joker | 6c0d975b4cf537783d5e146d0046be48fc2858c4535645547e7ac7e472e98091

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
18-10-2022 23:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6c0d975b4cf537783d5e146d0046be48fc2858c4535645547e7ac7e472e98091.exe
Size

129KB
MD5

9ae1ad04a9594aa569f1f98f763afe80
SHA1

e8cb98b4c964903028d246fd39de4d3aee2050e2
SHA256

6c0d975b4cf537783d5e146d0046be48fc2858c4535645547e7ac7e472e98091
SHA512

363b92efb34ebfe85a0d018bf9f8d4d3bc604693d013a9c60f2acdeddab043a9d952477fc721c795df8a79df0799bdafae498bead37a5cdcedfb2c435f3b6308
SSDEEP

3072:k1i/NU8bOMYcYYcmy51VRgiFCpCIXUWOLTsEsigcL3P6xxc1gs5YmMOMYcYY51i/:Ci/NjO5xbg/CSUFLTwMjs6y3Oai/NDt

Score

10^/10

joker infostealer persistence trojan

Malware Config

Signatures

joker
Joker is an Android malware that targets billing and SMS fraud.
infostealer trojan joker

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5}	6c0d975b4cf537783d5e146d0046be48fc2858c4535645547e7ac7e472e98091.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5}\StubPath = "C:\\system.exe"	6c0d975b4cf537783d5e146d0046be48fc2858c4535645547e7ac7e472e98091.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	6c0d975b4cf537783d5e146d0046be48fc2858c4535645547e7ac7e472e98091.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\qx.bat	6c0d975b4cf537783d5e146d0046be48fc2858c4535645547e7ac7e472e98091.exe
File created	C:\WINDOWS\SysWOW64\ie.bat	6c0d975b4cf537783d5e146d0046be48fc2858c4535645547e7ac7e472e98091.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\windows.exe	6c0d975b4cf537783d5e146d0046be48fc2858c4535645547e7ac7e472e98091.exe
File opened for modification	C:\WINDOWS\windows.exe	6c0d975b4cf537783d5e146d0046be48fc2858c4535645547e7ac7e472e98091.exe
File opened for modification	C:\WINDOWS\windows.exe	attrib.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 59 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\ymtuku.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2608829491"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main	6c0d975b4cf537783d5e146d0046be48fc2858c4535645547e7ac7e472e98091.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30991191"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\International\CpMRU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\ymtuku.com\Total = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2608829491"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2645549618"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30991191"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\DOMStorage\ymtuku.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.ymtuku.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000883ed98174fc174d8e18111dae0d9120000000000200000000001066000000010000200000002614c9ae4d7d422c2f9ce344a1b2b77e2fa26435c7474fe7ec9e9fa10a96c6ac000000000e80000000020000200000007f656a31d66b2661b0edbc4accb425940f105bbac9af990e544eecea876c328e20000000ca9aee5856c25cf4845054dcae96047d4fb41b0b36ded9bcd48ebc34e07fd6d740000000dc9e2adff41dd05c56ea3dab9bd2b97667c7d7149713ee9c47a7231d3d10817c4365c50b3ac035d122e26956878b57d79d9b01a28e65fac8a22c558c295ea4c3	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\154.203.173.142\Total = "63"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90e89da157e3d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{C6D0E483-4F4A-11ED-AECB-FA09CB65A760} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Enable = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.ymtuku.com\ = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\154.203.173.142\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30991191"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\ymtuku.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0908fa157e3d801	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "372906788"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Factor = "20"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\DOMStorage\154.203.173.142	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "63"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000883ed98174fc174d8e18111dae0d912000000000020000000000106600000001000020000000f900b06f38fff3bc274a71eca625acc39e05f3bb92157ffdbeac175616f2a4cd000000000e800000000200002000000068cc2abb7ddfee6ffa38bdb509a986277a9a80c3b2e3b5a338f279df0d10e70920000000dd5b76d05bc0899cf4dec372b6b53024a9def3bbf93162116e2f08cb66a1550c4000000031b3e4675d283f173fcd105b6fc8892f8ce150be533cd4a48f5ea0b01487dc7e24d4c505506c19d1b6383c70cec56392c184352809d9a0ad8b00df113d1e0bd2	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "126"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\154.203.173.142\ = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://dhku.com"	6c0d975b4cf537783d5e146d0046be48fc2858c4535645547e7ac7e472e98091.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1512	6c0d975b4cf537783d5e146d0046be48fc2858c4535645547e7ac7e472e98091.exe
1512	6c0d975b4cf537783d5e146d0046be48fc2858c4535645547e7ac7e472e98091.exe
1512	6c0d975b4cf537783d5e146d0046be48fc2858c4535645547e7ac7e472e98091.exe
1512	6c0d975b4cf537783d5e146d0046be48fc2858c4535645547e7ac7e472e98091.exe
1512	6c0d975b4cf537783d5e146d0046be48fc2858c4535645547e7ac7e472e98091.exe
1512	6c0d975b4cf537783d5e146d0046be48fc2858c4535645547e7ac7e472e98091.exe
1512	6c0d975b4cf537783d5e146d0046be48fc2858c4535645547e7ac7e472e98091.exe
1512	6c0d975b4cf537783d5e146d0046be48fc2858c4535645547e7ac7e472e98091.exe
1512	6c0d975b4cf537783d5e146d0046be48fc2858c4535645547e7ac7e472e98091.exe
1512	6c0d975b4cf537783d5e146d0046be48fc2858c4535645547e7ac7e472e98091.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4288	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4288	iexplore.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1512	6c0d975b4cf537783d5e146d0046be48fc2858c4535645547e7ac7e472e98091.exe
4288	iexplore.exe
4288	iexplore.exe
3224	IEXPLORE.EXE
3224	IEXPLORE.EXE
3224	IEXPLORE.EXE
3224	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 47 IoCs

