Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    128s
  • max time network
    156s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    11/10/2022, 04:53

General

  • Target

    f1ce34baa43a7950678365bf0e0251838d59d4c26949a6aed0077ce70cdb3b44.exe

  • Size

    168KB

  • MD5

    67446906452ded1c031508cc2a6668cc

  • SHA1

    b069f859d7d2bd074e9f82fbaeb4278cf9e6db80

  • SHA256

    f1ce34baa43a7950678365bf0e0251838d59d4c26949a6aed0077ce70cdb3b44

  • SHA512

    226a0176c1916bc0c14beb4ca1fccbdbf80dbe63b2abb6d35c4b3dfb2a519b5381065a3a856a209f66601a14843216eba951e2d1b8cc25d01b06c9bf0a7c18e9

  • SSDEEP

    1536:/HobQTnkkpRNGojAbnXlkjZ2G+7E0BnOZ2JKcGO3Ekm+7UsNhv2dnc+C:vOYkkJGoEbXldHE5Aw+

Malware Config

Signatures

  • joker

    Joker is an Android malware that targets billing and SMS fraud.

  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

  • Adds Run key to start application 2 TTPs 3 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 41 IoCs
  • Modifies Internet Explorer start page 1 TTPs 2 IoCs
  • Modifies registry class 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f1ce34baa43a7950678365bf0e0251838d59d4c26949a6aed0077ce70cdb3b44.exe
    "C:\Users\Admin\AppData\Local\Temp\f1ce34baa43a7950678365bf0e0251838d59d4c26949a6aed0077ce70cdb3b44.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1688
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\teacher2011_check.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1804
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\PPLive\1.bat
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1504
        • C:\PROGRA~1\INTERN~1\iexplore.exe
          C:\PROGRA~1\INTERN~1\IEXPLORE.EXE http://WWw.cnkankan.com/?71628
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:572
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:572 CREDAT:275457 /prefetch:2
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:1760
        • C:\Windows\SysWOW64\rundll32.exe
          rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\PPLive\1.inf
          4⤵
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          PID:1328
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\PPLive\2.bat
          4⤵
          • Drops file in Program Files directory
          • Suspicious use of WriteProcessMemory
          PID:1384
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKLM\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.71628.com/?i"" /f
            5⤵
            • Modifies Internet Explorer settings
            • Modifies Internet Explorer start page
            PID:680
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.71628.com/?i"" /f
            5⤵
            • Modifies Internet Explorer settings
            • Modifies Internet Explorer start page
            PID:1976
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCU\Software\tmp" /v "key" /d ""http://www.71628.com/?i"" /f
            5⤵
              PID:1808
            • C:\Windows\SysWOW64\reg.exe
              reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}" /v "IsShortCut" /d "" /f
              5⤵
              • Modifies registry class
              PID:1732
            • C:\Windows\SysWOW64\reg.exe
              reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command" /v "" /d "wscript -e:vbs ""C:\Users\Admin\AppData\Roaming\PPLive\3.bat""" /f
              5⤵
              • Modifies registry class
              PID:1000
            • C:\Windows\SysWOW64\attrib.exe
              attrib +s +h C:\Users\Admin\AppData\Roaming\PPLive\tmp\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}
              5⤵
              • Sets file to hidden
              • Views/modifies file attributes
              PID:1612
            • C:\Windows\SysWOW64\attrib.exe
              attrib +s +h C:\Users\Admin\AppData\Roaming\PPLive\tmp
              5⤵
              • Sets file to hidden
              • Views/modifies file attributes
              PID:1624
            • C:\Windows\SysWOW64\rundll32.exe
              rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\PPLive\2.inf
              5⤵
              • Adds Run key to start application
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              PID:344
              • C:\Windows\SysWOW64\runonce.exe
                "C:\Windows\system32\runonce.exe" -r
                6⤵
                • Checks processor information in registry
                PID:2004
                • C:\Windows\SysWOW64\grpconv.exe
                  "C:\Windows\System32\grpconv.exe" -o
                  7⤵
                    PID:1052
              • C:\Windows\SysWOW64\rundll32.exe
                rundll32 D:\VolumeDH\inj.dat,MainLoad
                5⤵
                  PID:1788
          • C:\Users\Admin\AppData\Local\Temp\inlB08D.tmp
            C:\Users\Admin\AppData\Local\Temp\inlB08D.tmp
            2⤵
              PID:2484
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\F1CE34~1.EXE > nul
              2⤵
                PID:2712

            Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\inlB08D.tmp

              Filesize

              106.5MB

              MD5

              a8ee828a02d774b362127ef25423d776

              SHA1

              a7c38c42f26d7ebfbeb4aff50c99270ea6b1bbcd

              SHA256

              05a5fe1d22be0d74ff9db61bb95a89a0c5cd6a60c586d8dbccb2eb983c575d58

              SHA512

              05a5e6974026b3fb84cc6b71904c886df4982c449aeff13f7417a3fdec074cb0e5d59a0a700e65de85e23abdd60dfe5bdbe55fedc253771a4949505c3fc62af1

            • C:\Users\Admin\AppData\Local\Temp\teacher2011_check.bat

              Filesize

              53B

              MD5

              23962a245f75fe25510051582203aff1

              SHA1

              20832a3a1179bb2730194d2f7738d41d5d669a43

              SHA256

              1abcea214b9b2bd76cc04be07ae2d4d70371e6ca443d99f4f1327afe7a5fc647

              SHA512

              dc36b64f2dbb710652900a31295c148760b0c44eae13515aa29613916c9dffe3d8e55ba61568f7c27b43bf0c341f7dcd4b9c721f81627fc6bb915b15c358fe80

            • C:\Users\Admin\AppData\Local\Temp\winrar_config.tmp

              Filesize

              660B

              MD5

              d980f89e4088711df685a0aa09e8f5a7

              SHA1

              dde805f4fa5e016e122e4240e20ff844113717d7

              SHA256

              28f62bd59962d06d903ea079466c66985caa306251717235a0d470a1b0f62d09

              SHA512

              fa2a669d846081d71dcada405d3c4bdb92229ba2b4a9f8fd4e461d7c4d51012d3d3b893466f814c8178b9980119703d1a3f7eafeff281a2eb75465e504df9ee9

            • C:\Users\Admin\AppData\Roaming\PPLive\1.bat

              Filesize

              3KB

              MD5

              286fe459674aef6eee17f6ac79a15fdb

              SHA1

              233dc43099c575a67b05fc1076e676324fd6e63d

              SHA256

              872cc596dc1fe6d5a131129bd84c2a76d6874e9c57ab2cd792d4d12b6f014fd2

              SHA512

              c9acc4a134001da76e7ae6aa5ae65ce58501942dfc1f80959ae4db27c06010db753c9d115eedbe0b2b0e30dd5c4dcd1d32816493b053c65cee81d3a343c87314

            • C:\Users\Admin\AppData\Roaming\PPLive\1.inf

              Filesize

              492B

              MD5

              34c14b8530e1094e792527f7a474fe77

              SHA1

              f71c4e9091140256b34c18220d1dd1efab1f301d

              SHA256

              fe0dfb3458bfe2a3632d365e00765fa10f14d62e7dfa8b70a055c7eb9fdb6713

              SHA512

              25bb09b526e1e9f5c6052f1f7c36b37c956c1b5649936af8df3abfcf120c931f3d2603e17a061cb99d8c8074bfb1973a5423cce89762fca53cd46aeb3e8944a2

            • C:\Users\Admin\AppData\Roaming\PPLive\2.bat

              Filesize

              3KB

              MD5

              d4917ae9072a10d8e12ef3b282b25b3b

              SHA1

              bd9ec6c6395997525ec7c15ecca2f115573cc14c

              SHA256

              6f7649988962c61ac7644262ee6082ef352bbb00cb155a3f4ef0467fbdf1c67b

              SHA512

              c6ed3119e008191ad56050f6b72a2d64e908c57e80fd0c252b8b1947cf091644c83b6bc16c56d6e2153579eb3e8711c8cd608977426a0906d56a7713bfca309d

            • C:\Users\Admin\AppData\Roaming\PPLive\2.inf

              Filesize

              247B

              MD5

              ca436f6f187bc049f9271ecdcbf348fa

              SHA1

              bf8a548071cfc150f7affb802538edf03d281106

              SHA256

              6cdfa9b7f0e1e4ee16bc8ce5d7448d47ea8866c1f55f3e56be5c2a4d183ca534

              SHA512

              d19e20aabddad6b0284f8c1d473e9180f30b49d4d8b54f26e7c8630228e16b1f6ba04023c5e8b1993d8a10d97adcfff683b216f79b9981bf16181641aebdd591

            • C:\Users\Admin\AppData\Roaming\PPLive\4.bat

              Filesize

              12.3MB

              MD5

              23a074aca211a90285c544d345489b89

              SHA1

              227ec4e8fe905dbd645856c73b6f19b0acd7f25f

              SHA256

              3ef43ea40595cdef1ee45f673c2361b7bad98638364cf3d07fbaebd4ae2ba274

              SHA512

              93401a34d28a1313976a5831106cdcf6305a0ed3648964cf3212476d8bcf054dfab4220b4d2130bb30f206253d561e062ba67e2a4658d5c9ab88f30a9d7eb923

            • \Users\Admin\AppData\Local\Temp\inlB08D.tmp

              Filesize

              108.2MB

              MD5

              a9e0bb59ef482c356a0b4c24acd85d6d

              SHA1

              f2df0175e91f64a48c81bd0bcbbc74a775b3e510

              SHA256

              0601aaa8fa5449fad9821dc2c325e857d4e6701d437dd6ce9b908e9376e1422f

              SHA512

              4d3b3d7d6db07f431eadfc2ea8923c7aa93ff48df0dd43ca01a05f78812282a9a7354f0ea3cca35d595a35bb4622ed51975dc3c061b40eaa07af05af8f1b1906

            • \Users\Admin\AppData\Local\Temp\inlB08D.tmp

              Filesize

              88.3MB

              MD5

              417fd0b68d16272a36393831685be97e

              SHA1

              a9455ab121e8bd05716fbfb118308f0ff38063dc

              SHA256

              6cfc9fe8bc3cc0976f02e4edffbc0bd157af123ea32d6a8dc7712437008968fe

              SHA512

              39a66afac47c1a2514ae99e6a43292ca8b9858deff55d452d5d4e5e7d62eda4e84f4e57c208c6e9962cf652f8d181472ca1f5496cdbab53d4c9f60515d34ff08

            • memory/572-62-0x0000000000570000-0x0000000000580000-memory.dmp

              Filesize

              64KB

            • memory/572-61-0x000007FEFB6A1000-0x000007FEFB6A3000-memory.dmp

              Filesize

              8KB

            • memory/1688-55-0x0000000000400000-0x000000000042A000-memory.dmp

              Filesize

              168KB

            • memory/1688-54-0x0000000075601000-0x0000000075603000-memory.dmp

              Filesize

              8KB

            • memory/1688-92-0x0000000000400000-0x000000000042A000-memory.dmp

              Filesize

              168KB