joker | 97ee6ce417a5aa0c0264056e7073407e97738b55645bfb03cf2e2ae34173a2c2

Analysis

max time kernel
167s
max time network
178s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03-10-2022 11:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

97ee6ce417a5aa0c0264056e7073407e97738b55645bfb03cf2e2ae34173a2c2.exe
Size

54KB
MD5

0a3815fa462d80e8520ba9c617bbd285
SHA1

4b6832eaa7e7c55877188b04efafc88bc1922279
SHA256

97ee6ce417a5aa0c0264056e7073407e97738b55645bfb03cf2e2ae34173a2c2
SHA512

f4dd2e7024504b8475557fdd313b4c2815f9c0f1dfd21308ed1314b8267d7f261eca589692cdb69405d110ff4838dc565b584cc9883ea58f5aee78ca5853f8e0
SSDEEP

768:sVKm4GV4ujtuYgFC5IjezJckOyLb172+oEFZ0TORX3iSHWIwjkdLv/kcH5hUDrpg:sQKV1MyVckOG12TGX1HxwjkVnDhI+HL

Score

10^/10

joker evasion infostealer persistence trojan

Malware Config

Signatures

joker
Joker is an Android malware that targets billing and SMS fraud.
infostealer trojan joker
Executes dropped EXE 1 IoCs

Processes:

inl4A35.tmp

pid process

4088 inl4A35.tmp
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

4620 attrib.exe
4472 attrib.exe

pid	process
4088	inl4A35.tmp

pid	process
4620	attrib.exe
4472	attrib.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

97ee6ce417a5aa0c0264056e7073407e97738b55645bfb03cf2e2ae34173a2c2.exeinl4A35.tmp

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	97ee6ce417a5aa0c0264056e7073407e97738b55645bfb03cf2e2ae34173a2c2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	inl4A35.tmp

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\hsdfasd = "\"C:\\Users\\Admin\\AppData\\Roaming\\redload\\tmp.\\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}\" hh.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	rundll32.exe

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

cmd.exe

description ioc process

File opened (read-only) \??\D: cmd.exe
Drops file in Program Files directory 2 IoCs

Processes:

cmd.exe

description ioc process

File created C:\PROGRA~1\INTERN~1\ieframe.dll cmd.exe
File opened for modification C:\PROGRA~1\INTERN~1\ieframe.dll cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened (read-only)	\??\D:	cmd.exe

description	ioc	process
File created	C:\PROGRA~1\INTERN~1\ieframe.dll	cmd.exe
File opened for modification	C:\PROGRA~1\INTERN~1\ieframe.dll	cmd.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

runonce.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe

Modifies Internet Explorer settings 1 TTPs 22 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEreg.exereg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\International\CpMRU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DOMStorage\cnkankan.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\cnkankan.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{8C2FEC1A-431D-11ED-B696-D2D0017C8629} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Enable = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\cnkankan.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Factor = "20"	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://www.82133.com/?S"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.82133.com/?S"	reg.exe

Modifies registry class 9 IoCs

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command\ = "wscript -e:vbs \"C:\\Users\\Admin\\AppData\\Roaming\\redload\\3.bat\""	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\IsShortCut	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)	reg.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

97ee6ce417a5aa0c0264056e7073407e97738b55645bfb03cf2e2ae34173a2c2.exeinl4A35.tmp

description	pid	process
Token: SeIncBasePriorityPrivilege	736	97ee6ce417a5aa0c0264056e7073407e97738b55645bfb03cf2e2ae34173a2c2.exe
Token: SeIncBasePriorityPrivilege	4088	inl4A35.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

4032 iexplore.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

4032 iexplore.exe
4032 iexplore.exe
4856 IEXPLORE.EXE
4856 IEXPLORE.EXE

pid	process
4032	iexplore.exe

pid	process
4032	iexplore.exe
4032	iexplore.exe
4856	IEXPLORE.EXE
4856	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 59 IoCs

Processes:

