joker | e2a7a680c1b1646fc74c0c2f2a9ace11595dee74ca79db9665184c6eea0c991f

Analysis

max time kernel
146s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
01/10/2022, 23:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e2a7a680c1b1646fc74c0c2f2a9ace11595dee74ca79db9665184c6eea0c991f.exe
Size

96KB
MD5

688a745ef9d88455295a520729998242
SHA1

08caca424b35f1c2976f417076f0c62e504e6662
SHA256

e2a7a680c1b1646fc74c0c2f2a9ace11595dee74ca79db9665184c6eea0c991f
SHA512

9519cf37acefe889840225bb996d2b31a8eabefb3eb57c5b69c949781018d3918daa768fc2aa2ec78d327985daf7faf9f5c2d422e0d4192ccec9404164281dc1
SSDEEP

768:L28z7t47kXJREBku3/nK5xa/24/ki8qkM7B1YlhrIWYHLxqu+TKW1Kljl9nnyQOD:T4JSuPKTBZrO/A5Qr+TLn+eWQouy+r

Score

10^/10

joker evasion infostealer persistence trojan

Malware Config

Signatures

joker
Joker is an Android malware that targets billing and SMS fraud.
infostealer trojan joker

Executes dropped EXE 1 IoCs

pid	Process
3112	inl4728.tmp

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1158

pid	Process
4732	attrib.exe
784	attrib.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	e2a7a680c1b1646fc74c0c2f2a9ace11595dee74ca79db9665184c6eea0c991f.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\fsahdsf = "\"C:\\Users\\Admin\\AppData\\Roaming\\lua\\tmp.\\a.{D71C5380-D2A0-CD69-E3EE-E1002B3A309E}\" hh.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
3564	tasklist.exe

Modifies Internet Explorer settings 1 TTPs 50 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.henniu466.site	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30987775"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "91565583"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\International\CpMRU	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30987775"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30987775"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\cnkankan.com\Total = "126"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\henniu466.site\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.henniu466.site\ = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\cnkankan.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.cnkankan.com\ = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.cnkankan.com\ = "126"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.cnkankan.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\henniu466.site\Total = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "65940490"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DOMStorage\henniu466.site	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "189"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\cnkankan.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "126"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "65784651"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{2ED694D2-41F2-11ED-A0EE-7A46CE8ECE48} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Enable = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Factor = "20"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DOMStorage\cnkankan.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\cnkankan.com\Total = "63"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://www.82133.com/?S"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.82133.com/?S"	reg.exe

Modifies registry class 13 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htafile\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D71C5380-D2A0-CD69-E3EE-E1002B3A309E}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D71C5380-D2A0-CD69-E3EE-E1002B3A309E}\Shell\open(&H)\Command	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D71C5380-D2A0-CD69-E3EE-E1002B3A309E}\Shell\open(&H)\Command\ = "wscript -e:vbs \"C:\\Users\\Admin\\AppData\\Roaming\\lua\\3.bat\""	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htafile	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htafile\NeverShowExt	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htafile\DefaultIcon	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D71C5380-D2A0-CD69-E3EE-E1002B3A309E}\IsShortCut	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D71C5380-D2A0-CD69-E3EE-E1002B3A309E}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D71C5380-D2A0-CD69-E3EE-E1002B3A309E}\Shell	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D71C5380-D2A0-CD69-E3EE-E1002B3A309E}\Shell\open(&H)	reg.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3564	tasklist.exe
Token: SeIncBasePriorityPrivilege	1584	e2a7a680c1b1646fc74c0c2f2a9ace11595dee74ca79db9665184c6eea0c991f.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3088	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3088	iexplore.exe
3088	iexplore.exe
3860	IEXPLORE.EXE
3860	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1584 wrote to memory of 1536	1584	e2a7a680c1b1646fc74c0c2f2a9ace11595dee74ca79db9665184c6eea0c991f.exe	103
PID 1584 wrote to memory of 1536	1584	e2a7a680c1b1646fc74c0c2f2a9ace11595dee74ca79db9665184c6eea0c991f.exe	103
PID 1584 wrote to memory of 1536	1584	e2a7a680c1b1646fc74c0c2f2a9ace11595dee74ca79db9665184c6eea0c991f.exe	103
PID 1536 wrote to memory of 4504	1536	cmd.exe	105
PID 1536 wrote to memory of 4504	1536	cmd.exe	105
PID 1536 wrote to memory of 4504	1536	cmd.exe	105
PID 4504 wrote to memory of 3088	4504	cmd.exe	107
PID 4504 wrote to memory of 3088	4504	cmd.exe	107
PID 4504 wrote to memory of 1456	4504	cmd.exe	108
PID 4504 wrote to memory of 1456	4504	cmd.exe	108
PID 4504 wrote to memory of 1456	4504	cmd.exe	108
PID 4504 wrote to memory of 2304	4504	cmd.exe	109
PID 4504 wrote to memory of 2304	4504	cmd.exe	109
PID 4504 wrote to memory of 2304	4504	cmd.exe	109
PID 2304 wrote to memory of 4212	2304	cmd.exe	111
PID 2304 wrote to memory of 4212	2304	cmd.exe	111
PID 2304 wrote to memory of 4212	2304	cmd.exe	111
PID 2304 wrote to memory of 636	2304	cmd.exe	112
PID 2304 wrote to memory of 636	2304	cmd.exe	112
PID 2304 wrote to memory of 636	2304	cmd.exe	112
PID 1584 wrote to memory of 3112	1584	e2a7a680c1b1646fc74c0c2f2a9ace11595dee74ca79db9665184c6eea0c991f.exe	113
PID 1584 wrote to memory of 3112	1584	e2a7a680c1b1646fc74c0c2f2a9ace11595dee74ca79db9665184c6eea0c991f.exe	113
PID 1584 wrote to memory of 3112	1584	e2a7a680c1b1646fc74c0c2f2a9ace11595dee74ca79db9665184c6eea0c991f.exe	113
PID 2304 wrote to memory of 4732	2304	cmd.exe	114
PID 2304 wrote to memory of 4732	2304	cmd.exe	114
PID 2304 wrote to memory of 4732	2304	cmd.exe	114
PID 2304 wrote to memory of 784	2304	cmd.exe	115
PID 2304 wrote to memory of 784	2304	cmd.exe	115
PID 2304 wrote to memory of 784	2304	cmd.exe	115
PID 2304 wrote to memory of 3688	2304	cmd.exe	116
PID 2304 wrote to memory of 3688	2304	cmd.exe	116
PID 2304 wrote to memory of 3688	2304	cmd.exe	116
PID 3688 wrote to memory of 3540	3688	rundll32.exe	117
PID 3688 wrote to memory of 3540	3688	rundll32.exe	117
PID 3688 wrote to memory of 3540	3688	rundll32.exe	117
PID 3088 wrote to memory of 3860	3088	iexplore.exe	118
PID 3088 wrote to memory of 3860	3088	iexplore.exe	118
PID 3088 wrote to memory of 3860	3088	iexplore.exe	118
PID 2304 wrote to memory of 3564	2304	cmd.exe	119
PID 2304 wrote to memory of 3564	2304	cmd.exe	119
PID 2304 wrote to memory of 3564	2304	cmd.exe	119
PID 3540 wrote to memory of 2492	3540	runonce.exe	120
PID 3540 wrote to memory of 2492	3540	runonce.exe	120
PID 3540 wrote to memory of 2492	3540	runonce.exe	120
PID 2304 wrote to memory of 4464	2304	cmd.exe	122
PID 2304 wrote to memory of 4464	2304	cmd.exe	122
PID 2304 wrote to memory of 4464	2304	cmd.exe	122
PID 2304 wrote to memory of 2500	2304	cmd.exe	124
PID 2304 wrote to memory of 2500	2304	cmd.exe	124
PID 2304 wrote to memory of 2500	2304	cmd.exe	124
PID 2304 wrote to memory of 4056	2304	cmd.exe	125
PID 2304 wrote to memory of 4056	2304	cmd.exe	125
PID 2304 wrote to memory of 4056	2304	cmd.exe	125
PID 2304 wrote to memory of 3992	2304	cmd.exe	126
PID 2304 wrote to memory of 3992	2304	cmd.exe	126
PID 2304 wrote to memory of 3992	2304	cmd.exe	126
PID 2304 wrote to memory of 2328	2304	cmd.exe	127
PID 2304 wrote to memory of 2328	2304	cmd.exe	127
PID 2304 wrote to memory of 2328	2304	cmd.exe	127
PID 2304 wrote to memory of 2116	2304	cmd.exe	128
PID 2304 wrote to memory of 2116	2304	cmd.exe	128
PID 2304 wrote to memory of 2116	2304	cmd.exe	128
PID 2304 wrote to memory of 2788	2304	cmd.exe	129
PID 2304 wrote to memory of 2788	2304	cmd.exe	129

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
784	attrib.exe
4732	attrib.exe

C:\Users\Admin\AppData\Local\Temp\e2a7a680c1b1646fc74c0c2f2a9ace11595dee74ca79db9665184c6eea0c991f.exe
"C:\Users\Admin\AppData\Local\Temp\e2a7a680c1b1646fc74c0c2f2a9ace11595dee74ca79db9665184c6eea0c991f.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1584
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp1_load.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1536
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\lua\1.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4504
  - - C:\PROGRA~1\INTERN~1\iexplore.exe
      C:\PROGRA~1\INTERN~1\IEXPLORE.EXE http://www.cnkankan.com/?82133
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3088
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3088 CREDAT:17410 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:3860
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\lua\1.inf
      4⤵
      PID:1456
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\lua\2.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2304
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCR\CLSID\{D71C5380-D2A0-CD69-E3EE-E1002B3A309E}" /v "IsShortCut" /d "" /f
        5⤵
        Modifies registry class
        
        PID:4212
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCR\CLSID\{D71C5380-D2A0-CD69-E3EE-E1002B3A309E}\Shell\open(&H)\Command" /v "" /d "wscript -e:vbs ""C:\Users\Admin\AppData\Roaming\lua\3.bat""" /f
        5⤵
        Modifies registry class
        
        PID:636
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h C:\Users\Admin\AppData\Roaming\lua\tmp\a.{D71C5380-D2A0-CD69-E3EE-E1002B3A309E}
        5⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:4732
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h C:\Users\Admin\AppData\Roaming\lua\tmp
        5⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:784
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\lua\2.inf
        5⤵
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3688
      - C:\Windows\SysWOW64\runonce.exe
        
        "C:\Windows\system32\runonce.exe" -r
        6⤵
        Checks processor information in registry
        Suspicious use of WriteProcessMemory
        
        PID:3540
        
        C:\Windows\SysWOW64\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        7⤵
        
        PID:2492
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3564
    - - C:\Windows\SysWOW64\find.exe
        
        find /i "360tray.exe" tasklist.txt
        5⤵
        
        PID:4464
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu" /v "{871C5380-42A0-1069-A2EA-08002B30309D}" /d "1" /f
        5⤵
        
        PID:2500
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu" /v "{871C5380-42A0-1069-A2EA-08002B30309D}" /d "1" /f
        5⤵
        
        PID:4056
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel" /v "{871C5380-42A0-1069-A2EA-08002B30309D}" /d "1" /f
        5⤵
        
        PID:3992
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCR\htafile" /v "NeverShowExt" /d "" /f
        5⤵
        Modifies registry class
        
        PID:2328
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCR\htafile\DefaultIcon" /v "" /d "C:\Program Files\Internet Explorer\IEXPLORE.EXE" /f
        5⤵
        Modifies registry class
        
        PID:2116
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d "http://www.82133.com/?S" /f
        5⤵
        Modifies Internet Explorer settings
        Modifies Internet Explorer start page
        
        PID:2788
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d "http://www.82133.com/?S" /f
        5⤵
        Modifies Internet Explorer settings
        Modifies Internet Explorer start page
        
        PID:2460
- C:\Users\Admin\AppData\Local\Temp\inl4728.tmp
  C:\Users\Admin\AppData\Local\Temp\inl4728.tmp
  2⤵
  - Executes dropped EXE
  PID:3112
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\E2A7A6~1.EXE > nul
  2⤵
  PID:3348

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\ckj4gk4\imagestore.dat

Filesize
1KB

MD5
d7bebf6dbeb70a850ea6b9630b6751fa

SHA1
883f073c5526da4d1879678c476ad43431717df2

SHA256
72174ef0ebc12624bf53a707e535ade17bf50cbdb813604b1a15d4cc22d6a6ba

SHA512
98e1503531bc443ee49c9b05e024e452792c9f9aed36692ad7a8f8a07414f0e6d3b985b7bdda8f6fa324c3ed1ea1bc5445b2736e9d2924d05b58454470bfb933

Download Submit
C:\Users\Admin\AppData\Local\Temp\cdf1912.tmp

Filesize
1KB

MD5
5e300ab3cf5cfdd7fad2e9cecbe10888

SHA1
6d9cf5fa643d779928a2260749d374200bc3ab7b

SHA256
1ae11a97bc7f49666aaad5abbdaada3989bc7b26bedaace34e79cb274455fa49

SHA512
bb898deb86b91b601291a4174ed8bec5d79d95876ab5ae138d5c132fb50eed213aa95d6cbcc667cdea80bbe4dd68a52e3eeb17466dd74ff8e27b27d9076a3fb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\inl4728.tmp

Filesize
57.2MB

MD5
f25e2ec8ef1357322f2b96eb78adb1d4

SHA1
723c5bd37ddbcf0dd53012b3519c16a1c3aff1a3

SHA256
cb64c40d3e4218a2b468a4f82eec26e0108962d25d5f15c314890941445462f3

SHA512
1bf7090068db3ddf21cb7829cc8f7e64a29e327815beb54b28047144aa5f4008139c31d650c05497f11be95632f8723cfbc0442d1542091582811b529c9f131c

Download Submit
C:\Users\Admin\AppData\Local\Temp\inl4728.tmp

Filesize
57.2MB

MD5
f25e2ec8ef1357322f2b96eb78adb1d4

SHA1
723c5bd37ddbcf0dd53012b3519c16a1c3aff1a3

SHA256
cb64c40d3e4218a2b468a4f82eec26e0108962d25d5f15c314890941445462f3

SHA512
1bf7090068db3ddf21cb7829cc8f7e64a29e327815beb54b28047144aa5f4008139c31d650c05497f11be95632f8723cfbc0442d1542091582811b529c9f131c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tasklist.txt

Filesize
7KB

MD5
400d36d8caf62629d614f2823fbb4d99

SHA1
f807736e3e3e72c8ff0a33c8921809e3c01dd9f8

SHA256
395cc7698141553e07657e9169093c4b2086290532d743d6797ce786b3012094

SHA512
3b80a5e7297bd0f5a34c517fc5b7a114c2ff35035e76de6eb3f0a2c820664a1de8a19a35a248fe9095336ae9d2632035d5130dd4ce760a5708631859d5a77cbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1_load.bat

Filesize
50B

MD5
e08ad52d3d132292f9c51e7cfec5fe08

SHA1
269f7eb185a9ff02664297bfb6f5df9f86ec10f0

SHA256
bd2a3003fb1f771283b30a044c49aecb72bfdff4322330337dba4992ecd198f4

SHA512
3dc0331f3ee9a57de7bda71a94953239bc7033a130f2b783b35d17ce3ed7b7928c154323d10ba81bd81d3bfd2d7c123cec55f5178d2b44286c2f857ccd6a1722

Download Submit
C:\Users\Admin\AppData\Roaming\lua\1.bat

Filesize
2KB

MD5
e9b0ea3bb8833d31df07f7ceaf019e02

SHA1
d147c5363b7fa233cbf2247897a465661f5ad408

SHA256
c9908af4e516f3fe5631e31d099f16f8c4e4d8b91d073003c10a3a0a0bc30fe3

SHA512
4c2a36d0498dd3332ca19e969d1ceaab2a57ef4d12adcc3ffff218a9d72dbfc1622fb22c08215da778821d50d3fd72b0d559f891196176e00459ef01300c9b2b

Download Submit
C:\Users\Admin\AppData\Roaming\lua\1.inf

Filesize
424B

MD5
5d8e8066c8e44558a044f4de83b79df2

SHA1
4920014abe179ae430bb55b3c4bdb6966327f551

SHA256
1d51c8abf3a0f5d4b2e61209507052bd12797d12c7821cb8868a0f3cd9950149

SHA512
792b8d0dcb3309ac0513d45e683dbf301ad06d60f4ae770b9d6c0d975eef6b85af17fb3f05fb74866556a11ef0c92f98b20fd81d455ab4b97606257fa782ea81

Download Submit
C:\Users\Admin\AppData\Roaming\lua\2.bat

Filesize
8KB

MD5
5dcf155ae2c093206144787c4779f144

SHA1
ac7c66e86e2db016cc3ef4c39cf367b873bf228f

SHA256
08420f73da6a96d1769e773960de1fd09be9db90d54308564ca8e5bc8b37246d

SHA512
93d1012e581c3b84858fc90efeb1d78022f00f82d4594a36cbcbca44e0ba5464b0f9b7516bd391b04d4b9d0ad54c1e9b9071ddd5690c466b22ba142f7d2d0564

Download Submit
C:\Users\Admin\AppData\Roaming\lua\2.inf

Filesize
244B

MD5
2de3e6e4faea8c4a10ddd4f26455caca

SHA1
b7c02274aa020619e6c7b925427b027ffcc28629

SHA256
9f29d64886130752a5fe40ce6e83a8f35dc65340871cfe435499a609037c2824

SHA512
0e49cbd89766d3697ce4c9a2c83de32ebaee2d41f1a635a94cf0c73541aaa614f4f5b755f55d21fdea07fc76985bc741f2649abc1c6a32e9876ffa6b3a1c33c8

Download Submit
memory/1584-133-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1584-221-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1584-132-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3088-200-0x00007FF9870D0000-0x00007FF98713E000-memory.dmp

Filesize
440KB

Download
memory/3088-189-0x00007FF9870D0000-0x00007FF98713E000-memory.dmp

Filesize
440KB

Download
memory/3088-228-0x00007FF9870D0000-0x00007FF98713E000-memory.dmp

Filesize
440KB

Download
memory/3088-165-0x00007FF9870D0000-0x00007FF98713E000-memory.dmp

Filesize
440KB

Download
memory/3088-155-0x00007FF9870D0000-0x00007FF98713E000-memory.dmp

Filesize
440KB

Download
memory/3088-167-0x00007FF9870D0000-0x00007FF98713E000-memory.dmp

Filesize
440KB

Download
memory/3088-154-0x00007FF9870D0000-0x00007FF98713E000-memory.dmp

Filesize
440KB

Download
memory/3088-160-0x00007FF9870D0000-0x00007FF98713E000-memory.dmp

Filesize
440KB

Download
memory/3088-168-0x00007FF9870D0000-0x00007FF98713E000-memory.dmp

Filesize
440KB

Download
memory/3088-170-0x00007FF9870D0000-0x00007FF98713E000-memory.dmp

Filesize
440KB

Download
memory/3088-171-0x00007FF9870D0000-0x00007FF98713E000-memory.dmp

Filesize
440KB

Download
memory/3088-227-0x00007FF9870D0000-0x00007FF98713E000-memory.dmp

Filesize
440KB

Download
memory/3088-172-0x00007FF9870D0000-0x00007FF98713E000-memory.dmp

Filesize
440KB

Download
memory/3088-153-0x00007FF9870D0000-0x00007FF98713E000-memory.dmp

Filesize
440KB

Download
memory/3088-175-0x00007FF9870D0000-0x00007FF98713E000-memory.dmp

Filesize
440KB

Download
memory/3088-222-0x00007FF9870D0000-0x00007FF98713E000-memory.dmp

Filesize
440KB

Download
memory/3088-152-0x00007FF9870D0000-0x00007FF98713E000-memory.dmp

Filesize
440KB

Download
memory/3088-180-0x00007FF9870D0000-0x00007FF98713E000-memory.dmp

Filesize
440KB

Download
memory/3088-142-0x00007FF9870D0000-0x00007FF98713E000-memory.dmp

Filesize
440KB

Download
memory/3088-183-0x00007FF9870D0000-0x00007FF98713E000-memory.dmp

Filesize
440KB

Download
memory/3088-184-0x00007FF9870D0000-0x00007FF98713E000-memory.dmp

Filesize
440KB

Download
memory/3088-182-0x00007FF9870D0000-0x00007FF98713E000-memory.dmp

Filesize
440KB

Download
memory/3088-185-0x00007FF9870D0000-0x00007FF98713E000-memory.dmp

Filesize
440KB

Download
memory/3088-186-0x00007FF9870D0000-0x00007FF98713E000-memory.dmp

Filesize
440KB

Download
memory/3088-187-0x00007FF9870D0000-0x00007FF98713E000-memory.dmp

Filesize
440KB

Download
memory/3088-188-0x00007FF9870D0000-0x00007FF98713E000-memory.dmp

Filesize
440KB

Download
memory/3088-159-0x00007FF9870D0000-0x00007FF98713E000-memory.dmp

Filesize
440KB

Download
memory/3088-193-0x00007FF9870D0000-0x00007FF98713E000-memory.dmp

Filesize
440KB

Download
memory/3088-194-0x00007FF9870D0000-0x00007FF98713E000-memory.dmp

Filesize
440KB

Download
memory/3088-150-0x00007FF9870D0000-0x00007FF98713E000-memory.dmp

Filesize
440KB

Download
memory/3088-196-0x00007FF9870D0000-0x00007FF98713E000-memory.dmp

Filesize
440KB

Download
memory/3088-198-0x00007FF9870D0000-0x00007FF98713E000-memory.dmp

Filesize
440KB

Download
memory/3088-144-0x00007FF9870D0000-0x00007FF98713E000-memory.dmp

Filesize
440KB

Download
memory/3088-151-0x00007FF9870D0000-0x00007FF98713E000-memory.dmp

Filesize
440KB

Download
memory/3088-149-0x00007FF9870D0000-0x00007FF98713E000-memory.dmp

Filesize
440KB

Download
memory/3088-205-0x00007FF9870D0000-0x00007FF98713E000-memory.dmp

Filesize
440KB

Download
memory/3088-147-0x00007FF9870D0000-0x00007FF98713E000-memory.dmp

Filesize
440KB

Download
memory/3088-146-0x00007FF9870D0000-0x00007FF98713E000-memory.dmp

Filesize
440KB

Download
memory/3088-215-0x00007FF9870D0000-0x00007FF98713E000-memory.dmp

Filesize
440KB

Download
memory/3088-209-0x00007FF9870D0000-0x00007FF98713E000-memory.dmp

Filesize
440KB

Download
memory/3088-210-0x00007FF9870D0000-0x00007FF98713E000-memory.dmp

Filesize
440KB

Download
memory/3088-211-0x00007FF9870D0000-0x00007FF98713E000-memory.dmp

Filesize
440KB

Download
memory/3088-212-0x00007FF9870D0000-0x00007FF98713E000-memory.dmp

Filesize
440KB

Download
memory/3088-213-0x00007FF9870D0000-0x00007FF98713E000-memory.dmp

Filesize
440KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads