joker | 6d881dc614ea24578f591e889d50fc5b6fbd7e4cddacad31f83d5232aa0ce2a7

Analysis

max time kernel
151s
max time network
162s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19-09-2022 08:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6d881dc614ea24578f591e889d50fc5b6fbd7e4cddacad31f83d5232aa0ce2a7.exe
Size

124KB
MD5

bcf68ec493c6da5c147ac8531caac217
SHA1

e2b7545c9cecb783a41178c8fcc1bcbc688c2a39
SHA256

6d881dc614ea24578f591e889d50fc5b6fbd7e4cddacad31f83d5232aa0ce2a7
SHA512

1f56b8df607697c9247173523fe8e6f24ffcc0b447d7bc88722a49733c25441087339b6795b35604efa1fa52d9909e89ac09afbdfa9be883e405dd9889002d37
SSDEEP

3072:11i/NU8bOMYcYYcmy5cU+gTn6HOjDhWrzvvQwlgOks5YmMOMYcYY51i/NU83:ni/NjO5YBgegD0PHzSv3Oai/Nv

Score

10^/10

joker infostealer persistence trojan

Malware Config

Signatures

joker
Joker is an Android malware that targets billing and SMS fraud.
infostealer trojan joker

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5}	6d881dc614ea24578f591e889d50fc5b6fbd7e4cddacad31f83d5232aa0ce2a7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5}\StubPath = "C:\\system.exe"	6d881dc614ea24578f591e889d50fc5b6fbd7e4cddacad31f83d5232aa0ce2a7.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\ie.bat	6d881dc614ea24578f591e889d50fc5b6fbd7e4cddacad31f83d5232aa0ce2a7.exe
File created	C:\WINDOWS\SysWOW64\qx.bat	6d881dc614ea24578f591e889d50fc5b6fbd7e4cddacad31f83d5232aa0ce2a7.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\windows.exe	6d881dc614ea24578f591e889d50fc5b6fbd7e4cddacad31f83d5232aa0ce2a7.exe
File opened for modification	C:\WINDOWS\windows.exe	6d881dc614ea24578f591e889d50fc5b6fbd7e4cddacad31f83d5232aa0ce2a7.exe
File opened for modification	C:\WINDOWS\windows.exe	attrib.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\ymtuku.com\Total = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\154.203.154.173\Total = "63"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Factor = "20"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\International\CpMRU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.ymtuku.com\ = "63"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 5049e41f34ccd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	6d881dc614ea24578f591e889d50fc5b6fbd7e4cddacad31f83d5232aa0ce2a7.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\154.203.154.173\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "370362633"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.ymtuku.com	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Enable = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "63"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000062e6ef0d45f4454ab79548c962d74cdf0000000002000000000010660000000100002000000033251a12ba37f5644ef929078c128bb77478b67a51b0f8c6c737018fad9816fc000000000e800000000200002000000065d0b2d5e97d170f2b56c781b1b31433d432a0c50a66a143b857d2ba052a47b190000000aaf00f9e4518b8a2faed496e20784fb9200ed131b7e1d09457f4fda583531627ce806980aa49cdf116da442fb0fc5e23f4308e6d809b4a9f5c753bf831edff0ea17879b02e24bba768b3b22722cf3cca03b6e85c51fb7f4b477a73c3d9ae553bf0d4f79d0a75a637603c406c7ef0fbdeb9d8fd7e5b19e745e6f8dc8603b87d71e2d541c9ca1e8e9c5da4004525ba3b77400000009182e5e200924020a62633e919bb0dd818f916b3f2390b89b790af5664acd9ca4dc1f2c389901d9f59b73d68432487e1b7aa9172ba6b06823f3b10dd92a2848d	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{271CF2D1-3827-11ED-85E0-FE41811C61F5} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\154.203.154.173	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://dhku.com"	6d881dc614ea24578f591e889d50fc5b6fbd7e4cddacad31f83d5232aa0ce2a7.