97ee6ce417a5aa0c0264056e7073407e97738b55645bfb03cf2e2ae34173a2c2.execmd.execmd.exerundll32.exerunonce.execmd.exeiexplore.exeinl4A35.tmp

description	pid	process	target process
PID 736 wrote to memory of 4628	736	97ee6ce417a5aa0c0264056e7073407e97738b55645bfb03cf2e2ae34173a2c2.exe	cmd.exe
PID 736 wrote to memory of 4628	736	97ee6ce417a5aa0c0264056e7073407e97738b55645bfb03cf2e2ae34173a2c2.exe	cmd.exe
PID 736 wrote to memory of 4628	736	97ee6ce417a5aa0c0264056e7073407e97738b55645bfb03cf2e2ae34173a2c2.exe	cmd.exe
PID 4628 wrote to memory of 2968	4628	cmd.exe	cmd.exe
PID 4628 wrote to memory of 2968	4628	cmd.exe	cmd.exe
PID 4628 wrote to memory of 2968	4628	cmd.exe	cmd.exe
PID 2968 wrote to memory of 8	2968	cmd.exe	reg.exe
PID 2968 wrote to memory of 8	2968	cmd.exe	reg.exe
PID 2968 wrote to memory of 8	2968	cmd.exe	reg.exe
PID 2968 wrote to memory of 4432	2968	cmd.exe	reg.exe
PID 2968 wrote to memory of 4432	2968	cmd.exe	reg.exe
PID 2968 wrote to memory of 4432	2968	cmd.exe	reg.exe
PID 2968 wrote to memory of 2548	2968	cmd.exe	reg.exe
PID 2968 wrote to memory of 2548	2968	cmd.exe	reg.exe
PID 2968 wrote to memory of 2548	2968	cmd.exe	reg.exe
PID 2968 wrote to memory of 1852	2968	cmd.exe	reg.exe
PID 2968 wrote to memory of 1852	2968	cmd.exe	reg.exe
PID 2968 wrote to memory of 1852	2968	cmd.exe	reg.exe
PID 2968 wrote to memory of 2296	2968	cmd.exe	reg.exe
PID 2968 wrote to memory of 2296	2968	cmd.exe	reg.exe
PID 2968 wrote to memory of 2296	2968	cmd.exe	reg.exe
PID 2968 wrote to memory of 4620	2968	cmd.exe	attrib.exe
PID 2968 wrote to memory of 4620	2968	cmd.exe	attrib.exe
PID 2968 wrote to memory of 4620	2968	cmd.exe	attrib.exe
PID 2968 wrote to memory of 4472	2968	cmd.exe	attrib.exe
PID 2968 wrote to memory of 4472	2968	cmd.exe	attrib.exe
PID 2968 wrote to memory of 4472	2968	cmd.exe	attrib.exe
PID 2968 wrote to memory of 4348	2968	cmd.exe	rundll32.exe
PID 2968 wrote to memory of 4348	2968	cmd.exe	rundll32.exe
PID 2968 wrote to memory of 4348	2968	cmd.exe	rundll32.exe
PID 2968 wrote to memory of 3988	2968	cmd.exe	rundll32.exe
PID 2968 wrote to memory of 3988	2968	cmd.exe	rundll32.exe
PID 2968 wrote to memory of 3988	2968	cmd.exe	rundll32.exe
PID 4348 wrote to memory of 4904	4348	rundll32.exe	runonce.exe
PID 4348 wrote to memory of 4904	4348	rundll32.exe	runonce.exe
PID 4348 wrote to memory of 4904	4348	rundll32.exe	runonce.exe
PID 736 wrote to memory of 4088	736	97ee6ce417a5aa0c0264056e7073407e97738b55645bfb03cf2e2ae34173a2c2.exe	inl4A35.tmp
PID 736 wrote to memory of 4088	736	97ee6ce417a5aa0c0264056e7073407e97738b55645bfb03cf2e2ae34173a2c2.exe	inl4A35.tmp
PID 736 wrote to memory of 4088	736	97ee6ce417a5aa0c0264056e7073407e97738b55645bfb03cf2e2ae34173a2c2.exe	inl4A35.tmp
PID 4904 wrote to memory of 4256	4904	runonce.exe	grpconv.exe
PID 4904 wrote to memory of 4256	4904	runonce.exe	grpconv.exe
PID 4904 wrote to memory of 4256	4904	runonce.exe	grpconv.exe
PID 2968 wrote to memory of 4316	2968	cmd.exe	cmd.exe
PID 2968 wrote to memory of 4316	2968	cmd.exe	cmd.exe
PID 2968 wrote to memory of 4316	2968	cmd.exe	cmd.exe
PID 4316 wrote to memory of 4032	4316	cmd.exe	iexplore.exe
PID 4316 wrote to memory of 4032	4316	cmd.exe	iexplore.exe
PID 4316 wrote to memory of 2724	4316	cmd.exe	rundll32.exe
PID 4316 wrote to memory of 2724	4316	cmd.exe	rundll32.exe
PID 4316 wrote to memory of 2724	4316	cmd.exe	rundll32.exe
PID 736 wrote to memory of 4160	736	97ee6ce417a5aa0c0264056e7073407e97738b55645bfb03cf2e2ae34173a2c2.exe	cmd.exe
PID 736 wrote to memory of 4160	736	97ee6ce417a5aa0c0264056e7073407e97738b55645bfb03cf2e2ae34173a2c2.exe	cmd.exe
PID 736 wrote to memory of 4160	736	97ee6ce417a5aa0c0264056e7073407e97738b55645bfb03cf2e2ae34173a2c2.exe	cmd.exe
PID 4032 wrote to memory of 4856	4032	iexplore.exe	IEXPLORE.EXE
PID 4032 wrote to memory of 4856	4032	iexplore.exe	IEXPLORE.EXE
PID 4032 wrote to memory of 4856	4032	iexplore.exe	IEXPLORE.EXE
PID 4088 wrote to memory of 3700	4088	inl4A35.tmp	cmd.exe
PID 4088 wrote to memory of 3700	4088	inl4A35.tmp	cmd.exe
PID 4088 wrote to memory of 3700	4088	inl4A35.tmp	cmd.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

4620 attrib.exe
4472 attrib.exe

pid	process
4620	attrib.exe
4472	attrib.exe

C:\Users\Admin\AppData\Local\Temp\97ee6ce417a5aa0c0264056e7073407e97738b55645bfb03cf2e2ae34173a2c2.exe
"C:\Users\Admin\AppData\Local\Temp\97ee6ce417a5aa0c0264056e7073407e97738b55645bfb03cf2e2ae34173a2c2.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\start_max_bat.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:4628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\redload\1.bat
3⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2968

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?S"" /f
4⤵
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
PID:8

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?S"" /f
4⤵
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
PID:4432

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\tmp" /v "key" /d ""http://www.82133.com/?S"" /f
4⤵
PID:2548

C:\Windows\SysWOW64\reg.exe
reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}" /v "IsShortCut" /d "" /f
4⤵
- Modifies registry class
PID:1852

C:\Windows\SysWOW64\reg.exe
reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command" /v "" /d "wscript -e:vbs ""C:\Users\Admin\AppData\Roaming\redload\3.bat""" /f
4⤵
- Modifies registry class
PID:2296

C:\Windows\SysWOW64\attrib.exe
attrib +s +h C:\Users\Admin\AppData\Roaming\redload\tmp\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}
4⤵
- Sets file to hidden
- Views/modifies file attributes
PID:4620

C:\Windows\SysWOW64\attrib.exe
attrib +s +h C:\Users\Admin\AppData\Roaming\redload\tmp
4⤵
- Sets file to hidden
- Views/modifies file attributes
PID:4472

C:\Windows\SysWOW64\rundll32.exe
rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\redload\2.inf
4⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4348

C:\Windows\SysWOW64\runonce.exe
"C:\Windows\system32\runonce.exe" -r
5⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:4904

C:\Windows\SysWOW64\grpconv.exe
"C:\Windows\System32\grpconv.exe" -o
6⤵
PID:4256

C:\Windows\SysWOW64\rundll32.exe
rundll32 D:\VolumeDH\inj.dat,MainLoad
4⤵
PID:3988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\redload\2.bat
4⤵
- Suspicious use of WriteProcessMemory
PID:4316

C:\PROGRA~1\INTERN~1\iexplore.exe
C:\PROGRA~1\INTERN~1\IEXPLORE.EXE http://www.cnkankan.com/?82133
5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4032

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4032 CREDAT:17410 /prefetch:2
6⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4856

C:\Windows\SysWOW64\rundll32.exe
rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\redload\1.inf
5⤵
PID:2724

C:\Users\Admin\AppData\Local\Temp\inl4A35.tmp
C:\Users\Admin\AppData\Local\Temp\inl4A35.tmp
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4088

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\inl4A35.tmp > nul
3⤵
PID:3700

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\97EE6C~1.EXE > nul
2⤵
PID:4160

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~1\INTERN~1\IEFRAME.dll
Filesize
5.8MB

MD5
1784315aac121731745b2843ea994ba3

SHA1
c9d3d0d5458562ed4e305205979c0ffe09862cc7

SHA256
936c6727dc6876d78338b1809e111de5ea0119ff8988c4ec0ece3b9b02f6b5fa

SHA512
c88c73ac3297b923f755296e8802528182b4c26b41481fd1f008c49c33bc7fa645c6395700dbc5d5f405938ddc3922b2c4eda193725bca7cd843bdf18391b588

Download Submit
C:\Users\Admin\AppData\Local\Temp\cdf1912.tmp
Filesize
791B

MD5
1706b41fd446b5718a8419c0fcb35d55

SHA1
d9bb8df22acdc60c754ac14982cf795df3b1b815

SHA256
5c6d11ac3f220f8286455764ab2581dcb6554692d3b9974b097364d77edb3943

SHA512
68c9f6170ecdfcc79fc63cb646901d2ac52a915620b159047b2c93761c261897eb5ecc15065635105637a61a840d393104c15ea8268897fb8bb2fbc1a56c626e

Download Submit
C:\Users\Admin\AppData\Local\Temp\inl4A35.tmp
Filesize
57.2MB

MD5
886ffcb541b7481232038fe0a3b7a14a

SHA1
27c2db270d151199a2efc1f98cced28cff982413

SHA256
f1fb1ab19b73f54f1324e6ca29ed14b1f6b7128805045fab305d7e6e785f8d91

SHA512
c60ec45e3525c46c36d19ce6faba478bd329e15844ae2933104f6963a03d65e6dea6fa51e7d793623078fec95034b62628b44c2c7b28c347cd97eab74da93326

Download Submit
C:\Users\Admin\AppData\Local\Temp\inl4A35.tmp
Filesize
57.2MB

MD5
886ffcb541b7481232038fe0a3b7a14a

SHA1
27c2db270d151199a2efc1f98cced28cff982413

SHA256
f1fb1ab19b73f54f1324e6ca29ed14b1f6b7128805045fab305d7e6e785f8d91

SHA512
c60ec45e3525c46c36d19ce6faba478bd329e15844ae2933104f6963a03d65e6dea6fa51e7d793623078fec95034b62628b44c2c7b28c347cd97eab74da93326

Download Submit
C:\Users\Admin\AppData\Local\Temp\start_max_bat.bat
Filesize
54B

MD5
504490369970f1c0eb580afbcdf91618

SHA1
b52f65cd538e6c998b2c7e3167f9c8e8fa6c7971

SHA256
a13a0579286521f0d7cb55fc7d28c6d33f14c0573e9e69f7584fa4008a8e7d43

SHA512
5495ce79abf0fc4ffbfaf9aefa484145f4e0d3e8457be0e2e4dfb1284fb5413016f2d9867e2386db5c4f7b51863bfffeae8ea6bd879053fdf6a928ab2a0857ad

Download Submit
C:\Users\Admin\AppData\Roaming\redload\1.bat
Filesize
3KB

MD5
493c22f6b15f9766ae7c23794fc77da0

SHA1
43723ba660dbc1486f717441b58298d33b9f2048

SHA256
478b8c2f0dc23db49d62f987ca5e01afde54d7abff647894ad2e38f9d7fde182

SHA512
662644aeef7666b23b90b6ce08ea8271a7cb7379bad6920434d045fdcbbcd48b4bbb65620ac4a5c347e376ecf2ff60e115b869c74a28ca7776cf6fc83b01df34

Download Submit
C:\Users\Admin\AppData\Roaming\redload\1.inf
Filesize
410B

MD5
66a1f0147fed7ddd19e9bb7ff93705c5

SHA1
9d803c81ea2195617379b880b227892ba30b0bf6

SHA256
4f45ce85e221352f7fe26e04968c7f7267dc24b55cf2b72b929b4c90e48cb764

SHA512
cfe51756ddec75d240249980a4d27870d15983add25058e4d0da4d8a3ea11384d4d228d6cbc95091f91e516e1ab4dfb1e315941dbd95bf717d4b31936311d597

Download Submit
C:\Users\Admin\AppData\Roaming\redload\2.bat
Filesize
3KB

MD5
5b958bc8141741054eba3a5327a8030b

SHA1
df1ef3d7a8db900893ba7acadedc08fdc3952fe3

SHA256
39dfb6fc2c4001ad32ae6c6852088e48da34f870c08e1bb664f6761bc0cbe410

SHA512
ac5651425bbc0b8256aca3000a59d50961bb36eff8b7ed2657e6d311b7ac7ef9ead8c86b04cd957770a23de471f9eb4c178824c8d96620bcb5f69eb96fb92aa6

