joker | 7997a273dfec79d0db8c47b9a1c4e1e30c8eb341e2dfe12147e9145f0f5f8dd5

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
19-10-2022 12:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7997a273dfec79d0db8c47b9a1c4e1e30c8eb341e2dfe12147e9145f0f5f8dd5.exe
Size

96KB
MD5

a18fc4fd364633a455ea3e50b0efb305
SHA1

899964b9c3566239ba8f822bfe597cbc3121f586
SHA256

7997a273dfec79d0db8c47b9a1c4e1e30c8eb341e2dfe12147e9145f0f5f8dd5
SHA512

494ed7bd6118f6f0cb8d7f8351f94ccbadd1e7287a0b936ed2d5e39b3f8613cf7c0f43de3f4fdf7ead1aba3da45b02ee5c1149e58a4ca97bbd408267c951b5c8
SSDEEP

768:ty837t4FkXJREBku3/nK5xa/24/ki8qkM7B1YlhrIWYHLxqu+TPW1Kljl9nnyQOc:l4PSuPKTBZrO/A5Qr+TOn+eWQ8qM+m

Score

10^/10

joker evasion infostealer persistence trojan

Malware Config

Signatures

joker
Joker is an Android malware that targets billing and SMS fraud.
infostealer trojan joker

Executes dropped EXE 1 IoCs

pid	Process
1524	inlE32E.tmp

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1158

pid	Process
956	attrib.exe
4328	attrib.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	7997a273dfec79d0db8c47b9a1c4e1e30c8eb341e2dfe12147e9145f0f5f8dd5.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\fsahdsf = "\"C:\\Users\\Admin\\AppData\\Roaming\\lua\\tmp.\\a.{D71C5380-D2A0-CD69-E3EE-E1002B3A309E}\" hh.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
4244	tasklist.exe

Modifies Internet Explorer settings 1 TTPs 59 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30991302"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3913242578"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\cnkankan.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.henniu2222.site\ = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3913242578"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0f77cf4c6e3d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3912461700"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.cnkankan.com\ = "126"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\International\CpMRU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\cnkankan.com\Total = "126"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Factor = "20"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DOMStorage\henniu2222.site	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "126"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e2728ad8693e804caf0ad2c227b14216000000000200000000001066000000010000200000008fda60259d8e654c956eab881387d190b9b92a2dca1a80ae1f4d89127fb11f32000000000e800000000200002000000068ced194249b7c60cd63147bebe7faf7f7d112c10c2993f886eeec11a44110a7200000003320dfdec94ce44c9ed44d5de4e73c3876ef76a7b8b92e328f4483463303796240000000ffb99d62c6ec53a04447ecde733eebd6f6b0058f91437709bb6b82e47076caf7566d53ac507c24d11934a82609243851f6cf42d72e9d31b5ed13f5fccc241258	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.henniu2222.site	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00566cf4c6e3d801	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "63"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\henniu2222.site\Total = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3912461700"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\cnkankan.com\Total = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\henniu2222.site\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30991302"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e2728ad8693e804caf0ad2c227b1421600000000020000000000106600000001000020000000aacbe5c01eca8b0f95589fa890e92cf9fc161b4953ceffbd46006a1d820062ff000000000e800000000200002000000090a952032949fae9ca4061616b6abcd7bcb9895b3bb821d08da68670cdb1fc0d20000000b0d49d90b9bbd0d15c2c8bc478e904f45fa1598abf7899f25547153bdb5e760e40000000a66f936c29f39cd8a38fa3bbfa284d2be28836b77771bab8b1512681d2c6a697d711e675c3ad807f79ba9bec06c6f8b410c92488d941b428cf843f3267ec7d1a	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\cnkankan.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{12B3D1A9-4FBA-11ED-B696-D2371B4A40BE} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "189"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30991302"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DOMStorage\cnkankan.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.cnkankan.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.cnkankan.com\ = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30991302"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Enable = "1"	IEXPLORE.EXE

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://www.82133.com/?S"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.82133.com/?S"	reg.exe