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2032	6d881dc614ea24578f591e889d50fc5b6fbd7e4cddacad31f83d5232aa0ce2a7.exe
2032	6d881dc614ea24578f591e889d50fc5b6fbd7e4cddacad31f83d5232aa0ce2a7.exe
2032	6d881dc614ea24578f591e889d50fc5b6fbd7e4cddacad31f83d5232aa0ce2a7.exe
2032	6d881dc614ea24578f591e889d50fc5b6fbd7e4cddacad31f83d5232aa0ce2a7.exe
2032	6d881dc614ea24578f591e889d50fc5b6fbd7e4cddacad31f83d5232aa0ce2a7.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
916	IEXPLORE.EXE
1228	iexplore.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
2032	6d881dc614ea24578f591e889d50fc5b6fbd7e4cddacad31f83d5232aa0ce2a7.exe
916	IEXPLORE.EXE
916	IEXPLORE.EXE
1364	IEXPLORE.EXE
1364	IEXPLORE.EXE
1228	iexplore.exe
1228	iexplore.exe
1780	IEXPLORE.EXE
1780	IEXPLORE.EXE
1780	IEXPLORE.EXE
1780	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 916	2032	6d881dc614ea24578f591e889d50fc5b6fbd7e4cddacad31f83d5232aa0ce2a7.exe	27
PID 2032 wrote to memory of 916	2032	6d881dc614ea24578f591e889d50fc5b6fbd7e4cddacad31f83d5232aa0ce2a7.exe	27
PID 2032 wrote to memory of 916	2032	6d881dc614ea24578f591e889d50fc5b6fbd7e4cddacad31f83d5232aa0ce2a7.exe	27
PID 2032 wrote to memory of 916	2032	6d881dc614ea24578f591e889d50fc5b6fbd7e4cddacad31f83d5232aa0ce2a7.exe	27
PID 916 wrote to memory of 1364	916	IEXPLORE.EXE	29
PID 916 wrote to memory of 1364	916	IEXPLORE.EXE	29
PID 916 wrote to memory of 1364	916	IEXPLORE.EXE	29
PID 916 wrote to memory of 1364	916	IEXPLORE.EXE	29
PID 2032 wrote to memory of 1228	2032	6d881dc614ea24578f591e889d50fc5b6fbd7e4cddacad31f83d5232aa0ce2a7.exe	30
PID 2032 wrote to memory of 1228	2032	6d881dc614ea24578f591e889d50fc5b6fbd7e4cddacad31f83d5232aa0ce2a7.exe	30
PID 2032 wrote to memory of 1228	2032	6d881dc614ea24578f591e889d50fc5b6fbd7e4cddacad31f83d5232aa0ce2a7.exe	30
PID 2032 wrote to memory of 1228	2032	6d881dc614ea24578f591e889d50fc5b6fbd7e4cddacad31f83d5232aa0ce2a7.exe	30
PID 2032 wrote to memory of 580	2032	6d881dc614ea24578f591e889d50fc5b6fbd7e4cddacad31f83d5232aa0ce2a7.exe	31
PID 2032 wrote to memory of 580	2032	6d881dc614ea24578f591e889d50fc5b6fbd7e4cddacad31f83d5232aa0ce2a7.exe	31
PID 2032 wrote to memory of 580	2032	6d881dc614ea24578f591e889d50fc5b6fbd7e4cddacad31f83d5232aa0ce2a7.exe	31
PID 2032 wrote to memory of 580	2032	6d881dc614ea24578f591e889d50fc5b6fbd7e4cddacad31f83d5232aa0ce2a7.exe	31
PID 580 wrote to memory of 272	580	cmd.exe	33
PID 580 wrote to memory of 272	580	cmd.exe	33
PID 580 wrote to memory of 272	580	cmd.exe	33
PID 580 wrote to memory of 272	580	cmd.exe	33
PID 2032 wrote to memory of 428	2032	6d881dc614ea24578f591e889d50fc5b6fbd7e4cddacad31f83d5232aa0ce2a7.exe	34
PID 2032 wrote to memory of 428	2032	6d881dc614ea24578f591e889d50fc5b6fbd7e4cddacad31f83d5232aa0ce2a7.exe	34
PID 2032 wrote to memory of 428	2032	6d881dc614ea24578f591e889d50fc5b6fbd7e4cddacad31f83d5232aa0ce2a7.exe	34
PID 2032 wrote to memory of 428	2032	6d881dc614ea24578f591e889d50fc5b6fbd7e4cddacad31f83d5232aa0ce2a7.exe	34
PID 428 wrote to memory of 1748	428	cmd.exe	36
PID 428 wrote to memory of 1748	428	cmd.exe	36
PID 428 wrote to memory of 1748	428	cmd.exe	36
PID 428 wrote to memory of 1748	428	cmd.exe	36
PID 2032 wrote to memory of 1568	2032	6d881dc614ea24578f591e889d50fc5b6fbd7e4cddacad31f83d5232aa0ce2a7.exe	37
PID 2032 wrote to memory of 1568	2032	6d881dc614ea24578f591e889d50fc5b6fbd7e4cddacad31f83d5232aa0ce2a7.exe	37
PID 2032 wrote to memory of 1568	2032	6d881dc614ea24578f591e889d50fc5b6fbd7e4cddacad31f83d5232aa0ce2a7.exe	37
PID 2032 wrote to memory of 1568	2032	6d881dc614ea24578f591e889d50fc5b6fbd7e4cddacad31f83d5232aa0ce2a7.exe	37
PID 1568 wrote to memory of 692	1568	cmd.exe	39
PID 1568 wrote to memory of 692	1568	cmd.exe	39
PID 1568 wrote to memory of 692	1568	cmd.exe	39
PID 1568 wrote to memory of 692	1568	cmd.exe	39
PID 2032 wrote to memory of 848	2032	6d881dc614ea24578f591e889d50fc5b6fbd7e4cddacad31f83d5232aa0ce2a7.exe	40
PID 2032 wrote to memory of 848	2032	6d881dc614ea24578f591e889d50fc5b6fbd7e4cddacad31f83d5232aa0ce2a7.exe	40
PID 2032 wrote to memory of 848	2032	6d881dc614ea24578f591e889d50fc5b6fbd7e4cddacad31f83d5232aa0ce2a7.exe	40
PID 2032 wrote to memory of 848	2032	6d881dc614ea24578f591e889d50fc5b6fbd7e4cddacad31f83d5232aa0ce2a7.exe	40
PID 848 wrote to memory of 1772	848	cmd.exe	42
PID 848 wrote to memory of 1772	848	cmd.exe	42
PID 848 wrote to memory of 1772	848	cmd.exe	42
PID 848 wrote to memory of 1772	848	cmd.exe	42
PID 2032 wrote to memory of 1672	2032	6d881dc614ea24578f591e889d50fc5b6fbd7e4cddacad31f83d5232aa0ce2a7.exe	43
PID 2032 wrote to memory of 1672	2032	6d881dc614ea24578f591e889d50fc5b6fbd7e4cddacad31f83d5232aa0ce2a7.exe	43
PID 2032 wrote to memory of 1672	2032	6d881dc614ea24578f591e889d50fc5b6fbd7e4cddacad31f83d5232aa0ce2a7.exe	43
PID 2032 wrote to memory of 1672	2032	6d881dc614ea24578f591e889d50fc5b6fbd7e4cddacad31f83d5232aa0ce2a7.exe	43
PID 1672 wrote to memory of 1788	1672	cmd.exe	45
PID 1672 wrote to memory of 1788	1672	cmd.exe	45
PID 1672 wrote to memory of 1788	1672	cmd.exe	45
PID 1672 wrote to memory of 1788	1672	cmd.exe	45
PID 2032 wrote to memory of 1660	2032	6d881dc614ea24578f591e889d50fc5b6fbd7e4cddacad31f83d5232aa0ce2a7.exe	46
PID 2032 wrote to memory of 1660	2032	6d881dc614ea24578f591e889d50fc5b6fbd7e4cddacad31f83d5232aa0ce2a7.exe	46
PID 2032 wrote to memory of 1660	2032	6d881dc614ea24578f591e889d50fc5b6fbd7e4cddacad31f83d5232aa0ce2a7.exe	46
PID 2032 wrote to memory of 1660	2032	6d881dc614ea24578f591e889d50fc5b6fbd7e4cddacad31f83d5232aa0ce2a7.exe	46
PID 1660 wrote to memory of 1920	1660	cmd.exe	48
PID 1660 wrote to memory of 1920	1660	cmd.exe	48
PID 1660 wrote to memory of 1920	1660	cmd.exe	48
PID 1660 wrote to memory of 1920	1660	cmd.exe	48
PID 2032 wrote to memory of 1972	2032	6d881dc614ea24578f591e889d50fc5b6fbd7e4cddacad31f83d5232aa0ce2a7.exe	49
PID 2032 wrote to memory of 1972	2032	6d881dc614ea24578f591e889d50fc5b6fbd7e4cddacad31f83d5232aa0ce2a7.exe	49
PID 2032 wrote to memory of 1972	2032	6d881dc614ea24578f591e889d50fc5b6fbd7e4cddacad31f83d5232aa0ce2a7.exe	49
PID 2032 wrote to memory of 1972	2032	6d881dc614ea24578f591e889d50fc5b6fbd7e4cddacad31f83d5232aa0ce2a7.exe	49

Views/modifies file attributes 1 TTPs 7 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1792	attrib.exe
272	attrib.exe
1748	attrib.exe
692	attrib.exe
1772	attrib.exe
1788	attrib.exe
1920	attrib.exe

C:\Users\Admin\AppData\Local\Temp\6d881dc614ea24578f591e889d50fc5b6fbd7e4cddacad31f83d5232aa0ce2a7.exe
"C:\Users\Admin\AppData\Local\Temp\6d881dc614ea24578f591e889d50fc5b6fbd7e4cddacad31f83d5232aa0ce2a7.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.212ok.com/Gbook.asp?qita
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:916
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:916 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1364
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.ymtuku.com/xg/?tan
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:1228
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1228 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1780
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:580
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
    3⤵
    - Views/modifies file attributes
    PID:272
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:428
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
    3⤵
    - Views/modifies file attributes
    PID:1748
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1568
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
    3⤵
    - Views/modifies file attributes
    PID:692
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:848
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
    3⤵
    - Views/modifies file attributes
    PID:1772
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1672
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
    3⤵
    - Views/modifies file attributes
    PID:1788
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +h "C:\WINDOWS\windows.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1660
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\WINDOWS\windows.exe"
    3⤵
    - Drops file in Windows directory
    - Views/modifies file attributes
    PID:1920
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +h "c:\system.exe"
  2⤵
  PID:1972
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "c:\system.exe"
    3⤵
    - Views/modifies file attributes
    PID:1792

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\82CB34DD3343FE727DF8890D352E0D8F

Filesize
7KB

MD5
30232b2aef21004b9c41f678e2e19f48

SHA1
020a79b36caa521641f4afb15aea28c2d5d4d574

SHA256
d3e6fcf8a9a7b1889d36cb46c20a2eb750fa4b96ab66c1a5496f2a217cad6255

SHA512
02481095b4e6ad46d5a124793169639976074c7dd713bd551e30e01f6aa65fe6b552864ca40359b931f089f437f2e2acd1f29c80db9561af49202929732d8fd7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
60KB

MD5
6c6a24456559f305308cb1fb6c5486b3

SHA1
3273ac27d78572f16c3316732b9756ebc22cb6ed

SHA256
efc3c579bd619ceab040c4b8c1b821b2d82c64fddd9e80a00ec0d7f6577ed973

SHA512
587d4a9175a6aa82cd8bb1c11ca6508f95cd218f76ac322ddbd1bc7146a0e25f8937ee426a6fb0fb0bb045cedb24d8c8a9edfe9f654112f293d8701220f726b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\82CB34DD3343FE727DF8890D352E0D8F

Filesize
226B

MD5
0d8529f85610b5626dce8de0cfd59a8d

SHA1
6c9d100d9c2300a685d8dc3e994d9745d22b3a0d

SHA256
3b3728ea7cd6a45f9bc0151dcf328f879f279a0c51fd81a839163a5083a92c52

SHA512
2ac048281800ad09fd18273e40bfce47c3c469a60f2a9c160767941d4a21148b5cfadf73692871a0e13cd48da920ad968f5a25b977e40fc973f799a5e8798e46

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
27de221e5ba9053c88cc8d0bef54ec75

SHA1
2c47990fd6f9a1bbed4ac5eaa21b31c3b996cfe5

SHA256
c2e7e988686750c8cb4cc1567a5dc510b6f28f45b449567132796eca8a920b59

SHA512
0cbcd7d612a4850387d5efd13c2006bd624458957fc734aa3f34ba6880afaf7aa5fa0562f717733cfabb617852b9ccdecc80fef537894e58d4a144e1c59d1968

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{271CF2D1-3827-11ED-85E0-FE41811C61F5}.dat

Filesize
5KB

MD5
299b498ceca6ef0455fe786303fbf9b1

SHA1
9a15f8e3c1ee6ebb1d2e2bce2d5021ae47464e7b

SHA256
446ef019dfef0a753328605155a764d0373e82e0806f2678cd94d6704f39e60d

SHA512
ef7a678aaed463a4f20ffd3892583ae38ac260a1e7040443870bd11612fa5629991aa3bccd4fa9101722b1cb21f513df826cf6cb0d647df0faa8e7631c9ae112

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\lwrmjt1\imagestore.dat

Filesize
5KB

MD5
8a3b0890ed108e0d469dcec1257836a7

SHA1
25f0914e9bda7106242c365a3d4e92a64372442d

SHA256
f889fac5143462ab8a022e4f6095956590fac533e298cc3b1e03faa83353ae3d

SHA512
54055940a3d5e1f36bc8ad0b6c3f8749d0470ecf5889173d2813630b4c01f62e2794cc04306f71919267e7583ce24da4982959d52f710bd397ce4924e2ba3e3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\NIE5D9FU.txt

Filesize
603B

MD5
bc17a45a4c57dbb55189c192a09ab8c0

SHA1
8be43e1a3b7ad1305db2f2597e063fea64625eb3

SHA256
cc9928878b20af3a1ac0c43c9b7e3962d18ee8cd0a3f35d60e1092cc770f3fca

SHA512
d6b79b6877720d43501d5e539b3c8edf5ae693e2b87df1bd6732c06d974c02d0e6ef419e959ec67d000699efe1d04e1cf3804b8e8d7b8ec7623f6a1a02708dce

Download Submit
C:\WINDOWS\windows.exe

Filesize
124KB

MD5
00aa71016673430d9f9a263fd74c33a1

SHA1
fbc0731a283990735c41a2bf54455b2c24f34f0c

SHA256
d37563b3a48023a5d5e53ec26f395f34708a80c0a74ea7898e2e667e94c05743

SHA512
b7deb3d12c759cb5ea87d397d324b374afeeb708e246f25925a35ed344e73afd5a0b94a1e7cb64ae936e8b2906ad9c998fc56950ba0b2b298c969748e9f976cc

Download Submit
C:\system.exe

Filesize
124KB

MD5
faa85927faddc876cd0649e2edb06f18

SHA1
cff674009f96f8011a74ff12d5319d0ca1e51d4c

SHA256
357a2cd49ac469a10273cf7c6e43b20a02f4912ca79722f71064a7281ca5d646

SHA512
eac331f7db15b40b643b93fece9188397fc0ea048cba3fac54a08fca340fef70b5dd63833a4a71297f9d300bdd13700cd273f03dca00a15b90657adc5096b074

Download Submit
memory/2032-56-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download