joker | 200a33f3776fbe48ce1565851d06e6e8e1462f91e88d3326581e1b4327613bce

Analysis

max time kernel
147s
max time network
138s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
04-10-2022 19:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

214772eef96c87f6e04c9447384a31e5.exe
Size

124KB
MD5

214772eef96c87f6e04c9447384a31e5
SHA1

a2bf5350b6a36c71d0b9e350e3cea34d285b293a
SHA256

200a33f3776fbe48ce1565851d06e6e8e1462f91e88d3326581e1b4327613bce
SHA512

4fddcc0509e8060263360515b94a116f908407be0ea7e66abfc4b9a3aab310264aaad0ded68921fa1731242f0975941643f8de521b9877f9c5ab921bf85cf096
SSDEEP

3072:q1i/NU8bOMYcYYcmy5cU+gTn6HOjDhWrzvvQwlgOks5YmMOMYcYY51i/NU8F:Ui/NjO5YBgegD0PHzSv3Oai/NN

Score

10^/10

joker infostealer persistence trojan

Malware Config

Signatures

joker
Joker is an Android malware that targets billing and SMS fraud.
infostealer trojan joker

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5}	214772eef96c87f6e04c9447384a31e5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5}\StubPath = "C:\\system.exe"	214772eef96c87f6e04c9447384a31e5.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\ie.bat	214772eef96c87f6e04c9447384a31e5.exe
File created	C:\WINDOWS\SysWOW64\qx.bat	214772eef96c87f6e04c9447384a31e5.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\windows.exe	214772eef96c87f6e04c9447384a31e5.exe
File opened for modification	C:\WINDOWS\windows.exe	214772eef96c87f6e04c9447384a31e5.exe
File opened for modification	C:\WINDOWS\windows.exe	attrib.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\International\CpMRU	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\154.203.154.173\Total = "63"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4093D4D1-442B-11ED-8B83-6A6CB2F85B9F} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d3b98f5693c0d24b85f349229339c59c0000000002000000000010660000000100002000000080d4844cb9639bdf63444a42b2ca2aa8e03a060400f0ec46639ed750a9481066000000000e8000000002000020000000410f77396c7c76c9bf8ddca42e673855209bfd066eba83e14fb0f3592baf9bf5900000001e3d073cd2ecced97c02fe796beeaa1575af8b2806ef6137f37964710da8ddb374b481c55edf77c0696fbd967fc4f07d2af790ca166eabcdbaf9ca9c2c9a8f0f4948ed1742a358f614b5f4dbf4cab08990e61a24e31efa42bd033ced1dd829c6a763f1c939dcadb945947c4791e3135f359434f128143e51ff58810a4bc54bac351281d41cef4abc728d006d3f9be0a8400000007338e1231020625e82d3d7af1d2b72fce8925e2d09e87dabcf964409a9dd83987ab5b72a7aeb683a6dc8558d4664db5282440a11891198a626132e9ed12062ec	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Enable = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d3b98f5693c0d24b85f349229339c59c00000000020000000000106600000001000020000000a400bfa004c014b4030d37d674c97d3309f3cff767028e71ec881c5f26cdc895000000000e80000000020000200000008c8d49ad7593c303b6bfc14a6a55d28f886679d38fdeb4ecbc1d2c743bc12b1e20000000dfc553e3710960ef73e786ac37753d51f4f92026c998d1377f06c398d2b174c2400000008a7bd6f90d304b0b0b5a1bcebc5806ad72975a3ef26c4d1a02a09717281b0a54ff6020ce16cb811fd3af752b9582e1c55f60ffc1f4a80a43ee33b9af7e0032e1	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "371683790"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.ymtuku.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\154.203.154.173\ = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c01bb92038d8d801	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	214772eef96c87f6e04c9447384a31e5.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\ymtuku.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\ymtuku.com\Total = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\154.203.154.173\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\154.203.154.173	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://dhku.com"	214772eef96c87f6e04c9447384a31e5.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1612	214772eef96c87f6e04c9447384a31e5.exe
1612	214772eef96c87f6e04c9447384a31e5.exe
1612	214772eef96c87f6e04c9447384a31e5.exe
1612	214772eef96c87f6e04c9447384a31e5.exe
1612	214772eef96c87f6e04c9447384a31e5.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
836	iexplore.exe
1812	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
1612	214772eef96c87f6e04c9447384a31e5.exe
1812	IEXPLORE.EXE
1812	IEXPLORE.EXE
836	iexplore.exe
836	iexplore.exe
1772	IEXPLORE.EXE
2044	IEXPLORE.EXE
1772	IEXPLORE.EXE
2044	IEXPLORE.EXE
2044	IEXPLORE.EXE
2044	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1612 wrote to memory of 1812	1612	214772eef96c87f6e04c9447384a31e5.exe	26
PID 1612 wrote to memory of 1812	1612	214772eef96c87f6e04c9447384a31e5.exe	26
PID 1612 wrote to memory of 1812	1612	214772eef96c87f6e04c9447384a31e5.exe	26
PID 1612 wrote to memory of 1812	1612	214772eef96c87f6e04c9447384a31e5.exe	26
PID 1612 wrote to memory of 836	1612	214772eef96c87f6e04c9447384a31e5.exe	28
PID 1612 wrote to memory of 836	1612	214772eef96c87f6e04c9447384a31e5.exe	28
PID 1612 wrote to memory of 836	1612	214772eef96c87f6e04c9447384a31e5.exe	28
PID 1612 wrote to memory of 836	1612	214772eef96c87f6e04c9447384a31e5.exe	28
PID 836 wrote to memory of 2044	836	iexplore.exe	29
PID 1812 wrote to memory of 1772	1812	IEXPLORE.EXE	30
PID 836 wrote to memory of 2044	836	iexplore.exe	29
PID 836 wrote to memory of 2044	836	iexplore.exe	29
PID 836 wrote to memory of 2044	836	iexplore.exe	29
PID 1812 wrote to memory of 1772	1812	IEXPLORE.EXE	30
PID 1812 wrote to memory of 1772	1812	IEXPLORE.EXE	30
PID 1812 wrote to memory of 1772	1812	IEXPLORE.EXE	30
PID 1612 wrote to memory of 1280	1612	214772eef96c87f6e04c9447384a31e5.exe	31
PID 1612 wrote to memory of 1280	1612	214772eef96c87f6e04c9447384a31e5.exe	31
PID 1612 wrote to memory of 1280	1612	214772eef96c87f6e04c9447384a31e5.exe	31
PID 1612 wrote to memory of 1280	1612	214772eef96c87f6e04c9447384a31e5.exe	31
PID 1280 wrote to memory of 928	1280	cmd.exe	33
PID 1280 wrote to memory of 928	1280	cmd.exe	33
PID 1280 wrote to memory of 928	1280	cmd.exe	33
PID 1280 wrote to memory of 928	1280	cmd.exe	33
PID 1612 wrote to memory of 1732	1612	214772eef96c87f6e04c9447384a31e5.exe	34
PID 1612 wrote to memory of 1732	1612	214772eef96c87f6e04c9447384a31e5.exe	34
PID 1612 wrote to memory of 1732	1612	214772eef96c87f6e04c9447384a31e5.exe	34
PID 1612 wrote to memory of 1732	1612	214772eef96c87f6e04c9447384a31e5.exe	34
PID 1732 wrote to memory of 1988	1732	cmd.exe	36
PID 1732 wrote to memory of 1988	1732	cmd.exe	36
PID 1732 wrote to memory of 1988	1732	cmd.exe	36
PID 1732 wrote to memory of 1988	1732	cmd.exe	36
PID 1612 wrote to memory of 2012	1612	214772eef96c87f6e04c9447384a31e5.exe	37
PID 1612 wrote to memory of 2012	1612	214772eef96c87f6e04c9447384a31e5.exe	37
PID 1612 wrote to memory of 2012	1612	214772eef96c87f6e04c9447384a31e5.exe	37
PID 1612 wrote to memory of 2012	1612	214772eef96c87f6e04c9447384a31e5.exe	37
PID 2012 wrote to memory of 1436	2012	cmd.exe	39
PID 2012 wrote to memory of 1436	2012	cmd.exe	39
PID 2012 wrote to memory of 1436	2012	cmd.exe	39
PID 2012 wrote to memory of 1436	2012	cmd.exe	39
PID 1612 wrote to memory of 820	1612	214772eef96c87f6e04c9447384a31e5.exe	40
PID 1612 wrote to memory of 820	1612	214772eef96c87f6e04c9447384a31e5.exe	40
PID 1612 wrote to memory of 820	1612	214772eef96c87f6e04c9447384a31e5.exe	40
PID 1612 wrote to memory of 820	1612	214772eef96c87f6e04c9447384a31e5.exe	40
PID 820 wrote to memory of 1480	820	cmd.exe	42
PID 820 wrote to memory of 1480	820	cmd.exe	42
PID 820 wrote to memory of 1480	820	cmd.exe	42
PID 820 wrote to memory of 1480	820	cmd.exe	42
PID 1612 wrote to memory of 1192	1612	214772eef96c87f6e04c9447384a31e5.exe	43
PID 1612 wrote to memory of 1192	1612	214772eef96c87f6e04c9447384a31e5.exe	43
PID 1612 wrote to memory of 1192	1612	214772eef96c87f6e04c9447384a31e5.exe	43
PID 1612 wrote to memory of 1192	1612	214772eef96c87f6e04c9447384a31e5.exe	43
PID 1192 wrote to memory of 764	1192	cmd.exe	45
PID 1192 wrote to memory of 764	1192	cmd.exe	45
PID 1192 wrote to memory of 764	1192	cmd.exe	45
PID 1192 wrote to memory of 764	1192	cmd.exe	45
PID 1612 wrote to memory of 1456	1612	214772eef96c87f6e04c9447384a31e5.exe	46
PID 1612 wrote to memory of 1456	1612	214772eef96c87f6e04c9447384a31e5.exe	46
PID 1612 wrote to memory of 1456	1612	214772eef96c87f6e04c9447384a31e5.exe	46
PID 1612 wrote to memory of 1456	1612	214772eef96c87f6e04c9447384a31e5.exe	46
PID 1456 wrote to memory of 1140	1456	cmd.exe	48
PID 1456 wrote to memory of 1140	1456	cmd.exe	48
PID 1456 wrote to memory of 1140	1456	cmd.exe	48
PID 1456 wrote to memory of 1140	1456	cmd.exe	48

Views/modifies file attributes 1 TTPs 7 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1436	attrib.exe
1480	attrib.exe
764	attrib.exe
1140	attrib.exe
1576	attrib.exe
928	attrib.exe
1988	attrib.exe

C:\Users\Admin\AppData\Local\Temp\214772eef96c87f6e04c9447384a31e5.exe
"C:\Users\Admin\AppData\Local\Temp\214772eef96c87f6e04c9447384a31e5.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1612
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.212ok.com/Gbook.asp?qita
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1812
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1812 CREDAT:275459 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1772
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.ymtuku.com/xg/?tan
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:836
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:836 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2044
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1280
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
    3⤵
    - Views/modifies file attributes
    PID:928
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1732
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
    3⤵
    - Views/modifies file attributes
    PID:1988
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2012
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
    3⤵
    - Views/modifies file attributes
    PID:1436
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:820
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
    3⤵
    - Views/modifies file attributes
    PID:1480
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1192
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
    3⤵
    - Views/modifies file attributes
    PID:764
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +h "C:\WINDOWS\windows.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1456
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\WINDOWS\windows.exe"
    3⤵
    - Drops file in Windows directory
    - Views/modifies file attributes
    PID:1140
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +h "c:\system.exe"
  2⤵
  PID:1068
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "c:\system.exe"
    3⤵
    - Views/modifies file attributes
    PID:1576

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
60KB

MD5
d15aaa7c9be910a9898260767e2490e1

SHA1
2090c53f8d9fc3fbdbafd3a1e4dc25520eb74388

SHA256
f8ebaaf487cba0c81a17c8cd680bdd2dd8e90d2114ecc54844cffc0cc647848e

SHA512
7e1c1a683914b961b5cc2fe5e4ae288b60bab43bfaa21ce4972772aa0589615c19f57e672e1d93e50a7ed7b76fbd2f1b421089dcaed277120b93f8e91b18af94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fcd7b0218d6a835038d33ca7e8204a47

SHA1
64ab9feedf6adaabceaf54ea03d424e03d4d8ac6

SHA256
1853451ab79122e0a987b72f9d5407eabfb30d9bd68b9016ad619882424c4b24

SHA512
2b4938d5100184cb4cc96f9378af84d12dad5d574075ac95a0974d21ae65cb7a0de705b807af53cd9241482438ea9aa0b79e6f37f98b1f0d743140e8924482ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{4093D4D1-442B-11ED-8B83-6A6CB2F85B9F}.dat

Filesize
5KB

MD5
5746734ae9049d0246f9a089c690255d

SHA1
1644e6ad636af8bd6e7fadff6f8f2feaacb2a79a

SHA256
208e89be9a1839ff4f209bf2fd63d4391cfd3748044be503c2932afc7dfa997e

SHA512
0ed0bf2aab2c1e5eddc688cb6411132c8598d5cd2febfa1d0d95e5c2e4d0f64e65572f8962d4e3c6629d73b163905af9703f05e41c2fb3ac4b2ee2747cfb60a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{43EF2530-442B-11ED-8B83-6A6CB2F85B9F}.dat

Filesize
4KB

MD5
2956a887e14eef15bc026d0fd76bfa97

SHA1
9092958c52a71a65bd7794269176dd9e51a37d48

SHA256
6a14fe87b72f38b87ce8495aa5e891fea03b4ab9d555300900b0ebb2da565010

SHA512
e24eb825e1c49e36d9a0ded4b170a1e882731ef75bb012970716f652b31f097f1625890e92b6064f727b301fb4ed519dcfc82ca37232169e7fe897187c1c8007

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\1evexod\imagestore.dat

Filesize
5KB

MD5
6784b6ac7ae8dd89c171af4aabe8226c

SHA1
a37e3465f595ceafd6ebcae2d338af3278ecde73

SHA256
78a7fe3528bc9d178d142bc4a0cf1d62ca04916880f1d25334902df285a8177c

SHA512
9153ba5078305f1789c005ce8613e91fce0d007cc8dea6271d9a6d8f0a9bcec08d648e658aa0e29d8e7218d541c543b1e5cf48df7f4f1adda5af3411cf917919

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\L1WOHTGL.txt

Filesize
595B

MD5
9354babc08847c65f912bfaac4bca534

SHA1
4d5b3335c6df14e4f60ff328a103b70ad870753e

SHA256
3ab97134932e5a13aec124bcd52bb11684445dbce7a43a6e63db877fbe908ae7

SHA512
11cd0dec90220c8e3336d365be7641c5d6aedbe76ff0bb8d139009e08ec8ab77d332f58c74263cb2eb9ff08be998fdb221581e23f357bbb6e6bec9df080e8d4d

Download Submit
C:\WINDOWS\windows.exe

Filesize
124KB

MD5
85bba1a7be3accbb5ac0a4747cadb0a1

SHA1
e63395f07db80b278bf1637558f9e347d52cd179

SHA256
d84886a4950803f6ab4240ee1e400f831ff899cfcbc088ebb5d4483dbc61de14

SHA512
d27482d0218f4eeb2c3ea4d63773772b65b2848577a56131789df76b29002367f711337ae0870323589662fc292f2adc856b620abdf8890509b029c9ffd6a1c8

Download Submit
C:\system.exe

Filesize
124KB

MD5
252fc72971aa01a1baeebe1ce500140e

SHA1
651edd60bd2740b0555783f69558856aae991d28

SHA256
ed4dc19d96e1e9612b074f4675aa5f129b9c9dbf4e07a791d568f81982f83f16

SHA512
c9862eba1644ba4bffb10e85b59ffb90c17c4f8d7ad3069ac84f69dcfc983a66166a28b25b77b0c031ce3e82bccadefc8d5f2d0a374190e8809787605e80bd4d

Download Submit
memory/1612-56-0x0000000076681000-0x0000000076683000-memory.dmp

Filesize
8KB

Download