Modifies registry class 13 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htafile\NeverShowExt	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htafile\DefaultIcon	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D71C5380-D2A0-CD69-E3EE-E1002B3A309E}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D71C5380-D2A0-CD69-E3EE-E1002B3A309E}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D71C5380-D2A0-CD69-E3EE-E1002B3A309E}\Shell	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D71C5380-D2A0-CD69-E3EE-E1002B3A309E}\Shell\open(&H)\Command\ = "wscript -e:vbs \"C:\\Users\\Admin\\AppData\\Roaming\\lua\\3.bat\""	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htafile\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D71C5380-D2A0-CD69-E3EE-E1002B3A309E}\IsShortCut	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D71C5380-D2A0-CD69-E3EE-E1002B3A309E}\Shell\open(&H)\Command	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D71C5380-D2A0-CD69-E3EE-E1002B3A309E}\Shell\open(&H)	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htafile	reg.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4244	tasklist.exe
Token: SeIncBasePriorityPrivilege	4076	7997a273dfec79d0db8c47b9a1c4e1e30c8eb341e2dfe12147e9145f0f5f8dd5.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4424	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4424	iexplore.exe
4424	iexplore.exe
4060	IEXPLORE.EXE
4060	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4076 wrote to memory of 3360	4076	7997a273dfec79d0db8c47b9a1c4e1e30c8eb341e2dfe12147e9145f0f5f8dd5.exe	90
PID 4076 wrote to memory of 3360	4076	7997a273dfec79d0db8c47b9a1c4e1e30c8eb341e2dfe12147e9145f0f5f8dd5.exe	90
PID 4076 wrote to memory of 3360	4076	7997a273dfec79d0db8c47b9a1c4e1e30c8eb341e2dfe12147e9145f0f5f8dd5.exe	90
PID 3360 wrote to memory of 1008	3360	cmd.exe	92
PID 3360 wrote to memory of 1008	3360	cmd.exe	92
PID 3360 wrote to memory of 1008	3360	cmd.exe	92
PID 1008 wrote to memory of 4424	1008	cmd.exe	94
PID 1008 wrote to memory of 4424	1008	cmd.exe	94
PID 1008 wrote to memory of 4416	1008	cmd.exe	95
PID 1008 wrote to memory of 4416	1008	cmd.exe	95
PID 1008 wrote to memory of 4416	1008	cmd.exe	95
PID 1008 wrote to memory of 1332	1008	cmd.exe	96
PID 1008 wrote to memory of 1332	1008	cmd.exe	96
PID 1008 wrote to memory of 1332	1008	cmd.exe	96
PID 1332 wrote to memory of 4596	1332	cmd.exe	98
PID 1332 wrote to memory of 4596	1332	cmd.exe	98
PID 1332 wrote to memory of 4596	1332	cmd.exe	98
PID 1332 wrote to memory of 4004	1332	cmd.exe	99
PID 1332 wrote to memory of 4004	1332	cmd.exe	99
PID 1332 wrote to memory of 4004	1332	cmd.exe	99
PID 1332 wrote to memory of 956	1332	cmd.exe	100
PID 1332 wrote to memory of 956	1332	cmd.exe	100
PID 1332 wrote to memory of 956	1332	cmd.exe	100
PID 1332 wrote to memory of 4328	1332	cmd.exe	101
PID 1332 wrote to memory of 4328	1332	cmd.exe	101
PID 1332 wrote to memory of 4328	1332	cmd.exe	101
PID 1332 wrote to memory of 4604	1332	cmd.exe	102
PID 1332 wrote to memory of 4604	1332	cmd.exe	102
PID 1332 wrote to memory of 4604	1332	cmd.exe	102
PID 1332 wrote to memory of 4244	1332	cmd.exe	103
PID 1332 wrote to memory of 4244	1332	cmd.exe	103
PID 1332 wrote to memory of 4244	1332	cmd.exe	103
PID 4604 wrote to memory of 2072	4604	rundll32.exe	104
PID 4604 wrote to memory of 2072	4604	rundll32.exe	104
PID 4604 wrote to memory of 2072	4604	rundll32.exe	104
PID 4076 wrote to memory of 1524	4076	7997a273dfec79d0db8c47b9a1c4e1e30c8eb341e2dfe12147e9145f0f5f8dd5.exe	105
PID 4076 wrote to memory of 1524	4076	7997a273dfec79d0db8c47b9a1c4e1e30c8eb341e2dfe12147e9145f0f5f8dd5.exe	105
PID 4076 wrote to memory of 1524	4076	7997a273dfec79d0db8c47b9a1c4e1e30c8eb341e2dfe12147e9145f0f5f8dd5.exe	105
PID 2072 wrote to memory of 2196	2072	runonce.exe	106
PID 2072 wrote to memory of 2196	2072	runonce.exe	106
PID 2072 wrote to memory of 2196	2072	runonce.exe	106
PID 4424 wrote to memory of 4060	4424	iexplore.exe	107
PID 4424 wrote to memory of 4060	4424	iexplore.exe	107
PID 4424 wrote to memory of 4060	4424	iexplore.exe	107
PID 1332 wrote to memory of 4116	1332	cmd.exe	108
PID 1332 wrote to memory of 4116	1332	cmd.exe	108
PID 1332 wrote to memory of 4116	1332	cmd.exe	108
PID 1332 wrote to memory of 3776	1332	cmd.exe	110
PID 1332 wrote to memory of 3776	1332	cmd.exe	110
PID 1332 wrote to memory of 3776	1332	cmd.exe	110
PID 1332 wrote to memory of 3460	1332	cmd.exe	111
PID 1332 wrote to memory of 3460	1332	cmd.exe	111
PID 1332 wrote to memory of 3460	1332	cmd.exe	111
PID 1332 wrote to memory of 4780	1332	cmd.exe	112
PID 1332 wrote to memory of 4780	1332	cmd.exe	112
PID 1332 wrote to memory of 4780	1332	cmd.exe	112
PID 1332 wrote to memory of 688	1332	cmd.exe	114
PID 1332 wrote to memory of 688	1332	cmd.exe	114
PID 1332 wrote to memory of 688	1332	cmd.exe	114
PID 1332 wrote to memory of 1868	1332	cmd.exe	113
PID 1332 wrote to memory of 1868	1332	cmd.exe	113
PID 1332 wrote to memory of 1868	1332	cmd.exe	113
PID 1332 wrote to memory of 3916	1332	cmd.exe	115
PID 1332 wrote to memory of 3916	1332	cmd.exe	115

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
956	attrib.exe
4328	attrib.exe

C:\Users\Admin\AppData\Local\Temp\7997a273dfec79d0db8c47b9a1c4e1e30c8eb341e2dfe12147e9145f0f5f8dd5.exe
"C:\Users\Admin\AppData\Local\Temp\7997a273dfec79d0db8c47b9a1c4e1e30c8eb341e2dfe12147e9145f0f5f8dd5.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4076
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp_ext.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3360
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\lua\1.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1008
  - - C:\PROGRA~1\INTERN~1\iexplore.exe
      C:\PROGRA~1\INTERN~1\IEXPLORE.EXE http://www.cnkankan.com/?82133
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4424
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4424 CREDAT:17410 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:4060
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\lua\1.inf
      4⤵
      PID:4416
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\lua\2.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1332
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCR\CLSID\{D71C5380-D2A0-CD69-E3EE-E1002B3A309E}" /v "IsShortCut" /d "" /f
        5⤵
        Modifies registry class
        
        PID:4596
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCR\CLSID\{D71C5380-D2A0-CD69-E3EE-E1002B3A309E}\Shell\open(&H)\Command" /v "" /d "wscript -e:vbs ""C:\Users\Admin\AppData\Roaming\lua\3.bat""" /f
        5⤵
        Modifies registry class
        
        PID:4004
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h C:\Users\Admin\AppData\Roaming\lua\tmp\a.{D71C5380-D2A0-CD69-E3EE-E1002B3A309E}
        5⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:956
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h C:\Users\Admin\AppData\Roaming\lua\tmp
        5⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:4328
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\lua\2.inf
        5⤵
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4604
      - C:\Windows\SysWOW64\runonce.exe
        
        "C:\Windows\system32\runonce.exe" -r
        6⤵
        Checks processor information in registry
        Suspicious use of WriteProcessMemory
        
        PID:2072
        
        C:\Windows\SysWOW64\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        7⤵
        
        PID:2196
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4244
    - - C:\Windows\SysWOW64\find.exe
        
        find /i "360tray.exe" tasklist.txt
        5⤵
        
        PID:4116
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu" /v "{871C5380-42A0-1069-A2EA-08002B30309D}" /d "1" /f
        5⤵
        
        PID:3776
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu" /v "{871C5380-42A0-1069-A2EA-08002B30309D}" /d "1" /f
        5⤵
        
        PID:3460
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel" /v "{871C5380-42A0-1069-A2EA-08002B30309D}" /d "1" /f
        5⤵
        
        PID:4780
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCR\htafile\DefaultIcon" /v "" /d "C:\Program Files\Internet Explorer\IEXPLORE.EXE" /f
        5⤵
        Modifies registry class
        
        PID:1868
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCR\htafile" /v "NeverShowExt" /d "" /f
        5⤵
        Modifies registry class
        
        PID:688
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d "http://www.82133.com/?S" /f
        5⤵
        Modifies Internet Explorer settings
        Modifies Internet Explorer start page
        
        PID:3916
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d "http://www.82133.com/?S" /f
        5⤵
        Modifies Internet Explorer settings
        Modifies Internet Explorer start page
        
        PID:4136
- C:\Users\Admin\AppData\Local\Temp\inlE32E.tmp
  C:\Users\Admin\AppData\Local\Temp\inlE32E.tmp
  2⤵
  - Executes dropped EXE
  PID:1524
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\7997A2~1.EXE > nul
  2⤵
  PID:4984

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\dqptnfu\imagestore.dat

Filesize
1KB

MD5
15e7776431b16457306ab483a18f78e1

SHA1
63781c7bb64e54e9420886b3f4a7eb2d32368ab7

SHA256
92b3016e78f4e06ec8c658017a8a79c012e4f905f61112a94226463338cc24f6

SHA512
8aa6ad98ca9c9d95b46844f5655094399c07a02b38d78d4ab2716773d30418f9fbeda28b3e2136d44cdcd24430d28c0b09c645eeaa1623bba60e5211ba90da68

Download Submit
C:\Users\Admin\AppData\Local\Temp\cdf1912.tmp

Filesize
1KB

MD5
5e300ab3cf5cfdd7fad2e9cecbe10888

SHA1
6d9cf5fa643d779928a2260749d374200bc3ab7b

SHA256
1ae11a97bc7f49666aaad5abbdaada3989bc7b26bedaace34e79cb274455fa49

SHA512
bb898deb86b91b601291a4174ed8bec5d79d95876ab5ae138d5c132fb50eed213aa95d6cbcc667cdea80bbe4dd68a52e3eeb17466dd74ff8e27b27d9076a3fb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\inlE32E.tmp

Filesize
57.2MB

MD5
c7095b74521dd960e6411cfaf133c3cb

SHA1
ec412a4d083d10029955c3fc3e4bceeb06d1cb5c

SHA256
6ff96c8be4a0511e918805031931b6b7dd4bf3baee8f6ea614bb547d82840047

SHA512
d4a9cd82570c862c24babfd395afb30c5e9d52b2ca02022e90e7ef55ea49720a7e0e650474a5d6f3b37d8fd906e47d7505c6c8f6c5964c188c86a4f0c5c029ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\inlE32E.tmp

Filesize
57.2MB

MD5
c7095b74521dd960e6411cfaf133c3cb

SHA1
ec412a4d083d10029955c3fc3e4bceeb06d1cb5c

SHA256
6ff96c8be4a0511e918805031931b6b7dd4bf3baee8f6ea614bb547d82840047

SHA512
d4a9cd82570c862c24babfd395afb30c5e9d52b2ca02022e90e7ef55ea49720a7e0e650474a5d6f3b37d8fd906e47d7505c6c8f6c5964c188c86a4f0c5c029ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\tasklist.txt

Filesize
7KB

MD5
d5a36caf9857203e486703f51e12ac8c

SHA1
e93ee06ef32d4c5643d8d236613865f4b40280c1

SHA256
7841d1108c79cb19a831a3512f23afbdd18af314a784c3476f25a1f4df1b4008

SHA512
d9b5833f9d77eba020c285d94dbd946f99b0f537560e8a37ad8237c13ebf9d1b20d5919874610500060d79570166382d26b54ed1e4b285026504044da12f95f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp_ext.bat

Filesize
50B

MD5
e08ad52d3d132292f9c51e7cfec5fe08

SHA1
269f7eb185a9ff02664297bfb6f5df9f86ec10f0

SHA256
bd2a3003fb1f771283b30a044c49aecb72bfdff4322330337dba4992ecd198f4

SHA512
3dc0331f3ee9a57de7bda71a94953239bc7033a130f2b783b35d17ce3ed7b7928c154323d10ba81bd81d3bfd2d7c123cec55f5178d2b44286c2f857ccd6a1722

Download Submit
C:\Users\Admin\AppData\Roaming\lua\1.bat

Filesize
2KB

MD5
e9b0ea3bb8833d31df07f7ceaf019e02

SHA1
d147c5363b7fa233cbf2247897a465661f5ad408

SHA256
c9908af4e516f3fe5631e31d099f16f8c4e4d8b91d073003c10a3a0a0bc30fe3

SHA512
4c2a36d0498dd3332ca19e969d1ceaab2a57ef4d12adcc3ffff218a9d72dbfc1622fb22c08215da778821d50d3fd72b0d559f891196176e00459ef01300c9b2b

Download Submit
C:\Users\Admin\AppData\Roaming\lua\1.inf

Filesize
424B

MD5
5d8e8066c8e44558a044f4de83b79df2

SHA1
4920014abe179ae430bb55b3c4bdb6966327f551

SHA256
1d51c8abf3a0f5d4b2e61209507052bd12797d12c7821cb8868a0f3cd9950149

SHA512
792b8d0dcb3309ac0513d45e683dbf301ad06d60f4ae770b9d6c0d975eef6b85af17fb3f05fb74866556a11ef0c92f98b20fd81d455ab4b97606257fa782ea81

Download Submit
C:\Users\Admin\AppData\Roaming\lua\2.bat

Filesize
8KB

MD5
fad373a616743963bbd11fa966e3f5ac

SHA1
89638961a6a0d6622fa3214e6abc2bc810c549cf

SHA256
2c5b82c6c39cfba12d70cd4080165bd18ce3e65d3e540e2f787b9e7c583eb319

SHA512
956c7d65a3ac45b688fe3ae71f04c664542d03910f8f727ed27fc5d36bf2571d3e397d16ee28ac19512dfa939b8bbd453a307f9d778b84bf689cf32af9a4c39b

Download Submit
C:\Users\Admin\AppData\Roaming\lua\2.inf

Filesize
244B

MD5
2de3e6e4faea8c4a10ddd4f26455caca

SHA1
b7c02274aa020619e6c7b925427b027ffcc28629

SHA256
9f29d64886130752a5fe40ce6e83a8f35dc65340871cfe435499a609037c2824

SHA512
0e49cbd89766d3697ce4c9a2c83de32ebaee2d41f1a635a94cf0c73541aaa614f4f5b755f55d21fdea07fc76985bc741f2649abc1c6a32e9876ffa6b3a1c33c8

Download Submit
memory/4076-232-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4076-133-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4076-132-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4424-176-0x00007FFE37FB0000-0x00007FFE3801E000-memory.dmp

Filesize
440KB

Download
memory/4424-197-0x00007FFE37FB0000-0x00007FFE3801E000-memory.dmp

Filesize
440KB

Download
memory/4424-169-0x00007FFE37FB0000-0x00007FFE3801E000-memory.dmp

Filesize
440KB

Download
memory/4424-170-0x00007FFE37FB0000-0x00007FFE3801E000-memory.dmp

Filesize
440KB

Download
memory/4424-163-0x00007FFE37FB0000-0x00007FFE3801E000-memory.dmp

Filesize
440KB

Download
memory/4424-161-0x00007FFE37FB0000-0x00007FFE3801E000-memory.dmp

Filesize
440KB

Download
memory/4424-158-0x00007FFE37FB0000-0x00007FFE3801E000-memory.dmp

Filesize
440KB

Download
memory/4424-157-0x00007FFE37FB0000-0x00007FFE3801E000-memory.dmp

Filesize
440KB

Download
memory/4424-174-0x00007FFE37FB0000-0x00007FFE3801E000-memory.dmp

Filesize
440KB

Download
memory/4424-155-0x00007FFE37FB0000-0x00007FFE3801E000-memory.dmp

Filesize
440KB

Download
memory/4424-177-0x00007FFE37FB0000-0x00007FFE3801E000-memory.dmp

Filesize
440KB

Download
memory/4424-179-0x00007FFE37FB0000-0x00007FFE3801E000-memory.dmp

Filesize
440KB

Download
memory/4424-154-0x00007FFE37FB0000-0x00007FFE3801E000-memory.dmp

Filesize
440KB

Download
memory/4424-183-0x00007FFE37FB0000-0x00007FFE3801E000-memory.dmp

Filesize
440KB

Download
memory/4424-184-0x00007FFE37FB0000-0x00007FFE3801E000-memory.dmp

Filesize
440KB

Download
memory/4424-182-0x00007FFE37FB0000-0x00007FFE3801E000-memory.dmp

Filesize
440KB

Download
memory/4424-185-0x00007FFE37FB0000-0x00007FFE3801E000-memory.dmp

Filesize
440KB

Download
memory/4424-153-0x00007FFE37FB0000-0x00007FFE3801E000-memory.dmp

Filesize
440KB

Download
memory/4424-152-0x00007FFE37FB0000-0x00007FFE3801E000-memory.dmp

Filesize
440KB

Download
memory/4424-188-0x00007FFE37FB0000-0x00007FFE3801E000-memory.dmp

Filesize
440KB

Download
memory/4424-189-0x00007FFE37FB0000-0x00007FFE3801E000-memory.dmp

Filesize
440KB

Download
memory/4424-190-0x00007FFE37FB0000-0x00007FFE3801E000-memory.dmp

Filesize
440KB

Download
memory/4424-191-0x00007FFE37FB0000-0x00007FFE3801E000-memory.dmp

Filesize
440KB

Download
memory/4424-192-0x00007FFE37FB0000-0x00007FFE3801E000-memory.dmp

Filesize
440KB

Download
memory/4424-196-0x00007FFE37FB0000-0x00007FFE3801E000-memory.dmp

Filesize
440KB

Download
memory/4424-199-0x00007FFE37FB0000-0x00007FFE3801E000-memory.dmp

Filesize
440KB

Download
memory/4424-150-0x00007FFE37FB0000-0x00007FFE3801E000-memory.dmp

Filesize
440KB

Download
memory/4424-149-0x00007FFE37FB0000-0x00007FFE3801E000-memory.dmp

Filesize
440KB

Download
memory/4424-201-0x00007FFE37FB0000-0x00007FFE3801E000-memory.dmp

Filesize
440KB

Download
memory/4424-202-0x00007FFE37FB0000-0x00007FFE3801E000-memory.dmp

Filesize
440KB

Download
memory/4424-142-0x00007FFE37FB0000-0x00007FFE3801E000-memory.dmp

Filesize
440KB

Download
memory/4424-147-0x00007FFE37FB0000-0x00007FFE3801E000-memory.dmp

Filesize
440KB

Download
memory/4424-209-0x00007FFE37FB0000-0x00007FFE3801E000-memory.dmp

Filesize
440KB

Download
memory/4424-148-0x00007FFE37FB0000-0x00007FFE3801E000-memory.dmp

Filesize
440KB

Download
memory/4424-226-0x00007FFE37FB0000-0x00007FFE3801E000-memory.dmp

Filesize
440KB

Download
memory/4424-143-0x00007FFE37FB0000-0x00007FFE3801E000-memory.dmp

Filesize
440KB

Download
memory/4424-213-0x00007FFE37FB0000-0x00007FFE3801E000-memory.dmp

Filesize
440KB

Download
memory/4424-214-0x00007FFE37FB0000-0x00007FFE3801E000-memory.dmp

Filesize
440KB

Download
memory/4424-215-0x00007FFE37FB0000-0x00007FFE3801E000-memory.dmp

Filesize
440KB

Download
memory/4424-216-0x00007FFE37FB0000-0x00007FFE3801E000-memory.dmp

Filesize
440KB

Download
memory/4424-217-0x00007FFE37FB0000-0x00007FFE3801E000-memory.dmp

Filesize
440KB

Download
memory/4424-219-0x00007FFE37FB0000-0x00007FFE3801E000-memory.dmp

Filesize
440KB

Download
memory/4424-220-0x00007FFE37FB0000-0x00007FFE3801E000-memory.dmp

Filesize
440KB

Download
memory/4424-225-0x00007FFE37FB0000-0x00007FFE3801E000-memory.dmp

Filesize
440KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads