Analysis

  • max time kernel
    146s
  • max time network
    172s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    04/10/2022, 19:25

General

  • Target

    f075c52ce064768d7567c841f269712b.exe

  • Size

    137KB

  • MD5

    f075c52ce064768d7567c841f269712b

  • SHA1

    993d250b26e4660b93ba8e29af6cc9a46420e772

  • SHA256

    65e48138eeec15a0fad5c341f62ecc31552c01db04db0fd2e8c39ac3e45fcff7

  • SHA512

    59813726e98b1d889759e28391b9d82a596a9a37ba98f5e2fd9ddce7dcf15ed8d8a72037d01531a26d496fa891b0f67b3d0880f6fec09aa8f0c74488a45bda22

  • SSDEEP

    3072:71i/NU8bOMYcYYcmy5d048g3nan3vx9kGSYng7+s5YmMOMYcYY51i/NU81:Zi/NjO5x0Xg+UGSYnuy3Oai/Nd

Malware Config

Signatures

  • joker

    Joker is an Android malware that targets billing and SMS fraud.

  • Executes dropped EXE (1 IoC)
  • Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
  • Deletes itself (1 IoC)
  • Drops file in System32 directory (2 IoCs)
  • Drops file in Windows directory (5 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Kills process with taskkill (2 IoCs)
  • Modifies Internet Explorer settings (1 TTP, 55 IoCs)
  • Modifies Internet Explorer start page (1 TTP, 1 IoC)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of SetWindowsHookEx (8 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • Views/modifies file attributes (1 TTP, 7 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\f075c52ce064768d7567c841f269712b.exe
    "C:\Users\Admin\AppData\Local\Temp\f075c52ce064768d7567c841f269712b.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1016
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /im KSafeTray.exe /f
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1980
    • C:\WINDOWS\sys.exe
      "C:\WINDOWS\sys.exe"
      2⤵
      • Executes dropped EXE
      • Modifies Installed Components in the registry
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1692
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill.exe /im KSafeTray.exe /f
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1516
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://www.ymtuku.com/xg/?tan
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:960
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:960 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:844
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:580
        • C:\Windows\SysWOW64\attrib.exe
          attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
          4⤵
          • Views/modifies file attributes
          PID:1356
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1156
        • C:\Windows\SysWOW64\attrib.exe
          attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
          4⤵
          • Views/modifies file attributes
          PID:1816
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1320
        • C:\Windows\SysWOW64\attrib.exe
          attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
          4⤵
          • Views/modifies file attributes
          PID:632
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1624
        • C:\Windows\SysWOW64\attrib.exe
          attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
          4⤵
          • Views/modifies file attributes
          PID:1336
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1552
        • C:\Windows\SysWOW64\attrib.exe
          attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
          4⤵
          • Views/modifies file attributes
          PID:924
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c attrib +h "C:\WINDOWS\sys.exe"
        3⤵
        PID:1784
        • C:\Windows\SysWOW64\attrib.exe
          attrib +h "C:\WINDOWS\sys.exe"
          4⤵
          • Drops file in Windows directory
          • Views/modifies file attributes
          PID:1740
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c attrib +h "c:\sys.exe"
        3⤵
        PID:1876
        • C:\Windows\SysWOW64\attrib.exe
          attrib +h "c:\sys.exe"
          4⤵
          • Views/modifies file attributes
          PID:1980
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c del f075c52ce064768d7567c841f269712b.exe
      2⤵
      • Deletes itself
      PID:1488

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\82CB34DD3343FE727DF8890D352E0D8F (7KB)
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (60KB)
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\82CB34DD3343FE727DF8890D352E0D8F (226B)
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (342B)
  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\lwrmjt1\imagestore.dat (5KB)
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\NMANVNOK.txt (607B)
  • C:\WINDOWS\sys.exe (137KB)
  • C:\Windows\sys.exe (137KB)
  • C:\sys.exe (137KB)
  • \??\c:\sys.exe (137KB)
  • memory/1016-57-0x00000000764D1000-0x00000000764D3000-memory.dmp (8KB)