joker | 6c0d975b4cf537783d5e146d0046be48fc2858c4535645547e7ac7e472e98091

Analysis

max time kernel
144s
max time network
145s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
18-10-2022 23:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6c0d975b4cf537783d5e146d0046be48fc2858c4535645547e7ac7e472e98091.exe
Size

129KB
MD5

9ae1ad04a9594aa569f1f98f763afe80
SHA1

e8cb98b4c964903028d246fd39de4d3aee2050e2
SHA256

6c0d975b4cf537783d5e146d0046be48fc2858c4535645547e7ac7e472e98091
SHA512

363b92efb34ebfe85a0d018bf9f8d4d3bc604693d013a9c60f2acdeddab043a9d952477fc721c795df8a79df0799bdafae498bead37a5cdcedfb2c435f3b6308
SSDEEP

3072:k1i/NU8bOMYcYYcmy51VRgiFCpCIXUWOLTsEsigcL3P6xxc1gs5YmMOMYcYY51i/:Ci/NjO5xbg/CSUFLTwMjs6y3Oai/NDt

Score

10^/10

joker infostealer persistence trojan

Malware Config

Signatures

joker
Joker is an Android malware that targets billing and SMS fraud.
infostealer trojan joker

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5}\StubPath = "C:\\system.exe"	6c0d975b4cf537783d5e146d0046be48fc2858c4535645547e7ac7e472e98091.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5}	6c0d975b4cf537783d5e146d0046be48fc2858c4535645547e7ac7e472e98091.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\ie.bat	6c0d975b4cf537783d5e146d0046be48fc2858c4535645547e7ac7e472e98091.exe
File created	C:\WINDOWS\SysWOW64\qx.bat	6c0d975b4cf537783d5e146d0046be48fc2858c4535645547e7ac7e472e98091.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\windows.exe	6c0d975b4cf537783d5e146d0046be48fc2858c4535645547e7ac7e472e98091.exe
File opened for modification	C:\WINDOWS\windows.exe	6c0d975b4cf537783d5e146d0046be48fc2858c4535645547e7ac7e472e98091.exe
File opened for modification	C:\WINDOWS\windows.exe	attrib.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 55 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Factor = "20"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048ca5449a4d21846ba8a995ea0abd35a00000000020000000000106600000001000020000000efdf788caf3418c83f668c478de8d1c8411bc31ce450dbde02a4d02b872f7364000000000e80000000020000200000003b3934bcb7d27a1afa6cb15fed80bbe966039018735c7f5462d08a2583289d2290000000d17a7906a7b44d599015f11e19f65180d3e7af13bbe8772c990ea55bf205074de96212b4d82c429e84898b55496279a38e54000d44f3ea5dea2a30ed9273d1f7558888dfb73aa7cac6fe240f3dce612e467b2f9f337418677e12fa29f2ad76eddd01076c3dbbc7add51c8f193d6f3e91fbe0534f28805752b32930a771cbd3ceb3d7b34393f7ad33cd20939feddc9d93400000005441e80d3dd1ce295757684b10e952ed163d3ea0cb6ae8aa9d16064e8bf4fcb3a40f8999335d576693b42dfe1e05d09e1c40a754c1d8355708f006988f1cf4fd	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\154.203.173.142\Total = "63"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\ymtuku.com\Total = "63"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.ymtuku.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	6c0d975b4cf537783d5e146d0046be48fc2858c4535645547e7ac7e472e98091.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\International\CpMRU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.ymtuku.com\ = "63"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\ymtuku.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\154.203.173.142\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "126"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\154.203.173.142	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048ca5449a4d21846ba8a995ea0abd35a00000000020000000000106600000001000020000000b8cb7f01fdf7a50b8f6b76059e39785738dffbfbb1f4809c119284b4a9ec1214000000000e800000000200002000000012b58005aac7abf8c7d965f59c444e2208f5f202d6af8f2d927f683727bbc4f82000000054de4aa79bda9f9322e85fbc112b756ab789d6159f02f7d874038567e043be7840000000c3fa9468d8496f46c2cdfc53633952df41058baf0b8157c3692277d3f23a173ce83f0410ecbcefa753df4329234392132ef8d153f10819d9c719fdf86aff7316	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "372899584"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\ymtuku.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\154.203.173.142\ = "63"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0a440e346e3d801	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{026ED9B1-4F3A-11ED-BAA3-DE6E3020A1A7} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Enable = "1"	IEXPLORE.EXE

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://dhku.com"	6c0d975b4cf537783d5e146d0046be48fc2858c4535645547e7ac7e472e98091.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1168	6c0d975b4cf537783d5e146d0046be48fc2858c4535645547e7ac7e472e98091.exe
1168	6c0d975b4cf537783d5e146d0046be48fc2858c4535645547e7ac7e472e98091.exe
1168	6c0d975b4cf537783d5e146d0046be48fc2858c4535645547e7ac7e472e98091.exe
1168	6c0d975b4cf537783d5e146d0046be48fc2858c4535645547e7ac7e472e98091.exe
1168	6c0d975b4cf537783d5e146d0046be48fc2858c4535645547e7ac7e472e98091.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
952	iexplore.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1168	6c0d975b4cf537783d5e146d0046be48fc2858c4535645547e7ac7e472e98091.exe
952	iexplore.exe
952	iexplore.exe
640	IEXPLORE.EXE
640	IEXPLORE.EXE
640	IEXPLORE.EXE
640	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1168 wrote to memory of 952	1168	6c0d975b4cf537783d5e146d0046be48fc2858c4535645547e7ac7e472e98091.exe	27
PID 1168 wrote to memory of 952	1168	6c0d975b4cf537783d5e146d0046be48fc2858c4535645547e7ac7e472e98091.exe	27
PID 1168 wrote to memory of 952	1168	6c0d975b4cf537783d5e146d0046be48fc2858c4535645547e7ac7e472e98091.exe	27
PID 1168 wrote to memory of 952	1168	6c0d975b4cf537783d5e146d0046be48fc2858c4535645547e7ac7e472e98091.exe	27
PID 952 wrote to memory of 640	952	iexplore.exe	29
PID 952 wrote to memory of 640	952	iexplore.exe	29
PID 952 wrote to memory of 640	952	iexplore.exe	29
PID 952 wrote to memory of 640	952	iexplore.exe	29
PID 1168 wrote to memory of 1680	1168	6c0d975b4cf537783d5e146d0046be48fc2858c4535645547e7ac7e472e98091.exe	30
PID 1168 wrote to memory of 1680	1168	6c0d975b4cf537783d5e146d0046be48fc2858c4535645547e7ac7e472e98091.exe	30
PID 1168 wrote to memory of 1680	1168	6c0d975b4cf537783d5e146d0046be48fc2858c4535645547e7ac7e472e98091.exe	30
PID 1168 wrote to memory of 1680	1168	6c0d975b4cf537783d5e146d0046be48fc2858c4535645547e7ac7e472e98091.exe	30
PID 1680 wrote to memory of 1808	1680	cmd.exe	32
PID 1680 wrote to memory of 1808	1680	cmd.exe	32
PID 1680 wrote to memory of 1808	1680	cmd.exe	32
PID 1680 wrote to memory of 1808	1680	cmd.exe	32
PID 1168 wrote to memory of 1876	1168	6c0d975b4cf537783d5e146d0046be48fc2858c4535645547e7ac7e472e98091.exe	33
PID 1168 wrote to memory of 1876	1168	6c0d975b4cf537783d5e146d0046be48fc2858c4535645547e7ac7e472e98091.exe	33
PID 1168 wrote to memory of 1876	1168	6c0d975b4cf537783d5e146d0046be48fc2858c4535645547e7ac7e472e98091.exe	33
PID 1168 wrote to memory of 1876	1168	6c0d975b4cf537783d5e146d0046be48fc2858c4535645547e7ac7e472e98091.exe	33
PID 1876 wrote to memory of 840	1876	cmd.exe	35
PID 1876 wrote to memory of 840	1876	cmd.exe	35
PID 1876 wrote to memory of 840	1876	cmd.exe	35
PID 1876 wrote to memory of 840	1876	cmd.exe	35
PID 1168 wrote to memory of 2024	1168	6c0d975b4cf537783d5e146d0046be48fc2858c4535645547e7ac7e472e98091.exe	36
PID 1168 wrote to memory of 2024	1168	6c0d975b4cf537783d5e146d0046be48fc2858c4535645547e7ac7e472e98091.exe	36
PID 1168 wrote to memory of 2024	1168	6c0d975b4cf537783d5e146d0046be48fc2858c4535645547e7ac7e472e98091.exe	36
PID 1168 wrote to memory of 2024	1168	6c0d975b4cf537783d5e146d0046be48fc2858c4535645547e7ac7e472e98091.exe	36
PID 2024 wrote to memory of 1768	2024	cmd.exe	38
PID 2024 wrote to memory of 1768	2024	cmd.exe	38
PID 2024 wrote to memory of 1768	2024	cmd.exe	38
PID 2024 wrote to memory of 1768	2024	cmd.exe	38
PID 1168 wrote to memory of 1896	1168	6c0d975b4cf537783d5e146d0046be48fc2858c4535645547e7ac7e472e98091.exe	39
PID 1168 wrote to memory of 1896	1168	6c0d975b4cf537783d5e146d0046be48fc2858c4535645547e7ac7e472e98091.exe	39
PID 1168 wrote to memory of 1896	1168	6c0d975b4cf537783d5e146d0046be48fc2858c4535645547e7ac7e472e98091.exe	39
PID 1168 wrote to memory of 1896	1168	6c0d975b4cf537783d5e146d0046be48fc2858c4535645547e7ac7e472e98091.exe	39
PID 1896 wrote to memory of 1916	1896	cmd.exe	41
PID 1896 wrote to memory of 1916	1896	cmd.exe	41
PID 1896 wrote to memory of 1916	1896	cmd.exe	41
PID 1896 wrote to memory of 1916	1896	cmd.exe	41
PID 1168 wrote to memory of 1928	1168	6c0d975b4cf537783d5e146d0046be48fc2858c4535645547e7ac7e472e98091.exe	42
PID 1168 wrote to memory of 1928	1168	6c0d975b4cf537783d5e146d0046be48fc2858c4535645547e7ac7e472e98091.exe	42
PID 1168 wrote to memory of 1928	1168	6c0d975b4cf537783d5e146d0046be48fc2858c4535645547e7ac7e472e98091.exe	42
PID 1168 wrote to memory of 1928	1168	6c0d975b4cf537783d5e146d0046be48fc2858c4535645547e7ac7e472e98091.exe	42
PID 1928 wrote to memory of 1904	1928	cmd.exe	44
PID 1928 wrote to memory of 1904	1928	cmd.exe	44
PID 1928 wrote to memory of 1904	1928	cmd.exe	44
PID 1928 wrote to memory of 1904	1928	cmd.exe	44
PID 1168 wrote to memory of 1212	1168	6c0d975b4cf537783d5e146d0046be48fc2858c4535645547e7ac7e472e98091.exe	45
PID 1168 wrote to memory of 1212	1168	6c0d975b4cf537783d5e146d0046be48fc2858c4535645547e7ac7e472e98091.exe	45
PID 1168 wrote to memory of 1212	1168	6c0d975b4cf537783d5e146d0046be48fc2858c4535645547e7ac7e472e98091.exe	45
PID 1168 wrote to memory of 1212	1168	6c0d975b4cf537783d5e146d0046be48fc2858c4535645547e7ac7e472e98091.exe	45
PID 1212 wrote to memory of 1368	1212	cmd.exe	47
PID 1212 wrote to memory of 1368	1212	cmd.exe	47
PID 1212 wrote to memory of 1368	1212	cmd.exe	47
PID 1212 wrote to memory of 1368	1212	cmd.exe	47
PID 1168 wrote to memory of 1720	1168	6c0d975b4cf537783d5e146d0046be48fc2858c4535645547e7ac7e472e98091.exe	48
PID 1168 wrote to memory of 1720	1168	6c0d975b4cf537783d5e146d0046be48fc2858c4535645547e7ac7e472e98091.exe	48
PID 1168 wrote to memory of 1720	1168	6c0d975b4cf537783d5e146d0046be48fc2858c4535645547e7ac7e472e98091.exe	48
PID 1168 wrote to memory of 1720	1168	6c0d975b4cf537783d5e146d0046be48fc2858c4535645547e7ac7e472e98091.exe	48
PID 1720 wrote to memory of 1348	1720	cmd.exe	50
PID 1720 wrote to memory of 1348	1720	cmd.exe	50
PID 1720 wrote to memory of 1348	1720	cmd.exe	50
PID 1720 wrote to memory of 1348	1720	cmd.exe	50

Views/modifies file attributes 1 TTPs 7 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1808	attrib.exe
840	attrib.exe
1768	attrib.exe
1916	attrib.exe
1904	attrib.exe
1368	attrib.exe
1348	attrib.exe

C:\Users\Admin\AppData\Local\Temp\6c0d975b4cf537783d5e146d0046be48fc2858c4535645547e7ac7e472e98091.exe
"C:\Users\Admin\AppData\Local\Temp\6c0d975b4cf537783d5e146d0046be48fc2858c4535645547e7ac7e472e98091.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1168
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.ymtuku.com/xg/?tan
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:952
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:952 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:640
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1680
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
    3⤵
    - Views/modifies file attributes
    PID:1808
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1876
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
    3⤵
    - Views/modifies file attributes
    PID:840
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
    3⤵
    - Views/modifies file attributes
    PID:1768
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1896
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
    3⤵
    - Views/modifies file attributes
    PID:1916
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1928
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
    3⤵
    - Views/modifies file attributes
    PID:1904
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +h "C:\WINDOWS\windows.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1212
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\WINDOWS\windows.exe"
    3⤵
    - Drops file in Windows directory
    - Views/modifies file attributes
    PID:1368
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +h "c:\system.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1720
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "c:\system.exe"
    3⤵
    - Views/modifies file attributes
    PID:1348

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
60KB

MD5
d15aaa7c9be910a9898260767e2490e1

SHA1
2090c53f8d9fc3fbdbafd3a1e4dc25520eb74388

SHA256
f8ebaaf487cba0c81a17c8cd680bdd2dd8e90d2114ecc54844cffc0cc647848e

SHA512
7e1c1a683914b961b5cc2fe5e4ae288b60bab43bfaa21ce4972772aa0589615c19f57e672e1d93e50a7ed7b76fbd2f1b421089dcaed277120b93f8e91b18af94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
28eeb32075aca8a3878f9e890f729e6c

SHA1
bff915bff5aaab402f35b974f7e43714c883cdb8

SHA256
17a9537dcbf50c47d60734c6b6c7500781367350e7f9ca1ba66139d5a6a8757c

SHA512
ea252ae1adca3889155e42a9f769543a61ed2fe7836345c03a43e52fdf361979bf5a54539ac42ecd1592f4677b4adc6ddadc4d6697b8b797ab3d3705c5f9e3a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\309axvf\imagestore.dat

Filesize
5KB

MD5
fe67ac06d83881792997ed39af0890ae

SHA1
96b7bb8810aff9969927c93e0b13c8ec37906441

SHA256
2a3a996d00158d03017d1d11ce99cb71a18056ea34ce6a6c15af3835497f0c88

SHA512
5f7472a1c8593cf6b6d1fbc3c8fcb07f4f1e0106fb3729e55bd07208c8df4e67bb7069170e7652f1517fde1583b525f537f0be59e4f7f25ef80ee5bd6ced3c04

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\YYCGVV7A.txt

Filesize
608B

MD5
661a13c2562ec7ed628fb4fe752af04d

SHA1
799d7c46bde72cb6a32f40da25ca1af01a09e1a4

SHA256
7e9f3d497199787b87c0ca20e228afb64fd8f34e4a599caab94fa36f914cfd1c

SHA512
5d9286ef76ca8171f65848f78422623db6510e59d7f5c22739b66cd7f2344c36e520468c487483f55d0eca3552ea94102f7573200dbc0bdd7b239a7ba6c0f482

Download Submit
C:\WINDOWS\windows.exe

Filesize
129KB

MD5
b4e7f98512dba31b62637150bb4650ef

SHA1
3590fe66729b89b38b7256f39324cc886f3eb17b

SHA256
e5a05d98c6880725fa82157376ed7aa9250f3a2f49bd60e5a188b07ff1b33e51

SHA512
477fae682fd1fe012616bc6bca6c28466c24bd308545241ebc8a6e003ca7c05806ba62cee122b7aec12bb0d0a1d88498da7ef64ca0c5e898a55f99545ecbbe7a

Download Submit
C:\system.exe

Filesize
129KB

MD5
de4ff326df0a2184001d159a2f787301

SHA1
b6af2bcfd2f9000be9fe82ec2996ab544cb73789

SHA256
6533c4f47f7872667fb873f6e49c11633964fd424882ed1940db0f4efd39d5ed

SHA512
3f51453441b16c088d7a4322515e9cadfe9b8880c1d85bb89c5192472407bd15d260d610cd040a0be952d8a41739738f9d3f1ffc88839ec473cc768b73425037

Download Submit
memory/1168-56-0x00000000760E1000-0x00000000760E3000-memory.dmp

Filesize
8KB

Download