joker | f1ce34baa43a7950678365bf0e0251838d59d4c26949a6aed0077ce70cdb3b44

Analysis

max time kernel
128s
max time network
156s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
11/10/2022, 04:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f1ce34baa43a7950678365bf0e0251838d59d4c26949a6aed0077ce70cdb3b44.exe
Size

168KB
MD5

67446906452ded1c031508cc2a6668cc
SHA1

b069f859d7d2bd074e9f82fbaeb4278cf9e6db80
SHA256

f1ce34baa43a7950678365bf0e0251838d59d4c26949a6aed0077ce70cdb3b44
SHA512

226a0176c1916bc0c14beb4ca1fccbdbf80dbe63b2abb6d35c4b3dfb2a519b5381065a3a856a209f66601a14843216eba951e2d1b8cc25d01b06c9bf0a7c18e9
SSDEEP

1536:/HobQTnkkpRNGojAbnXlkjZ2G+7E0BnOZ2JKcGO3Ekm+7UsNhv2dnc+C:vOYkkJGoEbXldHE5Aw+

Score

10^/10

joker evasion infostealer persistence trojan

Malware Config

Signatures

joker
Joker is an Android malware that targets billing and SMS fraud.
infostealer trojan joker

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1158

pid	Process
1612	attrib.exe
1624	attrib.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\hsdfasd = "\"C:\\Users\\Admin\\AppData\\Roaming\\PPLive\\tmp.\\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}\" hh.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	rundll32.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~1\INTERN~1\ieframe.dll	cmd.exe
File opened for modification	C:\PROGRA~1\INTERN~1\ieframe.dll	cmd.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.app.log	rundll32.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe

Modifies Internet Explorer settings 1 TTPs 41 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "63"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.cnkankan.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.cnkankan.com\ = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.cnkankan.com\ = "126"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\International\CpMRU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\cnkankan.com\Total = "63"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\cnkankan.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Enable = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "126"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B0354381-4941-11ED-99B1-EA25B6F29539} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Factor = "20"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\cnkankan.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\cnkankan.com\Total = "126"	IEXPLORE.EXE

