "" /d "wscript -e:vbs ""C:\Users\Admin\AppData\Roaming\PPLive\3.bat""" /f
        5⤵
        Modifies registry class
        
        PID:3756
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h C:\Users\Admin\AppData\Roaming\PPLive\tmp\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}
        5⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:1848
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h C:\Users\Admin\AppData\Roaming\PPLive\tmp
        5⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:4504
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32 D:\VolumeDH\inj.dat,MainLoad
        5⤵
        
        PID:1328
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\PPLive\2.inf
        5⤵
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3060
- C:\Users\Admin\AppData\Local\Temp\inlC9F9.tmp
  C:\Users\Admin\AppData\Local\Temp\inlC9F9.tmp
  2⤵
  - Executes dropped EXE
  PID:3980
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\02040D~1.EXE > nul
  2⤵
  PID:3464

C:\Windows\SysWOW64\runonce.exe
"C:\Windows\system32\runonce.exe" -r
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1880
- C:\Windows\SysWOW64\grpconv.exe
  "C:\Windows\System32\grpconv.exe" -o
  2⤵
  PID:1288

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\dqptnfu\imagestore.dat

Filesize
1KB

MD5
15598f7445a432593c7c1bd51b5b817a

SHA1
ce3247e5db1530e6112c2560ea7d3fb261d88384

SHA256
4f04f575c3d6f613b9fbed3adee0d7ac123b47afec5732c82a4faed76b2827f5

SHA512
581fedf8cb1a543e08d7e9996631efd86b4abd181e8afbe34ee29b5589672d79fb75acc8ab4fc46dea3949841bbf62fe1848c435d3cb95019697aad8c2df7e96

Download Submit
C:\Users\Admin\AppData\Local\Temp\appflag1394_20start.bat

Filesize
53B

MD5
23962a245f75fe25510051582203aff1

SHA1
20832a3a1179bb2730194d2f7738d41d5d669a43

SHA256
1abcea214b9b2bd76cc04be07ae2d4d70371e6ca443d99f4f1327afe7a5fc647

SHA512
dc36b64f2dbb710652900a31295c148760b0c44eae13515aa29613916c9dffe3d8e55ba61568f7c27b43bf0c341f7dcd4b9c721f81627fc6bb915b15c358fe80

Download Submit
C:\Users\Admin\AppData\Local\Temp\cdf1912.tmp

Filesize
645B

MD5
4cafe2ab2ae87e0e3a16f6bd99e92437

SHA1
45757e5b258e3190ea4d4b092375bded4d5ea4fd

SHA256
90896bc5f40509bc3ed86e17cae17da22b4f4ab0e424dc4557b24eccc53429ce

SHA512
123a945a361a07a356361e796159406bff31dbfbe68afaa1f22e144dc2b4025d23112844db70e651b9ee41f674d8efb4cd10b23ee4992d9538de7ada6534f2ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\inlC9F9.tmp

Filesize
57.2MB

MD5
ac1130de4232ef38542ec86978e008f3

SHA1
99829a2a038c1867fe985cb1c099884b549de9bc

SHA256
33b50abdab188501012c3529bb5f628ce2c41ba54a0bf39570a81e194a85a623

SHA512
86e3c560c7e814bf2b4760a3b7eb24b89653c12b8f54820a0332519fca50ed3e38482d81d967e0bdd450dc0c81b3410fbae8eee777770cdb53d321c568380c7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\inlC9F9.tmp

Filesize
57.2MB

MD5
ac1130de4232ef38542ec86978e008f3

SHA1
99829a2a038c1867fe985cb1c099884b549de9bc

SHA256
33b50abdab188501012c3529bb5f628ce2c41ba54a0bf39570a81e194a85a623

SHA512
86e3c560c7e814bf2b4760a3b7eb24b89653c12b8f54820a0332519fca50ed3e38482d81d967e0bdd450dc0c81b3410fbae8eee777770cdb53d321c568380c7a

Download Submit
C:\Users\Admin\AppData\Roaming\PPLive\1.bat

Filesize
3KB

MD5
b21e4f653320b34a01a860b1cf00c861

SHA1
3de8c41f014512ec793c3452b3c96f832644b0f0

SHA256
29a23c064b35e49d619825b67bf8b01ad6ba4c65e50e167bd69416cdca92d4bf

SHA512
6f791ca6c1929779e8c72b4c5c3ec79c8bd134845679e17915a4758a03b847efe5454fefe3af8be1eb17277ba73612d1534d09734c171f82b7ac351893cd8d9c

Download Submit
C:\Users\Admin\AppData\Roaming\PPLive\1.inf

Filesize
410B

MD5
66a1f0147fed7ddd19e9bb7ff93705c5

SHA1
9d803c81ea2195617379b880b227892ba30b0bf6

SHA256
4f45ce85e221352f7fe26e04968c7f7267dc24b55cf2b72b929b4c90e48cb764

SHA512
cfe51756ddec75d240249980a4d27870d15983add25058e4d0da4d8a3ea11384d4d228d6cbc95091f91e516e1ab4dfb1e315941dbd95bf717d4b31936311d597

Download Submit
C:\Users\Admin\AppData\Roaming\PPLive\2.bat

Filesize
3KB

MD5
6b78cb8ced798ca5df5612dd62ce0965

SHA1
5a9c299393b96b0bf8f6770e3c7b0318a9e2e0cf

SHA256
81f64f42edfac2863a55db8fabd528c4eefc67f7e658cad6a57eeec862e444e3

SHA512
b387ba10021f3284d1406d520a2c8b3ba0c87922d67c79394c1aa50c631194519ac6bb5b898956533f040d48e1c7b202734e0075f8fc8c8bfab82c8ef359b28e

Download Submit
C:\Users\Admin\AppData\Roaming\PPLive\2.inf

Filesize
247B

MD5
ca436f6f187bc049f9271ecdcbf348fa

SHA1
bf8a548071cfc150f7affb802538edf03d281106

SHA256
6cdfa9b7f0e1e4ee16bc8ce5d7448d47ea8866c1f55f3e56be5c2a4d183ca534

SHA512
d19e20aabddad6b0284f8c1d473e9180f30b49d4d8b54f26e7c8630228e16b1f6ba04023c5e8b1993d8a10d97adcfff683b216f79b9981bf16181641aebdd591

Download Submit
C:\Users\Admin\AppData\Roaming\PPLive\4.bat

Filesize
5.8MB

MD5
d5abd3185fb37e55058371c1d4928532

SHA1
dda481d7f7f64c81cf7e4b741fed3777b55d9924

SHA256
380c353017b20b5f2c3660945ec824f500ccabb18f92eac50291de568e9f310f

SHA512
97cbad2807e5afa72677958ac1d28c6a5948c9ea38b3c0e15cc9f68f398fa1541d7901be4f5d2609cd881bee0b3eebf03cb5c9dc0a9a5c2cebcafdcbf30d2876

Download Submit
memory/1936-153-0x00007FF866F70000-0x00007FF866FDE000-memory.dmp

Filesize
440KB

Download
memory/1936-185-0x00007FF866F70000-0x00007FF866FDE000-memory.dmp

Filesize
440KB

Download
memory/1936-151-0x00007FF866F70000-0x00007FF866FDE000-memory.dmp

Filesize
440KB

Download
memory/1936-154-0x00007FF866F70000-0x00007FF866FDE000-memory.dmp

Filesize
440KB

Download
memory/1936-155-0x00007FF866F70000-0x00007FF866FDE000-memory.dmp

Filesize
440KB

Download
memory/1936-224-0x00007FF866F70000-0x00007FF866FDE000-memory.dmp

Filesize
440KB

Download
memory/1936-223-0x00007FF866F70000-0x00007FF866FDE000-memory.dmp

Filesize
440KB

Download
memory/1936-157-0x00007FF866F70000-0x00007FF866FDE000-memory.dmp

Filesize
440KB

Download
memory/1936-149-0x00007FF866F70000-0x00007FF866FDE000-memory.dmp

Filesize
440KB

Download
memory/1936-160-0x00007FF866F70000-0x00007FF866FDE000-memory.dmp

Filesize
440KB

Download
memory/1936-150-0x00007FF866F70000-0x00007FF866FDE000-memory.dmp

Filesize
440KB

Download
memory/1936-163-0x00007FF866F70000-0x00007FF866FDE000-memory.dmp

Filesize
440KB

Download
memory/1936-165-0x00007FF866F70000-0x00007FF866FDE000-memory.dmp

Filesize
440KB

Download
memory/1936-168-0x00007FF866F70000-0x00007FF866FDE000-memory.dmp

Filesize
440KB

Download
memory/1936-167-0x00007FF866F70000-0x00007FF866FDE000-memory.dmp

Filesize
440KB

Download
memory/1936-218-0x00007FF866F70000-0x00007FF866FDE000-memory.dmp

Filesize
440KB

Download
memory/1936-171-0x00007FF866F70000-0x00007FF866FDE000-memory.dmp

Filesize
440KB

Download
memory/1936-148-0x00007FF866F70000-0x00007FF866FDE000-memory.dmp

Filesize
440KB

Download
memory/1936-147-0x00007FF866F70000-0x00007FF866FDE000-memory.dmp

Filesize
440KB

Download
memory/1936-217-0x00007FF866F70000-0x00007FF866FDE000-memory.dmp

Filesize
440KB

Download
memory/1936-144-0x00007FF866F70000-0x00007FF866FDE000-memory.dmp

Filesize
440KB

Download
memory/1936-143-0x00007FF866F70000-0x00007FF866FDE000-memory.dmp

Filesize
440KB

Download
memory/1936-170-0x00007FF866F70000-0x00007FF866FDE000-memory.dmp

Filesize
440KB

Download
memory/1936-177-0x00007FF866F70000-0x00007FF866FDE000-memory.dmp

Filesize
440KB

Download
memory/1936-215-0x00007FF866F70000-0x00007FF866FDE000-memory.dmp

Filesize
440KB

Download
memory/1936-180-0x00007FF866F70000-0x00007FF866FDE000-memory.dmp

Filesize
440KB

Download
memory/1936-213-0x00007FF866F70000-0x00007FF866FDE000-memory.dmp

Filesize
440KB

Download
memory/1936-214-0x00007FF866F70000-0x00007FF866FDE000-memory.dmp

Filesize
440KB

Download
memory/1936-186-0x00007FF866F70000-0x00007FF866FDE000-memory.dmp

Filesize
440KB

Download
memory/1936-212-0x00007FF866F70000-0x00007FF866FDE000-memory.dmp

Filesize
440KB

Download
memory/1936-187-0x00007FF866F70000-0x00007FF866FDE000-memory.dmp

Filesize
440KB

Download
memory/1936-211-0x00007FF866F70000-0x00007FF866FDE000-memory.dmp

Filesize
440KB

Download
memory/1936-210-0x00007FF866F70000-0x00007FF866FDE000-memory.dmp

Filesize
440KB

Download
memory/1936-205-0x00007FF866F70000-0x00007FF866FDE000-memory.dmp

Filesize
440KB

Download
memory/1936-192-0x00007FF866F70000-0x00007FF866FDE000-memory.dmp

Filesize
440KB

Download
memory/1936-193-0x00007FF866F70000-0x00007FF866FDE000-memory.dmp

Filesize
440KB

Download
memory/1936-195-0x00007FF866F70000-0x00007FF866FDE000-memory.dmp

Filesize
440KB

Download
memory/1936-194-0x00007FF866F70000-0x00007FF866FDE000-memory.dmp

Filesize
440KB

Download
memory/1936-196-0x00007FF866F70000-0x00007FF866FDE000-memory.dmp

Filesize
440KB

Download
memory/1936-200-0x00007FF866F70000-0x00007FF866FDE000-memory.dmp

Filesize
440KB

Download
memory/1936-201-0x00007FF866F70000-0x00007FF866FDE000-memory.dmp

Filesize
440KB

Download
memory/1936-203-0x00007FF866F70000-0x00007FF866FDE000-memory.dmp

Filesize
440KB

Download
memory/1936-204-0x00007FF866F70000-0x00007FF866FDE000-memory.dmp

Filesize
440KB

Download
memory/2752-183-0x00000000005F0000-0x0000000000615000-memory.dmp

Filesize
148KB

Download
memory/2752-133-0x0000000001200000-0x0000000001203000-memory.dmp

Filesize
12KB

Download
memory/2752-132-0x00000000005F0000-0x0000000000615000-memory.dmp

Filesize
148KB

Download
memory/2752-134-0x00000000005F0000-0x0000000000615000-memory.dmp

Filesize
148KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads