Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

d4ca78167a...03.exe

windows7-x64

1

d4ca78167a...03.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    152s
  • max time network
    162s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/10/2022, 05:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d4ca78167a5ab2e4f32adad0e970b5d650e5ea89dc705eedc6d83a71c453db03.exe

  • Size

    160KB

  • MD5

    60d0b75a083b93dac514126193445c7c

  • SHA1

    1bd8d1cd4a244105c9ad4e11b727d88e8ec414da

  • SHA256

    d4ca78167a5ab2e4f32adad0e970b5d650e5ea89dc705eedc6d83a71c453db03

  • SHA512

    2016dc7dd27e736bcf0fddb584a74d2a5828fa47b03c7639ed904dac2b8def2e826ef57f28c06aee3022a693c09b19be2928ededcce0490af4f148cc788ba339

  • SSDEEP

    1536:OJwHa3E5YW/io2C+I4LQ54z2B814KX6hN2DDwRCPERKHOJ+O:jHaE5/io2C+I4LQ54z2C14KK3W8RChi

Score
10/10
jokerevasioninfostealerpersistencetrojan

Malware Config

Signatures

  • joker

    Joker is an Android malware that targets billing and SMS fraud.

    infostealertrojanjoker
  • Executes dropped EXE 1 IoCs
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 50 IoCs
    adwarespyware
  • Modifies Internet Explorer start page 1 TTPs 2 IoCs
    stealer
  • Modifies registry class 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 59 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\d4ca78167a5ab2e4f32adad0e970b5d650e5ea89dc705eedc6d83a71c453db03.exe
    "C:\Users\Admin\AppData\Local\Temp\d4ca78167a5ab2e4f32adad0e970b5d650e5ea89dc705eedc6d83a71c453db03.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1752
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\start_max_bat.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1708
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\redload\1.bat
        3⤵
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:4264
        • C:\Windows\SysWOW64\reg.exe
          reg add "HKLM\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?S"" /f
          4⤵
          • Modifies Internet Explorer settings
          • Modifies Internet Explorer start page
          PID:2768
        • C:\Windows\SysWOW64\reg.exe
          reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?S"" /f
          4⤵
          • Modifies Internet Explorer settings
          • Modifies Internet Explorer start page
          PID:4112
        • C:\Windows\SysWOW64\reg.exe
          reg add "HKCU\Software\tmp" /v "key" /d ""http://www.82133.com/?S"" /f
          4⤵
            PID:1520
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}" /v "IsShortCut" /d "" /f
            4⤵
            • Modifies registry class
            PID:4124
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command" /v "" /d "wscript -e:vbs ""C:\Users\Admin\AppData\Roaming\redload\3.bat""" /f
            4⤵
            • Modifies registry class
            PID:228
          • C:\Windows\SysWOW64\attrib.exe
            attrib +s +h C:\Users\Admin\AppData\Roaming\redload\tmp\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}
            4⤵
            • Sets file to hidden
            • Views/modifies file attributes
            PID:2124
          • C:\Windows\SysWOW64\attrib.exe
            attrib +s +h C:\Users\Admin\AppData\Roaming\redload\tmp
            4⤵
            • Sets file to hidden
            • Views/modifies file attributes
            PID:3220
          • C:\Windows\SysWOW64\rundll32.exe
            rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\redload\2.inf
            4⤵
            • Adds Run key to start application
            • Suspicious use of WriteProcessMemory
            PID:1212
            • C:\Windows\SysWOW64\runonce.exe
              "C:\Windows\system32\runonce.exe" -r
              5⤵
              • Checks processor information in registry
              • Suspicious use of WriteProcessMemory
              PID:4992
              • C:\Windows\SysWOW64\grpconv.exe
                "C:\Windows\System32\grpconv.exe" -o
                6⤵
                  PID:5076
            • C:\Windows\SysWOW64\rundll32.exe
              rundll32 D:\VolumeDH\inj.dat,MainLoad
              4⤵
                PID:728
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\redload\2.bat
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:4448
                • C:\PROGRA~1\INTERN~1\iexplore.exe
                  C:\PROGRA~1\INTERN~1\IEXPLORE.EXE http://www.cnkankan.com/?82133
                  5⤵
                  • Modifies Internet Explorer settings
                  • Suspicious use of FindShellTrayWindow
                  • Suspicious use of SetWindowsHookEx
                  • Suspicious use of WriteProcessMemory
                  PID:2992
                  • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2992 CREDAT:17410 /prefetch:2
                    6⤵
                    • Modifies Internet Explorer settings
                    • Suspicious use of SetWindowsHookEx
                    PID:3552
                • C:\Windows\SysWOW64\rundll32.exe
                  rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\redload\1.inf
                  5⤵
                    PID:4512
            • C:\Users\Admin\AppData\Local\Temp\inlEF34.tmp
              C:\Users\Admin\AppData\Local\Temp\inlEF34.tmp
              2⤵
              • Executes dropped EXE
              • Checks computer location settings
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4872
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\inlEF34.tmp > nul
                3⤵
                  PID:1072
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\D4CA78~1.EXE > nul
                2⤵
                  PID:4536

              Network

              MITRE ATT&CK Enterprise v6

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\PROGRA~1\INTERN~1\IEFRAME.dll
                Filesize

                5.8MB

                MD5

                50c4869874f2e659afac55ce4fc129a7

                SHA1

                d83a6b42b847a9527c621ef251bdbdef4b9fec11

                SHA256

                6c3bd61ca89c17c6787cdc89e4a6a6491989f0088811f3af7ffa63f2af74ba49

                SHA512

                3600db6ac661b41c01cabb8702ab150327b76959086955248ca8516d2dd8dc4bab6325f760aba6e11e7ce35df39ab7d428107811c15603d75790494e3472088c

                Download Submit

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
                Filesize

                471B

                MD5

                afc3e2584b32e1e7c23c33e9534089a5

                SHA1

                ea4e2266d010c300621d2287ea60fe3e9a9ee753

                SHA256

                61597f5f937da250a5ed7b4b82867bebc546a5a35c0029982a003b1e9cbd2e7e

                SHA512

                f0e0d20b15bc390292baf0d93d982315afc466ccd2d4e48152ed65af97aed573d5b9e65b2b50925cbcd2e736955dfec4f63de5739cdb1499eb2db5dfc3cc4fe6

                Download Submit

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
                Filesize

                404B

                MD5

                d179199bb4dfe465766971fdb97d2bb3

                SHA1

                e9f00b1c751ae159e0da5a427a0d466b8b58da25

                SHA256

                31729baf2dc354a778087fd651a383937b46be41108e748e0a338553f6971103

                SHA512

                cb277572ee82121084869fc20ec1bf848762245811f16a5eafbf7a81b1b6ae6153ea7799ca3e982b6bb3969b8932f8e0bb59a9e9495a31977cc6ce36e9b8438b

                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\dqptnfu\imagestore.dat
                Filesize

                1KB

                MD5

                c8a91c637070c72298702f03d79800fe

                SHA1

                fc822939c477aedf969707e1fd44ef6ba0487d34

                SHA256

                11658576f3753587609faee69fb7aa3959282d9de7c93ee1313bd473c5cf7808

                SHA512

                1ed688aff8482a2ad916063e2b5a17750b43d8a6505af580486c26f7ccdf99b8f6f64c8daafc43426c88406cb1ada579bb0e5e92bb22c48cce2c7d24558878d5

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\cdf1912.tmp
                Filesize

                791B

                MD5

                1706b41fd446b5718a8419c0fcb35d55

                SHA1

                d9bb8df22acdc60c754ac14982cf795df3b1b815

                SHA256

                5c6d11ac3f220f8286455764ab2581dcb6554692d3b9974b097364d77edb3943

                SHA512

                68c9f6170ecdfcc79fc63cb646901d2ac52a915620b159047b2c93761c261897eb5ecc15065635105637a61a840d393104c15ea8268897fb8bb2fbc1a56c626e

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\inlEF34.tmp
                Filesize

                57.2MB

                MD5

                c9995667e5e9bf095e74e5223e298016

                SHA1

                844f98cbbcb1628e34b942a989bc51ad9b99d1a3

                SHA256

                88135304485655805f971c4a70738f25993a708b49ef68031d82b72fe1f2cca0

                SHA512

                8a7a554321d5bb5cd5fd77c92acf74b511958ecf5ac688e6b2c754d2fbf8b7b24cd20f39cd5e140db21be8a9031bab3df51ceb5211a8856b04c1d5db4e0c26cf

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\inlEF34.tmp
                Filesize

                57.2MB

                MD5

                c9995667e5e9bf095e74e5223e298016

                SHA1

                844f98cbbcb1628e34b942a989bc51ad9b99d1a3

                SHA256

                88135304485655805f971c4a70738f25993a708b49ef68031d82b72fe1f2cca0

                SHA512

                8a7a554321d5bb5cd5fd77c92acf74b511958ecf5ac688e6b2c754d2fbf8b7b24cd20f39cd5e140db21be8a9031bab3df51ceb5211a8856b04c1d5db4e0c26cf

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\start_max_bat.bat
                Filesize

                54B

                MD5

                504490369970f1c0eb580afbcdf91618

                SHA1

                b52f65cd538e6c998b2c7e3167f9c8e8fa6c7971

                SHA256

                a13a0579286521f0d7cb55fc7d28c6d33f14c0573e9e69f7584fa4008a8e7d43

                SHA512

                5495ce79abf0fc4ffbfaf9aefa484145f4e0d3e8457be0e2e4dfb1284fb5413016f2d9867e2386db5c4f7b51863bfffeae8ea6bd879053fdf6a928ab2a0857ad

                Download Submit

              • C:\Users\Admin\AppData\Roaming\redload\1.bat
                Filesize

                3KB

                MD5

                493c22f6b15f9766ae7c23794fc77da0

                SHA1

                43723ba660dbc1486f717441b58298d33b9f2048

                SHA256

                478b8c2f0dc23db49d62f987ca5e01afde54d7abff647894ad2e38f9d7fde182

                SHA512

                662644aeef7666b23b90b6ce08ea8271a7cb7379bad6920434d045fdcbbcd48b4bbb65620ac4a5c347e376ecf2ff60e115b869c74a28ca7776cf6fc83b01df34

                Download Submit

              • C:\Users\Admin\AppData\Roaming\redload\1.inf
                Filesize

                410B

                MD5

                66a1f0147fed7ddd19e9bb7ff93705c5

                SHA1

                9d803c81ea2195617379b880b227892ba30b0bf6

                SHA256

                4f45ce85e221352f7fe26e04968c7f7267dc24b55cf2b72b929b4c90e48cb764

                SHA512

                cfe51756ddec75d240249980a4d27870d15983add25058e4d0da4d8a3ea11384d4d228d6cbc95091f91e516e1ab4dfb1e315941dbd95bf717d4b31936311d597

                Download Submit

              • C:\Users\Admin\AppData\Roaming\redload\2.bat
                Filesize

                3KB

                MD5

                5ea8e400d1f6ea0deb83ace9c6905dc0

                SHA1

                3d15c081f2f7f71457897153c41e71a488a5a798

                SHA256

                324a39a9c4cd4b085bd684bebacc2e1a711253557c031927cdf60b2cd4d18fde

                SHA512

                1fae275277dff9f4755795d7bd520c691633e9a08c0e0b9c4f54a41984578142783553cfe7d0f785fd1e5855518bf5fc0211d49a975a27dd8b1b779cb7cbd45f

                Download Submit

              • C:\Users\Admin\AppData\Roaming\redload\2.inf
                Filesize

                248B

                MD5

                2197ffb407fb3b2250045c084f73b70a

                SHA1

                3d0efbacba73ac5e8d77f0d25d63fc424511bcf6

                SHA256

                a1a42f5a41ce65135b1ad525eabc04cce89ee07d2f51d06e5e1dea6047081591

                SHA512

                b35a99e144da3f02de71158f58a6b937435d1bce941126a554783c667654b880527b11ba8a5c0fcf093ce28863ea4f5e60f73f8f973a727f177d584d2e9c80fe

                Download Submit

              • C:\Users\Admin\AppData\Roaming\redload\4.bat
                Filesize

                5.8MB

                MD5

                50c4869874f2e659afac55ce4fc129a7

                SHA1

                d83a6b42b847a9527c621ef251bdbdef4b9fec11

                SHA256

                6c3bd61ca89c17c6787cdc89e4a6a6491989f0088811f3af7ffa63f2af74ba49

                SHA512

                3600db6ac661b41c01cabb8702ab150327b76959086955248ca8516d2dd8dc4bab6325f760aba6e11e7ce35df39ab7d428107811c15603d75790494e3472088c

                Download Submit

              • memory/1752-216-0x0000000000400000-0x0000000000428000-memory.dmp

                Filesize

                160KB

                Download

              • memory/1752-132-0x0000000000400000-0x0000000000428000-memory.dmp

                Filesize

                160KB

                Download

              • memory/2992-172-0x00007FF8F3D80000-0x00007FF8F3DEE000-memory.dmp

                Filesize

                440KB

                Download

              • memory/2992-190-0x00007FF8F3D80000-0x00007FF8F3DEE000-memory.dmp

                Filesize

                440KB

                Download

              • memory/2992-223-0x00007FF8F3D80000-0x00007FF8F3DEE000-memory.dmp

                Filesize

                440KB

                Download

              • memory/2992-222-0x00007FF8F3D80000-0x00007FF8F3DEE000-memory.dmp

                Filesize

                440KB

                Download

              • memory/2992-217-0x00007FF8F3D80000-0x00007FF8F3DEE000-memory.dmp

                Filesize

                440KB

                Download

              • memory/2992-159-0x00007FF8F3D80000-0x00007FF8F3DEE000-memory.dmp

                Filesize

                440KB

                Download

              • memory/2992-161-0x00007FF8F3D80000-0x00007FF8F3DEE000-memory.dmp

                Filesize

                440KB

                Download

              • memory/2992-163-0x00007FF8F3D80000-0x00007FF8F3DEE000-memory.dmp

                Filesize

                440KB

                Download

              • memory/2992-164-0x00007FF8F3D80000-0x00007FF8F3DEE000-memory.dmp

                Filesize

                440KB

                Download

              • memory/2992-165-0x00007FF8F3D80000-0x00007FF8F3DEE000-memory.dmp

                Filesize

                440KB

                Download

              • memory/2992-166-0x00007FF8F3D80000-0x00007FF8F3DEE000-memory.dmp

                Filesize

                440KB

                Download

              • memory/2992-167-0x00007FF8F3D80000-0x00007FF8F3DEE000-memory.dmp

                Filesize

                440KB

                Download

              • memory/2992-168-0x00007FF8F3D80000-0x00007FF8F3DEE000-memory.dmp

                Filesize

                440KB

                Download

              • memory/2992-169-0x00007FF8F3D80000-0x00007FF8F3DEE000-memory.dmp

                Filesize

                440KB

                Download

              • memory/2992-170-0x00007FF8F3D80000-0x00007FF8F3DEE000-memory.dmp

                Filesize

                440KB

                Download

              • memory/2992-214-0x00007FF8F3D80000-0x00007FF8F3DEE000-memory.dmp

                Filesize

                440KB

                Download

              • memory/2992-173-0x00007FF8F3D80000-0x00007FF8F3DEE000-memory.dmp

                Filesize

                440KB

                Download

              • memory/2992-175-0x00007FF8F3D80000-0x00007FF8F3DEE000-memory.dmp

                Filesize

                440KB

                Download

              • memory/2992-176-0x00007FF8F3D80000-0x00007FF8F3DEE000-memory.dmp

                Filesize

                440KB

                Download

              • memory/2992-177-0x00007FF8F3D80000-0x00007FF8F3DEE000-memory.dmp

                Filesize

                440KB

                Download

              • memory/2992-181-0x00007FF8F3D80000-0x00007FF8F3DEE000-memory.dmp

                Filesize

                440KB

                Download

              • memory/2992-184-0x00007FF8F3D80000-0x00007FF8F3DEE000-memory.dmp

                Filesize

                440KB

                Download

              • memory/2992-182-0x00007FF8F3D80000-0x00007FF8F3DEE000-memory.dmp

                Filesize

                440KB

                Download

              • memory/2992-186-0x00007FF8F3D80000-0x00007FF8F3DEE000-memory.dmp

                Filesize

                440KB

                Download

              • memory/2992-188-0x00007FF8F3D80000-0x00007FF8F3DEE000-memory.dmp

                Filesize

                440KB

                Download

              • memory/2992-189-0x00007FF8F3D80000-0x00007FF8F3DEE000-memory.dmp

                Filesize

                440KB

                Download

              • memory/2992-187-0x00007FF8F3D80000-0x00007FF8F3DEE000-memory.dmp

                Filesize

                440KB

                Download

              • memory/2992-179-0x00007FF8F3D80000-0x00007FF8F3DEE000-memory.dmp

                Filesize

                440KB

                Download

              • memory/2992-178-0x00007FF8F3D80000-0x00007FF8F3DEE000-memory.dmp

                Filesize

                440KB

                Download

              • memory/2992-191-0x00007FF8F3D80000-0x00007FF8F3DEE000-memory.dmp

                Filesize

                440KB

                Download

              • memory/2992-192-0x00007FF8F3D80000-0x00007FF8F3DEE000-memory.dmp

                Filesize

                440KB

                Download

              • memory/2992-193-0x00007FF8F3D80000-0x00007FF8F3DEE000-memory.dmp

                Filesize

                440KB

                Download

              • memory/2992-194-0x00007FF8F3D80000-0x00007FF8F3DEE000-memory.dmp

                Filesize

                440KB

                Download

              • memory/2992-198-0x00007FF8F3D80000-0x00007FF8F3DEE000-memory.dmp

                Filesize

                440KB

                Download

              • memory/2992-199-0x00007FF8F3D80000-0x00007FF8F3DEE000-memory.dmp

                Filesize

                440KB

                Download

              • memory/2992-200-0x00007FF8F3D80000-0x00007FF8F3DEE000-memory.dmp

                Filesize

                440KB

                Download

              • memory/2992-201-0x00007FF8F3D80000-0x00007FF8F3DEE000-memory.dmp

                Filesize

                440KB

                Download

              • memory/2992-202-0x00007FF8F3D80000-0x00007FF8F3DEE000-memory.dmp

                Filesize

                440KB

                Download

              • memory/2992-207-0x00007FF8F3D80000-0x00007FF8F3DEE000-memory.dmp

                Filesize

                440KB

                Download

              • memory/2992-208-0x00007FF8F3D80000-0x00007FF8F3DEE000-memory.dmp

                Filesize

                440KB

                Download

              • memory/2992-209-0x00007FF8F3D80000-0x00007FF8F3DEE000-memory.dmp

                Filesize

                440KB

                Download

              • memory/2992-211-0x00007FF8F3D80000-0x00007FF8F3DEE000-memory.dmp

                Filesize

                440KB

                Download

              • memory/2992-210-0x00007FF8F3D80000-0x00007FF8F3DEE000-memory.dmp

                Filesize

                440KB

                Download

              • memory/2992-212-0x00007FF8F3D80000-0x00007FF8F3DEE000-memory.dmp

                Filesize

                440KB

                Download