Download Submit
C:\Users\Admin\AppData\Roaming\redload\2.inf
Filesize
248B

MD5
2197ffb407fb3b2250045c084f73b70a

SHA1
3d0efbacba73ac5e8d77f0d25d63fc424511bcf6

SHA256
a1a42f5a41ce65135b1ad525eabc04cce89ee07d2f51d06e5e1dea6047081591

SHA512
b35a99e144da3f02de71158f58a6b937435d1bce941126a554783c667654b880527b11ba8a5c0fcf093ce28863ea4f5e60f73f8f973a727f177d584d2e9c80fe

Download Submit
C:\Users\Admin\AppData\Roaming\redload\4.bat
Filesize
5.8MB

MD5
1784315aac121731745b2843ea994ba3

SHA1
c9d3d0d5458562ed4e305205979c0ffe09862cc7

SHA256
936c6727dc6876d78338b1809e111de5ea0119ff8988c4ec0ece3b9b02f6b5fa

SHA512
c88c73ac3297b923f755296e8802528182b4c26b41481fd1f008c49c33bc7fa645c6395700dbc5d5f405938ddc3922b2c4eda193725bca7cd843bdf18391b588

Download Submit
memory/8-140-0x0000000000000000-mapping.dmp

Download
memory/736-133-0x0000000000580000-0x0000000000583000-memory.dmp

Filesize
12KB

Download
memory/736-132-0x0000000000B40000-0x0000000000B65000-memory.dmp

Filesize
148KB

Download
memory/736-134-0x0000000000580000-0x0000000000583000-memory.dmp

Filesize
12KB

Download
memory/736-164-0x0000000000B40000-0x0000000000B65000-memory.dmp

Filesize
148KB

Download
memory/736-135-0x0000000000B40000-0x0000000000B65000-memory.dmp

Filesize
148KB

Download
memory/1852-144-0x0000000000000000-mapping.dmp

Download
memory/2296-145-0x0000000000000000-mapping.dmp

Download
memory/2548-142-0x0000000000000000-mapping.dmp

Download
memory/2724-160-0x0000000000000000-mapping.dmp

Download
memory/2968-138-0x0000000000000000-mapping.dmp

Download
memory/3700-231-0x0000000000000000-mapping.dmp

Download
memory/3988-149-0x0000000000000000-mapping.dmp

Download
memory/4032-195-0x00007FFC87C50000-0x00007FFC87CBE000-memory.dmp

Filesize
440KB

Download
memory/4032-186-0x00007FFC87C50000-0x00007FFC87CBE000-memory.dmp

Filesize
440KB

Download
memory/4032-226-0x00007FFC87C50000-0x00007FFC87CBE000-memory.dmp

Filesize
440KB

Download
memory/4032-225-0x00007FFC87C50000-0x00007FFC87CBE000-memory.dmp

Filesize
440KB

Download
memory/4032-159-0x0000000000000000-mapping.dmp

Download
memory/4032-220-0x00007FFC87C50000-0x00007FFC87CBE000-memory.dmp

Filesize
440KB

Download
memory/4032-219-0x00007FFC87C50000-0x00007FFC87CBE000-memory.dmp

Filesize
440KB

Download
memory/4032-217-0x00007FFC87C50000-0x00007FFC87CBE000-memory.dmp

Filesize
440KB

Download
memory/4032-216-0x00007FFC87C50000-0x00007FFC87CBE000-memory.dmp

Filesize
440KB

Download
memory/4032-215-0x00007FFC87C50000-0x00007FFC87CBE000-memory.dmp

Filesize
440KB

Download
memory/4032-165-0x00007FFC87C50000-0x00007FFC87CBE000-memory.dmp

Filesize
440KB

Download
memory/4032-166-0x00007FFC87C50000-0x00007FFC87CBE000-memory.dmp

Filesize
440KB

Download
memory/4032-168-0x00007FFC87C50000-0x00007FFC87CBE000-memory.dmp

Filesize
440KB

Download
memory/4032-169-0x00007FFC87C50000-0x00007FFC87CBE000-memory.dmp

Filesize
440KB

Download
memory/4032-170-0x00007FFC87C50000-0x00007FFC87CBE000-memory.dmp

Filesize
440KB

Download
memory/4032-171-0x00007FFC87C50000-0x00007FFC87CBE000-memory.dmp

Filesize
440KB

Download
memory/4032-172-0x00007FFC87C50000-0x00007FFC87CBE000-memory.dmp

Filesize
440KB

Download
memory/4032-173-0x00007FFC87C50000-0x00007FFC87CBE000-memory.dmp

Filesize
440KB

Download
memory/4032-174-0x00007FFC87C50000-0x00007FFC87CBE000-memory.dmp

Filesize
440KB

Download
memory/4032-175-0x00007FFC87C50000-0x00007FFC87CBE000-memory.dmp

Filesize
440KB

Download
memory/4032-176-0x00007FFC87C50000-0x00007FFC87CBE000-memory.dmp

Filesize
440KB

Download
memory/4032-177-0x00007FFC87C50000-0x00007FFC87CBE000-memory.dmp

Filesize
440KB

Download
memory/4032-179-0x00007FFC87C50000-0x00007FFC87CBE000-memory.dmp

Filesize
440KB

Download
memory/4032-181-0x00007FFC87C50000-0x00007FFC87CBE000-memory.dmp

Filesize
440KB

Download
memory/4032-182-0x00007FFC87C50000-0x00007FFC87CBE000-memory.dmp

Filesize
440KB

Download
memory/4032-183-0x00007FFC87C50000-0x00007FFC87CBE000-memory.dmp

Filesize
440KB

Download
memory/4032-185-0x00007FFC87C50000-0x00007FFC87CBE000-memory.dmp

Filesize
440KB

Download
memory/4032-214-0x00007FFC87C50000-0x00007FFC87CBE000-memory.dmp

Filesize
440KB

Download
memory/4032-187-0x00007FFC87C50000-0x00007FFC87CBE000-memory.dmp

Filesize
440KB

Download
memory/4032-189-0x00007FFC87C50000-0x00007FFC87CBE000-memory.dmp

Filesize
440KB

Download
memory/4032-191-0x00007FFC87C50000-0x00007FFC87CBE000-memory.dmp

Filesize
440KB

Download
memory/4032-193-0x00007FFC87C50000-0x00007FFC87CBE000-memory.dmp

Filesize
440KB

Download
memory/4032-192-0x00007FFC87C50000-0x00007FFC87CBE000-memory.dmp

Filesize
440KB

Download
memory/4032-194-0x00007FFC87C50000-0x00007FFC87CBE000-memory.dmp

Filesize
440KB

Download
memory/4032-213-0x00007FFC87C50000-0x00007FFC87CBE000-memory.dmp

Filesize
440KB

Download
memory/4032-196-0x00007FFC87C50000-0x00007FFC87CBE000-memory.dmp

Filesize
440KB

Download
memory/4032-197-0x00007FFC87C50000-0x00007FFC87CBE000-memory.dmp

Filesize
440KB

Download
memory/4032-198-0x00007FFC87C50000-0x00007FFC87CBE000-memory.dmp

Filesize
440KB

Download
memory/4032-199-0x00007FFC87C50000-0x00007FFC87CBE000-memory.dmp

Filesize
440KB

Download
memory/4032-203-0x00007FFC87C50000-0x00007FFC87CBE000-memory.dmp

Filesize
440KB

Download
memory/4032-204-0x00007FFC87C50000-0x00007FFC87CBE000-memory.dmp

Filesize
440KB

Download
memory/4032-205-0x00007FFC87C50000-0x00007FFC87CBE000-memory.dmp

Filesize
440KB

Download
memory/4032-206-0x00007FFC87C50000-0x00007FFC87CBE000-memory.dmp

Filesize
440KB

Download
memory/4032-207-0x00007FFC87C50000-0x00007FFC87CBE000-memory.dmp

Filesize
440KB

Download
memory/4032-208-0x00007FFC87C50000-0x00007FFC87CBE000-memory.dmp

Filesize
440KB

Download
memory/4088-152-0x0000000000000000-mapping.dmp

Download
memory/4160-163-0x0000000000000000-mapping.dmp

Download
memory/4256-156-0x0000000000000000-mapping.dmp

Download
memory/4316-157-0x0000000000000000-mapping.dmp

Download
memory/4348-148-0x0000000000000000-mapping.dmp

Download
memory/4432-141-0x0000000000000000-mapping.dmp

Download
memory/4472-147-0x0000000000000000-mapping.dmp

Download
memory/4620-146-0x0000000000000000-mapping.dmp

Download
memory/4628-136-0x0000000000000000-mapping.dmp

Download
memory/4904-151-0x0000000000000000-mapping.dmp

Download