joker | 4b8bc86b3ba5dd3fb7ad3ca3f3f3e62af0e13679c3eb8cd630d36b03eabf7f6b

Analysis

max time kernel
152s
max time network
159s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
19/09/2022, 04:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4b8bc86b3ba5dd3fb7ad3ca3f3f3e62af0e13679c3eb8cd630d36b03eabf7f6b.exe
Size

1.8MB
MD5

5017e4642ffb6fed42235d37fab16273
SHA1

91a00dfa17737092c79cce3002f6d428c4b47ed2
SHA256

4b8bc86b3ba5dd3fb7ad3ca3f3f3e62af0e13679c3eb8cd630d36b03eabf7f6b
SHA512

71dcb7efee14707a70e32c11d40b798b8a70f17b81548b52f67213bf2767d1d6deba570ef9b2668bc26c362964c9f5364af8ad88593e6d001627a0f83e28e058
SSDEEP

49152:GZp4kJNahggTdaVS8wzZrhyL7Y6Xl55PA8DXl5IkyjGY:GZ+gMhfdaVS8otyw6r5PpDV5Iky3

Score

10^/10

joker aspackv2 evasion infostealer persistence trojan

Malware Config

Signatures

joker
Joker is an Android malware that targets billing and SMS fraud.
infostealer trojan joker

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ìÅÎèÖúÊÖ³é½±¹Ò3.0.9-BÃë³é°æ.exe

ASPack v2.12-2.42 7 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x000b0000000126a6-65.dat	aspack_v212_v242
behavioral1/files/0x000b0000000126a6-61.dat	aspack_v212_v242
behavioral1/files/0x000b0000000126a6-84.dat	aspack_v212_v242
behavioral1/files/0x000b0000000126a6-87.dat	aspack_v212_v242
behavioral1/files/0x000b0000000126a6-92.dat	aspack_v212_v242
behavioral1/files/0x000b0000000126a6-93.dat	aspack_v212_v242
behavioral1/files/0x000b0000000126a6-95.dat	aspack_v212_v242

Executes dropped EXE 5 IoCs

pid	Process
2032	p.exe
1720	p.exe
1892	2071.exe
1072	svchost.exe
580	ìÅÎèÖúÊÖ³é½±¹Ò3.0.9-BÃë³é°æ.exe

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Modifies Installed Components in the registry 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AENGFU3AA-Z568-11d2-9CBD-0000F87A369E}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AENGFU3AA-Z568-11d2-9CBD-0000F87A369E}\ = "Zou568"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AENGFU3AA-Z568-11d2-9CBD-0000F87A369E}\stubpath = "C:\\WINDOWS\\zoues\\svchost.exe"	svchost.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Wine	ìÅÎèÖúÊÖ³é½±¹Ò3.0.9-BÃë³é°æ.exe

Loads dropped DLL 12 IoCs

pid	Process
1224	4b8bc86b3ba5dd3fb7ad3ca3f3f3e62af0e13679c3eb8cd630d36b03eabf7f6b.exe
2032	p.exe
1224	4b8bc86b3ba5dd3fb7ad3ca3f3f3e62af0e13679c3eb8cd630d36b03eabf7f6b.exe
1720	p.exe
1224	4b8bc86b3ba5dd3fb7ad3ca3f3f3e62af0e13679c3eb8cd630d36b03eabf7f6b.exe
1224	4b8bc86b3ba5dd3fb7ad3ca3f3f3e62af0e13679c3eb8cd630d36b03eabf7f6b.exe
1892	2071.exe
1892	2071.exe
2308	WerFault.exe
2308	WerFault.exe
2308	WerFault.exe
2308	WerFault.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\intel.dll	2071.exe
File opened for modification	C:\Windows\SysWOW64\history.log	2071.exe
File created	C:\Windows\SysWOW64\sys.sys	2071.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
580	ìÅÎèÖúÊÖ³é½±¹Ò3.0.9-BÃë³é°æ.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\iexplore.exe	2071.exe
File opened for modification	C:\Program Files\iexplore.exe	2071.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\zoues\svchost.exe	p.exe
File created	\??\c:\WINDOWS\Help\windowsz32.txt	p.exe
File created	C:\WINDOWS\zoues\svchost.exe	p.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2308	1892	WerFault.exe	29

Modifies Internet Explorer settings 1 TTPs 44 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048ca5449a4d21846ba8a995ea0abd35a00000000020000000000106600000001000020000000a49d49763ea970a24923cb0996f16258d107d5a16f4909202612fd09ff39c166000000000e8000000002000020000000157c82599be8829717ed5b184f1a4a4c04e30e28cfb4d98645cf267e4a2976162000000022ac6ab76ef137d7e009154ccde2002f4fbccadd17eeaa4b584701d86da4b18b400000000feed805cc230cdb54c5b7fb56f2f5f9aa71e2c465be5052c50e3d202eb07a275ed6dff4bcfe1316c8d8b0d21b5353a7827dbab0c0276a62cd1f01d1de6b911b	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\1wly.com\Total = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F0DC6B31-37DE-11ED-B2F2-7E6ADD856DC1} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70195fcbebcbd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.1wly.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\1wly.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\1wly.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.1wly.com\ = "63"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "63"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048ca5449a4d21846ba8a995ea0abd35a00000000020000000000106600000001000020000000542c5897d2ad9666d5bd501f6ebf1f28421b3194f46afd6683ada25e67696469000000000e8000000002000020000000ff79f86c381e8ed2dffe246d9e63206827c4a1c58643e05844c8777f95073e9890000000bd32c027a881b1b194a423f3918253b064c150dab93afb7eb21a3f88ce5f4de9dd3970be4b8b5cc073ffd711fb55fda091b92817fc25ff2ddebe1f6c395e84d965480b84b6c654591469d76f8c103c2d00fdaa60a4e369e04825cfd7692b445990e475f8524f8d6ed7e39d26ccdf71f8595d2300a013d74f0904194a0ccfd82b97a666fb9fd1003470b5786c334a119a400000002e1517761cf881590ff039858fa358b2312d36157409a638f75b47644d5254035c686303b72fe5873cbb8a9904a92f700f65314a30809bea6e0b6d407414faf7	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "370331593"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
580	ìÅÎèÖúÊÖ³é½±¹Ò3.0.9-BÃë³é°æ.exe
1072	svchost.exe
1892	2071.exe
1892	2071.exe
1892	2071.exe
1892	2071.exe
1892	2071.exe
1892	2071.exe
1072	svchost.exe
1072	svchost.exe
1072	svchost.exe
1072	svchost.exe
1072	svchost.exe
1072	svchost.exe
1072	svchost.exe
1072	svchost.exe
1072	svchost.exe
1072	svchost.exe
1072	svchost.exe
1072	svchost.exe
1072	svchost.exe
1072	svchost.exe
1072	svchost.exe
1072	svchost.exe
1072	svchost.exe
1072	svchost.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
464	Process not Found

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1168	iexplore.exe
1168	iexplore.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
580	ìÅÎèÖúÊÖ³é½±¹Ò3.0.9-BÃë³é°æ.exe
580	ìÅÎèÖúÊÖ³é½±¹Ò3.0.9-BÃë³é°æ.exe
580	ìÅÎèÖúÊÖ³é½±¹Ò3.0.9-BÃë³é°æ.exe
580	ìÅÎèÖúÊÖ³é½±¹Ò3.0.9-BÃë³é°æ.exe
1168	iexplore.exe
1168	iexplore.exe
1316	IEXPLORE.EXE
1316	IEXPLORE.EXE
1168	iexplore.exe
1168	iexplore.exe
2720	IEXPLORE.EXE
2720	IEXPLORE.EXE
2720	IEXPLORE.EXE
2720	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 1224 wrote to memory of 2032	1224	4b8bc86b3ba5dd3fb7ad3ca3f3f3e62af0e13679c3eb8cd630d36b03eabf7f6b.exe	27
PID 1224 wrote to memory of 2032	1224	4b8bc86b3ba5dd3fb7ad3ca3f3f3e62af0e13679c3eb8cd630d36b03eabf7f6b.exe	27
PID 1224 wrote to memory of 2032	1224	4b8bc86b3ba5dd3fb7ad3ca3f3f3e62af0e13679c3eb8cd630d36b03eabf7f6b.exe	27
PID 1224 wrote to memory of 2032	1224	4b8bc86b3ba5dd3fb7ad3ca3f3f3e62af0e13679c3eb8cd630d36b03eabf7f6b.exe	27
PID 1224 wrote to memory of 1892	1224	4b8bc86b3ba5dd3fb7ad3ca3f3f3e62af0e13679c3eb8cd630d36b03eabf7f6b.exe	29
PID 1224 wrote to memory of 1892	1224	4b8bc86b3ba5dd3fb7ad3ca3f3f3e62af0e13679c3eb8cd630d36b03eabf7f6b.exe	29
PID 1224 wrote to memory of 1892	1224	4b8bc86b3ba5dd3fb7ad3ca3f3f3e62af0e13679c3eb8cd630d36b03eabf7f6b.exe	29
PID 1224 wrote to memory of 1892	1224	4b8bc86b3ba5dd3fb7ad3ca3f3f3e62af0e13679c3eb8cd630d36b03eabf7f6b.exe	29
PID 2032 wrote to memory of 1720	2032	p.exe	28
PID 2032 wrote to memory of 1720	2032	p.exe	28
PID 2032 wrote to memory of 1720	2032	p.exe	28
PID 2032 wrote to memory of 1720	2032	p.exe	28
PID 1720 wrote to memory of 1072	1720	p.exe	30
PID 1720 wrote to memory of 1072	1720	p.exe	30
PID 1720 wrote to memory of 1072	1720	p.exe	30
PID 1720 wrote to memory of 1072	1720	p.exe	30
PID 1224 wrote to memory of 580	1224	4b8bc86b3ba5dd3fb7ad3ca3f3f3e62af0e13679c3eb8cd630d36b03eabf7f6b.exe	31
PID 1224 wrote to memory of 580	1224	4b8bc86b3ba5dd3fb7ad3ca3f3f3e62af0e13679c3eb8cd630d36b03eabf7f6b.exe	31
PID 1224 wrote to memory of 580	1224	4b8bc86b3ba5dd3fb7ad3ca3f3f3e62af0e13679c3eb8cd630d36b03eabf7f6b.exe	31
PID 1224 wrote to memory of 580	1224	4b8bc86b3ba5dd3fb7ad3ca3f3f3e62af0e13679c3eb8cd630d36b03eabf7f6b.exe	31
PID 580 wrote to memory of 1168	580	ìÅÎèÖúÊÖ³é½±¹Ò3.0.9-BÃë³é°æ.exe	34
PID 580 wrote to memory of 1168	580	ìÅÎèÖúÊÖ³é½±¹Ò3.0.9-BÃë³é°æ.exe	34
PID 580 wrote to memory of 1168	580	ìÅÎèÖúÊÖ³é½±¹Ò3.0.9-BÃë³é°æ.exe	34
PID 580 wrote to memory of 1168	580	ìÅÎèÖúÊÖ³é½±¹Ò3.0.9-BÃë³é°æ.exe	34
PID 1168 wrote to memory of 1316	1168	iexplore.exe	35
PID 1168 wrote to memory of 1316	1168	iexplore.exe	35
PID 1168 wrote to memory of 1316	1168	iexplore.exe	35
PID 1168 wrote to memory of 1316	1168	iexplore.exe	35
PID 1892 wrote to memory of 3064	1892	2071.exe	36
PID 1892 wrote to memory of 3064	1892	2071.exe	36
PID 1892 wrote to memory of 3064	1892	2071.exe	36
PID 1892 wrote to memory of 3064	1892	2071.exe	36
PID 1168 wrote to memory of 2720	1168	iexplore.exe	37
PID 1168 wrote to memory of 2720	1168	iexplore.exe	37
PID 1168 wrote to memory of 2720	1168	iexplore.exe	37
PID 1168 wrote to memory of 2720	1168	iexplore.exe	37
PID 1892 wrote to memory of 2308	1892	2071.exe	40
PID 1892 wrote to memory of 2308	1892	2071.exe	40
PID 1892 wrote to memory of 2308	1892	2071.exe	40
PID 1892 wrote to memory of 2308	1892	2071.exe	40