description	pid	Process	procid_target
PID 1512 wrote to memory of 4288	1512	6c0d975b4cf537783d5e146d0046be48fc2858c4535645547e7ac7e472e98091.exe	80
PID 1512 wrote to memory of 4288	1512	6c0d975b4cf537783d5e146d0046be48fc2858c4535645547e7ac7e472e98091.exe	80
PID 4288 wrote to memory of 3224	4288	iexplore.exe	81
PID 4288 wrote to memory of 3224	4288	iexplore.exe	81
PID 4288 wrote to memory of 3224	4288	iexplore.exe	81
PID 1512 wrote to memory of 5016	1512	6c0d975b4cf537783d5e146d0046be48fc2858c4535645547e7ac7e472e98091.exe	82
PID 1512 wrote to memory of 5016	1512	6c0d975b4cf537783d5e146d0046be48fc2858c4535645547e7ac7e472e98091.exe	82
PID 1512 wrote to memory of 5016	1512	6c0d975b4cf537783d5e146d0046be48fc2858c4535645547e7ac7e472e98091.exe	82
PID 5016 wrote to memory of 4352	5016	cmd.exe	84
PID 5016 wrote to memory of 4352	5016	cmd.exe	84
PID 5016 wrote to memory of 4352	5016	cmd.exe	84
PID 1512 wrote to memory of 4340	1512	6c0d975b4cf537783d5e146d0046be48fc2858c4535645547e7ac7e472e98091.exe	85
PID 1512 wrote to memory of 4340	1512	6c0d975b4cf537783d5e146d0046be48fc2858c4535645547e7ac7e472e98091.exe	85
PID 1512 wrote to memory of 4340	1512	6c0d975b4cf537783d5e146d0046be48fc2858c4535645547e7ac7e472e98091.exe	85
PID 4340 wrote to memory of 1848	4340	cmd.exe	87
PID 4340 wrote to memory of 1848	4340	cmd.exe	87
PID 4340 wrote to memory of 1848	4340	cmd.exe	87
PID 1512 wrote to memory of 1548	1512	6c0d975b4cf537783d5e146d0046be48fc2858c4535645547e7ac7e472e98091.exe	88
PID 1512 wrote to memory of 1548	1512	6c0d975b4cf537783d5e146d0046be48fc2858c4535645547e7ac7e472e98091.exe	88
PID 1512 wrote to memory of 1548	1512	6c0d975b4cf537783d5e146d0046be48fc2858c4535645547e7ac7e472e98091.exe	88
PID 1548 wrote to memory of 860	1548	cmd.exe	90
PID 1548 wrote to memory of 860	1548	cmd.exe	90
PID 1548 wrote to memory of 860	1548	cmd.exe	90
PID 1512 wrote to memory of 1976	1512	6c0d975b4cf537783d5e146d0046be48fc2858c4535645547e7ac7e472e98091.exe	91
PID 1512 wrote to memory of 1976	1512	6c0d975b4cf537783d5e146d0046be48fc2858c4535645547e7ac7e472e98091.exe	91
PID 1512 wrote to memory of 1976	1512	6c0d975b4cf537783d5e146d0046be48fc2858c4535645547e7ac7e472e98091.exe	91
PID 1976 wrote to memory of 3592	1976	cmd.exe	93
PID 1976 wrote to memory of 3592	1976	cmd.exe	93
PID 1976 wrote to memory of 3592	1976	cmd.exe	93
PID 1512 wrote to memory of 4792	1512	6c0d975b4cf537783d5e146d0046be48fc2858c4535645547e7ac7e472e98091.exe	94
PID 1512 wrote to memory of 4792	1512	6c0d975b4cf537783d5e146d0046be48fc2858c4535645547e7ac7e472e98091.exe	94
PID 1512 wrote to memory of 4792	1512	6c0d975b4cf537783d5e146d0046be48fc2858c4535645547e7ac7e472e98091.exe	94
PID 4792 wrote to memory of 4748	4792	cmd.exe	96
PID 4792 wrote to memory of 4748	4792	cmd.exe	96
PID 4792 wrote to memory of 4748	4792	cmd.exe	96
PID 1512 wrote to memory of 5092	1512	6c0d975b4cf537783d5e146d0046be48fc2858c4535645547e7ac7e472e98091.exe	97
PID 1512 wrote to memory of 5092	1512	6c0d975b4cf537783d5e146d0046be48fc2858c4535645547e7ac7e472e98091.exe	97
PID 1512 wrote to memory of 5092	1512	6c0d975b4cf537783d5e146d0046be48fc2858c4535645547e7ac7e472e98091.exe	97
PID 5092 wrote to memory of 3416	5092	cmd.exe	99
PID 5092 wrote to memory of 3416	5092	cmd.exe	99
PID 5092 wrote to memory of 3416	5092	cmd.exe	99
PID 1512 wrote to memory of 4956	1512	6c0d975b4cf537783d5e146d0046be48fc2858c4535645547e7ac7e472e98091.exe	100
PID 1512 wrote to memory of 4956	1512	6c0d975b4cf537783d5e146d0046be48fc2858c4535645547e7ac7e472e98091.exe	100
PID 1512 wrote to memory of 4956	1512	6c0d975b4cf537783d5e146d0046be48fc2858c4535645547e7ac7e472e98091.exe	100
PID 4956 wrote to memory of 2644	4956	cmd.exe	102
PID 4956 wrote to memory of 2644	4956	cmd.exe	102
PID 4956 wrote to memory of 2644	4956	cmd.exe	102

Views/modifies file attributes 1 TTPs 7 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
4352	attrib.exe
1848	attrib.exe
860	attrib.exe
3592	attrib.exe
4748	attrib.exe
3416	attrib.exe
2644	attrib.exe

C:\Users\Admin\AppData\Local\Temp\6c0d975b4cf537783d5e146d0046be48fc2858c4535645547e7ac7e472e98091.exe
"C:\Users\Admin\AppData\Local\Temp\6c0d975b4cf537783d5e146d0046be48fc2858c4535645547e7ac7e472e98091.exe"
1⤵
- Modifies Installed Components in the registry
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1512
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.ymtuku.com/xg/?tan
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4288
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4288 CREDAT:17410 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:3224
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5016
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
    3⤵
    - Views/modifies file attributes
    PID:4352
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4340
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
    3⤵
    - Views/modifies file attributes
    PID:1848
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1548
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
    3⤵
    - Views/modifies file attributes
    PID:860
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1976
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
    3⤵
    - Views/modifies file attributes
    PID:3592
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4792
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
    3⤵
    - Views/modifies file attributes
    PID:4748
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +h "C:\WINDOWS\windows.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5092
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\WINDOWS\windows.exe"
    3⤵
    - Drops file in Windows directory
    - Views/modifies file attributes
    PID:3416
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +h "c:\system.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4956
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "c:\system.exe"
    3⤵
    - Views/modifies file attributes
    PID:2644

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
460fe13d503bfbb113c3ecee607f5a31

SHA1
52df07ae073bae09b9093fe2c60ccbe7e8dc47cd

SHA256
dfd7a4b3a98874808e3623cf75216dacd47b4389916e0faad7e0ed289743ce0b

SHA512
383f29a13884ec9268eaba1ee47bb73243ec7f4eabdaacaa77bdb2de2b0cde5f000b7ea527179c75cfa30666a06a9333268e06b4cfbef91f4d2b82c119818d23

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
434B

MD5
0d031ce34eda04f2a30fbd42937a9de5

SHA1
0a806a36612af1f65d6e7fb5b249c28407541991

SHA256
0548d9ab364c79068658e02bc6137bdb8fa1628846bd8ef71007d4561f298efd

SHA512
b43d61e99d763c7401b7eb55e79d61ffc151ae5a81b2bec244441cade77344767854a83f873ca54f68493e087670795d8541bfa0d0e6fb4b597ebaea3dfe5372

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\z2evvp3\imagestore.dat

Filesize
1KB

MD5
4ac6a91eb29b66b38823fed0418b3066

SHA1
9e1dc6f1a54dff67cb3c95dd92c8cda14621d2a7

SHA256
3f0c1af79b2d4ac5f5a91c920052f0b8d792257063b2d6961c809671d90f38ac

SHA512
69a456df228598d757b9e2365217f8425f36b8a78127bcef472a47d9168dd49eb7b9b6ce4ade026e724089eb91486679cae8af202e05202c5b518c5a149d4211

Download Submit
C:\WINDOWS\windows.exe

Filesize
129KB

MD5
95311eee61722a51a9ade95c7a562bb0

SHA1
38c2509c3da0a0590235dc742acf5cc6df7d5a41

SHA256
c4631712837ae9c47c817fce4e55260f660c2f71e330b9da47c1b7d264b18c94

SHA512
1e4750961a2b9eece892aeb0adea99e72123264c8707a3dfd2447414189b2a99ae8e8b7ddc2b8f0c62fbd9aa51a15d1c29a9fe50bde64deed5ebf4cd31ae1537

Download Submit
C:\system.exe

Filesize
129KB

MD5
dc6abd24888345c47f9e7e04b2b695e8

SHA1
120ef5b1562bcd5d14666e45d5b33d075b117656

SHA256
f226cd465163410ddab3980b8ff1053035858c3a7df717878b4e972afecf0631

SHA512
bede3d4b5dd2328248cf77a0b85886976d92097298200234c9486a75b3ff6569d0302861601749a417324b8c326b4e136890a98e5f922867580f8d7c93012746

Download Submit