joker | 9f27ec50c9c15dace103709724c8de825c57a665765e459bb445a7bdd3b03f4c

Analysis

max time kernel
151s
max time network
197s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
11-10-2022 16:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9f27ec50c9c15dace103709724c8de825c57a665765e459bb445a7bdd3b03f4c.exe
Size

3.1MB
MD5

183bf634bdb36bceb661422de360d97f
SHA1

8c05614d2e439326c510a53e914dc1a74f88d784
SHA256

9f27ec50c9c15dace103709724c8de825c57a665765e459bb445a7bdd3b03f4c
SHA512

1c339f002db014c45892cf4fb8caea281d82d0239ebe8821c63595e34914c3b7fef1ba997c6908eb9aedb548ecf48d1837248c1515a7704c69fd61e541504c8e
SSDEEP

98304:iSBQIZcKt0VRxE3zMSsEcRPRbDjjpF1MFowrK7j:3B3+3Ss/dvjpF2owij

Score

10^/10

joker infostealer trojan upx

Malware Config

Signatures

joker
Joker is an Android malware that targets billing and SMS fraud.
infostealer trojan joker

Executes dropped EXE 3 IoCs

pid	Process
1944	洛克東哥辅助7.7_正式版.exe
2668	empty.exe
4024	empty.exe

UPX packed file 32 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1072-58-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/files/0x0008000000015622-59.dat	upx
behavioral1/files/0x0008000000015622-62.dat	upx
behavioral1/files/0x0008000000015622-60.dat	upx
behavioral1/memory/1944-67-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1944-68-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1944-72-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1944-74-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1944-78-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1944-82-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1944-84-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1944-88-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1944-90-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1944-92-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1944-94-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1944-86-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1944-97-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1944-80-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1944-76-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1944-70-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1944-100-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1944-66-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1944-102-0x0000000000400000-0x0000000000C6C000-memory.dmp	upx
behavioral1/memory/1944-104-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1944-106-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1944-108-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1944-112-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1944-110-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1072-113-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/1944-137-0x0000000000400000-0x0000000000C6C000-memory.dmp	upx
behavioral1/memory/1944-138-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1072-145-0x0000000000400000-0x00000000004B5000-memory.dmp	upx

