Analysis
max time kernel: 145s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-10-2022 06:46
Behavioral task: behavioral1
  Sample: 9cc2fced488e3aac830bc430763b16746631b32314a44a66cdfcc5be4ba91b12.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: 9cc2fced488e3aac830bc430763b16746631b32314a44a66cdfcc5be4ba91b12.exe
  Resource: win10v2004-20220812-en
General
Target: 9cc2fced488e3aac830bc430763b16746631b32314a44a66cdfcc5be4ba91b12.exe
Size: 5.9MB
MD5: 8c07d7d88f92b85c4d0c85cf391ca568
SHA1: 43be5440ff01b2f14b8a631ed75520d1825882d3
SHA256: 9cc2fced488e3aac830bc430763b16746631b32314a44a66cdfcc5be4ba91b12
SHA512: 05d68c246be2ff85172faaf926be4d727405b33610ca82fb7b44da752daf97396b8e72137e1bf8c7fc96000bcd33381ed2e965a02c592115ff9284859b7d3b9f
SSDEEP: 49152:848YhxAx/OoOlL2bZ9v4cCiOaNnjS64uyjyP8Ix+B2hQf6Bk562RJvanw:wYhW94lCKSNnjS6Y3Ix+hyKv
Malware Config
Signatures
- joker
  Joker is an Android malware that targets billing and SMS fraud.
- Loads dropped DLL (1 IoC)
  pid    Process
  4056   9cc2fced488e3aac830bc430763b16746631b32314a44a66cdfcc5be4ba91b12.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description    ioc    Process
  Key created    \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run    msedge.exe
- Drops file in Program Files directory (2 IoCs)
  description    ioc    Process
  File created    C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\b8eabc6b-65d3-43eb-b955-5a90cb5bb894.tmp    setup.exe
  File opened for modification    C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20221013084716.pma    setup.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description    ioc    Process
  Key value queried    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer    msedge.exe
  Key value queried    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName    msedge.exe
  Key opened    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS    msedge.exe
- Modifies registry class (1 IoC)
  description    ioc    Process
  Key created    \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\    msedge.exe
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  pid    Process
  1640   msedge.exe (listed twice)
  1320   msedge.exe (listed twice)
  5036   identity_helper.exe (listed twice)
  5604   msedge.exe (listed four times)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (4 IoCs)
  pid    Process
  1320   msedge.exe (listed four times)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description    pid    Process
  Token: 33    2652    AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege    2652    AUDIODG.EXE
- Suspicious use of FindShellTrayWindow (3 IoCs)
  pid    Process
  1320   msedge.exe (listed three times)
- Suspicious use of WriteProcessMemory (64 IoCs)
  description    pid    Process    procid_target
  PID 4056 wrote to memory of 1320    4056    9cc2fced488e3aac830bc430763b16746631b32314a44a66cdfcc5be4ba91b12.exe    87 (listed twice)
  PID 1320 wrote to memory of 4256    1320    msedge.exe    88 (listed twice)
  PID 1320 wrote to memory of 4472    1320    msedge.exe    92 (repeated)
  PID 1320 wrote to memory of 1640    1320    msedge.exe    93 (listed twice)
  PID 1320 wrote to memory of 3420    1320    msedge.exe    94 (repeated)
  The report repeats the 4472 and 3420 rows verbatim many times; together those two rows account for the remaining 58 of the 64 entries.
Processes
- C:\Users\Admin\AppData\Local\Temp\9cc2fced488e3aac830bc430763b16746631b32314a44a66cdfcc5be4ba91b12.exe (PID 4056)
  command line: "C:\Users\Admin\AppData\Local\Temp\9cc2fced488e3aac830bc430763b16746631b32314a44a66cdfcc5be4ba91b12.exe"
  signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1320)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://ossshiping123.oss-cn-hangzhou.aliyuncs.com/aaaa.mp4
    signatures: Adds Run key to start application; Enumerates system info in registry; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4256)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe366846f8,0x7ffe36684708,0x7ffe36684718
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4472)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1480,8034488843571542551,5204552335662712972,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:2
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1640)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1480,8034488843571542551,5204552335662712972,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3
      signatures: Suspicious behavior: EnumeratesProcesses
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3420)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1480,8034488843571542551,5204552335662712972,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2872 /prefetch:8
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2376)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1480,8034488843571542551,5204552335662712972,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3840 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4604)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1480,8034488843571542551,5204552335662712972,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3876 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1132)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1480,8034488843571542551,5204552335662712972,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5256 /prefetch:8
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 688)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1480,8034488843571542551,5204552335662712972,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5232 /prefetch:8
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1080)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1480,8034488843571542551,5204552335662712972,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1928)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1480,8034488843571542551,5204552335662712972,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 388)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1480,8034488843571542551,5204552335662712972,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5676 /prefetch:8
    - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 3204)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1480,8034488843571542551,5204552335662712972,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6168 /prefetch:8
    - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe (PID 4036)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
      signatures: Drops file in Program Files directory
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe (PID 4824)
        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff635fd5460,0x7ff635fd5470,0x7ff635fd5480
    - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 5036)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1480,8034488843571542551,5204552335662712972,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6168 /prefetch:8
      signatures: Suspicious behavior: EnumeratesProcesses
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5348)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1480,8034488843571542551,5204552335662712972,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5080 /prefetch:8
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5408)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1480,8034488843571542551,5204552335662712972,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6936 /prefetch:8
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5460)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1480,8034488843571542551,5204552335662712972,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6972 /prefetch:8
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5548)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1480,8034488843571542551,5204552335662712972,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6880 /prefetch:8
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5604)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1480,8034488843571542551,5204552335662712972,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6220 /prefetch:2
      signatures: Suspicious behavior: EnumeratesProcesses
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5712)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1480,8034488843571542551,5204552335662712972,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1968 /prefetch:8
- C:\Windows\System32\CompPkgSrv.exe (PID 4596)
  command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\system32\AUDIODG.EXE (PID 2652)
  command line: C:\Windows\system32\AUDIODG.EXE 0x2e8 0x2ec
  signatures: Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 5.9MB
MD5: 7422f1cba901c10e936badb5e5f90e2e
SHA1: 3d61fd41c9dece546e7912a8645f9ef3b0b99ae8
SHA256: 235018968d33557a791dfca6a0433e5750dfe220cbc07906aa0c7e9facced6be
SHA512: 3cee6835e863a7d451dd368cac434afd8b6cd93454f9cdde56919dc9a243e999e01bf345eff57b8a5d1e545b876c12b9f13cd7ea40a9ebd9a4fe4c205099fecf