Analysis
max time kernel: 178s
max time network: 177s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 03-10-2022 23:44
Behavioral task: behavioral1
Sample: 8ffd741c68f8c90e56893e5e7971b410f03eadb85e556bd3b64cab5bc648f506.exe
Resource: win7-20220812-en
Behavioral task: behavioral2
Sample: 8ffd741c68f8c90e56893e5e7971b410f03eadb85e556bd3b64cab5bc648f506.exe
Resource: win10v2004-20220812-en
General
Target: 8ffd741c68f8c90e56893e5e7971b410f03eadb85e556bd3b64cab5bc648f506.exe
Size: 26KB
MD5: 40b8cca2ae2c6066bfbef8ce0803c8c0
SHA1: 7375081504060e4c044ad664b3581370f335a2d3
SHA256: 8ffd741c68f8c90e56893e5e7971b410f03eadb85e556bd3b64cab5bc648f506
SHA512: 7c02081c747e9ebdbc12dad69e74fee87ec3cac685ed5f2b5ce642eca6fa51a926dbfb587d7c316d1cf8da2883f3382a3b41f331c33fd8839a33d005b18d252f
SSDEEP: 384:rfNhPbj62Tj9xec1JmLfBY5vX0kdaqj0eohDTkVOhvF27z/FUxiWtBlwmRz:rbm2Tbar+f0UaqC9yoYf
Malware Config
Extracted
joker
http://mmtie.oss-cn-hangzhou.aliyuncs.com
Signatures
-
joker
Joker is an Android malware that targets billing and SMS fraud.
-
Downloads MZ/PE file
-
Drops file in Drivers directory 11 IoCs
description | ioc | Process
File opened for modification | C:\Windows\system32\drivers\bc.sys | duba_1_244.exe
File created | C:\Windows\system32\drivers\kisnetm.sys | duba_1_244.exe
File created | C:\Windows\system32\drivers\kisnetm64.sys | duba_1_244.exe
File created | C:\Windows\system32\drivers\ksapi.sys | duba_1_244.exe
File opened for modification | C:\Windows\SysWOW64\drivers\KAVBase.sys | duba_1_244.exe
File created | C:\Windows\system32\drivers\kisknl.sys | duba_1_244.exe
File created | C:\Windows\system32\drivers\kisknl64.sys | duba_1_244.exe
File created | C:\Windows\system32\drivers\kisnetmxp.sys | duba_1_244.exe
File created | C:\Windows\system32\drivers\ksapi64.sys | duba_1_244.exe
File created | C:\Windows\system32\drivers\ksskrpr.sys | duba_1_244.exe
File created | C:\Windows\system32\drivers\bc.sys | duba_1_244.exe
Executes dropped EXE 1 IoCs
pid | Process
2004 | duba_1_244.exe
Registers COM server for autorun 1 TTPs 3 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}\InprocServer32 | duba_1_244.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}\InprocServer32\ = "c:\\program files (x86)\\kingsoft\\kingsoft antivirus\\kavmenu64.dll" | duba_1_244.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}\InprocServer32\ThreadingModel = "Apartment" | duba_1_244.exe
Sets file execution options in registry 2 TTPs 28 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ksetupwiz.exe | duba_1_244.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KSETUPWIZ.EXE | duba_1_244.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KSIGNSP.EXE | duba_1_244.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KISADDIN.EXE | duba_1_244.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kismain.exe | duba_1_244.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRECYCLE.EXE | duba_1_244.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KSCAN.EXE | duba_1_244.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kxetray.exe | duba_1_244.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KXETRAY.EXE | duba_1_244.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavlog2.exe | duba_1_244.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KISLIVE.EXE | duba_1_244.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kscan.exe | duba_1_244.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kxescore.exe | duba_1_244.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UNINST.EXE | duba_1_244.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kisaddin.exe | duba_1_244.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KISCALL.EXE | duba_1_244.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KISMAIN.EXE | duba_1_244.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\uninst.exe | duba_1_244.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kislive.exe | duba_1_244.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVLOG2.EXE | duba_1_244.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kiscall.exe | duba_1_244.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\krecycle.exe | duba_1_244.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ksignsp.exe | duba_1_244.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KXESCORE.EXE | duba_1_244.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scomregsvrv8.exe | duba_1_244.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SCOMREGSVRV8.EXE | duba_1_244.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kdrvmgr.exe | duba_1_244.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KDRVMGR.EXE | duba_1_244.exe
resource | yara_rule
behavioral1/memory/1896-55-0x0000000000400000-0x0000000000414000-memory.dmp | upx
behavioral1/files/0x00070000000139fe-58.dat | upx
behavioral1/files/0x00070000000139fe-60.dat | upx
behavioral1/files/0x00070000000139fe-64.dat | upx
behavioral1/files/0x00070000000139fe-63.dat | upx
behavioral1/files/0x00070000000139fe-62.dat | upx
behavioral1/memory/2004-66-0x0000000000400000-0x000000000051E000-memory.dmp | upx
behavioral1/memory/2004-73-0x0000000003E40000-0x0000000003EC9000-memory.dmp | upx
behavioral1/memory/2004-75-0x0000000000400000-0x000000000051E000-memory.dmp | upx
Loads dropped DLL 6 IoCs
pid | Process
1896 | 8ffd741c68f8c90e56893e5e7971b410f03eadb85e556bd3b64cab5bc648f506.exe
2004 | duba_1_244.exe
2004 | duba_1_244.exe
2004 | duba_1_244.exe
2004 | duba_1_244.exe
2004 | duba_1_244.exe
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | duba_1_244.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\kxesc = "\"c:\\program files (x86)\\kingsoft\\kingsoft antivirus\\kxetray.exe\" -autorun" | duba_1_244.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 64 IoCs
description | ioc | Process
File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxetray.exe | duba_1_244.exe
File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kswscxex.dll | duba_1_244.exe
File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\ressrc\chs\extendimg\2.jpg | duba_1_244.exe
File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\uninstall\start_acc.png | duba_1_244.exe
File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\kxescan\ksedset.ini | duba_1_244.exe
File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\gamesdb_dc_mini.dat | duba_1_244.exe
File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\netmodeconfig.dat | duba_1_244.exe
File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\rule.krf | duba_1_244.exe
File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\kxescan\sp3a.nlb | duba_1_244.exe
File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\jsonv6.dll | duba_1_244.exe
File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kshmpg.dll | duba_1_244.exe
File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\ksedset.ini | duba_1_244.exe
File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\recommendctrl.config | duba_1_244.exe
File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\ksapi64.sys | duba_1_244.exe
File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kwsui.dll | duba_1_244.exe
File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\ksde\kisknl64.sys | duba_1_244.exe
File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\deswitch.dat | duba_1_244.exe
File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\kxescan\kpretend.dat | duba_1_244.exe
File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kavlog2.exe | duba_1_244.exe
File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\keasyipcn.dll | duba_1_244.exe
File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\kxescan\khandler.dll | duba_1_244.exe
File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\kxescan\khistory.ini | duba_1_244.exe
File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\ressrc\chs\delaydownloader.dat | duba_1_244.exe
File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\kplc.dat | duba_1_244.exe
File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\kxescan\kqsccfg.dat | duba_1_244.exe
File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kscan.exe | duba_1_244.exe
File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kisfdpro64.dll | duba_1_244.exe
File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\ksde\kmctrl.dll | duba_1_244.exe
File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\ksdectrl.dll | duba_1_244.exe
File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\ressrc\chs\web\kingsoft_main.htm | duba_1_244.exe
File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\kxescan\quarantine.ini | duba_1_244.exe
File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\kxescan\ksskrpr.sys | duba_1_244.exe
File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\safeurl.dat | duba_1_244.exe
File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kcleaner.exe | duba_1_244.exe
File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kdrvmgr.exe | duba_1_244.exe
File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\microsoft.vc80.mfc.manifest | duba_1_244.exe
File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kdh.dat | duba_1_244.exe
File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\floatskin\dudubao.skin | duba_1_244.exe
File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\uni0nst.exe | duba_1_244.exe
File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\msvcp80.dll | duba_1_244.exe
File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\ressrc\chs\web\kingsoft_duba.htm | duba_1_244.exe
File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\ressrc\chs\upcfg.dat | duba_1_244.exe
File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\floatskin\config.ini | duba_1_244.exe
File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\vinfo.ini | duba_1_244.exe
File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\kxescan\kae\karchive.dat | duba_1_244.exe
File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\kxescan\lpolicy.dat | duba_1_244.exe
File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kavpid.kid | duba_1_244.exe
File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kpassport.dll | duba_1_244.exe
File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\uninstall\scan_virus.png | duba_1_244.exe
File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\speedtest.xml | duba_1_244.exe
File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\ksnetm\kisnetmxp.sys | duba_1_244.exe
File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kpopclt.dll | duba_1_244.exe
File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxebscsp.dll | duba_1_244.exe
File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\kxescan\ksfilter.dat | duba_1_244.exe
File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\krecycle.exe | duba_1_244.exe
File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kupdata.exe | duba_1_244.exe
File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\ksde\klengine.dll | duba_1_244.exe
File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\kxescan\ksscore.dll | duba_1_244.exe
File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\floatskin\skinicon\defaultshrink_skin_img.png | duba_1_244.exe
File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\floatskin\skinicon\tianshizhiyi_skin_img.png | duba_1_244.exe
File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\ressrc\chs\uplive.svr | duba_1_244.exe
File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kislive.exe | duba_1_244.exe
File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\lbhelper.dll | duba_1_244.exe
File created | \??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\kxescan\sqlite.dll | duba_1_244.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 30 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4}\ = "CKavMenuShell Class" | duba_1_244.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex\ContextMenuHandlers\duba_32bit | duba_1_244.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\duba_32bit\ = "{D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4}" | duba_1_244.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\duba_32bit | duba_1_244.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}\InprocServer32 | duba_1_244.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex\ContextMenuHandlers\duba_64bit | duba_1_244.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex\ContextMenuHandlers | duba_1_244.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\duba_32bit\ = "{D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4}" | duba_1_244.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}\InprocServer32\ThreadingModel = "Apartment" | duba_1_244.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} | duba_1_244.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4}\InprocServer32\ = "c:\\program files (x86)\\kingsoft\\kingsoft antivirus\\kavmenu.dll" | duba_1_244.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex\ContextMenuHandlers\duba_32bit\ = "{D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4}" | duba_1_244.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\duba_32bit\ = "{D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4}" | duba_1_244.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\Shellex\ContextMenuHandlers\duba_64bit | duba_1_244.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\*\Shellex\ContextMenuHandlers\duba_64bit | duba_1_244.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex | duba_1_244.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex\ContextMenuHandlers\duba_64bit\ = "{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}" | duba_1_244.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID | duba_1_244.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\duba_64bit\ = "{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}" | duba_1_244.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex\ContextMenuHandlers | duba_1_244.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4} | duba_1_244.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4}\InprocServer32 | duba_1_244.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4}\InprocServer32\ThreadingModel = "Apartment" | duba_1_244.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51} | duba_1_244.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\duba_32bit | duba_1_244.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\Shellex\ContextMenuHandlers\duba_64bit | duba_1_244.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\duba_64bit\ = "{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}" | duba_1_244.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\duba_64bit\ = "{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}" | duba_1_244.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\duba_32bit | duba_1_244.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}\InprocServer32\ = "c:\\program files (x86)\\kingsoft\\kingsoft antivirus\\kavmenu64.dll" | duba_1_244.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2004 | duba_1_244.exe
Suspicious use of WriteProcessMemory 7 IoCs
description | pid | Process | procid_target
PID 1896 wrote to memory of 2004 | 1896 | 8ffd741c68f8c90e56893e5e7971b410f03eadb85e556bd3b64cab5bc648f506.exe | 29
PID 1896 wrote to memory of 2004 | 1896 | 8ffd741c68f8c90e56893e5e7971b410f03eadb85e556bd3b64cab5bc648f506.exe | 29
PID 1896 wrote to memory of 2004 | 1896 | 8ffd741c68f8c90e56893e5e7971b410f03eadb85e556bd3b64cab5bc648f506.exe | 29
PID 1896 wrote to memory of 2004 | 1896 | 8ffd741c68f8c90e56893e5e7971b410f03eadb85e556bd3b64cab5bc648f506.exe | 29
PID 1896 wrote to memory of 2004 | 1896 | 8ffd741c68f8c90e56893e5e7971b410f03eadb85e556bd3b64cab5bc648f506.exe | 29
PID 1896 wrote to memory of 2004 | 1896 | 8ffd741c68f8c90e56893e5e7971b410f03eadb85e556bd3b64cab5bc648f506.exe | 29
PID 1896 wrote to memory of 2004 | 1896 | 8ffd741c68f8c90e56893e5e7971b410f03eadb85e556bd3b64cab5bc648f506.exe | 29
Processes
-
C:\Users\Admin\AppData\Local\Temp\8ffd741c68f8c90e56893e5e7971b410f03eadb85e556bd3b64cab5bc648f506.exe
  "C:\Users\Admin\AppData\Local\Temp\8ffd741c68f8c90e56893e5e7971b410f03eadb85e556bd3b64cab5bc648f506.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 1896
    C:\Users\Admin\AppData\Local\Temp\sbnimb.tmp\dtstop.tmp\duba_1_244.exe
      "C:\Users\Admin\AppData\Local\Temp\sbnimb.tmp\dtstop.tmp\duba_1_244.exe"
      - Drops file in Drivers directory
      - Executes dropped EXE
      - Registers COM server for autorun
      - Sets file execution options in registry
      - Loads dropped DLL
      - Adds Run key to start application
      - Drops file in Program Files directory
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      PID: 2004
-
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize: 16.8MB
MD5: 1f1c87b2b8528523907cc58c00923df8
SHA1: ea0f7ad5e2d0bc48e52ea9e00c56dc14ea026514
SHA256: 37e29c28eb4a4753f6926c2f7dfd169a09e184264f537c64893637716237733a
SHA512: 2a8d2107eb8d479d8378c780389278e2d20653954d93dea72700b9bb9c21bc7ecf826243c1aadf8a6bc2705cc9d0055a01cf24c32a8ba38cca87ca51abd66fbc
-
Filesize: 69KB
MD5: c8ed4b3af03d82cc3fe2f8c42c22326c
SHA1: 78a2e216262b8f1b35e408685cf20f2fa4685d8f
SHA256: 1c73f57c31845d3719644f815ca9df1efb18cfc3dfc2dc1b4afddb71261afb31
SHA512: 34e6cf09afa68875be24005f90be35bb7c490ac9d2f63befadfdd1902136c383ee903442c9df572e2ccd0b7ea1be10857401c76c5b6923c28f8eaecab5b3c45c
-
Filesize: 259KB
MD5: 1636dd864151388451acb8b2fc1fccb8
SHA1: 06e3ac51140a1f7c35f79f8c69e997919838bd01
SHA256: 859bdfd8e8f067c3d2328e3cc910d906d07298fd2a5ffc9e89f22df61c499126
SHA512: 694911e645fc982ec31aba9283c5e247a93d05b378a3e6eee1374d7f405257bef0e665f58fe29f1dd8417169373a772b6015548c1dc4643266a457b283dcaf10