Loads dropped DLL 2 IoCs

pid	Process
1072	9f27ec50c9c15dace103709724c8de825c57a665765e459bb445a7bdd3b03f4c.exe
1072	9f27ec50c9c15dace103709724c8de825c57a665765e459bb445a7bdd3b03f4c.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\b:	9f27ec50c9c15dace103709724c8de825c57a665765e459bb445a7bdd3b03f4c.exe
File opened (read-only)	\??\e:	9f27ec50c9c15dace103709724c8de825c57a665765e459bb445a7bdd3b03f4c.exe
File opened (read-only)	\??\q:	9f27ec50c9c15dace103709724c8de825c57a665765e459bb445a7bdd3b03f4c.exe
File opened (read-only)	\??\v:	9f27ec50c9c15dace103709724c8de825c57a665765e459bb445a7bdd3b03f4c.exe
File opened (read-only)	\??\n:	9f27ec50c9c15dace103709724c8de825c57a665765e459bb445a7bdd3b03f4c.exe
File opened (read-only)	\??\p:	9f27ec50c9c15dace103709724c8de825c57a665765e459bb445a7bdd3b03f4c.exe
File opened (read-only)	\??\r:	9f27ec50c9c15dace103709724c8de825c57a665765e459bb445a7bdd3b03f4c.exe
File opened (read-only)	\??\u:	9f27ec50c9c15dace103709724c8de825c57a665765e459bb445a7bdd3b03f4c.exe
File opened (read-only)	\??\x:	9f27ec50c9c15dace103709724c8de825c57a665765e459bb445a7bdd3b03f4c.exe
File opened (read-only)	\??\g:	9f27ec50c9c15dace103709724c8de825c57a665765e459bb445a7bdd3b03f4c.exe
File opened (read-only)	\??\i:	9f27ec50c9c15dace103709724c8de825c57a665765e459bb445a7bdd3b03f4c.exe
File opened (read-only)	\??\y:	9f27ec50c9c15dace103709724c8de825c57a665765e459bb445a7bdd3b03f4c.exe
File opened (read-only)	\??\z:	9f27ec50c9c15dace103709724c8de825c57a665765e459bb445a7bdd3b03f4c.exe
File opened (read-only)	\??\l:	9f27ec50c9c15dace103709724c8de825c57a665765e459bb445a7bdd3b03f4c.exe
File opened (read-only)	\??\m:	9f27ec50c9c15dace103709724c8de825c57a665765e459bb445a7bdd3b03f4c.exe
File opened (read-only)	\??\o:	9f27ec50c9c15dace103709724c8de825c57a665765e459bb445a7bdd3b03f4c.exe
File opened (read-only)	\??\a:	9f27ec50c9c15dace103709724c8de825c57a665765e459bb445a7bdd3b03f4c.exe
File opened (read-only)	\??\f:	9f27ec50c9c15dace103709724c8de825c57a665765e459bb445a7bdd3b03f4c.exe
File opened (read-only)	\??\h:	9f27ec50c9c15dace103709724c8de825c57a665765e459bb445a7bdd3b03f4c.exe
File opened (read-only)	\??\j:	9f27ec50c9c15dace103709724c8de825c57a665765e459bb445a7bdd3b03f4c.exe
File opened (read-only)	\??\k:	9f27ec50c9c15dace103709724c8de825c57a665765e459bb445a7bdd3b03f4c.exe
File opened (read-only)	\??\s:	9f27ec50c9c15dace103709724c8de825c57a665765e459bb445a7bdd3b03f4c.exe
File opened (read-only)	\??\t:	9f27ec50c9c15dace103709724c8de825c57a665765e459bb445a7bdd3b03f4c.exe
File opened (read-only)	\??\w:	9f27ec50c9c15dace103709724c8de825c57a665765e459bb445a7bdd3b03f4c.exe

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/1072-58-0x0000000000400000-0x00000000004B5000-memory.dmp	autoit_exe
behavioral1/memory/1072-113-0x0000000000400000-0x00000000004B5000-memory.dmp	autoit_exe
behavioral1/memory/1072-145-0x0000000000400000-0x00000000004B5000-memory.dmp	autoit_exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\洛克東哥辅助7.7_正式版.exe	9f27ec50c9c15dace103709724c8de825c57a665765e459bb445a7bdd3b03f4c.exe
File opened for modification	C:\Program Files (x86)\洛克東哥辅助7.7_正式版.exe	9f27ec50c9c15dace103709724c8de825c57a665765e459bb445a7bdd3b03f4c.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\empty.exe	洛克東哥辅助7.7_正式版.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	9f27ec50c9c15dace103709724c8de825c57a665765e459bb445a7bdd3b03f4c.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\34wg.com\Total = "63"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000062e6ef0d45f4454ab79548c962d74cdf00000000020000000000106600000001000020000000f3c7cf1bffa647c7a79e98a259558d2038c4f9ed5d2172eed2bc41444a179364000000000e80000000020000200000000bb02468dc66d6a6ea1507e918a8d1526d7492c99a5a2f694a2dcae8a59f54d620000000dcb72b81cbb37dfceabf2430282313249262d63c43f653f392dcca1257368c3440000000ff5b8c487ab97ed29bb9d40331444ef015dc871d9228bd2a39602b6857fd40753872a704f5b40b55864b5bdfcabee1986572fa860057d9af2af848e6f0cd4130	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.34wg.com\ = "63"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "372300806"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000062e6ef0d45f4454ab79548c962d74cdf00000000020000000000106600000001000020000000cc0cea645ed542a355a2ae91e2b50c63e5f27bf78e1e448a42464857bd7a716d000000000e8000000002000020000000d885d7a8e2851b19cabaf4f0787e459fd4ff818e469c5e12b1ebdedbf8a6bddb900000000a31a51584dd52a0742db16e8527729052792ce29799abc9f419add350f1b098eb45362bfb5a9527a0ade9f5606ef11715687eb460966b11cbaca8cfd78e16e67d52e3d878495049fc3c027ecd2fea357b5d873370e7e5e2f4cd7cc1305554bd05422ada5b5fe06aa145e20917561d5f0738d3e1baf96ea2b7eed5219036445ad30464f6afca98e354f012912f122558400000006afc9eb4e4c5ab2a652c088d314da4da8eccc07346d706322e3bb1d7a0958b548b1161a36e7d51cc53f8507704f1308840d7e0a8a0dbbdc9d867f26040222a2b	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\34wg.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D792D831-49C7-11ED-AE30-7E4CDA66D2DC} = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\34wg.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D7937471-49C7-11ED-AE30-7E4CDA66D2DC} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10ad96c9d4ddd801	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.ku122.com"	9f27ec50c9c15dace103709724c8de825c57a665765e459bb445a7bdd3b03f4c.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2668	empty.exe
Token: 33	2668	empty.exe
Token: SeIncBasePriorityPrivilege	2668	empty.exe
Token: SeDebugPrivilege	4024	empty.exe
Token: 33	4024	empty.exe
Token: SeIncBasePriorityPrivilege	4024	empty.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
1072	9f27ec50c9c15dace103709724c8de825c57a665765e459bb445a7bdd3b03f4c.exe
1072	9f27ec50c9c15dace103709724c8de825c57a665765e459bb445a7bdd3b03f4c.exe
1072	9f27ec50c9c15dace103709724c8de825c57a665765e459bb445a7bdd3b03f4c.exe
1364	IEXPLORE.EXE
1900	IEXPLORE.EXE