C:\Users\Admin\AppData\Local\Temp\4b8bc86b3ba5dd3fb7ad3ca3f3f3e62af0e13679c3eb8cd630d36b03eabf7f6b.exe
"C:\Users\Admin\AppData\Local\Temp\4b8bc86b3ba5dd3fb7ad3ca3f3f3e62af0e13679c3eb8cd630d36b03eabf7f6b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1224
- C:\Users\Admin\AppData\Local\Temp\p.exe
  "C:\Users\Admin\AppData\Local\Temp\p.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Users\Admin\AppData\Local\Temp\p.exe
    C:\Users\Admin\AppData\Local\Temp\p.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:1720
  - - C:\WINDOWS\zoues\svchost.exe
      C:\WINDOWS\zoues\svchost.exe
      4⤵
      Executes dropped EXE
      Modifies Installed Components in the registry
      Suspicious behavior: EnumeratesProcesses
      PID:1072
- C:\Users\Admin\AppData\Local\Temp\2071.exe
  "C:\Users\Admin\AppData\Local\Temp\2071.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1892
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://ad.tjchajian.com:82/ip.html?id=2071
    3⤵
    PID:3064
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1892 -s 1012
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2308
- C:\Users\Admin\AppData\Local\Temp\ìÅÎèÖúÊÖ³é½±¹Ò3.0.9-BÃë³é°æ.exe
  "C:\Users\Admin\AppData\Local\Temp\ìÅÎèÖúÊÖ³é½±¹Ò3.0.9-BÃë³é°æ.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:580
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://www.1wly.com/
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1168
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1168 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1316
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1168 CREDAT:1061896 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2720

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
245d0a948b1456ba4c31a2955110d0f5

SHA1
3e96e5dc0a6d78d11c7961139c57d9aba44f48ff

SHA256
5810130c74de74ae51e09c0f9e03e50694a5aedacd34e786e858e075282d6a6f

SHA512
092abbdf2e919db6d365289a93b68103e0a52dc61ed96f21ed1db367d41de0353a35db520aea5e332572d30274652665a959c2e6e1eed041feee80b465c2e143

Download Submit
C:\Users\Admin\AppData\Local\Temp\2071.exe

Filesize
114KB

MD5
6a3403a72b8efaecf87009a0cdf709c7

SHA1
4db26c3d0ef07c6107278b7583365fe47da6c03f

SHA256
3f4b5cde4f217058f2914d18e52b5e744776079b161a6297518a87027076743d

SHA512
4c114d63fc10dbccff5811b545924dd07f1690ffa581e68faf5609955ad02791a1d83313cc52bb5e6ae7a0e2c784d257c7256c3b9c78c5927ed0709e32f02a51

Download Submit
C:\Users\Admin\AppData\Local\Temp\2071.exe

Filesize
114KB

MD5
6a3403a72b8efaecf87009a0cdf709c7

SHA1
4db26c3d0ef07c6107278b7583365fe47da6c03f

SHA256
3f4b5cde4f217058f2914d18e52b5e744776079b161a6297518a87027076743d

SHA512
4c114d63fc10dbccff5811b545924dd07f1690ffa581e68faf5609955ad02791a1d83313cc52bb5e6ae7a0e2c784d257c7256c3b9c78c5927ed0709e32f02a51

Download Submit
C:\Users\Admin\AppData\Local\Temp\p.exe

Filesize
33KB

MD5
a97b8231899c20daa06ca80a3962c6f4

SHA1
8b739b51d895b5134ec308d394067b7b44696be1

SHA256
04534e4a204a516e10353a7413cd1558a48968d2c6c1fa44eeb1486876556054

SHA512
45ae5b2742aa61eaa7d0526b1d6b60b620f36d93f4d95a122a531a247124e15f8fcc0151a6eacd9c4222849a7ffa629f2b37df15b10e936367d7092b267e5127

Download Submit
C:\Users\Admin\AppData\Local\Temp\p.exe

Filesize
33KB

MD5
a97b8231899c20daa06ca80a3962c6f4

SHA1
8b739b51d895b5134ec308d394067b7b44696be1

SHA256
04534e4a204a516e10353a7413cd1558a48968d2c6c1fa44eeb1486876556054

SHA512
45ae5b2742aa61eaa7d0526b1d6b60b620f36d93f4d95a122a531a247124e15f8fcc0151a6eacd9c4222849a7ffa629f2b37df15b10e936367d7092b267e5127

Download Submit
C:\Users\Admin\AppData\Local\Temp\p.exe

Filesize
33KB

MD5
a97b8231899c20daa06ca80a3962c6f4

SHA1
8b739b51d895b5134ec308d394067b7b44696be1

SHA256
04534e4a204a516e10353a7413cd1558a48968d2c6c1fa44eeb1486876556054

SHA512
45ae5b2742aa61eaa7d0526b1d6b60b620f36d93f4d95a122a531a247124e15f8fcc0151a6eacd9c4222849a7ffa629f2b37df15b10e936367d7092b267e5127

Download Submit
C:\Users\Admin\AppData\Local\Temp\ìÅÎèÖúÊÖ³é½±¹Ò3.0.9-BÃë³é°æ.exe

Filesize
1.6MB

MD5
1fbf2178409a4f816be8f766288e7439

SHA1
05800a7052e6196a704b71e252d3a639bd306724

SHA256
a02c27e0682c04806cc5055ea8dd942b5cb72f0f0954bfc87492abb8b019f2d8

SHA512
f113fe70c7aa67752f5567f67098642ab6753211f3cc6a65cadf1054e7c95d38510d6fc5b7600af7dcd4a256b53df70c5842212ba7fa01af2ec855ea49f294d3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\ACQ2CKVP.txt

Filesize
111B

MD5
3fb7344518dcd56f49620899cc397edc

SHA1
7a5e580eec1799cacb4fab2a0ed2bae6b0a4cfe1

SHA256
be47a2fda5d51f6c7616a85c3a5ce20025637a43141862f7a87d7d59ccc72fff

SHA512
d9ae0f4fdcbcd1692c3a12e6543383abdbb08b6af90d5c60ec69f1582666e3e7b702cd958a776d19cfd9638ddf03d5fd5407f48be8b40e87c54e80b49f87ef69

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\BC0TONVX.txt

Filesize
608B

MD5
a2d907fc21973987204f090e7062002d

SHA1
a64b5ba942942c979e4aa28938ab4ed900f8564e

SHA256
ff58fb90afc62bde160cefe121f91ecac1f9a245ac04a2416a1ffc4279055b81

SHA512
5788fefa23c85b63e6179a8099b7ef50e9d858d64fd375268700ee901d81a359dd402f17de137955c90257eab65f99ad47ebffae47d9caf59e4f49cce063269a

Download Submit
C:\Windows\zoues\svchost.exe

Filesize
33KB

MD5
b8299a947177ce0dc668af3ff05c46fa

SHA1
e82e614cffffbfc2ff2b0f3130abd495cbf76b44

SHA256
ad46cf29d9a8568a66c2abc2561af34e2546d6c3009c7139b1a7761a0ce98ada

SHA512
f2b8d98592979073ba2ebd2de084485f1d1d1e8ff0d6b86a806ee2f105b7770836a0b3f77e569e8fecdb6c65c6aba08ed63b88c426dd873481eb6c792fccd939

Download Submit
\??\c:\WINDOWS\Help\windowsz32.txt

Filesize
39B

MD5
be563affdf84703821ba6e23d9ed6de7

SHA1
5d6d472ddcec06861872e9bf7d18589c4b37e982

SHA256
32d7619b9c9011c023d94e7c8d6fd234d85813d7ec7cf7cf3e74f45588c95ccc

SHA512
18e6016982f3b2a0a0b618a5e76b641303893a8d50f41a324c4e63254f7cb7e1c7fa6dd6a6f48753e34a633d268477638768bd3b8a897e8a8910d12457f4c685

Download Submit
\Users\Admin\AppData\Local\Temp\2071.exe

Filesize
114KB

MD5
6a3403a72b8efaecf87009a0cdf709c7

SHA1
4db26c3d0ef07c6107278b7583365fe47da6c03f

SHA256
3f4b5cde4f217058f2914d18e52b5e744776079b161a6297518a87027076743d

SHA512
4c114d63fc10dbccff5811b545924dd07f1690ffa581e68faf5609955ad02791a1d83313cc52bb5e6ae7a0e2c784d257c7256c3b9c78c5927ed0709e32f02a51

Download Submit
\Users\Admin\AppData\Local\Temp\2071.exe

Filesize
114KB

MD5
6a3403a72b8efaecf87009a0cdf709c7

SHA1
4db26c3d0ef07c6107278b7583365fe47da6c03f

SHA256
3f4b5cde4f217058f2914d18e52b5e744776079b161a6297518a87027076743d

SHA512
4c114d63fc10dbccff5811b545924dd07f1690ffa581e68faf5609955ad02791a1d83313cc52bb5e6ae7a0e2c784d257c7256c3b9c78c5927ed0709e32f02a51

Download Submit
\Users\Admin\AppData\Local\Temp\2071.exe

Filesize
114KB

MD5
6a3403a72b8efaecf87009a0cdf709c7

SHA1
4db26c3d0ef07c6107278b7583365fe47da6c03f

SHA256
3f4b5cde4f217058f2914d18e52b5e744776079b161a6297518a87027076743d

SHA512
4c114d63fc10dbccff5811b545924dd07f1690ffa581e68faf5609955ad02791a1d83313cc52bb5e6ae7a0e2c784d257c7256c3b9c78c5927ed0709e32f02a51

Download Submit
\Users\Admin\AppData\Local\Temp\2071.exe

Filesize
114KB

MD5
6a3403a72b8efaecf87009a0cdf709c7

SHA1
4db26c3d0ef07c6107278b7583365fe47da6c03f

SHA256
3f4b5cde4f217058f2914d18e52b5e744776079b161a6297518a87027076743d

SHA512
4c114d63fc10dbccff5811b545924dd07f1690ffa581e68faf5609955ad02791a1d83313cc52bb5e6ae7a0e2c784d257c7256c3b9c78c5927ed0709e32f02a51

Download Submit
\Users\Admin\AppData\Local\Temp\2071.exe

Filesize
114KB

MD5
6a3403a72b8efaecf87009a0cdf709c7

SHA1
4db26c3d0ef07c6107278b7583365fe47da6c03f

SHA256
3f4b5cde4f217058f2914d18e52b5e744776079b161a6297518a87027076743d

SHA512
4c114d63fc10dbccff5811b545924dd07f1690ffa581e68faf5609955ad02791a1d83313cc52bb5e6ae7a0e2c784d257c7256c3b9c78c5927ed0709e32f02a51

Download Submit
\Users\Admin\AppData\Local\Temp\p.exe

Filesize
33KB

MD5
a97b8231899c20daa06ca80a3962c6f4

SHA1
8b739b51d895b5134ec308d394067b7b44696be1

SHA256
04534e4a204a516e10353a7413cd1558a48968d2c6c1fa44eeb1486876556054

SHA512
45ae5b2742aa61eaa7d0526b1d6b60b620f36d93f4d95a122a531a247124e15f8fcc0151a6eacd9c4222849a7ffa629f2b37df15b10e936367d7092b267e5127

Download Submit
\Users\Admin\AppData\Local\Temp\p.exe

Filesize
33KB

MD5
a97b8231899c20daa06ca80a3962c6f4

SHA1
8b739b51d895b5134ec308d394067b7b44696be1

SHA256
04534e4a204a516e10353a7413cd1558a48968d2c6c1fa44eeb1486876556054

SHA512
45ae5b2742aa61eaa7d0526b1d6b60b620f36d93f4d95a122a531a247124e15f8fcc0151a6eacd9c4222849a7ffa629f2b37df15b10e936367d7092b267e5127

Download Submit
\Users\Admin\AppData\Local\Temp\ìÅÎèÖúÊÖ³é½±¹Ò3.0.9-BÃë³é°æ.exe

Filesize
1.6MB

MD5
1fbf2178409a4f816be8f766288e7439

SHA1
05800a7052e6196a704b71e252d3a639bd306724

SHA256
a02c27e0682c04806cc5055ea8dd942b5cb72f0f0954bfc87492abb8b019f2d8

SHA512
f113fe70c7aa67752f5567f67098642ab6753211f3cc6a65cadf1054e7c95d38510d6fc5b7600af7dcd4a256b53df70c5842212ba7fa01af2ec855ea49f294d3

Download Submit
\Users\Admin\AppData\Local\Temp\ìÅÎèÖúÊÖ³é½±¹Ò3.0.9-BÃë³é°æ.exe

Filesize
1.6MB

MD5
1fbf2178409a4f816be8f766288e7439

SHA1
05800a7052e6196a704b71e252d3a639bd306724

SHA256
a02c27e0682c04806cc5055ea8dd942b5cb72f0f0954bfc87492abb8b019f2d8

SHA512
f113fe70c7aa67752f5567f67098642ab6753211f3cc6a65cadf1054e7c95d38510d6fc5b7600af7dcd4a256b53df70c5842212ba7fa01af2ec855ea49f294d3

Download Submit
\Windows\SysWOW64\intel.dll

Filesize
142KB

MD5
5b6ae60afa76e99a591556ba5bdc0acb

SHA1
e3f12b7fe4337a55c9e859a5ceec95f749cf457b

SHA256
7a0cbe06ce186a11a3240015a9e7adc24db91a78f35170933efdc062aa1c4378

SHA512
4394f5f198eaf5315e4dba3a03204b9ef3fd4340ef7a98fa865c7dab15fe28d9586ac8cfe738ec60c9961437586d5deba25c6622e1f8af3c4e806022c236c98a

Download Submit
\Windows\SysWOW64\intel.dll

Filesize
142KB

MD5
5b6ae60afa76e99a591556ba5bdc0acb

SHA1
e3f12b7fe4337a55c9e859a5ceec95f749cf457b

SHA256
7a0cbe06ce186a11a3240015a9e7adc24db91a78f35170933efdc062aa1c4378

SHA512
4394f5f198eaf5315e4dba3a03204b9ef3fd4340ef7a98fa865c7dab15fe28d9586ac8cfe738ec60c9961437586d5deba25c6622e1f8af3c4e806022c236c98a

Download Submit
\Windows\zoues\svchost.exe

Filesize
33KB

MD5
b8299a947177ce0dc668af3ff05c46fa

SHA1
e82e614cffffbfc2ff2b0f3130abd495cbf76b44

SHA256
ad46cf29d9a8568a66c2abc2561af34e2546d6c3009c7139b1a7761a0ce98ada

SHA512
f2b8d98592979073ba2ebd2de084485f1d1d1e8ff0d6b86a806ee2f105b7770836a0b3f77e569e8fecdb6c65c6aba08ed63b88c426dd873481eb6c792fccd939

Download Submit
memory/580-85-0x0000000000400000-0x00000000007A2000-memory.dmp

Filesize
3.6MB

Download
memory/580-79-0x0000000000400000-0x00000000007A2000-memory.dmp

Filesize
3.6MB

Download
memory/580-81-0x0000000077340000-0x00000000774C0000-memory.dmp

Filesize
1.5MB

Download
memory/580-82-0x0000000000400000-0x00000000007A2000-memory.dmp

Filesize
3.6MB

Download
memory/580-86-0x0000000077340000-0x00000000774C0000-memory.dmp

Filesize
1.5MB

Download
memory/1224-54-0x0000000074DC1000-0x0000000074DC3000-memory.dmp

Filesize
8KB

Download
memory/1224-77-0x0000000000400000-0x00000000005C8B3B-memory.dmp

Filesize
1.8MB

Download
memory/1224-55-0x0000000000400000-0x00000000005C8B3B-memory.dmp

Filesize
1.8MB

Download
memory/1892-88-0x0000000000AC0000-0x0000000000AD0000-memory.dmp

Filesize
64KB

Download
memory/1892-78-0x0000000000FE0000-0x0000000001026000-memory.dmp

Filesize
280KB

Download
memory/1892-68-0x0000000000FE0000-0x0000000001026000-memory.dmp

Filesize
280KB

Download
memory/1892-70-0x0000000000FE0000-0x0000000001026000-memory.dmp

Filesize
280KB

Download
memory/1892-98-0x0000000000FE0000-0x0000000001026000-memory.dmp

Filesize
280KB

Download