joker | 1634cd31bc5c8b50aa4efe86d8c5611cc15d2f6d7e9a4441d059189e1efd1cf5

Analysis

max time kernel
74s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
20-09-2022 16:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4cf13e6374b590864851a7d078c6c0ca.exe
Size

132KB
MD5

4cf13e6374b590864851a7d078c6c0ca
SHA1

7af06765aa146779df01a40dfa95eb666237205c
SHA256

1634cd31bc5c8b50aa4efe86d8c5611cc15d2f6d7e9a4441d059189e1efd1cf5
SHA512

06b6f67f054976d19b6dee7e6d6fb5181dd79450f10becf33e58251a482c1be969f6207138d8a8800ec80b827030b98da233628b42873d9993ca56f113f35c93
SSDEEP

3072:z1i/NU8bOMYcYYcmy5K/40g3nan3vx9kGSYng76s5YmMOMYcYY51i/NU8m:Bi/NjO5u//g+UGSYnum3Oai/Nu

Score

10^/10

joker infostealer persistence trojan

Malware Config

Signatures

joker
Joker is an Android malware that targets billing and SMS fraud.
infostealer trojan joker

Executes dropped EXE 1 IoCs

pid	Process
2016	sys.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5}	sys.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5}\StubPath = "file:\\\\C:\\sys.exe"	sys.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	4cf13e6374b590864851a7d078c6c0ca.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	sys.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\ie.bat	sys.exe
File created	C:\WINDOWS\SysWOW64\qx.bat	sys.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\WINDOWS\sys.exe	4cf13e6374b590864851a7d078c6c0ca.exe
File opened for modification	C:\WINDOWS\sys.exe	4cf13e6374b590864851a7d078c6c0ca.exe
File created	C:\WINDOWS\sys.exe	sys.exe
File opened for modification	C:\WINDOWS\sys.exe	sys.exe
File opened for modification	C:\WINDOWS\sys.exe	attrib.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 2 IoCs

evasion

pid	Process
1856	taskkill.exe
1436	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 59 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.ymtuku.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\ymtuku.com\Total = "63"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0fc0a7022cdd801	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.ymtuku.com\ = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\154.203.154.173\ = "63"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30985506"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\International\CpMRU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\ymtuku.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\ymtuku.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\154.203.154.173\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30985506"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "126"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30985506"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c086017022cdd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Factor = "20"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Enable = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\154.203.154.173\Total = "63"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e2728ad8693e804caf0ad2c227b14216000000000200000000001066000000010000200000004bcdf8d3fd875011c2cbc16899fedbcc3164edc7edc3bf29ba744945b7061ff5000000000e8000000002000020000000170452305f7a251737b33663fd15e2cc229aced514401810dfb7d941ab4183da20000000518f08933bb9d335455119ad8086de16885b99c2f7993c56a62405ac1ef3146c40000000b31f7b4282395b5e494e7f096b7d4a9d58fb1707f8d786d3f65a2b0f473cd6bae847b58cb8995b27bcbc8f9bb733fdea181b145b25ac891e53c750be53372ac4	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1824150476"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1828527334"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{98211A97-3915-11ED-B696-D2371B4A40BE} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	sys.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e2728ad8693e804caf0ad2c227b142160000000002000000000010660000000100002000000000f0af55795a80bca45f281294c3171bde9e161b96defcb579db3fe14f1d8691000000000e80000000020000200000009de1bef406a00fc5f1e4c7e53aea69fbc6a6a37ad8035e021a1f8f06b34129e4200000007c91fec3f729fe5c11fb29710899e0d245bd652ed7c2be37606ff7de28d52f3440000000c0818c578d32d20c78757d9c35db8f17b1aca53fb05bd2c95efce3cee339ce87a8f8297fc2562099d9458003f923ca08305f79e208466c92b39dc8527d593e01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "370465017"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DOMStorage\ymtuku.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DOMStorage\154.203.154.173	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1824150476"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://dhku.com"	sys.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2016	sys.exe
2016	sys.exe
2016	sys.exe
2016	sys.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1284	iexplore.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1856	taskkill.exe
Token: SeDebugPrivilege	1436	taskkill.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1284	iexplore.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
4984	4cf13e6374b590864851a7d078c6c0ca.exe
2016	sys.exe
1284	iexplore.exe
1284	iexplore.exe
2088	IEXPLORE.EXE
2088	IEXPLORE.EXE
2088	IEXPLORE.EXE
2088	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 59 IoCs

description	pid	Process	procid_target
PID 4984 wrote to memory of 1856	4984	4cf13e6374b590864851a7d078c6c0ca.exe	81
PID 4984 wrote to memory of 1856	4984	4cf13e6374b590864851a7d078c6c0ca.exe	81
PID 4984 wrote to memory of 1856	4984	4cf13e6374b590864851a7d078c6c0ca.exe	81
PID 4984 wrote to memory of 2016	4984	4cf13e6374b590864851a7d078c6c0ca.exe	83
PID 4984 wrote to memory of 2016	4984	4cf13e6374b590864851a7d078c6c0ca.exe	83
PID 4984 wrote to memory of 2016	4984	4cf13e6374b590864851a7d078c6c0ca.exe	83
PID 4984 wrote to memory of 1032	4984	4cf13e6374b590864851a7d078c6c0ca.exe	85
PID 4984 wrote to memory of 1032	4984	4cf13e6374b590864851a7d078c6c0ca.exe	85
PID 4984 wrote to memory of 1032	4984	4cf13e6374b590864851a7d078c6c0ca.exe	85
PID 2016 wrote to memory of 1436	2016	sys.exe	86
PID 2016 wrote to memory of 1436	2016	sys.exe	86
PID 2016 wrote to memory of 1436	2016	sys.exe	86
PID 2016 wrote to memory of 1284	2016	sys.exe	88
PID 2016 wrote to memory of 1284	2016	sys.exe	88
PID 1284 wrote to memory of 2088	1284	iexplore.exe	89
PID 1284 wrote to memory of 2088	1284	iexplore.exe	89
PID 1284 wrote to memory of 2088	1284	iexplore.exe	89
PID 2016 wrote to memory of 3508	2016	sys.exe	90
PID 2016 wrote to memory of 3508	2016	sys.exe	90
PID 2016 wrote to memory of 3508	2016	sys.exe	90
PID 3508 wrote to memory of 3528	3508	cmd.exe	92
PID 3508 wrote to memory of 3528	3508	cmd.exe	92
PID 3508 wrote to memory of 3528	3508	cmd.exe	92
PID 2016 wrote to memory of 3592	2016	sys.exe	93
PID 2016 wrote to memory of 3592	2016	sys.exe	93
PID 2016 wrote to memory of 3592	2016	sys.exe	93
PID 3592 wrote to memory of 4368	3592	cmd.exe	95
PID 3592 wrote to memory of 4368	3592	cmd.exe	95
PID 3592 wrote to memory of 4368	3592	cmd.exe	95
PID 2016 wrote to memory of 1980	2016	sys.exe	96
PID 2016 wrote to memory of 1980	2016	sys.exe	96
PID 2016 wrote to memory of 1980	2016	sys.exe	96
PID 1980 wrote to memory of 4992	1980	cmd.exe	98
PID 1980 wrote to memory of 4992	1980	cmd.exe	98
PID 1980 wrote to memory of 4992	1980	cmd.exe	98
PID 2016 wrote to memory of 3432	2016	sys.exe	99
PID 2016 wrote to memory of 3432	2016	sys.exe	99
PID 2016 wrote to memory of 3432	2016	sys.exe	99
PID 3432 wrote to memory of 3372	3432	cmd.exe	101
PID 3432 wrote to memory of 3372	3432	cmd.exe	101
PID 3432 wrote to memory of 3372	3432	cmd.exe	101
PID 2016 wrote to memory of 4404	2016	sys.exe	102
PID 2016 wrote to memory of 4404	2016	sys.exe	102
PID 2016 wrote to memory of 4404	2016	sys.exe	102
PID 4404 wrote to memory of 2228	4404	cmd.exe	104
PID 4404 wrote to memory of 2228	4404	cmd.exe	104
PID 4404 wrote to memory of 2228	4404	cmd.exe	104
PID 2016 wrote to memory of 4680	2016	sys.exe	105
PID 2016 wrote to memory of 4680	2016	sys.exe	105
PID 2016 wrote to memory of 4680	2016	sys.exe	105
PID 4680 wrote to memory of 2924	4680	cmd.exe	107
PID 4680 wrote to memory of 2924	4680	cmd.exe	107
PID 4680 wrote to memory of 2924	4680	cmd.exe	107
PID 2016 wrote to memory of 3188	2016	sys.exe	108
PID 2016 wrote to memory of 3188	2016	sys.exe	108
PID 2016 wrote to memory of 3188	2016	sys.exe	108
PID 3188 wrote to memory of 3496	3188	cmd.exe	110
PID 3188 wrote to memory of 3496	3188	cmd.exe	110
PID 3188 wrote to memory of 3496	3188	cmd.exe	110

Views/modifies file attributes 1 TTPs 7 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
4368	attrib.exe
4992	attrib.exe
3372	attrib.exe
2228	attrib.exe
2924	attrib.exe
3496	attrib.exe
3528	attrib.exe

C:\Users\Admin\AppData\Local\Temp\4cf13e6374b590864851a7d078c6c0ca.exe
"C:\Users\Admin\AppData\Local\Temp\4cf13e6374b590864851a7d078c6c0ca.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4984
- C:\Windows\SysWOW64\taskkill.exe
  taskkill.exe /im KSafeTray.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1856
- C:\WINDOWS\sys.exe
  "C:\WINDOWS\sys.exe"
  2⤵
  - Executes dropped EXE
  - Modifies Installed Components in the registry
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2016
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill.exe /im KSafeTray.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1436
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://www.ymtuku.com/xg/?tan
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1284
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1284 CREDAT:17410 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2088
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3508
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
      4⤵
      Views/modifies file attributes
      PID:3528
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3592
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
      4⤵
      Views/modifies file attributes
      PID:4368
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1980
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
      4⤵
      Views/modifies file attributes
      PID:4992
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3432
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
      4⤵
      Views/modifies file attributes
      PID:3372
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4404
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
      4⤵
      Views/modifies file attributes
      PID:2228
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c attrib +h "C:\WINDOWS\sys.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4680
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +h "C:\WINDOWS\sys.exe"
      4⤵
      Drops file in Windows directory
      Views/modifies file attributes
      PID:2924
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c attrib +h "c:\sys.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3188
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +h "c:\sys.exe"
      4⤵
      Views/modifies file attributes
      PID:3496
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del 4cf13e6374b590864851a7d078c6c0ca.exe
  2⤵
  PID:1032

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
50ccb6305f667bc427d115125f962cac

SHA1
b0d82ebe2f5cf5b520ba7edcf7b2734cf4f2d200

SHA256
fd9644d82e1e00505eb4e716136b42befb20145a05057f0cb052d1793a853a58

SHA512
9687b5fefe3505705846b3dfa22cbcbcf7c04fdfc1f386998f1a0c8e275ad67faa9976ed51638cfe0d219422fd93dc8ee037653b96bf1956b298b31eb35b507c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
f62148dfed6458eb72320a43e1927f6c

SHA1
a66f4b2abf072ea895c68a0d32739119ae9643cf

SHA256
270d9e901cca11caa40e7876f12ad0637af6974a733e3bb04b10c8197a51e3ea

SHA512
feccf713aa4bf4b30b1dc3c8b75c72d27b72f16caca45b576d01c768734b7fe1835ff67401ddd26ea8d495204ea2c93ad089c9dc2ffe12fb49affcee00b8ed0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\dqptnfu\imagestore.dat

Filesize
1KB

MD5
a7b7f5625fb3c11322366f9f82d77727

SHA1
cc39c0c3ef6732356281fbe532cf0036fe0aff1a

SHA256
49ecf15281421c6f8b4cdad7ecfbbb83a8b912f5e506016cb839adef40edd689

SHA512
9896c399550ec183dad8cefe51f37cd02cc4727f05cafbfdb89a1fa37162f4f92b38a88e1a9df7128f6507b83d7af128244ba1f43c5871284f716ed8863f702f

Download Submit
C:\WINDOWS\sys.exe

Filesize
132KB

MD5
15c1bcf033df1c97d0175bd6b9834187

SHA1
6af8d59889d956b129d5b9c1edd16c4fec5d6e2f

SHA256
b89db2a402dbbb3b70f35a5a9a4a44632accad003b56b53bf0828351271b4e18

SHA512
b98684b0f8aa9805fda8978b1a9297bed370bebbae00dbc89a9b22693c95bcb37b2cecfebed398878552c28728e983c9d11fac7a4c703a568708b3d9ac521c2b

Download Submit
C:\Windows\sys.exe

Filesize
132KB

MD5
15c1bcf033df1c97d0175bd6b9834187

SHA1
6af8d59889d956b129d5b9c1edd16c4fec5d6e2f

SHA256
b89db2a402dbbb3b70f35a5a9a4a44632accad003b56b53bf0828351271b4e18

SHA512
b98684b0f8aa9805fda8978b1a9297bed370bebbae00dbc89a9b22693c95bcb37b2cecfebed398878552c28728e983c9d11fac7a4c703a568708b3d9ac521c2b

Download Submit
C:\sys.exe

Filesize
132KB

MD5
9286db426c4025c164c9051af18f27ac

SHA1
37fc1d0ca73379582ff206eee23a69876a774b04

SHA256
c297e7a1c49834031c8ce642b1e57b6f897ef23d8a2a21af8b2efdb8b6b07351

SHA512
d95c7f308e2b22694976c5db6ad5f02632a09898069ea687acffe287f3838a2de9bbd34531715a423fddfb71aeb467d431d47eeecb6d4463f8a78a25dd8f5895

Download Submit
\??\c:\sys.exe

Filesize
132KB

MD5
9286db426c4025c164c9051af18f27ac

SHA1
37fc1d0ca73379582ff206eee23a69876a774b04

SHA256
c297e7a1c49834031c8ce642b1e57b6f897ef23d8a2a21af8b2efdb8b6b07351

SHA512
d95c7f308e2b22694976c5db6ad5f02632a09898069ea687acffe287f3838a2de9bbd34531715a423fddfb71aeb467d431d47eeecb6d4463f8a78a25dd8f5895

Download Submit