Analysis
max time kernel: 134s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/09/2022, 16:55
Static task: static1
Behavioral task: behavioral1
  Sample: 8beead19f19ceaa357d46eb78b65ad0b.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 8beead19f19ceaa357d46eb78b65ad0b.exe
  Resource: win10v2004-20220812-en
The signatures and process tree below are from behavioral2 (the Windows 10 run).
General
Target: 8beead19f19ceaa357d46eb78b65ad0b.exe
Size: 132KB
MD5: 8beead19f19ceaa357d46eb78b65ad0b
SHA1: 18dcea4f9e302d4e430b093d2cb516cb765f577d
SHA256: 5c4655b513f7c645a3549966aef30f94ec6ce60ea66f8047920a71a09eb3fab3
SHA512: b498e621119f832aa7326731b803c7dabdac5e8b7f40c5ccc06042d87246e4c71399f6c64a8068fdd267b76d8e6a9c1d7d4ba024a2cf251b5510a24254e9d0b8
SSDEEP: 3072:81i/NU8bOMYcYYcmy5K/40g3nan3vx9kGSYng76s5YmMOMYcYY51i/NU87:qi/NjO5u//g+UGSYnum3Oai/Nj
Malware Config
Signatures

joker
Joker is an Android malware that targets billing and SMS fraud.
Caveat: this is a family-rule hit on a 132KB Windows PE that runs as a 32-bit process (note the SysWOW64 and WOW6432Node paths below), and everything else in this report (Active Setup persistence, IE start-page hijack, hiding of IE shortcuts) is the behaviour of a Windows browser hijacker, not of an Android SMS-fraud app. Treat the Joker label as a probable rule misfire until the rule match is confirmed.

Executes dropped EXE 1 IoCs
pid | Process
408 | sys.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs
Active Setup runs a component's StubPath once per user at the next logon (when HKLM lists a component the user's HKCU copy does not), so this is the sample's persistence mechanism. Two details worth a detection rule: the component ID {A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5} is not a valid GUID (X, J, H, U and R are not hex digits), and the StubPath points at C:\sys.exe, not at the dropped C:\WINDOWS\sys.exe (the tree below also runs attrib +h on c:\sys.exe).
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5} | sys.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5}\StubPath = "file:\\\\C:\\sys.exe" | sys.exe

Checks computer location settings 2 TTPs 2 IoCs
Looks up the country code configured in the registry, likely a geofence. Both the original sample and the dropped sys.exe read it; the report does not show what is done with the result.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | 8beead19f19ceaa357d46eb78b65ad0b.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | sys.exe

Drops file in System32 directory 2 IoCs
description | ioc | Process
File created | C:\WINDOWS\SysWOW64\ie.bat | sys.exe
File created | C:\WINDOWS\SysWOW64\qx.bat | sys.exe

Drops file in Windows directory 5 IoCs
description | ioc | Process
File created | C:\WINDOWS\sys.exe | 8beead19f19ceaa357d46eb78b65ad0b.exe
File opened for modification | C:\WINDOWS\sys.exe | 8beead19f19ceaa357d46eb78b65ad0b.exe
File created | C:\WINDOWS\sys.exe | sys.exe
File opened for modification | C:\WINDOWS\sys.exe | sys.exe
File opened for modification | C:\WINDOWS\sys.exe | attrib.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this likely ransomware behaviour; no file encryption or ransom note appears anywhere in this report, so treat it as a weak signal here.

Kills process with taskkill 2 IoCs
Both the sample and the dropped sys.exe run taskkill /im KSafeTray.exe /f. KSafeTray.exe is the tray process of Kingsoft Antivirus, which together with the Chinese-locale shortcut paths in the process tree points at Chinese Windows installs as the intended target.
pid | Process
4528 | taskkill.exe
5048 | taskkill.exe
Modifies Internet Explorer settings 59 IoCs
Most of these rows are routine housekeeping written by iexplore.exe itself (DOMStorage, VersionManager, TabbedBrowsing, CpMRU). The row of interest is sys.exe creating ...\Software\Microsoft\Internet Explorer\Main, the key that holds Start Page (see the next signature). The DOMStorage keys name the origins the hijacked browser session touched: ymtuku.com, www.ymtuku.com and 154.203.154.173.
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\IESettingSync | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\VersionManager | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Size = "10" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\154.203.154.173\ = "63" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30985506" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{C54FA1CA-3915-11ED-AECB-4AA92575F981} = "0" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Factor = "20" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2582643115" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c02dd59f22cdd801 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main | sys.exe
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\ymtuku.com\NumberOfSubdomains = "1" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\ymtuku.com\Total = "63" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\154.203.154.173\Total = "63" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\International\CpMRU | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\154.203.154.173\NumberOfSubdomains = "1" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0e8699f22cdd801 | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000883ed98174fc174d8e18111dae0d9120000000000200000000001066000000010000200000009957861fe2496547fa7bb1254e8e52a9d70dee8529d30065ae03a9978529796b000000000e80000000020000200000002da95c7f206995bc83c89f808510517efca2c7f3bf24bd0b8ff13cb6db4a2bf7200000006107b0b04420f22213cd9a5d8b24ca64d42146603c39a04a865ff16ca81a651f40000000f86c763e3510a70832889ea9dd81933451accbf2880b9cc5eb01d27b39c94763dcb72c4bfc3f5a2e7532ee0e4cb354cd3b73dee7af66fc3ff69e8c7fea4cc999 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\DOMStorage\ymtuku.com | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\ymtuku.com | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.ymtuku.com | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "126" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30985506" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Enable = "1" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30985506" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2582643115" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\VersionManager | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000883ed98174fc174d8e18111dae0d9120000000000200000000001066000000010000200000001e94a726b00d769ca4ec05c11e2b3e78662b4816c65530754060e049a71ef037000000000e8000000002000020000000351c06d71e514fae0b9fb6b1f35d8fa97d0bc4d13103a4e652a6cff04bdc434f200000005ad4474a5064506da487656bdd26d75daf2c61720fd2551b8366bfbb8fd60d60400000008983f9195b24479da83b9623d647901bb33c8ff29812cb4c1e247a6aaf6c2dd85a0e502619ccf9dc74df66e2e8b82d1da10b2dfb64e40c2f8d0e5e394d7c3133 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2600613364" | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "370465095" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "63" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.ymtuku.com\ = "63" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\DOMStorage\154.203.154.173 | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
Modifies Internet Explorer start page 1 TTPs 1 IoCs
sys.exe rewrites the user's IE start page to http://dhku.com; in the process tree it also launches IE directly on http://www.ymtuku.com/xg/?tan.
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://dhku.com" | sys.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs
pid | Process
408 | sys.exe
408 | sys.exe
408 | sys.exe
408 | sys.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
4944 | iexplore.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4528 | taskkill.exe
Token: SeDebugPrivilege | 5048 | taskkill.exe

Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
4944 | iexplore.exe

Suspicious use of SetWindowsHookEx 8 IoCs
pid | Process
4440 | 8beead19f19ceaa357d46eb78b65ad0b.exe
408 | sys.exe
4944 | iexplore.exe
4944 | iexplore.exe
1336 | IEXPLORE.EXE
1336 | IEXPLORE.EXE
1336 | IEXPLORE.EXE
1336 | IEXPLORE.EXE

Suspicious use of WriteProcessMemory 59 IoCs
Each child launch is reported as three writes by the parent (the sandbox logs this for ordinary CreateProcess start-up); the rows are the parent/child edges of the process tree below.
description | pid | Process | procid_target
PID 4440 wrote to memory of 4528 | 4440 | 8beead19f19ceaa357d46eb78b65ad0b.exe | 79
PID 4440 wrote to memory of 4528 | 4440 | 8beead19f19ceaa357d46eb78b65ad0b.exe | 79
PID 4440 wrote to memory of 4528 | 4440 | 8beead19f19ceaa357d46eb78b65ad0b.exe | 79
PID 4440 wrote to memory of 408 | 4440 | 8beead19f19ceaa357d46eb78b65ad0b.exe | 82
PID 4440 wrote to memory of 408 | 4440 | 8beead19f19ceaa357d46eb78b65ad0b.exe | 82
PID 4440 wrote to memory of 408 | 4440 | 8beead19f19ceaa357d46eb78b65ad0b.exe | 82
PID 4440 wrote to memory of 4744 | 4440 | 8beead19f19ceaa357d46eb78b65ad0b.exe | 83
PID 4440 wrote to memory of 4744 | 4440 | 8beead19f19ceaa357d46eb78b65ad0b.exe | 83
PID 4440 wrote to memory of 4744 | 4440 | 8beead19f19ceaa357d46eb78b65ad0b.exe | 83
PID 408 wrote to memory of 5048 | 408 | sys.exe | 85
PID 408 wrote to memory of 5048 | 408 | sys.exe | 85
PID 408 wrote to memory of 5048 | 408 | sys.exe | 85
PID 408 wrote to memory of 4944 | 408 | sys.exe | 87
PID 408 wrote to memory of 4944 | 408 | sys.exe | 87
PID 4944 wrote to memory of 1336 | 4944 | iexplore.exe | 88
PID 4944 wrote to memory of 1336 | 4944 | iexplore.exe | 88
PID 4944 wrote to memory of 1336 | 4944 | iexplore.exe | 88
PID 408 wrote to memory of 2704 | 408 | sys.exe | 89
PID 408 wrote to memory of 2704 | 408 | sys.exe | 89
PID 408 wrote to memory of 2704 | 408 | sys.exe | 89
PID 2704 wrote to memory of 1532 | 2704 | cmd.exe | 91
PID 2704 wrote to memory of 1532 | 2704 | cmd.exe | 91
PID 2704 wrote to memory of 1532 | 2704 | cmd.exe | 91
PID 408 wrote to memory of 116 | 408 | sys.exe | 92
PID 408 wrote to memory of 116 | 408 | sys.exe | 92
PID 408 wrote to memory of 116 | 408 | sys.exe | 92
PID 116 wrote to memory of 3092 | 116 | cmd.exe | 94
PID 116 wrote to memory of 3092 | 116 | cmd.exe | 94
PID 116 wrote to memory of 3092 | 116 | cmd.exe | 94
PID 408 wrote to memory of 2068 | 408 | sys.exe | 95
PID 408 wrote to memory of 2068 | 408 | sys.exe | 95
PID 408 wrote to memory of 2068 | 408 | sys.exe | 95
PID 2068 wrote to memory of 2796 | 2068 | cmd.exe | 97
PID 2068 wrote to memory of 2796 | 2068 | cmd.exe | 97
PID 2068 wrote to memory of 2796 | 2068 | cmd.exe | 97
PID 408 wrote to memory of 3556 | 408 | sys.exe | 98
PID 408 wrote to memory of 3556 | 408 | sys.exe | 98
PID 408 wrote to memory of 3556 | 408 | sys.exe | 98
PID 3556 wrote to memory of 3372 | 3556 | cmd.exe | 100
PID 3556 wrote to memory of 3372 | 3556 | cmd.exe | 100
PID 3556 wrote to memory of 3372 | 3556 | cmd.exe | 100
PID 408 wrote to memory of 2624 | 408 | sys.exe | 101
PID 408 wrote to memory of 2624 | 408 | sys.exe | 101
PID 408 wrote to memory of 2624 | 408 | sys.exe | 101
PID 2624 wrote to memory of 3944 | 2624 | cmd.exe | 103
PID 2624 wrote to memory of 3944 | 2624 | cmd.exe | 103
PID 2624 wrote to memory of 3944 | 2624 | cmd.exe | 103
PID 408 wrote to memory of 3120 | 408 | sys.exe | 104
PID 408 wrote to memory of 3120 | 408 | sys.exe | 104
PID 408 wrote to memory of 3120 | 408 | sys.exe | 104
PID 3120 wrote to memory of 3040 | 3120 | cmd.exe | 106
PID 3120 wrote to memory of 3040 | 3120 | cmd.exe | 106
PID 3120 wrote to memory of 3040 | 3120 | cmd.exe | 106
PID 408 wrote to memory of 2172 | 408 | sys.exe | 107
PID 408 wrote to memory of 2172 | 408 | sys.exe | 107
PID 408 wrote to memory of 2172 | 408 | sys.exe | 107
PID 2172 wrote to memory of 1464 | 2172 | cmd.exe | 109
PID 2172 wrote to memory of 1464 | 2172 | cmd.exe | 109
PID 2172 wrote to memory of 1464 | 2172 | cmd.exe | 109

Views/modifies file attributes 1 TTPs 7 IoCs
pid | Process
3040 | attrib.exe
1464 | attrib.exe
1532 | attrib.exe
3092 | attrib.exe
2796 | attrib.exe
3372 | attrib.exe
3944 | attrib.exe
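The two registry signatures that matter for response are the Active Setup persistence entry and the IE start-page rewrite. The following detection logic, added here as an example and not tria.ge code, runs over registry rows in the same shape as this report's description / ioc / Process tables and flags a malformed Active Setup component ID, a StubPath outside the usual system directories, a Start Page written by a non-browser process, and the Geo\Nation lookup. The event list is constructed by hand from the rows above plus one benign control entry; the raw StubPath string (the page prints it with escaped backslashes), the trusted-directory allow-list and the browser-process set are assumptions.

```python
"""Registry-telemetry checks for the Active Setup / IE start-page rows above.

Added example, not sandbox code. EVENTS is constructed from this report's
rows plus one benign control; the allow-lists are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

GUID_RE = re.compile(
    r"^\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}$", re.I)
# Matches the native and the WOW6432Node view of Active Setup; group 2 is the
# value name when the row is a 'Set value' under the component key.
ACTIVE_SETUP_RE = re.compile(
    r"\\Active Setup\\Installed Components\\(\{[^\\]+\})(?:\\([^\\]+))?$", re.I)
START_PAGE_RE = re.compile(r"\\Internet Explorer\\Main\\Start Page$", re.I)
GEO_RE = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)

# Directories a legitimate StubPath normally points into (assumed allow-list).
TRUSTED_STUB_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                     "c:\\program files\\", "c:\\program files (x86)\\")
# Processes that may legitimately rewrite the IE start page (assumed).
BROWSER_PROCS = {"iexplore.exe", "explorer.exe"}


@dataclass
class RegEvent:
    op: str        # "Key created", "Set value (str)", "Key value queried", ...
    path: str      # key path; for 'Set value' the last component is the value name
    data: str      # value data, "" for key-level operations
    process: str


def is_valid_guid(component: str) -> bool:
    return GUID_RE.match(component) is not None


def normalise_stub(data: str) -> str:
    """Reduce a StubPath string to a lower-case path for the allow-list check."""
    s = data.strip().strip('"')
    if s.lower().startswith("file:"):          # 'file:\\C:\sys.exe' -> 'C:\sys.exe'
        s = s[5:].lstrip("\\/")
    return s.lower().replace("%systemroot%", "c:\\windows")


def check(ev: RegEvent) -> list[str]:
    findings: list[str] = []
    m = ACTIVE_SETUP_RE.search(ev.path)
    if m:
        component, value_name = m.group(1), m.group(2)
        if not is_valid_guid(component):
            findings.append(f"active-setup: component id {component} is not a valid GUID")
        if value_name and value_name.lower() == "stubpath":
            stub = normalise_stub(ev.data)
            if not stub.startswith(TRUSTED_STUB_DIRS):
                findings.append(f"active-setup: StubPath outside trusted dirs: {stub}")
    if START_PAGE_RE.search(ev.path) and ev.process.lower() not in BROWSER_PROCS:
        findings.append(f"ie-hijack: Start Page set to {ev.data} by {ev.process}")
    if GEO_RE.search(ev.path) and ev.op.lower().startswith("key value queried"):
        findings.append("geofence: Geo\\Nation queried")
    return findings


def scan(events: list[RegEvent]) -> list[tuple[str, str]]:
    return [(ev.process, f) for ev in events for f in check(ev)]


SID = r"\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000"
AS32 = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components"
EVENTS = [  # constructed from the report rows; raw StubPath string is assumed
    RegEvent("Key created", AS32 + r"\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5}", "", "sys.exe"),
    RegEvent("Set value (str)", AS32 + r"\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5}\StubPath",
             r"file:\\C:\sys.exe", "sys.exe"),
    RegEvent("Set value (str)", SID + r"\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page",
             "http://dhku.com", "sys.exe"),
    RegEvent("Key value queried", SID + r"\Control Panel\International\Geo\Nation", "", "sys.exe"),
    # Benign control (constructed): well-formed GUID, stub under System32.
    RegEvent("Set value (str)",
             r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components"
             r"\{89B4C1CD-B018-4511-B0A1-5476DBF70820}\StubPath",
             r"C:\Windows\System32\Rundll32.exe C:\Windows\System32\mscories.dll,Install",
             "msiexec.exe"),
]

if __name__ == "__main__":
    for proc, finding in scan(EVENTS):
        print(f"{proc:12} {finding}")
```

The GUID check alone catches this sample: Windows never generates a component ID with non-hex characters, so a malformed ID under Installed Components is a high-confidence indicator regardless of what the StubPath says.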
Processes

Process tree for behavioral2. Image paths are what actually ran: the children are requested as C:\Windows\System32\cmd.exe but resolve to SysWOW64 because the 32-bit sys.exe is subject to file-system redirection. The shortcut paths are Windows XP-style Chinese-locale paths (桌面 = Desktop, 「开始」菜单\程序 = Start Menu\Programs, 启动 Internet Explorer 浏览器 = Launch Internet Explorer browser); they do not exist on this en-US Windows 10 image, so those attrib calls most likely changed nothing here.

1. C:\Users\Admin\AppData\Local\Temp\8beead19f19ceaa357d46eb78b65ad0b.exe (PID 4440)
   Command line: "C:\Users\Admin\AppData\Local\Temp\8beead19f19ceaa357d46eb78b65ad0b.exe"
   - Checks computer location settings
   - Drops file in Windows directory
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\taskkill.exe (PID 4528)
      Command line: taskkill.exe /im KSafeTray.exe /f
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

   2. C:\WINDOWS\sys.exe (PID 408)
      Command line: "C:\WINDOWS\sys.exe"
      - Executes dropped EXE
      - Modifies Installed Components in the registry
      - Checks computer location settings
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Modifies Internet Explorer settings
      - Modifies Internet Explorer start page
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\taskkill.exe (PID 5048)
         Command line: taskkill.exe /im KSafeTray.exe /f
         - Kills process with taskkill
         - Suspicious use of AdjustPrivilegeToken

      3. C:\Program Files\Internet Explorer\iexplore.exe (PID 4944)
         Command line: "C:\Program Files\Internet Explorer\iexplore.exe" http://www.ymtuku.com/xg/?tan
         - Modifies Internet Explorer settings
         - Suspicious behavior: GetForegroundWindowSpam
         - Suspicious use of FindShellTrayWindow
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory

         4. C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 1336)
            Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4944 CREDAT:17410 /prefetch:2
            - Modifies Internet Explorer settings
            - Suspicious use of SetWindowsHookEx

      3. C:\Windows\SysWOW64\cmd.exe (PID 2704)
         Command line: "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\attrib.exe (PID 1532)
            Command line: attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
            - Views/modifies file attributes

      3. C:\Windows\SysWOW64\cmd.exe (PID 116)
         Command line: "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\attrib.exe (PID 3092)
            Command line: attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
            - Views/modifies file attributes

      3. C:\Windows\SysWOW64\cmd.exe (PID 2068)
         Command line: "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\attrib.exe (PID 2796)
            Command line: attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
            - Views/modifies file attributes

      3. C:\Windows\SysWOW64\cmd.exe (PID 3556)
         Command line: "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\attrib.exe (PID 3372)
            Command line: attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
            - Views/modifies file attributes

      3. C:\Windows\SysWOW64\cmd.exe (PID 2624)
         Command line: "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\attrib.exe (PID 3944)
            Command line: attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
            - Views/modifies file attributes

      3. C:\Windows\SysWOW64\cmd.exe (PID 3120)
         Command line: "C:\Windows\System32\cmd.exe" /c attrib +h "C:\WINDOWS\sys.exe"
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\attrib.exe (PID 3040)
            Command line: attrib +h "C:\WINDOWS\sys.exe"
            - Drops file in Windows directory
            - Views/modifies file attributes

      3. C:\Windows\SysWOW64\cmd.exe (PID 2172)
         Command line: "C:\Windows\System32\cmd.exe" /c attrib +h "c:\sys.exe"
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\attrib.exe (PID 1464)
            Command line: attrib +h "c:\sys.exe"
            - Views/modifies file attributes

   2. C:\Windows\SysWOW64\cmd.exe (PID 4744)
      Command line: cmd /c del 8beead19f19ceaa357d46eb78b65ad0b.exe
      (self-deletion of the original sample; no signatures attached)
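The tree above is a compact, reusable pattern: kill the security tray, drop a copy under the Windows directory, hide the IE shortcuts and the dropped file with attrib +h, launch the browser on the pay-per-visit URL, and delete the original. The triage logic below, added here as an example and not sandbox code, takes process-creation records (pid, parent pid, image, command line) in the shape of that tree and flags each of those steps, attributing every hit back to the root sample through the parent chain. PROCS is constructed from the tree on this page and abridged to five of the seven attrib launches; the security-process list and the rule thresholds are assumptions.

```python
"""Process-tree triage for the chain shown above.

Added example, not sandbox code. PROCS is constructed from the tree on this
page (abridged); SECURITY_PROCS is an assumed list.
"""
from __future__ import annotations

import re
import shlex
from dataclasses import dataclass

# Tray/agent processes that commodity malware force-kills before installing.
# KSafeTray.exe is the Kingsoft Antivirus tray seen in the tree above.
SECURITY_PROCS = {"ksafetray.exe", "kxetray.exe", "360tray.exe", "msmpeng.exe"}
# An .exe directly in the Windows root (not System32/SysWOW64) is unusual.
WINDOWS_ROOT_EXE = re.compile(r"c:\\windows\\[^\\]+\.exe$", re.I)


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str     # executable path as the sandbox reports it
    cmdline: str


def basename(path: str) -> str:
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def argv_of(cmdline: str) -> list[str]:
    """Windows-style split: quoted paths (spaces, CJK names) stay one token."""
    return [a.strip('"').lower() for a in shlex.split(cmdline, posix=False)]


def ancestry(procs: list[Proc], pid: int) -> list[int]:
    """Root-first pid chain, e.g. [4440, 408, 2704, 1532]."""
    by_pid = {p.pid: p for p in procs}
    chain: list[int] = []
    while pid in by_pid:
        chain.append(pid)
        pid = by_pid[pid].ppid
    return chain[::-1]


def triage(procs: list[Proc]) -> list[tuple[int, str, str]]:
    """Return (pid, category, detail) for every step of the hijacker chain."""
    by_pid = {p.pid: p for p in procs}
    out: list[tuple[int, str, str]] = []
    for p in procs:
        exe, argv = basename(p.image), argv_of(p.cmdline)
        parent = by_pid.get(p.ppid)
        # 1. forced kill of a security product's process
        if exe == "taskkill.exe" and "/im" in argv and "/f" in argv:
            target = argv[argv.index("/im") + 1]
            if target in SECURITY_PROCS:
                out.append((p.pid, "kill-security", target))
        # 2. cmd /c attrib +h <shortcut or dropped binary>
        if exe == "cmd.exe" and "/c" in argv and "attrib" in argv and "+h" in argv:
            out.append((p.pid, "hide-file", argv[-1]))
        # 3. self-deletion: cmd /c del <parent's own image name>
        if exe == "cmd.exe" and "del" in argv and parent is not None \
                and basename(argv[-1]) == basename(parent.image):
            out.append((p.pid, "self-delete", f"parent pid {parent.pid}"))
        # 4. executable running from the Windows root
        if WINDOWS_ROOT_EXE.search(p.image):
            out.append((p.pid, "windows-root-exe", p.image))
        # 5. IE launched on a URL by something other than the shell
        if exe == "iexplore.exe" and parent is not None \
                and basename(parent.image) != "explorer.exe":
            urls = [a for a in argv if a.startswith("http")]
            if urls:
                out.append((p.pid, "browser-launch", urls[0]))
    return out


S = r"C:\Users\Admin\AppData\Local\Temp\8beead19f19ceaa357d46eb78b65ad0b.exe"
C = r"C:\Windows\SysWOW64\cmd.exe"
PROCS = [  # constructed from the tree above; ppid 0 marks the root
    Proc(4440, 0, S, f'"{S}"'),
    Proc(4528, 4440, r"C:\Windows\SysWOW64\taskkill.exe", "taskkill.exe /im KSafeTray.exe /f"),
    Proc(408, 4440, r"C:\WINDOWS\sys.exe", r'"C:\WINDOWS\sys.exe"'),
    Proc(5048, 408, r"C:\Windows\SysWOW64\taskkill.exe", "taskkill.exe /im KSafeTray.exe /f"),
    Proc(4944, 408, r"C:\Program Files\Internet Explorer\iexplore.exe",
         r'"C:\Program Files\Internet Explorer\iexplore.exe" http://www.ymtuku.com/xg/?tan'),
    Proc(1336, 4944, r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE",
         r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4944 CREDAT:17410 /prefetch:2'),
    Proc(2704, 408, C, r'"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"'),
    Proc(1532, 2704, r"C:\Windows\SysWOW64\attrib.exe", r'attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"'),
    Proc(2068, 408, C, r'"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"'),
    Proc(2624, 408, C, r'"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"'),
    Proc(3120, 408, C, r'"C:\Windows\System32\cmd.exe" /c attrib +h "C:\WINDOWS\sys.exe"'),
    Proc(2172, 408, C, r'"C:\Windows\System32\cmd.exe" /c attrib +h "c:\sys.exe"'),
    Proc(4744, 4440, C, "cmd /c del 8beead19f19ceaa357d46eb78b65ad0b.exe"),
]

if __name__ == "__main__":
    for pid, category, detail in triage(PROCS):
        print(" > ".join(map(str, ancestry(PROCS, pid))), category, detail)
```

The self-delete rule compares the deleted file name with the parent's image name rather than matching on "del" alone, which keeps ordinary batch clean-up out of the results; the browser rule deliberately ignores the SCODEF child that IE spawns for itself so that only the hijacking launch by sys.exe is reported.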
Network
MITRE ATT&CK Enterprise v6
Downloads

The two CryptnetUrlCache entries are Windows CryptoAPI URL-cache files (certificate and revocation fetches made during the browser session), not payloads. The remaining entries have no file name on the page; the last four are two pairs with identical hashes, and both 132KB pairs differ from the original sample's hash.

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize: 471B
MD5: 50ccb6305f667bc427d115125f962cac
SHA1: b0d82ebe2f5cf5b520ba7edcf7b2734cf4f2d200
SHA256: fd9644d82e1e00505eb4e716136b42befb20145a05057f0cb052d1793a853a58
SHA512: 9687b5fefe3505705846b3dfa22cbcbcf7c04fdfc1f386998f1a0c8e275ad67faa9976ed51638cfe0d219422fd93dc8ee037653b96bf1956b298b31eb35b507c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize: 404B
MD5: 691d89f6d0f05efa5d7c03bd99c1ef20
SHA1: dd17ea5c06b858dd114c04da17861789867f256a
SHA256: b2cdda53f9e386d27748bee12096120902a8bea6e783c8f003865252e7b24af7
SHA512: 141cf20292ff82d308927b049607029f723d60e54c649311c87f124e1982c43c3697c0cad2d116ec5078b9ee464ea12e73d49d90f96a50dbca9c7b58662ce666

(file name not given on the page)
Filesize: 1KB
MD5: 8897a0430252955fbece867beb0091bc
SHA1: 967f0d5e8bafbc1575fca80d134242e485cbbd87
SHA256: 85c8e3e39bd8cf64182e035081151e76682b7528eb394f590cff1bc2a5846a93
SHA512: 9478759f3138f97fd733dec9eb457df3b5ff54c5c3df2e2e6853eec38ed7605f244a45c6cda8485a443838d8b5c5282627bd4ac0ed57f9977f2fe18de38093fa

(file name not given on the page)
Filesize: 132KB
MD5: 42df30be9602b51954e41cc2d91b577e
SHA1: 89217bb67dbab064b958f86c8e65be95cac47fdd
SHA256: 6b1320117d8bef68a7695d98c797c5acf66c517d0a3873c24234118ffaa021c4
SHA512: be5aa5af95ba26ba41d1ace845a6cdeed79d91d71a6ae68881f2de6201c73aa6d643875ecd4ededf9135f6ad9363ad03c84df90c7c24ffa3f6967f2abb2948d8

(file name not given on the page)
Filesize: 132KB
MD5: 42df30be9602b51954e41cc2d91b577e
SHA1: 89217bb67dbab064b958f86c8e65be95cac47fdd
SHA256: 6b1320117d8bef68a7695d98c797c5acf66c517d0a3873c24234118ffaa021c4
SHA512: be5aa5af95ba26ba41d1ace845a6cdeed79d91d71a6ae68881f2de6201c73aa6d643875ecd4ededf9135f6ad9363ad03c84df90c7c24ffa3f6967f2abb2948d8

(file name not given on the page)
Filesize: 132KB
MD5: ee567dadd1ccb0ea82993f062328a113
SHA1: 20224d489c76b7bf11cc664c711959759d7d17a7
SHA256: e3ade3c3b28d89a18532e4b8b42a0f61035dcb55fab4414ce4eb0a76b20b9686
SHA512: 619d69c6a81eb5499525460710e7e86b539d63f6a10bc9a830296b396b68c63651a152595afd295b50ac0b68681c21bb7a090f653a82023813a021c7740aa35f

(file name not given on the page)
Filesize: 132KB
MD5: ee567dadd1ccb0ea82993f062328a113
SHA1: 20224d489c76b7bf11cc664c711959759d7d17a7
SHA256: e3ade3c3b28d89a18532e4b8b42a0f61035dcb55fab4414ce4eb0a76b20b9686
SHA512: 619d69c6a81eb5499525460710e7e86b539d63f6a10bc9a830296b396b68c63651a152595afd295b50ac0b68681c21bb7a090f653a82023813a021c7740aa35f