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1072	9f27ec50c9c15dace103709724c8de825c57a665765e459bb445a7bdd3b03f4c.exe
1072	9f27ec50c9c15dace103709724c8de825c57a665765e459bb445a7bdd3b03f4c.exe
1072	9f27ec50c9c15dace103709724c8de825c57a665765e459bb445a7bdd3b03f4c.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
1900	IEXPLORE.EXE
1900	IEXPLORE.EXE
1364	IEXPLORE.EXE
1364	IEXPLORE.EXE
816	IEXPLORE.EXE
816	IEXPLORE.EXE
1520	IEXPLORE.EXE
1520	IEXPLORE.EXE
1944	洛克東哥辅助7.7_正式版.exe
1944	洛克東哥辅助7.7_正式版.exe
1944	洛克東哥辅助7.7_正式版.exe
816	IEXPLORE.EXE
816	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1072 wrote to memory of 664	1072	9f27ec50c9c15dace103709724c8de825c57a665765e459bb445a7bdd3b03f4c.exe	27
PID 1072 wrote to memory of 664	1072	9f27ec50c9c15dace103709724c8de825c57a665765e459bb445a7bdd3b03f4c.exe	27
PID 1072 wrote to memory of 664	1072	9f27ec50c9c15dace103709724c8de825c57a665765e459bb445a7bdd3b03f4c.exe	27
PID 1072 wrote to memory of 664	1072	9f27ec50c9c15dace103709724c8de825c57a665765e459bb445a7bdd3b03f4c.exe	27
PID 1072 wrote to memory of 1952	1072	9f27ec50c9c15dace103709724c8de825c57a665765e459bb445a7bdd3b03f4c.exe	28
PID 1072 wrote to memory of 1952	1072	9f27ec50c9c15dace103709724c8de825c57a665765e459bb445a7bdd3b03f4c.exe	28
PID 1072 wrote to memory of 1952	1072	9f27ec50c9c15dace103709724c8de825c57a665765e459bb445a7bdd3b03f4c.exe	28
PID 1072 wrote to memory of 1952	1072	9f27ec50c9c15dace103709724c8de825c57a665765e459bb445a7bdd3b03f4c.exe	28
PID 664 wrote to memory of 1364	664	iexplore.exe	30
PID 664 wrote to memory of 1364	664	iexplore.exe	30
PID 664 wrote to memory of 1364	664	iexplore.exe	30
PID 664 wrote to memory of 1364	664	iexplore.exe	30
PID 1952 wrote to memory of 1900	1952	iexplore.exe	29
PID 1952 wrote to memory of 1900	1952	iexplore.exe	29
PID 1952 wrote to memory of 1900	1952	iexplore.exe	29
PID 1952 wrote to memory of 1900	1952	iexplore.exe	29
PID 1072 wrote to memory of 1944	1072	9f27ec50c9c15dace103709724c8de825c57a665765e459bb445a7bdd3b03f4c.exe	31
PID 1072 wrote to memory of 1944	1072	9f27ec50c9c15dace103709724c8de825c57a665765e459bb445a7bdd3b03f4c.exe	31
PID 1072 wrote to memory of 1944	1072	9f27ec50c9c15dace103709724c8de825c57a665765e459bb445a7bdd3b03f4c.exe	31
PID 1072 wrote to memory of 1944	1072	9f27ec50c9c15dace103709724c8de825c57a665765e459bb445a7bdd3b03f4c.exe	31
PID 1900 wrote to memory of 1520	1900	IEXPLORE.EXE	34
PID 1900 wrote to memory of 1520	1900	IEXPLORE.EXE	34
PID 1900 wrote to memory of 1520	1900	IEXPLORE.EXE	34
PID 1900 wrote to memory of 1520	1900	IEXPLORE.EXE	34
PID 1364 wrote to memory of 816	1364	IEXPLORE.EXE	33
PID 1364 wrote to memory of 816	1364	IEXPLORE.EXE	33
PID 1364 wrote to memory of 816	1364	IEXPLORE.EXE	33
PID 1364 wrote to memory of 816	1364	IEXPLORE.EXE	33
PID 1944 wrote to memory of 2668	1944	洛克東哥辅助7.7_正式版.exe	36
PID 1944 wrote to memory of 2668	1944	洛克東哥辅助7.7_正式版.exe	36
PID 1944 wrote to memory of 2668	1944	洛克東哥辅助7.7_正式版.exe	36
PID 1944 wrote to memory of 2668	1944	洛克東哥辅助7.7_正式版.exe	36
PID 1944 wrote to memory of 4024	1944	洛克東哥辅助7.7_正式版.exe	39
PID 1944 wrote to memory of 4024	1944	洛克東哥辅助7.7_正式版.exe	39
PID 1944 wrote to memory of 4024	1944	洛克東哥辅助7.7_正式版.exe	39
PID 1944 wrote to memory of 4024	1944	洛克東哥辅助7.7_正式版.exe	39

C:\Users\Admin\AppData\Local\Temp\9f27ec50c9c15dace103709724c8de825c57a665765e459bb445a7bdd3b03f4c.exe
"C:\Users\Admin\AppData\Local\Temp\9f27ec50c9c15dace103709724c8de825c57a665765e459bb445a7bdd3b03f4c.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1072
- C:\Program Files (x86)\Intern~1\iexplore.exe
  "C:\Program Files (x86)\Intern~1\iexplore.exe" http://www.baiasp.com
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:664
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.baiasp.com
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1364
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1364 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:816
- C:\Program Files (x86)\Intern~1\iexplore.exe
  "C:\Program Files (x86)\Intern~1\iexplore.exe" http://www.34wg.com
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1952
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.34wg.com
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1900
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1900 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1520
- C:\Program Files (x86)\洛克東哥辅助7.7_正式版.exe
  "C:\Program Files (x86)\洛克東哥辅助7.7_正式版.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1944
- - C:\Windows\empty.exe
    C:\Windows\empty.exe 1944
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2668
- - C:\Windows\empty.exe
    C:\Windows\empty.exe 1944
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4024

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\洛克東哥辅助7.7_正式版.exe

Filesize
2.7MB

MD5
42095e7e99e37459044a7917768e85c3

SHA1
4634983451f51215fe21e783545671fede8973c8

SHA256
2c1688cff603e444e62d46feb9e574fa69c030baf363d56a1e0158d950011fdb

SHA512
a4ed61cfdd9033011f672791ccd5322e2f7025e659c4572a664a2e196ea34f220890b6a10b3f6da37d597a3b8e432f374621b8478b72bbdce1373f9e7341d9a8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
60KB

MD5
d15aaa7c9be910a9898260767e2490e1

SHA1
2090c53f8d9fc3fbdbafd3a1e4dc25520eb74388

SHA256
f8ebaaf487cba0c81a17c8cd680bdd2dd8e90d2114ecc54844cffc0cc647848e

SHA512
7e1c1a683914b961b5cc2fe5e4ae288b60bab43bfaa21ce4972772aa0589615c19f57e672e1d93e50a7ed7b76fbd2f1b421089dcaed277120b93f8e91b18af94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5b155c226422cfee771aaeb4bc5f499f

SHA1
7732ed54de6df191c4b6c7ccd54625bbe978b18c

SHA256
01a0c58a3750d35777bdf2646b2fc4c01c469f450dc1f0e4839b077425be8894

SHA512
5448ee2433cfcdf39350c7e64a4684a2470ade31d23acde9f678d4025dbddd481545ee58fb5668690f77178eee1f0df39540f45f8c67d1673b58e213f70b1175

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
df108932f275f61ac00dfe66cbb55724

SHA1
316fa78978ec1cffb7ba5f06a3e16ccab621e676

SHA256
f4c60c083c25af929c128099db4c5fee7727f0db15d36638db8f292e19bc6ffb

SHA512
8cc3d57c073197036d9039ae4b1f6b273c74e532a2a933439e23ef046a5f23acba7c1a181c4ca80b8f56565d2d95b37e9e4d5412888d9409c5b3d94b163c678c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
cd64fc87d6516c048a3b284a61228500

SHA1
2a289238fafa40d31aa9678ec9bd08a4db1317c0

SHA256
2a84057e1b24b1c13c2520c124e2d4cc9ecb819fe614af7dc931b565d6c1b52a

SHA512
14493bc96927788060c2875250567909768c94643024239bba4cfb7d0e070da0c9bc709810de9ee0e2a6d2d5b67d5c4a29550e1c063186c384b2223d3eff8afb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{D792D831-49C7-11ED-AE30-7E4CDA66D2DC}.dat

Filesize
3KB

MD5
46125dd86b5da1d2562654d27d65cf4a

SHA1
2ac6fc13e25424bbc961a2a29442f19486034628

SHA256
d9ecc646804e53777f4a4550f413ea18bbc10b066118999795895301e51eb644

SHA512
f5239e1cc8522bf6e65db1428d71822ea82d0d29ae93dc3e5fa432ef4c2e7214ad5beb163976629edfc257a565689f1da5f23ae5a099047bc75193cde808dfbd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{D7937471-49C7-11ED-AE30-7E4CDA66D2DC}.dat

Filesize
5KB

MD5
f23ff1f9edb6bb4de1bccf79ab9d25ad

SHA1
e3eedbe662f23fa87dd6a50ec620860f923b1ac9

SHA256
15e62f46756181a7fb194c58e1d70badd1708a33dcc3470a8e119822727372ff

SHA512
f34aaaab636bc662f5ed15ff598ce74311c7daa0f26015dc1b9a28b727d2986f0b4d9550c56707658fe576767ab2eaf93d2ac5b2e24c4f594c5b94b863046fbd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\9VFTBNGR.txt

Filesize
608B

MD5
39390dcaf4720e6653a5fcd215bf2b88

SHA1
a7b1353cc7b07b52b27e292538a159381e491b4e

SHA256
e38ee603b9223e4940e713c96e2810940d50dbae6ac2f6cc6820c315a25c466c

SHA512
3fd63c9e75a3815bae3897c7044f84649cb68843fa89045501b842e3edfd954f8e5af1d31fff931545f77e5cd0e5bd5f63fb5b58d1afec6d4251ae91ff00e2c8

Download Submit
C:\Windows\empty.exe

Filesize
9KB

MD5
523d5c39f9d8d2375c3df68251fa2249

SHA1
d4ed365c44bec9246fc1a65a32a7791792647a10

SHA256
20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78

SHA512
526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4

Download Submit
C:\Windows\empty.exe

Filesize
9KB

MD5
523d5c39f9d8d2375c3df68251fa2249

SHA1
d4ed365c44bec9246fc1a65a32a7791792647a10

SHA256
20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78

SHA512
526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4

Download Submit
\Program Files (x86)\洛克東哥辅助7.7_正式版.exe

Filesize
2.7MB

MD5
42095e7e99e37459044a7917768e85c3

SHA1
4634983451f51215fe21e783545671fede8973c8

SHA256
2c1688cff603e444e62d46feb9e574fa69c030baf363d56a1e0158d950011fdb

SHA512
a4ed61cfdd9033011f672791ccd5322e2f7025e659c4572a664a2e196ea34f220890b6a10b3f6da37d597a3b8e432f374621b8478b72bbdce1373f9e7341d9a8

Download Submit
\Program Files (x86)\洛克東哥辅助7.7_正式版.exe

Filesize
2.7MB

MD5
42095e7e99e37459044a7917768e85c3

SHA1
4634983451f51215fe21e783545671fede8973c8

SHA256
2c1688cff603e444e62d46feb9e574fa69c030baf363d56a1e0158d950011fdb

SHA512
a4ed61cfdd9033011f672791ccd5322e2f7025e659c4572a664a2e196ea34f220890b6a10b3f6da37d597a3b8e432f374621b8478b72bbdce1373f9e7341d9a8

Download Submit
memory/1072-58-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/1072-99-0x0000000003980000-0x00000000041EC000-memory.dmp

Filesize
8.4MB

Download
memory/1072-145-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/1072-114-0x0000000003980000-0x00000000041EC000-memory.dmp

Filesize
8.4MB

Download
memory/1072-113-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/1072-54-0x0000000074C91000-0x0000000074C93000-memory.dmp

Filesize
8KB

Download
memory/1072-95-0x0000000003980000-0x00000000041EC000-memory.dmp

Filesize
8.4MB

Download
memory/1944-76-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1944-137-0x0000000000400000-0x0000000000C6C000-memory.dmp

Filesize
8.4MB

Download
memory/1944-97-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1944-80-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1944-94-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1944-92-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1944-70-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1944-100-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1944-66-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1944-102-0x0000000000400000-0x0000000000C6C000-memory.dmp

Filesize
8.4MB

Download
memory/1944-104-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1944-106-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1944-108-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1944-112-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1944-110-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1944-90-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1944-88-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1944-84-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1944-127-0x0000000002B50000-0x0000000002C50000-memory.dmp

Filesize
1024KB

Download
memory/1944-131-0x0000000002B50000-0x0000000002C50000-memory.dmp

Filesize
1024KB

Download
memory/1944-133-0x0000000002B50000-0x0000000002C50000-memory.dmp

Filesize
1024KB

Download
memory/1944-125-0x0000000002B50000-0x0000000002C50000-memory.dmp

Filesize
1024KB

Download
memory/1944-67-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1944-82-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1944-86-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1944-138-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1944-78-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1944-74-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1944-72-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1944-68-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads