joker | 44d19fc60c791727ec324b57e02b79a17ce22a9a80674887f79b31383a63a187

Analysis

max time kernel
148s
max time network
156s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19-09-2022 06:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

44d19fc60c791727ec324b57e02b79a17ce22a9a80674887f79b31383a63a187.exe
Size

310KB
MD5

d41167879a48205b6875e364eed85a43
SHA1

0ef92fbe70386c3e0217a2b3ba2231136fa4499d
SHA256

44d19fc60c791727ec324b57e02b79a17ce22a9a80674887f79b31383a63a187
SHA512

28e2315e46af62bbbedc39a0ccb6f50b6e440a73f8c35b7a959702b31efec479da5308afd0cf31ee6e3a1a7eac5f1ac635b0c5a21163d136a7308c0b467c0f05
SSDEEP

6144:v9UfckVda6MixnO7a+yjjIZy7dWtIJmYIoC8MRzLn9/EIn4trabt:1NkVdHkaxCyJVFiPzL9O1aZ

Score

10^/10

joker infostealer trojan

Malware Config

Signatures

joker
Joker is an Android malware that targets billing and SMS fraud.
infostealer trojan joker

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\safe.ico	44d19fc60c791727ec324b57e02b79a17ce22a9a80674887f79b31383a63a187.exe

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File created	C:\progra~1\ico\$dpx$.tmp\1f92279497b544438a338439eda9f763.tmp	expand.exe
File created	C:\progra~1\ico\$dpx$.tmp\d8aa357b97e5c5409463130be067a99e.tmp	expand.exe
File opened for modification	C:\progra~1\ico\$dpx$.tmp	expand.exe
File opened for modification	C:\progra~1\ico\Film.ico	expand.exe
File created	C:\progra~1\ico\$dpx$.tmp\f9c29c27dccdb64dab2f5ddfe3177c3d.tmp	expand.exe
File opened for modification	C:\progra~1\ico\Chat.ico	expand.exe
File created	C:\progra~1\ico\$dpx$.tmp\afcb35c4f31b9948a7e04733d9080ea2.tmp	expand.exe
File opened for modification	C:\progra~1\ico\Taobao.ico	expand.exe
File opened for modification	C:\progra~1\ico\Video.ico	expand.exe
File created	C:\progra~1\ico\$dpx$.tmp\c503561e63b5cc488136716459073867.tmp	expand.exe
File opened for modification	C:\progra~1\ico\Beauty.ico	expand.exe
File opened for modification	C:\progra~1\ico\meiv.ico	expand.exe
File created	C:\progra~1\ico\$dpx$.tmp\db25fbe6e0cbbf4b806bc1098b45951b.tmp	expand.exe
File opened for modification	C:\progra~1\ico\$dpx$.tmp\job.xml	expand.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	expand.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.779dh.com\ = "63"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80a2de8f1dccd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\mitao01.bar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\mitao01.bar\ = "63"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C25DF8A1-3810-11ED-8B55-6651945CA213} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\779dh.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "370352990"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\ename.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000062e6ef0d45f4454ab79548c962d74cdf000000000200000000001066000000010000200000006000980baaaf3f723670684e9ddd9f855c2fb7215300df3415d56225c74b89cb000000000e8000000002000020000000b65ef7b42bf952d8aca627fb583ee7837da176448f1cac0eaadd5ce0d040adfa9000000032f061b981abca2523708d1e9c3725bf25781c7fc087fe6d41c57b0de7c9be8c2e52cc2fbea4066e5395cc002bf28e2643d3ec778900f432cb7bf74e3eec23576d8bbe9576af545c7c7cdffd952408852e0c99626023e00ead29817370df3c40192918916ae61f1a84000aec829529199d871d1cc693fd8a24e8f62115d0071656ce09dbe66f88d3f3807d6bdb08701940000000f208db26cd8cdaa434eb3a72eab2ca1cb40c1c6810a5a4e8f93112d3c0c01087ca523322aaa19e2c5d8bb67d257853ac2cdfdbb378dd3a7531eaf7f0a61224c9	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\618889.shop.ename.com\ = "63"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\ename.com\Total = "63"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Factor = "20"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\mitao01.bar\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\618889.shop.ename.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Enable = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.779dh.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\779dh.com\Total = "63"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\779dh.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "126"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.779dh.com\ = "126"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\mitao01.bar\Total = "63"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\International\CpMRU	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\779dh.com\Total = "126"	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1896	44d19fc60c791727ec324b57e02b79a17ce22a9a80674887f79b31383a63a187.exe
1896	44d19fc60c791727ec324b57e02b79a17ce22a9a80674887f79b31383a63a187.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1896	44d19fc60c791727ec324b57e02b79a17ce22a9a80674887f79b31383a63a187.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1564	iexplore.exe
1564	iexplore.exe
1564	iexplore.exe
1564	iexplore.exe

Suspicious use of SetWindowsHookEx 19 IoCs

pid	Process
1896	44d19fc60c791727ec324b57e02b79a17ce22a9a80674887f79b31383a63a187.exe
1896	44d19fc60c791727ec324b57e02b79a17ce22a9a80674887f79b31383a63a187.exe
1896	44d19fc60c791727ec324b57e02b79a17ce22a9a80674887f79b31383a63a187.exe
1564	iexplore.exe
1564	iexplore.exe
1160	IEXPLORE.EXE
1160	IEXPLORE.EXE
1564	iexplore.exe
1564	iexplore.exe
1564	iexplore.exe
1564	iexplore.exe
1564	iexplore.exe
1564	iexplore.exe
1216	IEXPLORE.EXE
1216	IEXPLORE.EXE
1872	IEXPLORE.EXE
1872	IEXPLORE.EXE
1216	IEXPLORE.EXE
1216	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 1896 wrote to memory of 1752	1896	44d19fc60c791727ec324b57e02b79a17ce22a9a80674887f79b31383a63a187.exe	29
PID 1896 wrote to memory of 1752	1896	44d19fc60c791727ec324b57e02b79a17ce22a9a80674887f79b31383a63a187.exe	29
PID 1896 wrote to memory of 1752	1896	44d19fc60c791727ec324b57e02b79a17ce22a9a80674887f79b31383a63a187.exe	29
PID 1896 wrote to memory of 1752	1896	44d19fc60c791727ec324b57e02b79a17ce22a9a80674887f79b31383a63a187.exe	29
PID 1896 wrote to memory of 1732	1896	44d19fc60c791727ec324b57e02b79a17ce22a9a80674887f79b31383a63a187.exe	28
PID 1896 wrote to memory of 1732	1896	44d19fc60c791727ec324b57e02b79a17ce22a9a80674887f79b31383a63a187.exe	28
PID 1896 wrote to memory of 1732	1896	44d19fc60c791727ec324b57e02b79a17ce22a9a80674887f79b31383a63a187.exe	28
PID 1896 wrote to memory of 1732	1896	44d19fc60c791727ec324b57e02b79a17ce22a9a80674887f79b31383a63a187.exe	28
PID 1752 wrote to memory of 2032	1752	cmd.exe	31
PID 1752 wrote to memory of 2032	1752	cmd.exe	31
PID 1752 wrote to memory of 2032	1752	cmd.exe	31
PID 1752 wrote to memory of 2032	1752	cmd.exe	31
PID 1536 wrote to memory of 1564	1536	explorer.exe	34
PID 1536 wrote to memory of 1564	1536	explorer.exe	34
PID 1536 wrote to memory of 1564	1536	explorer.exe	34
PID 1564 wrote to memory of 1160	1564	iexplore.exe	35
PID 1564 wrote to memory of 1160	1564	iexplore.exe	35
PID 1564 wrote to memory of 1160	1564	iexplore.exe	35
PID 1564 wrote to memory of 1160	1564	iexplore.exe	35
PID 1896 wrote to memory of 932	1896	44d19fc60c791727ec324b57e02b79a17ce22a9a80674887f79b31383a63a187.exe	37
PID 1896 wrote to memory of 932	1896	44d19fc60c791727ec324b57e02b79a17ce22a9a80674887f79b31383a63a187.exe	37
PID 1896 wrote to memory of 932	1896	44d19fc60c791727ec324b57e02b79a17ce22a9a80674887f79b31383a63a187.exe	37
PID 1896 wrote to memory of 932	1896	44d19fc60c791727ec324b57e02b79a17ce22a9a80674887f79b31383a63a187.exe	37
PID 1896 wrote to memory of 1068	1896	44d19fc60c791727ec324b57e02b79a17ce22a9a80674887f79b31383a63a187.exe	38
PID 1896 wrote to memory of 1068	1896	44d19fc60c791727ec324b57e02b79a17ce22a9a80674887f79b31383a63a187.exe	38
PID 1896 wrote to memory of 1068	1896	44d19fc60c791727ec324b57e02b79a17ce22a9a80674887f79b31383a63a187.exe	38
PID 1896 wrote to memory of 1068	1896	44d19fc60c791727ec324b57e02b79a17ce22a9a80674887f79b31383a63a187.exe	38
PID 1896 wrote to memory of 1844	1896	44d19fc60c791727ec324b57e02b79a17ce22a9a80674887f79b31383a63a187.exe	39
PID 1896 wrote to memory of 1844	1896	44d19fc60c791727ec324b57e02b79a17ce22a9a80674887f79b31383a63a187.exe	39
PID 1896 wrote to memory of 1844	1896	44d19fc60c791727ec324b57e02b79a17ce22a9a80674887f79b31383a63a187.exe	39
PID 1896 wrote to memory of 1844	1896	44d19fc60c791727ec324b57e02b79a17ce22a9a80674887f79b31383a63a187.exe	39
PID 1564 wrote to memory of 1216	1564	iexplore.exe	40
PID 1564 wrote to memory of 1216	1564	iexplore.exe	40
PID 1564 wrote to memory of 1216	1564	iexplore.exe	40
PID 1564 wrote to memory of 1216	1564	iexplore.exe	40
PID 1564 wrote to memory of 552	1564	iexplore.exe	41
PID 1564 wrote to memory of 552	1564	iexplore.exe	41
PID 1564 wrote to memory of 552	1564	iexplore.exe	41
PID 1564 wrote to memory of 552	1564	iexplore.exe	41
PID 1564 wrote to memory of 1872	1564	iexplore.exe	42
PID 1564 wrote to memory of 1872	1564	iexplore.exe	42
PID 1564 wrote to memory of 1872	1564	iexplore.exe	42
PID 1564 wrote to memory of 1872	1564	iexplore.exe	42

C:\Users\Admin\AppData\Local\Temp\44d19fc60c791727ec324b57e02b79a17ce22a9a80674887f79b31383a63a187.exe
"C:\Users\Admin\AppData\Local\Temp\44d19fc60c791727ec324b57e02b79a17ce22a9a80674887f79b31383a63a187.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1896
- C:\Windows\SysWOW64\explorer.exe
  explorer.exe http://www.v258.net/list/list16.html?mmm
  2⤵
  PID:1732
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\qsFEZ.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1752
- - C:\Windows\SysWOW64\expand.exe
    expand.exe "C:\Users\Admin\AppData\Local\Temp\ico.cab" -F:*.* "C:\progra~1\ico"
    3⤵
    - Drops file in Program Files directory
    - Drops file in Windows directory
    PID:2032
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.q22.cc/?ukt
  2⤵
  PID:932
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.v921.com/?uk
  2⤵
  PID:1068
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.779dh.com/?kj
  2⤵
  PID:1844

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:1536
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.v258.net/list/list16.html?mmm
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1564
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1564 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1160
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1564 CREDAT:537605 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1216
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1564 CREDAT:603139 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    PID:552
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1564 CREDAT:930820 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1872

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B

Filesize
1KB

MD5
2c32100249bd03a08745cfeda61bfad5

SHA1
6108968db9e17f3cf7f38e60f9bd33c56d9613cb

SHA256
5c6f494b47b37859489a17b673d3553818ab41d37680559881c4219b933c83ac

SHA512
0f9b7bd18711f274fdc008168c9a65f948f21662ce279f92c28e3c06a0b8f7ac3b902165289cb71fb72adaa1db2630646fd48809d260b559e881e296cad4ed7c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B

Filesize
508B

MD5
ccd77f6404a376b99553b154cd2a3c19

SHA1
c9cd7ed64faf103a0e4a0a8591de93114bf3ec88

SHA256
0e4aa1f92532363b14fb9f08b435dbe3a53fd2d57b113a7df7bf6f43a619709c

SHA512
c72afffc90239e749721df64f2058c9126b34813657d706eb6cfff2723430c3c0b4282c2c4e8cbff3b19ec75741ac3069541cc78064bf5104ecf02f1b2edb9f5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
340B

MD5
066ae16ba7b26fcc50d10101403b592c

SHA1
590812fbc2aeed9a89cde88838729ab09ab620cb

SHA256
59e2bf99ad241721d21056a32bf8e24ffae0dba6a9dc9fae245f22c6c05be6df

SHA512
b78a86f170ebc72e3d31549445acf7ea46e2a6bf248ee1069e74f026fcd30d909206843706062a71954a7150d17bd308f727ed74ddb4715c4047574a0c50f5f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5d5f73971427d10b1db5f9509bfbf192

SHA1
b8354ca13b2110ea3f8e89ee42596d8a9a4b2a56

SHA256
6248c3df768425e346052b495e569fd7335ef4bfd39d7aff52985c99bd358b28

SHA512
76a9139ca6a611992051eb160e97f505819ac0c6eede57d072932e57edfc709cf6e9002129d0449eb903e99f55d32951803c467a61fc520c529579d78ec826dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\qsFEZ.bat

Filesize
98B

MD5
ada787702460241a372c495dc53dbdcf

SHA1
da7d65ec9541fe9ed13b3531f38202f83b0ac96d

SHA256
0d0f600f95192d2d602dbda346c4e08745295f331f5a0349deae21705367b850

SHA512
c86091735b855691c89c7946145591dec6a6a6a36a2438d392587a9cc1f2d85c1ebe44fcff1cc9d94271a24ebbc2ca38639577a6f5c592e9e10517da26572708

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\F5Q3VNAW.txt

Filesize
608B

MD5
b93ff4b1f055a8907a0231ddd40e92db

SHA1
5f4b6c6bb1ab5883789289a654ea457c37f4e401

SHA256
a105de3db7721c1ae0bee7500706afde8166399cad2e97087fe6f6db3d67ae42

SHA512
e77d047d4017fb462d7ae30c3b3f8deb5346d420d6237cbe6f36ce3df17a6a34497692d0cc4d6d7441858c6e8893fdf9b1149fd5c37c1ef5f04fd48c41de6b5a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\IJS8NA3X.txt

Filesize
112B

MD5
cef3fdde26dd0b1a136ec4cba667827d

SHA1
b2653d2704abcff4001b98cb697db0020a783163

SHA256
3d9a1be612622cf5481579f2737c477ed2d238323ae2e85775155cda2d30a2d4

SHA512
3b469715ae7775aae907b74d8718c1fe0d6b1f88bb91d2e314ea4e1ea44f3920accd2496cec429d0c580bde0115727c09605f85e45dc906d1052de17f69704bd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\QZMF7LXN.txt

Filesize
116B

MD5
730098b0b8d1b16d5e6505603bd6f211

SHA1
58a16cac176b6d47bc7dbccf2597e919b884682c

SHA256
a8ec760bb5a752aff7ac706a02c861e376ff111a2cbe232a66b25f7aec85ffd4

SHA512
cea35b05909d9ba5b9f78ebbc1fbc7beeb37cdee55993fd424baa8883af23468be1955d9ffc0d31c4dc505bed2f802e2f73bd2c1e881306530c6c0f9cd133fa1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\RCBO80O9.txt

Filesize
224B

MD5
506859a2e72672274c9549b1d49cd8a5

SHA1
93d7edcea2deebd03636da45e5cc4ee894fa45e9

SHA256
cccd9d68ed405ee0c8483f464f78469973f8f07cd8d4c3b774ae92eafbec5260

SHA512
fd7c628267acad99fccffd15e7e2bac245d8b984f73e7d7d4cd1fc7e7abe96a5497ccfa85383a3bf45a63d3d32f7916f9ca38f0f67022e0f21a988f1917e132e

Download Submit
\??\c:\users\admin\appdata\local\temp\ico.cab

Filesize
20KB

MD5
1319e9998cedc513c68fa6d590b6ad63

SHA1
ae95b333e88a13886994f320f5dfb4856168a710

SHA256
9a5b18efe243fbe9b9b0be3674a24080e9210436986988f3f85a4007905083bb

SHA512
d4052a899c6c310296e2f5fdf6c2031c22d2644be620cb34ddcc6b59789d82a6462daaeb34466c568be48ee975c4a5ab43143eab0792312a6cd0d49f9fbd8d3f

Download Submit
memory/1536-65-0x000007FEFC1F1000-0x000007FEFC1F3000-memory.dmp

Filesize
8KB

Download
memory/1732-63-0x0000000074F11000-0x0000000074F13000-memory.dmp

Filesize
8KB

Download
memory/1896-54-0x00000000763F1000-0x00000000763F3000-memory.dmp

Filesize
8KB

Download
memory/1896-69-0x0000000000400000-0x0000000000548000-memory.dmp

Filesize
1.3MB

Download
memory/1896-57-0x0000000000400000-0x0000000000548000-memory.dmp

Filesize
1.3MB

Download
memory/1896-55-0x0000000000400000-0x0000000000548000-memory.dmp

Filesize
1.3MB

Download