joker | 5c4655b513f7c645a3549966aef30f94ec6ce60ea66f8047920a71a09eb3fab3

Analysis

max time kernel
144s
max time network
154s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
20/09/2022, 16:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8beead19f19ceaa357d46eb78b65ad0b.exe
Size

132KB
MD5

8beead19f19ceaa357d46eb78b65ad0b
SHA1

18dcea4f9e302d4e430b093d2cb516cb765f577d
SHA256

5c4655b513f7c645a3549966aef30f94ec6ce60ea66f8047920a71a09eb3fab3
SHA512

b498e621119f832aa7326731b803c7dabdac5e8b7f40c5ccc06042d87246e4c71399f6c64a8068fdd267b76d8e6a9c1d7d4ba024a2cf251b5510a24254e9d0b8
SSDEEP

3072:81i/NU8bOMYcYYcmy5K/40g3nan3vx9kGSYng76s5YmMOMYcYY51i/NU87:qi/NjO5u//g+UGSYnum3Oai/Nj

Score

10^/10

joker infostealer persistence trojan

Malware Config

Signatures

joker
Joker is an Android malware that targets billing and SMS fraud.
infostealer trojan joker

Executes dropped EXE 1 IoCs

pid	Process
1472	sys.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5}	sys.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5}\StubPath = "file:\\\\C:\\sys.exe"	sys.exe

Deletes itself 1 IoCs

pid	Process
1236	cmd.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\ie.bat	sys.exe
File created	C:\WINDOWS\SysWOW64\qx.bat	sys.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\sys.exe	attrib.exe
File created	C:\WINDOWS\sys.exe	8beead19f19ceaa357d46eb78b65ad0b.exe
File opened for modification	C:\WINDOWS\sys.exe	8beead19f19ceaa357d46eb78b65ad0b.exe
File created	C:\WINDOWS\sys.exe	sys.exe
File opened for modification	C:\WINDOWS\sys.exe	sys.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 2 IoCs

evasion

pid	Process
976	taskkill.exe
1712	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 55 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\154.203.154.173	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	sys.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Factor = "20"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\ymtuku.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\ymtuku.com\Total = "63"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\154.203.154.173\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "126"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\154.203.154.173\Total = "63"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "370465091"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C2B68781-3915-11ED-8499-660C31E8D015} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "63"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d3b98f5693c0d24b85f349229339c59c0000000002000000000010660000000100002000000099971762b167e26faf4d08acae172d0e2b8571f7c9f86e9ef642149c9518d015000000000e8000000002000020000000436a768a25bcce0fda035ad26e8f64c83dff20e4289687dda9a178302ff79f2320000000ed4b5b27c6172516db3ee8e220ba018c4046b8dc6f006ac9ff04b7d72949efcb40000000627f637e20980349b52cdd1ffd4bb86be942e880e278f96ce4a70303de0e279834dd826b8168aa70ce34b298fbe4f0b26f26a6b92bedeea6528177ccfe355271	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.ymtuku.com\ = "63"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\International\CpMRU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\ymtuku.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30f48ba322cdd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Enable = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.ymtuku.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\154.203.154.173\ = "63"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d3b98f5693c0d24b85f349229339c59c000000000200000000001066000000010000200000002b9c6560168fe3107fb932e087d2f3a42f6e7054aae7cf0338f03ff5b9257ac8000000000e8000000002000020000000e6a295d753ec370f932e4b7a681f1d436438f650a11fa68426cbe7f833dd893f9000000045a0c7ec3ae9756287cb2018e53c0afd210c1beb9b55ee13af06b56c3ac2a7875f50c58e1928b317ef48bacbbe493ca3a1cab1aa13a8b6060a3ceeb079d80c682d60812b0290bea3f8cd619f318140a840d8f85aa5c38962fb3fadb8f027b458aeeb616b2ca553d0782df09e50c0a782d2305998f9d051dc24a05805f50f3c05c08a2d68dfb54330be57d611b842b157400000006e481644481461fd649bb35cc87f830a5cc94c889f9898eac34af0a938e3fd9d63967353c8681d0f09be218bfe7f880c9fae9d6e689a9246a4ecd894a2b712d5	iexplore.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://dhku.com"	sys.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1472	sys.exe
1472	sys.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1712	taskkill.exe
Token: SeDebugPrivilege	976	taskkill.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1324	iexplore.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1492	8beead19f19ceaa357d46eb78b65ad0b.exe
1472	sys.exe
1324	iexplore.exe
1324	iexplore.exe
1992	IEXPLORE.EXE
1992	IEXPLORE.EXE
1992	IEXPLORE.EXE
1992	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1492 wrote to memory of 1712	1492	8beead19f19ceaa357d46eb78b65ad0b.exe	26
PID 1492 wrote to memory of 1712	1492	8beead19f19ceaa357d46eb78b65ad0b.exe	26
PID 1492 wrote to memory of 1712	1492	8beead19f19ceaa357d46eb78b65ad0b.exe	26
PID 1492 wrote to memory of 1712	1492	8beead19f19ceaa357d46eb78b65ad0b.exe	26
PID 1492 wrote to memory of 1472	1492	8beead19f19ceaa357d46eb78b65ad0b.exe	28
PID 1492 wrote to memory of 1472	1492	8beead19f19ceaa357d46eb78b65ad0b.exe	28
PID 1492 wrote to memory of 1472	1492	8beead19f19ceaa357d46eb78b65ad0b.exe	28
PID 1492 wrote to memory of 1472	1492	8beead19f19ceaa357d46eb78b65ad0b.exe	28
PID 1492 wrote to memory of 1236	1492	8beead19f19ceaa357d46eb78b65ad0b.exe	29
PID 1492 wrote to memory of 1236	1492	8beead19f19ceaa357d46eb78b65ad0b.exe	29
PID 1492 wrote to memory of 1236	1492	8beead19f19ceaa357d46eb78b65ad0b.exe	29
PID 1492 wrote to memory of 1236	1492	8beead19f19ceaa357d46eb78b65ad0b.exe	29
PID 1472 wrote to memory of 976	1472	sys.exe	30
PID 1472 wrote to memory of 976	1472	sys.exe	30
PID 1472 wrote to memory of 976	1472	sys.exe	30
PID 1472 wrote to memory of 976	1472	sys.exe	30
PID 1472 wrote to memory of 1324	1472	sys.exe	33
PID 1472 wrote to memory of 1324	1472	sys.exe	33
PID 1472 wrote to memory of 1324	1472	sys.exe	33
PID 1472 wrote to memory of 1324	1472	sys.exe	33
PID 1324 wrote to memory of 1992	1324	iexplore.exe	36
PID 1324 wrote to memory of 1992	1324	iexplore.exe	36
PID 1324 wrote to memory of 1992	1324	iexplore.exe	36
PID 1324 wrote to memory of 1992	1324	iexplore.exe	36
PID 1472 wrote to memory of 1768	1472	sys.exe	37
PID 1472 wrote to memory of 1768	1472	sys.exe	37
PID 1472 wrote to memory of 1768	1472	sys.exe	37
PID 1472 wrote to memory of 1768	1472	sys.exe	37
PID 1768 wrote to memory of 1452	1768	cmd.exe	39
PID 1768 wrote to memory of 1452	1768	cmd.exe	39
PID 1768 wrote to memory of 1452	1768	cmd.exe	39
PID 1768 wrote to memory of 1452	1768	cmd.exe	39
PID 1472 wrote to memory of 1152	1472	sys.exe	40
PID 1472 wrote to memory of 1152	1472	sys.exe	40
PID 1472 wrote to memory of 1152	1472	sys.exe	40
PID 1472 wrote to memory of 1152	1472	sys.exe	40
PID 1152 wrote to memory of 1524	1152	cmd.exe	42
PID 1152 wrote to memory of 1524	1152	cmd.exe	42
PID 1152 wrote to memory of 1524	1152	cmd.exe	42
PID 1152 wrote to memory of 1524	1152	cmd.exe	42
PID 1472 wrote to memory of 1016	1472	sys.exe	43
PID 1472 wrote to memory of 1016	1472	sys.exe	43
PID 1472 wrote to memory of 1016	1472	sys.exe	43
PID 1472 wrote to memory of 1016	1472	sys.exe	43
PID 1016 wrote to memory of 1676	1016	cmd.exe	45
PID 1016 wrote to memory of 1676	1016	cmd.exe	45
PID 1016 wrote to memory of 1676	1016	cmd.exe	45
PID 1016 wrote to memory of 1676	1016	cmd.exe	45
PID 1472 wrote to memory of 1652	1472	sys.exe	46
PID 1472 wrote to memory of 1652	1472	sys.exe	46
PID 1472 wrote to memory of 1652	1472	sys.exe	46
PID 1472 wrote to memory of 1652	1472	sys.exe	46
PID 1652 wrote to memory of 1856	1652	cmd.exe	48
PID 1652 wrote to memory of 1856	1652	cmd.exe	48
PID 1652 wrote to memory of 1856	1652	cmd.exe	48
PID 1652 wrote to memory of 1856	1652	cmd.exe	48
PID 1472 wrote to memory of 1580	1472	sys.exe	49
PID 1472 wrote to memory of 1580	1472	sys.exe	49
PID 1472 wrote to memory of 1580	1472	sys.exe	49
PID 1472 wrote to memory of 1580	1472	sys.exe	49
PID 1580 wrote to memory of 1496	1580	cmd.exe	51
PID 1580 wrote to memory of 1496	1580	cmd.exe	51
PID 1580 wrote to memory of 1496	1580	cmd.exe	51
PID 1580 wrote to memory of 1496	1580	cmd.exe	51

Views/modifies file attributes 1 TTPs 7 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1020	attrib.exe
1452	attrib.exe
1524	attrib.exe
1676	attrib.exe
1856	attrib.exe
1496	attrib.exe
1388	attrib.exe

C:\Users\Admin\AppData\Local\Temp\8beead19f19ceaa357d46eb78b65ad0b.exe
"C:\Users\Admin\AppData\Local\Temp\8beead19f19ceaa357d46eb78b65ad0b.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1492
- C:\Windows\SysWOW64\taskkill.exe
  taskkill.exe /im KSafeTray.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1712
- C:\WINDOWS\sys.exe
  "C:\WINDOWS\sys.exe"
  2⤵
  - Executes dropped EXE
  - Modifies Installed Components in the registry
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1472
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill.exe /im KSafeTray.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:976
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://www.ymtuku.com/xg/?tan
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1324
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1324 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1992
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1768
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
      4⤵
      Views/modifies file attributes
      PID:1452
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1152
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
      4⤵
      Views/modifies file attributes
      PID:1524
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1016
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
      4⤵
      Views/modifies file attributes
      PID:1676
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1652
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
      4⤵
      Views/modifies file attributes
      PID:1856
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1580
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
      4⤵
      Views/modifies file attributes
      PID:1496
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c attrib +h "C:\WINDOWS\sys.exe"
    3⤵
    PID:2012
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +h "C:\WINDOWS\sys.exe"
      4⤵
      Drops file in Windows directory
      Views/modifies file attributes
      PID:1388
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c attrib +h "c:\sys.exe"
    3⤵
    PID:1304
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +h "c:\sys.exe"
      4⤵
      Views/modifies file attributes
      PID:1020
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del 8beead19f19ceaa357d46eb78b65ad0b.exe
  2⤵
  - Deletes itself
  PID:1236

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\82CB34DD3343FE727DF8890D352E0D8F

Filesize
7KB

MD5
30232b2aef21004b9c41f678e2e19f48

SHA1
020a79b36caa521641f4afb15aea28c2d5d4d574

SHA256
d3e6fcf8a9a7b1889d36cb46c20a2eb750fa4b96ab66c1a5496f2a217cad6255

SHA512
02481095b4e6ad46d5a124793169639976074c7dd713bd551e30e01f6aa65fe6b552864ca40359b931f089f437f2e2acd1f29c80db9561af49202929732d8fd7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
60KB

MD5
6c6a24456559f305308cb1fb6c5486b3

SHA1
3273ac27d78572f16c3316732b9756ebc22cb6ed

SHA256
efc3c579bd619ceab040c4b8c1b821b2d82c64fddd9e80a00ec0d7f6577ed973

SHA512
587d4a9175a6aa82cd8bb1c11ca6508f95cd218f76ac322ddbd1bc7146a0e25f8937ee426a6fb0fb0bb045cedb24d8c8a9edfe9f654112f293d8701220f726b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\82CB34DD3343FE727DF8890D352E0D8F

Filesize
226B

MD5
0e40392b6c08dff3b955c5afb5c42b48

SHA1
45fd902d981767f36c7695c0620d501d6fa62ba9

SHA256
e7bb22c0343a813278975d1f57da379bc6b8de6502e3c9d83c7809878d4cc486

SHA512
cfa73aa2d6767bf2e1edfbe35a614b36b44f24c3ab2d10ad36bc2865fef736e2162ec0205ed2113a9a91cc8873a6f99e06a03e3009a57b1c731991f6bbbc967c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
75bc0beb7f5f0f6eeb789d91ee786dc2

SHA1
271d93157348dda1a9f0bd5321204695237fca34

SHA256
57133b08fd45e8baa972068333de52664ef52abdf00fa8481cb1cab5aa72eb70

SHA512
f17140f245a38782029006a1dae82f8acbbea0307811ca7ef962243663a23b023c5177fea2f41c17ff7b9e5ed29aeb6fe50b27a9598c240fc81c3a79569f5d5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\1evexod\imagestore.dat

Filesize
5KB

MD5
a59d9cb77afd30d41feb489d463f78c2

SHA1
ecf35f6b4d7bc2e0aa11326c7f137fc9c8b58123

SHA256
2642dba2c93f9e8081f4e31d88486822bcbaba66926c790ff15b4b3661d52299

SHA512
4eea3a1af241c4bdb10c7a92f74fc8c308fcd210b30a2a6e932f65bceaaf7beb38f05d6a4e482d842cdb02adb61871959bfa1688655f5bdf3b386c223cf44bf8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\U3MEA8KJ.txt

Filesize
606B

MD5
cacdda609f7b8126fc1ebe56c31649e8

SHA1
345019711519f1571cfd204e809b0461810eeb37

SHA256
1e57f97b8b464fad806217fa397f49b0b7146526e8ca43297f2f991f5f54ff97

SHA512
e7e41bf799c0e0ec5cdd1492922e1111f2f78cabe5bd8e47c088debbd7128a5be7190f7e98bb5c589be41d41ca19e8f62f7760200af5e9ebbeba81f51b838268

Download Submit
C:\WINDOWS\sys.exe

Filesize
132KB

MD5
39b2eb9eb0513deaae236dc07d6942c8

SHA1
79c7193947d4cfadfcdec4d79a1a0eed6ca210c6

SHA256
14cb7939677556424403ea31b50d3194d73011c93f60b4d5f3ceed8b77e4fd32

SHA512
70b15944954286be81007c7cfe7801916fef1bd85d26868b9df2190d581bf643756e00104a79c23195f695bb62a6d82686569d7b673016264a08384027f680f3

Download Submit
C:\Windows\sys.exe

Filesize
132KB

MD5
39b2eb9eb0513deaae236dc07d6942c8

SHA1
79c7193947d4cfadfcdec4d79a1a0eed6ca210c6

SHA256
14cb7939677556424403ea31b50d3194d73011c93f60b4d5f3ceed8b77e4fd32

SHA512
70b15944954286be81007c7cfe7801916fef1bd85d26868b9df2190d581bf643756e00104a79c23195f695bb62a6d82686569d7b673016264a08384027f680f3

Download Submit
C:\sys.exe

Filesize
132KB

MD5
b0e4a2b0b8b60fcb5d011a517d5fe6bf

SHA1
8512e256071d298aacb5874f22563b731c5f95ca

SHA256
29c4c1cb6834a5d904cb00af48841c802e2e458b2fb0bb80adf8c5a99db0b941

SHA512
2b342b27e090bbf02a89800368e56613ee5f505d04ee3717b4bf9c469090762cda34abb21aed37ff80a22be333f573c30bfac59cbbcf7bfc130011dd8133fe7e

Download Submit
\??\c:\sys.exe

Filesize
132KB

MD5
b0e4a2b0b8b60fcb5d011a517d5fe6bf

SHA1
8512e256071d298aacb5874f22563b731c5f95ca

SHA256
29c4c1cb6834a5d904cb00af48841c802e2e458b2fb0bb80adf8c5a99db0b941

SHA512
2b342b27e090bbf02a89800368e56613ee5f505d04ee3717b4bf9c469090762cda34abb21aed37ff80a22be333f573c30bfac59cbbcf7bfc130011dd8133fe7e

Download Submit
memory/1492-57-0x0000000075451000-0x0000000075453000-memory.dmp

Filesize
8KB

Download