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Start Page = "http://www.71628.com/?i"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.71628.com/?i"	reg.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\IsShortCut	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command\ = "wscript -e:vbs \"C:\\Users\\Admin\\AppData\\Roaming\\PPLive\\3.bat\""	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell	reg.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeRestorePrivilege	1328	rundll32.exe
Token: SeRestorePrivilege	1328	rundll32.exe
Token: SeRestorePrivilege	1328	rundll32.exe
Token: SeRestorePrivilege	1328	rundll32.exe
Token: SeRestorePrivilege	1328	rundll32.exe
Token: SeRestorePrivilege	1328	rundll32.exe
Token: SeRestorePrivilege	1328	rundll32.exe
Token: SeRestorePrivilege	344	rundll32.exe
Token: SeRestorePrivilege	344	rundll32.exe
Token: SeRestorePrivilege	344	rundll32.exe
Token: SeRestorePrivilege	344	rundll32.exe
Token: SeRestorePrivilege	344	rundll32.exe
Token: SeRestorePrivilege	344	rundll32.exe
Token: SeRestorePrivilege	344	rundll32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
572	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
572	iexplore.exe
572	iexplore.exe
1760	IEXPLORE.EXE
1760	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 1804	1688	f1ce34baa43a7950678365bf0e0251838d59d4c26949a6aed0077ce70cdb3b44.exe	30
PID 1688 wrote to memory of 1804	1688	f1ce34baa43a7950678365bf0e0251838d59d4c26949a6aed0077ce70cdb3b44.exe	30
PID 1688 wrote to memory of 1804	1688	f1ce34baa43a7950678365bf0e0251838d59d4c26949a6aed0077ce70cdb3b44.exe	30
PID 1688 wrote to memory of 1804	1688	f1ce34baa43a7950678365bf0e0251838d59d4c26949a6aed0077ce70cdb3b44.exe	30
PID 1804 wrote to memory of 1504	1804	cmd.exe	32
PID 1804 wrote to memory of 1504	1804	cmd.exe	32
PID 1804 wrote to memory of 1504	1804	cmd.exe	32
PID 1804 wrote to memory of 1504	1804	cmd.exe	32
PID 1504 wrote to memory of 572	1504	cmd.exe	34
PID 1504 wrote to memory of 572	1504	cmd.exe	34
PID 1504 wrote to memory of 572	1504	cmd.exe	34
PID 1504 wrote to memory of 572	1504	cmd.exe	34
PID 1504 wrote to memory of 1328	1504	cmd.exe	35
PID 1504 wrote to memory of 1328	1504	cmd.exe	35
PID 1504 wrote to memory of 1328	1504	cmd.exe	35
PID 1504 wrote to memory of 1328	1504	cmd.exe	35
PID 1504 wrote to memory of 1328	1504	cmd.exe	35
PID 1504 wrote to memory of 1328	1504	cmd.exe	35
PID 1504 wrote to memory of 1328	1504	cmd.exe	35
PID 1504 wrote to memory of 1384	1504	cmd.exe	37
PID 1504 wrote to memory of 1384	1504	cmd.exe	37
PID 1504 wrote to memory of 1384	1504	cmd.exe	37
PID 1504 wrote to memory of 1384	1504	cmd.exe	37
PID 572 wrote to memory of 1760	572	iexplore.exe	36
PID 572 wrote to memory of 1760	572	iexplore.exe	36
PID 572 wrote to memory of 1760	572	iexplore.exe	36
PID 572 wrote to memory of 1760	572	iexplore.exe	36
PID 1384 wrote to memory of 680	1384	cmd.exe	39
PID 1384 wrote to memory of 680	1384	cmd.exe	39
PID 1384 wrote to memory of 680	1384	cmd.exe	39
PID 1384 wrote to memory of 680	1384	cmd.exe	39
PID 1384 wrote to memory of 1976	1384	cmd.exe	40
PID 1384 wrote to memory of 1976	1384	cmd.exe	40
PID 1384 wrote to memory of 1976	1384	cmd.exe	40
PID 1384 wrote to memory of 1976	1384	cmd.exe	40
PID 1384 wrote to memory of 1808	1384	cmd.exe	41
PID 1384 wrote to memory of 1808	1384	cmd.exe	41
PID 1384 wrote to memory of 1808	1384	cmd.exe	41
PID 1384 wrote to memory of 1808	1384	cmd.exe	41
PID 1384 wrote to memory of 1732	1384	cmd.exe	42
PID 1384 wrote to memory of 1732	1384	cmd.exe	42
PID 1384 wrote to memory of 1732	1384	cmd.exe	42
PID 1384 wrote to memory of 1732	1384	cmd.exe	42
PID 1384 wrote to memory of 1000	1384	cmd.exe	43
PID 1384 wrote to memory of 1000	1384	cmd.exe	43
PID 1384 wrote to memory of 1000	1384	cmd.exe	43
PID 1384 wrote to memory of 1000	1384	cmd.exe	43
PID 1384 wrote to memory of 1612	1384	cmd.exe	44
PID 1384 wrote to memory of 1612	1384	cmd.exe	44
PID 1384 wrote to memory of 1612	1384	cmd.exe	44
PID 1384 wrote to memory of 1612	1384	cmd.exe	44
PID 1384 wrote to memory of 1624	1384	cmd.exe	45
PID 1384 wrote to memory of 1624	1384	cmd.exe	45
PID 1384 wrote to memory of 1624	1384	cmd.exe	45
PID 1384 wrote to memory of 1624	1384	cmd.exe	45
PID 1384 wrote to memory of 344	1384	cmd.exe	46
PID 1384 wrote to memory of 344	1384	cmd.exe	46
PID 1384 wrote to memory of 344	1384	cmd.exe	46
PID 1384 wrote to memory of 344	1384	cmd.exe	46
PID 1384 wrote to memory of 344	1384	cmd.exe	46
PID 1384 wrote to memory of 344	1384	cmd.exe	46
PID 1384 wrote to memory of 344	1384	cmd.exe	46
PID 1384 wrote to memory of 1788	1384	cmd.exe	47
PID 1384 wrote to memory of 1788	1384	cmd.exe	47

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1612	attrib.exe
1624	attrib.exe

