Analysis

  • max time kernel
    151s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26/09/2022, 02:55

General

  • Target

    527f1fa4cfec04ee31ec93960dc7ed50.exe

  • Size

    7.5MB

  • MD5

    527f1fa4cfec04ee31ec93960dc7ed50

  • SHA1

    03dd789dda5b17469af784df146256552b7a0535

  • SHA256

    1985acbf54aade2b89a64da25490a8ddaeb5db6af3d4f64034cdbd6193d6830b

  • SHA512

    bf906b984c18cbd491f38d4e9a53be0299afa21b01d61ef99f15453f45a32bdf2d6413439e4beed2fd02e6f0be142c70fe218e58d8f2905163507c8d9dd1e4f9

  • SSDEEP

    196608:LtbqGpfawaDA8j+Y5XdFvDy+DQ3Xdj/JCI4ipuFIT2ZajbqGpfawaDA83Q:LtbfI5XLvDtQXh/JP4mib0jbfT

Malware Config

Signatures

  • joker

    Joker is an Android malware that targets billing and SMS fraud.

  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 4 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\527f1fa4cfec04ee31ec93960dc7ed50.exe
    "C:\Users\Admin\AppData\Local\Temp\527f1fa4cfec04ee31ec93960dc7ed50.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    PID:2160

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\MSINET.OCX

    Filesize

    128KB

    MD5

    bed46f55af9a7b495ec0f2de0cb5ad3f

    SHA1

    e9c47a7cabbf62e154dca7dba2301cc8eac1047e

    SHA256

    c11615f4561755632da7469e6c5fbf3ead40e0d9747030c90077b70115692ce3

    SHA512

    4938f4e4007e63d990d6b18907b71b7108d9f1d5cbeab194bdf3c25226da20b2995102d79daa262b433f6a4479a9cceafea6c8f5b6f86bd190c751e7c0bd788b

  • memory/2160-132-0x0000000000400000-0x0000000000B7E000-memory.dmp

    Filesize

    7.5MB

  • memory/2160-133-0x0000000077370000-0x0000000077513000-memory.dmp

    Filesize

    1.6MB

  • memory/2160-134-0x0000000075620000-0x0000000075835000-memory.dmp

    Filesize

    2.1MB

  • memory/2160-136-0x00000000752E0000-0x0000000075480000-memory.dmp

    Filesize

    1.6MB

  • memory/2160-137-0x0000000076F10000-0x0000000076F8A000-memory.dmp

    Filesize

    488KB

  • memory/2160-1485-0x0000000002930000-0x0000000002A30000-memory.dmp

    Filesize

    1024KB

  • memory/2160-1486-0x0000000002930000-0x0000000002A30000-memory.dmp

    Filesize

    1024KB

  • memory/2160-1487-0x0000000000400000-0x0000000000B7E000-memory.dmp

    Filesize

    7.5MB