joker | 96d540b005a73f325946caf663bcaa9019f1a87b5217333e0608a1aa79ed84c2

Analysis

max time kernel
150s
max time network
155s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
11-10-2022 17:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

96d540b005a73f325946caf663bcaa9019f1a87b5217333e0608a1aa79ed84c2.exe
Size

662KB
MD5

d42a68673a0159cf44884e5f8d0dc0f3
SHA1

c673c7283f9590b57e4107f4092bb7d6bc3dbd84
SHA256

96d540b005a73f325946caf663bcaa9019f1a87b5217333e0608a1aa79ed84c2
SHA512

cacea8e9a16fc57d40aaa56f4951cd137e6300de50f03ffeacac259f92c3d10da68050d7b87b10af92e530d0788b748272a9e947b15123556494b6b7d29cb4e2
SSDEEP

12288:Z0L+fPVW03VATD5MNEbevxuV0N6WqbzLNYQsh2yqlAyN1llV:6AEvUEbtVQ6W/QV

Score

10^/10

joker infostealer trojan

Malware Config

Signatures

joker
Joker is an Android malware that targets billing and SMS fraud.
infostealer trojan joker

Executes dropped EXE 1 IoCs

pid	Process
1908	96d540b005a73f325946caf663bcaa9019f1a87b5217333e0608a1aa79ed84c2.dmy

Loads dropped DLL 2 IoCs

pid	Process
1112	96d540b005a73f325946caf663bcaa9019f1a87b5217333e0608a1aa79ed84c2.exe
1908	96d540b005a73f325946caf663bcaa9019f1a87b5217333e0608a1aa79ed84c2.dmy

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 42 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\tocabala.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000062e6ef0d45f4454ab79548c962d74cdf000000000200000000001066000000010000200000006db15ee423e625ea637065efca0bc8553d04121bf5169db61a63340df8b5bdf5000000000e8000000002000020000000d933694d24d226818f5dd811cd7beef71ba42c074f8bf2dc5191b939b70ac9df20000000ad3c8fd6e7f8dbd5abe269144a99edccd825e89cdf9079d62bbc1862001533f540000000038499166b09f52ee36610059cb32a98217d4c2b1447b4094b3c80039163ea1adf74ed794f19add684cc32b28aac7845fa0a32e2865523313bed7f614f8573d5	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0d0dcfba3ddd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "372279854"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000062e6ef0d45f4454ab79548c962d74cdf000000000200000000001066000000010000200000003083a84292a01ec7fa4f0efc53f69424110fb272b4e827c086b2a0c0fe2a10f5000000000e80000000020000200000005eced076ee7f2b1ff4d18ea4e835e209295c49a1f67fcfdc49528d3a3e34524790000000c8f046b62c4877debf8117809951f183c0a96ac397051dcae3a3a56e57abb22805bdfc56477f04e6150be4b3314675c7cdd5445996bf0d1d7e69b94efd2338eafed0c5816a6ab5ce857810894b5dd4211b3043da886a98bd6a2e17f54c41177d4f4d0f96714fad5b399926e273e606a7a5ac427a9a3d80f22be845e49b23e3094f2b69c83d78f38076be9c2c8ccf94b140000000613412f0f9bb3c0cdc8420352d5855d5fb7aba79598eae94bd2a936629eec0776641556db62df635abdee1be02d56d98208f72c3e1d538178c1d37fcb3907e8d	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\tocabala.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	96d540b005a73f325946caf663bcaa9019f1a87b5217333e0608a1aa79ed84c2.dmy
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{16DA1DE1-4997-11ED-8716-EAF6071D98F9} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	96d540b005a73f325946caf663bcaa9019f1a87b5217333e0608a1aa79ed84c2.dmy
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	96d540b005a73f325946caf663bcaa9019f1a87b5217333e0608a1aa79ed84c2.dmy
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	96d540b005a73f325946caf663bcaa9019f1a87b5217333e0608a1aa79ed84c2.dmy
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	96d540b005a73f325946caf663bcaa9019f1a87b5217333e0608a1aa79ed84c2.dmy
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d0030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	96d540b005a73f325946caf663bcaa9019f1a87b5217333e0608a1aa79ed84c2.dmy
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	96d540b005a73f325946caf663bcaa9019f1a87b5217333e0608a1aa79ed84c2.dmy
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	96d540b005a73f325946caf663bcaa9019f1a87b5217333e0608a1aa79ed84c2.dmy
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	96d540b005a73f325946caf663bcaa9019f1a87b5217333e0608a1aa79ed84c2.dmy

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1112	96d540b005a73f325946caf663bcaa9019f1a87b5217333e0608a1aa79ed84c2.exe
1908	96d540b005a73f325946caf663bcaa9019f1a87b5217333e0608a1aa79ed84c2.dmy

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1504	iexplore.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
1112	96d540b005a73f325946caf663bcaa9019f1a87b5217333e0608a1aa79ed84c2.exe
1112	96d540b005a73f325946caf663bcaa9019f1a87b5217333e0608a1aa79ed84c2.exe
1112	96d540b005a73f325946caf663bcaa9019f1a87b5217333e0608a1aa79ed84c2.exe
1112	96d540b005a73f325946caf663bcaa9019f1a87b5217333e0608a1aa79ed84c2.exe
1908	96d540b005a73f325946caf663bcaa9019f1a87b5217333e0608a1aa79ed84c2.dmy
1908	96d540b005a73f325946caf663bcaa9019f1a87b5217333e0608a1aa79ed84c2.dmy
1908	96d540b005a73f325946caf663bcaa9019f1a87b5217333e0608a1aa79ed84c2.dmy
1908	96d540b005a73f325946caf663bcaa9019f1a87b5217333e0608a1aa79ed84c2.dmy
1504	iexplore.exe
1504	iexplore.exe
1216	IEXPLORE.EXE
1216	IEXPLORE.EXE
1216	IEXPLORE.EXE
1216	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1112 wrote to memory of 1908	1112	96d540b005a73f325946caf663bcaa9019f1a87b5217333e0608a1aa79ed84c2.exe	28
PID 1112 wrote to memory of 1908	1112	96d540b005a73f325946caf663bcaa9019f1a87b5217333e0608a1aa79ed84c2.exe	28
PID 1112 wrote to memory of 1908	1112	96d540b005a73f325946caf663bcaa9019f1a87b5217333e0608a1aa79ed84c2.exe	28
PID 1112 wrote to memory of 1908	1112	96d540b005a73f325946caf663bcaa9019f1a87b5217333e0608a1aa79ed84c2.exe	28
PID 1908 wrote to memory of 1504	1908	96d540b005a73f325946caf663bcaa9019f1a87b5217333e0608a1aa79ed84c2.dmy	31
PID 1908 wrote to memory of 1504	1908	96d540b005a73f325946caf663bcaa9019f1a87b5217333e0608a1aa79ed84c2.dmy	31
PID 1908 wrote to memory of 1504	1908	96d540b005a73f325946caf663bcaa9019f1a87b5217333e0608a1aa79ed84c2.dmy	31
PID 1908 wrote to memory of 1504	1908	96d540b005a73f325946caf663bcaa9019f1a87b5217333e0608a1aa79ed84c2.dmy	31
PID 1504 wrote to memory of 1216	1504	iexplore.exe	32
PID 1504 wrote to memory of 1216	1504	iexplore.exe	32
PID 1504 wrote to memory of 1216	1504	iexplore.exe	32
PID 1504 wrote to memory of 1216	1504	iexplore.exe	32

C:\Users\Admin\AppData\Local\Temp\96d540b005a73f325946caf663bcaa9019f1a87b5217333e0608a1aa79ed84c2.exe
"C:\Users\Admin\AppData\Local\Temp\96d540b005a73f325946caf663bcaa9019f1a87b5217333e0608a1aa79ed84c2.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1112
- C:\Users\Admin\AppData\Local\Temp\96d540b005a73f325946caf663bcaa9019f1a87b5217333e0608a1aa79ed84c2.dmy
  C:\Users\Admin\AppData\Local\Temp\96d540b005a73f325946caf663bcaa9019f1a87b5217333e0608a1aa79ed84c2.dmy
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1908
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://www.tocabala.com/thread-250-1-1.html
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1504
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1504 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1216

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_34D61B4A2A4AE0D3DDAB879224BCA77B

Filesize
2KB

MD5
b34fcfd4bd3059952c10ff9b1e8f0bde

SHA1
68ee422bb74f0255a85b697d45f7bff3cdcf3c0c

SHA256
79589da398956346f56741a87045e117c240e8f1641a901f9163291a483a7973

SHA512
2cde60d891de4134a916f828b71b54956ef37c8aca503ffa363b4e80d5818472412db0f87cfdf654724f05be52b7db203e9c685844b3a1446459a8d556344185

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
60KB

MD5
d15aaa7c9be910a9898260767e2490e1

SHA1
2090c53f8d9fc3fbdbafd3a1e4dc25520eb74388

SHA256
f8ebaaf487cba0c81a17c8cd680bdd2dd8e90d2114ecc54844cffc0cc647848e

SHA512
7e1c1a683914b961b5cc2fe5e4ae288b60bab43bfaa21ce4972772aa0589615c19f57e672e1d93e50a7ed7b76fbd2f1b421089dcaed277120b93f8e91b18af94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
1KB

MD5
0698dbc93ba7b6bef73ba316695f8317

SHA1
a444078ff1eb7c88f52cb4e324365926b491ed47

SHA256
263292040d77903899257c1d21201dc64d6f8d6b5a1d945cd5b28d0124d7906c

SHA512
ebacaa7009aebb88199cd70fd0bb3afe69ed300318cb633edd1c0404e42aef829617f589bcbad6cb7ab4bd0a8ae87f7df1435c786184ecc5de61c8fc6950a900

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C5B1F6CF4A47750C9CA624A892D7823E

Filesize
728B

MD5
2c6d5d373c91fc4cb18958e7d1c8141c

SHA1
ca394947c161fde6f50edf2fc0792c9d9f00e58d

SHA256
8bcea716eff0b86bbe298894116497e6187e6f9da883a7b019341875be5d792b

SHA512
820b4d6986b4433d8daa2c62e71894d2144ed8c0c43d61fbbd360df11fc0b0ec6a93e0d82d6434f21467315b52ca326fed75c6e66d4be5d68465a2c478041686

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_34D61B4A2A4AE0D3DDAB879224BCA77B

Filesize
488B

MD5
ca5f872e3f811a57a0327ba91aef7ad1

SHA1
a02b016a8d3e7e0d638bfa7130649f4de9cd8a62

SHA256
87b97dae62424a61eee5ad9a6f7c80cbeca819e22c6b1fa6e6be67cd03fe2acb

SHA512
9b40c93a9e7a83492f7845580ac61c8815a65faf26f6470c2ecea9bb0529eac086dba303633e4cdca15c74e51861f6775f994de32e2742af36258479e29a74dd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ffac83a5acbbdf696935140e63eb2ba4

SHA1
ceba1f304273eba4da3e9cc6de54520912f7b215

SHA256
ffb482d2e90b9e16497a728942e521887ffdcebd1a83f683d3d1412bfd84daea

SHA512
51282ac401f5d02adf4b033ad3b35ae1969696f6fa4a865467bef366c6176b5d9df3ea844787c45cc569dc517c766a804a2f77c8d169f7b99fa0ac4e049b1021

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
63c60012689a6180b0e625ac5bfd39fd

SHA1
15d0221ce6501a4a53464e7207682a91f6c2e8c3

SHA256
aca95f9abec2c0bde29f65f45f8dbf389ccdb066ee8a47108d121e7d4317178d

SHA512
dc168b70022f406f383966035cefe9bd30ae2da238442f9961574e507d824916308781bc4504750927937744b4196fc75405c8c7def92c2b7590d47408d6f4ea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
482B

MD5
febbad7c4b1668b9b6d83bf208815df6

SHA1
9ddf893a58fa02c04a5a8b21a13c38e545777f56

SHA256
b4f2d288fb716320cae6090ed9bd5b8de8af7d0d435a2762909e3f4fab17181c

SHA512
d38be5a4b5cef940e957c4072ce9929c32942a2c7a8c78982266cff3118a2ca697a1489ac85c3398a304b253d9999280b188dad97c712f9a0b6502a28f6cd80d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C5B1F6CF4A47750C9CA624A892D7823E

Filesize
504B

MD5
8e2ace97c80903660c3949a742f83483

SHA1
8c1b2f1417611a20e36b5ffb2f1252bc1423fea9

SHA256
63c22954a88744c323f08138fa097cdfa97b52eaa0910e9557d7a97e65a0cb77

SHA512
8fc2ce93e1ce24c11f30c4074f1aeedef7efa2d9ebbdc95e50f0897dae24357888d75dba8240913e20ed34624288864936280b6887379c080e776518373e8cb8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\lwrmjt1\imagestore.dat

Filesize
7KB

MD5
ae19da20963109d739803f4fee40b3bc

SHA1
b6432212f9b9088a60bdf00c7913a188572e38a4

SHA256
1a15c3e367a955cde97aef76c0b966d09fe8abfdb732ef432e05c3f47b585150

SHA512
e425560861c89715d5dd9a0b50165a8c238dc1b2c614e8428f55a0a705236d1f4721e453ff8d89b2867d1d020e5a6e86e9ecf635ba83dacc0cd9842f432e31c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\96d540b005a73f325946caf663bcaa9019f1a87b5217333e0608a1aa79ed84c2.dmy

Filesize
662KB

MD5
d42a68673a0159cf44884e5f8d0dc0f3

SHA1
c673c7283f9590b57e4107f4092bb7d6bc3dbd84

SHA256
96d540b005a73f325946caf663bcaa9019f1a87b5217333e0608a1aa79ed84c2

SHA512
cacea8e9a16fc57d40aaa56f4951cd137e6300de50f03ffeacac259f92c3d10da68050d7b87b10af92e530d0788b748272a9e947b15123556494b6b7d29cb4e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\96d540b005a73f325946caf663bcaa9019f1a87b5217333e0608a1aa79ed84c2.dmy

Filesize
662KB

MD5
d42a68673a0159cf44884e5f8d0dc0f3

SHA1
c673c7283f9590b57e4107f4092bb7d6bc3dbd84

SHA256
96d540b005a73f325946caf663bcaa9019f1a87b5217333e0608a1aa79ed84c2

SHA512
cacea8e9a16fc57d40aaa56f4951cd137e6300de50f03ffeacac259f92c3d10da68050d7b87b10af92e530d0788b748272a9e947b15123556494b6b7d29cb4e2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\P5MLJRPS.txt

Filesize
295B

MD5
f079efb13cdf7fe10f0b26025cfb06d6

SHA1
594d342ed52034481d93d102ff5b70086b570ffb

SHA256
0c87228e356ce6cabf6ca1ba08f8f22a58688577fe66aa6362829095c8a93a79

SHA512
d786987cd04fc7efd6b11bfb4114a2335e35bb8951be112c339fe8dbe84bab679a8e849b2c0db1228b2103a5a56fc1043008c458e83673ab024edac1821ec77d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\YQYOHABO.txt

Filesize
598B

MD5
6ce519149f45ac24c61033c4a929ccc9

SHA1
ca08d03a7a6a7fbafd6059ebe1ec943298a3c37c

SHA256
256a02c68fffc762b82438f62fde3650696180d71912d0247d1d8df2ed2ca562

SHA512
d24f780949a3cb2b92b341801910a01e8768a67c3dc2cc904a684db01d6e021bbec80bf28b82edd083c3b77cb7c6a2ee549f012106af3796088c181e81578a99

Download Submit
\Users\Admin\AppData\Local\Temp\96d540b005a73f325946caf663bcaa9019f1a87b5217333e0608a1aa79ed84c2.dmy

Filesize
662KB

MD5
d42a68673a0159cf44884e5f8d0dc0f3

SHA1
c673c7283f9590b57e4107f4092bb7d6bc3dbd84

SHA256
96d540b005a73f325946caf663bcaa9019f1a87b5217333e0608a1aa79ed84c2

SHA512
cacea8e9a16fc57d40aaa56f4951cd137e6300de50f03ffeacac259f92c3d10da68050d7b87b10af92e530d0788b748272a9e947b15123556494b6b7d29cb4e2

Download Submit
\Users\Admin\AppData\Local\Temp\ziplib.dll

Filesize
453KB

MD5
6df0ed0afe162198116be68aba60e0c4

SHA1
bd0ca25ff4e495717be7345933aaa90755e5a6ca

SHA256
14172cccc2b24d7b490b6038c9493e64d5cab4afeee62014710dfad546eec9dc

SHA512
6696ec1e2261e44e1259609f74e95c205165048d94e581f44b09b87fc70e89b2eaeecd09b7de9cb9735dab0b9d90dd4ff7b5ac07e4b5bd8e5f502e71bbfdb757

Download Submit
memory/1112-60-0x0000000000400000-0x00000000005BC000-memory.dmp

Filesize
1.7MB

Download
memory/1112-54-0x0000000075B11000-0x0000000075B13000-memory.dmp

Filesize
8KB

Download
memory/1112-55-0x0000000000400000-0x00000000005BC000-memory.dmp

Filesize
1.7MB

Download
memory/1908-66-0x0000000000400000-0x00000000005BC000-memory.dmp

Filesize
1.7MB

Download
memory/1908-63-0x0000000004A50000-0x0000000004AC7000-memory.dmp

Filesize
476KB

Download
memory/1908-61-0x0000000000400000-0x00000000005BC000-memory.dmp

Filesize
1.7MB

Download