C:\Users\Admin\AppData\Local\Temp\f1ce34baa43a7950678365bf0e0251838d59d4c26949a6aed0077ce70cdb3b44.exe
"C:\Users\Admin\AppData\Local\Temp\f1ce34baa43a7950678365bf0e0251838d59d4c26949a6aed0077ce70cdb3b44.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\teacher2011_check.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1804
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\PPLive\1.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1504
  - - C:\PROGRA~1\INTERN~1\iexplore.exe
      C:\PROGRA~1\INTERN~1\IEXPLORE.EXE http://WWw.cnkankan.com/?71628
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:572
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:572 CREDAT:275457 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1760
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\PPLive\1.inf
      4⤵
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      PID:1328
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\PPLive\2.bat
      4⤵
      Drops file in Program Files directory
      Suspicious use of WriteProcessMemory
      PID:1384
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.71628.com/?i"" /f
        5⤵
        Modifies Internet Explorer settings
        Modifies Internet Explorer start page
        
        PID:680
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.71628.com/?i"" /f
        5⤵
        Modifies Internet Explorer settings
        Modifies Internet Explorer start page
        
        PID:1976
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\tmp" /v "key" /d ""http://www.71628.com/?i"" /f
        5⤵
        
        PID:1808
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}" /v "IsShortCut" /d "" /f
        5⤵
        Modifies registry class
        
        PID:1732
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command" /v "" /d "wscript -e:vbs ""C:\Users\Admin\AppData\Roaming\PPLive\3.bat""" /f
        5⤵
        Modifies registry class
        
        PID:1000
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h C:\Users\Admin\AppData\Roaming\PPLive\tmp\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}
        5⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:1612
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h C:\Users\Admin\AppData\Roaming\PPLive\tmp
        5⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:1624
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\PPLive\2.inf
        5⤵
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:344
      - C:\Windows\SysWOW64\runonce.exe
        
        "C:\Windows\system32\runonce.exe" -r
        6⤵
        Checks processor information in registry
        
        PID:2004
        
        C:\Windows\SysWOW64\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        7⤵
        
        PID:1052
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32 D:\VolumeDH\inj.dat,MainLoad
        5⤵
        
        PID:1788
- C:\Users\Admin\AppData\Local\Temp\inlB08D.tmp
  C:\Users\Admin\AppData\Local\Temp\inlB08D.tmp
  2⤵
  PID:2484
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\F1CE34~1.EXE > nul
  2⤵
  PID:2712

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\inlB08D.tmp

Filesize
106.5MB

MD5
a8ee828a02d774b362127ef25423d776

SHA1
a7c38c42f26d7ebfbeb4aff50c99270ea6b1bbcd

SHA256
05a5fe1d22be0d74ff9db61bb95a89a0c5cd6a60c586d8dbccb2eb983c575d58

SHA512
05a5e6974026b3fb84cc6b71904c886df4982c449aeff13f7417a3fdec074cb0e5d59a0a700e65de85e23abdd60dfe5bdbe55fedc253771a4949505c3fc62af1

Download Submit
C:\Users\Admin\AppData\Local\Temp\teacher2011_check.bat

Filesize
53B

MD5
23962a245f75fe25510051582203aff1

SHA1
20832a3a1179bb2730194d2f7738d41d5d669a43

SHA256
1abcea214b9b2bd76cc04be07ae2d4d70371e6ca443d99f4f1327afe7a5fc647

SHA512
dc36b64f2dbb710652900a31295c148760b0c44eae13515aa29613916c9dffe3d8e55ba61568f7c27b43bf0c341f7dcd4b9c721f81627fc6bb915b15c358fe80

Download Submit
C:\Users\Admin\AppData\Local\Temp\winrar_config.tmp

Filesize
660B

MD5
d980f89e4088711df685a0aa09e8f5a7

SHA1
dde805f4fa5e016e122e4240e20ff844113717d7

SHA256
28f62bd59962d06d903ea079466c66985caa306251717235a0d470a1b0f62d09

SHA512
fa2a669d846081d71dcada405d3c4bdb92229ba2b4a9f8fd4e461d7c4d51012d3d3b893466f814c8178b9980119703d1a3f7eafeff281a2eb75465e504df9ee9

Download Submit
C:\Users\Admin\AppData\Roaming\PPLive\1.bat

Filesize
3KB

MD5
286fe459674aef6eee17f6ac79a15fdb

SHA1
233dc43099c575a67b05fc1076e676324fd6e63d

SHA256
872cc596dc1fe6d5a131129bd84c2a76d6874e9c57ab2cd792d4d12b6f014fd2

SHA512
c9acc4a134001da76e7ae6aa5ae65ce58501942dfc1f80959ae4db27c06010db753c9d115eedbe0b2b0e30dd5c4dcd1d32816493b053c65cee81d3a343c87314

