
Analysis

  • max time kernel
    171s
  • max time network
    191s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03/10/2022, 05:44

General

  • Target

    eafb6150fa7e32b9ae3dc21a5fd4380aac47b138cc7a20b90563bfd453087189.exe

  • Size

    888KB

  • MD5

    4bcd8e4740affc500a1e8f00f9eee5b5

  • SHA1

    93a090f54dafc5b6fff781dfe9e3541b7bf44e34

  • SHA256

    eafb6150fa7e32b9ae3dc21a5fd4380aac47b138cc7a20b90563bfd453087189

  • SHA512

    ccf40d1bf56e38ee06120a7ec05cddc090457bfbf3e41723a4c5bb3508298062c991a2023f6f4332bb683b90f38e53d352ddee784e99c3654120935f44a89054

  • SSDEEP

    12288:Kt+qz3VfRq7IuZtQXmwiF30jRRZoP5dL00q2ioBaNGiHsZ5lYi:bKwZta3iF30lRmPEX/NGesNY

Malware Config

Signatures

  • joker

    Joker is an Android malware that targets billing and SMS fraud.

    Caveat: Joker is an Android (APK) family, while this target is a Windows PE that ran on a Windows 10 x64 image, so this hit should be read as a content (string/rule) match to verify, not as a family attribution for the sample.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

    This run used an en-us image (locale:en-us in the resource tags). A geofenced sample may behave differently, or not at all, under another locale, so an inconclusive run is worth repeating on a differently localised image.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    The "likely ransomware" wording is the signature's generic description; nothing else in this report (no encrypted or dropped files beyond Internet Explorer's own caches listed under Downloads) supports ransomware for this sample.

  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eafb6150fa7e32b9ae3dc21a5fd4380aac47b138cc7a20b90563bfd453087189.exe
    "C:\Users\Admin\AppData\Local\Temp\eafb6150fa7e32b9ae3dc21a5fd4380aac47b138cc7a20b90563bfd453087189.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4656
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" www.cfwg520.com
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3168
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3168 CREDAT:17410 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:4348
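The tree above shows the sample (PID 4656) launching Internet Explorer with www.cfwg520.com as its only argument, and IE then spawning its own tab process (the IEXPLORE.EXE line with SCODEF:3168, where 3168 is the frame process's PID); the signatures on the two IE processes are ordinary browser behaviour, so the actionable items are the parent's launch and the host it opened. To turn the tree into something you can act on, the added example below (written for this page; it is not tria.ge code and does not use the tria.ge API) parses the plain-text rendering of the process list into structured records, pulls host names out of the command-line arguments, and cross-checks that each SCODEF value equals the parent PID recorded in the tree. REPORT_TEXT is copied from the tree above; the function names are this example's own.

```python
import re

# REPORT_TEXT is the Processes tree from this report, copied from the page
# (constructed input for the example; a real run would read the report text
# from a file).
REPORT_TEXT = r"""
  • C:\Users\Admin\AppData\Local\Temp\eafb6150fa7e32b9ae3dc21a5fd4380aac47b138cc7a20b90563bfd453087189.exe
    "C:\Users\Admin\AppData\Local\Temp\eafb6150fa7e32b9ae3dc21a5fd4380aac47b138cc7a20b90563bfd453087189.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4656
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" www.cfwg520.com
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3168
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3168 CREDAT:17410 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:4348
"""

_PATH_RE = re.compile(r"^[A-Za-z]:\\")      # a bullet holding a Windows path opens a process record
_DEPTH_RE = re.compile(r"^(\d+)⤵$")        # tria.ge's nesting marker: "1⤵", "2⤵", ...
_PID_RE = re.compile(r"^PID:(\d+)$")       # closes the record
_HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
_SCODEF_RE = re.compile(r"\bSCODEF:(\d+)\b")


def parse_process_tree(text):
    """Return one dict per process: image, cmdline, depth, signatures, pid, parent.
    The parent is the most recent process seen one nesting level up."""
    procs = []
    last_pid_at_depth = {}
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("• "):
            item = line[2:]
            if _PATH_RE.match(item):
                cur = {"image": item, "cmdline": None, "depth": None,
                       "signatures": [], "pid": None, "parent": None}
                procs.append(cur)
            elif cur is not None:
                cur["signatures"].append(item)
            continue
        if cur is None:
            continue
        m = _DEPTH_RE.match(line)
        if m:
            cur["depth"] = int(m.group(1))
            continue
        m = _PID_RE.match(line)
        if m:
            cur["pid"] = int(m.group(1))
            cur["parent"] = last_pid_at_depth.get((cur["depth"] or 1) - 1)
            last_pid_at_depth[cur["depth"] or 1] = cur["pid"]
            cur = None
            continue
        if cur["cmdline"] is None:
            cur["cmdline"] = line          # first non-bullet line after the path
    return procs


def extract_hosts(procs):
    """(pid, host) pairs for host names passed as command-line arguments.
    The quoted image path at the front of the command line is dropped first so
    'iexplore.exe' itself is never reported as a host."""
    found = []
    for p in procs:
        args = re.sub(r'^"[^"]*"', "", p["cmdline"] or "")
        for host in _HOST_RE.findall(args):
            found.append((p["pid"], host.lower()))
    return found


def check_ie_scodef(procs):
    """For IE tab processes (IEXPLORE.EXE ... SCODEF:<frame pid>), confirm the
    SCODEF value equals the parent PID recorded in the tree; a mismatch would
    mean something other than the IE frame process started the tab."""
    result = {}
    for p in procs:
        m = _SCODEF_RE.search(p["cmdline"] or "")
        if m:
            result[p["pid"]] = int(m.group(1)) == p["parent"]
    return result


if __name__ == "__main__":
    tree = parse_process_tree(REPORT_TEXT)
    for p in tree:
        print(f'{"  " * (p["depth"] - 1)}PID {p["pid"]} (parent {p["parent"]}): {p["image"]}')
    print("hosts:", extract_hosts(tree))
    print("IE tab spawn consistent:", check_ie_scodef(tree))
```

On this report the parser yields three records with parents None, 4656 and 3168, a single host IOC (3168, www.cfwg520.com) to block or hunt for, and a consistent SCODEF check for PID 4348, which confirms the third process is IE's own tab rather than a second injection target.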

Network

MITRE ATT&CK Enterprise v6


Downloads

The three files below are by-products of the iexplore.exe launch rather than payloads dropped by the sample: the CryptnetUrlCache entries are CryptoAPI's cache of certificate-chain and revocation fetches (CRL, OCSP, AIA) and imagestore.dat is Internet Explorer's favicon cache. The two memory entries are dumps of the sample's own image region (0x400000-0x4F7000) in PID 4656.

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

    Filesize

    471B

    MD5

    afc3e2584b32e1e7c23c33e9534089a5

    SHA1

    ea4e2266d010c300621d2287ea60fe3e9a9ee753

    SHA256

    61597f5f937da250a5ed7b4b82867bebc546a5a35c0029982a003b1e9cbd2e7e

    SHA512

    f0e0d20b15bc390292baf0d93d982315afc466ccd2d4e48152ed65af97aed573d5b9e65b2b50925cbcd2e736955dfec4f63de5739cdb1499eb2db5dfc3cc4fe6

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

    Filesize

    404B

    MD5

    e1747da1b80881e2ba0a7cf2aac5bfc3

    SHA1

    c6343e5891eea9bebb9a1fc047ae7e5ac688e005

    SHA256

    08728105a278ff919fe51b352f86559afa51963750386a6a4ed6ebf46bdc1181

    SHA512

    2ce4531c33883571c2a279739d33b6a76b378170fae28e2f95772ddb6d808ba86cd754ff14866e5a2dce87962566c26cf73e22c6f9526034634373638d85780a

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\dqptnfu\imagestore.dat

    Filesize

    1KB

    MD5

    6bffd87a4b5fb301bf2b3d326ac7844c

    SHA1

    bae15c510c5900f1d72ba0074be9cbcf6bb2748d

    SHA256

    d5cde4a4796ade1e26de559fa82af053261b6056fe0f8c239a50b9654f6f7cda

    SHA512

    4887f262bb4e236f7a0bf6e434ddb080e8ea2e4ad50fed277c91a9cd3ed481c2bba8e6c468729bab333392ead58335d50f484c3e9bc22f45167dc8e9a1636f21

  • memory/4656-132-0x0000000000400000-0x00000000004F7000-memory.dmp

    Filesize

    988KB

  • memory/4656-135-0x0000000000400000-0x00000000004F7000-memory.dmp

    Filesize

    988KB