Download Submit
C:\Users\Admin\AppData\Roaming\PPLive\1.inf

Filesize
492B

MD5
34c14b8530e1094e792527f7a474fe77

SHA1
f71c4e9091140256b34c18220d1dd1efab1f301d

SHA256
fe0dfb3458bfe2a3632d365e00765fa10f14d62e7dfa8b70a055c7eb9fdb6713

SHA512
25bb09b526e1e9f5c6052f1f7c36b37c956c1b5649936af8df3abfcf120c931f3d2603e17a061cb99d8c8074bfb1973a5423cce89762fca53cd46aeb3e8944a2

Download Submit
C:\Users\Admin\AppData\Roaming\PPLive\2.bat

Filesize
3KB

MD5
d4917ae9072a10d8e12ef3b282b25b3b

SHA1
bd9ec6c6395997525ec7c15ecca2f115573cc14c

SHA256
6f7649988962c61ac7644262ee6082ef352bbb00cb155a3f4ef0467fbdf1c67b

SHA512
c6ed3119e008191ad56050f6b72a2d64e908c57e80fd0c252b8b1947cf091644c83b6bc16c56d6e2153579eb3e8711c8cd608977426a0906d56a7713bfca309d

Download Submit
C:\Users\Admin\AppData\Roaming\PPLive\2.inf

Filesize
247B

MD5
ca436f6f187bc049f9271ecdcbf348fa

SHA1
bf8a548071cfc150f7affb802538edf03d281106

SHA256
6cdfa9b7f0e1e4ee16bc8ce5d7448d47ea8866c1f55f3e56be5c2a4d183ca534

SHA512
d19e20aabddad6b0284f8c1d473e9180f30b49d4d8b54f26e7c8630228e16b1f6ba04023c5e8b1993d8a10d97adcfff683b216f79b9981bf16181641aebdd591

Download Submit
C:\Users\Admin\AppData\Roaming\PPLive\4.bat

Filesize
12.3MB

MD5
23a074aca211a90285c544d345489b89

SHA1
227ec4e8fe905dbd645856c73b6f19b0acd7f25f

SHA256
3ef43ea40595cdef1ee45f673c2361b7bad98638364cf3d07fbaebd4ae2ba274

SHA512
93401a34d28a1313976a5831106cdcf6305a0ed3648964cf3212476d8bcf054dfab4220b4d2130bb30f206253d561e062ba67e2a4658d5c9ab88f30a9d7eb923

Download Submit
\Users\Admin\AppData\Local\Temp\inlB08D.tmp

Filesize
108.2MB

MD5
a9e0bb59ef482c356a0b4c24acd85d6d

SHA1
f2df0175e91f64a48c81bd0bcbbc74a775b3e510

SHA256
0601aaa8fa5449fad9821dc2c325e857d4e6701d437dd6ce9b908e9376e1422f

SHA512
4d3b3d7d6db07f431eadfc2ea8923c7aa93ff48df0dd43ca01a05f78812282a9a7354f0ea3cca35d595a35bb4622ed51975dc3c061b40eaa07af05af8f1b1906

Download Submit
\Users\Admin\AppData\Local\Temp\inlB08D.tmp

Filesize
88.3MB

MD5
417fd0b68d16272a36393831685be97e

SHA1
a9455ab121e8bd05716fbfb118308f0ff38063dc

SHA256
6cfc9fe8bc3cc0976f02e4edffbc0bd157af123ea32d6a8dc7712437008968fe

SHA512
39a66afac47c1a2514ae99e6a43292ca8b9858deff55d452d5d4e5e7d62eda4e84f4e57c208c6e9962cf652f8d181472ca1f5496cdbab53d4c9f60515d34ff08

Download Submit
memory/572-62-0x0000000000570000-0x0000000000580000-memory.dmp

Filesize
64KB

Download
memory/572-61-0x000007FEFB6A1000-0x000007FEFB6A3000-memory.dmp

Filesize
8KB

Download
memory/1688-55-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1688-54-0x0000000075601000-0x0000000075603000-memory.dmp

Filesize
8KB

Download
memory/1688-92-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads