joker | c0f9c674554abee4fcbd695eefe9aa3a8677c5dd477c73904415be3ad6b2c48c

Analysis

max time kernel
147s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
19-10-2022 16:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c0f9c674554abee4fcbd695eefe9aa3a8677c5dd477c73904415be3ad6b2c48c.exe
Size

54KB
MD5

a0cd2483f8fdb53ab6fce6339c0d79f2
SHA1

ccf543c5767effd4b63e9bd9ace773c5c9055d2f
SHA256

c0f9c674554abee4fcbd695eefe9aa3a8677c5dd477c73904415be3ad6b2c48c
SHA512

4fddb97aacfd0f475b295d801fe1444f17ca999dbb86131b3e7cbfce784b1d266ffa8ac14aec17979bfb6c0664022fb21543a043f6aef08113a256cf18d6b9af
SSDEEP

1536:dmL/ODWaaQHViEPDjMAN+3ALhi1tUUUuJkLegdV:wbaaKt3MAKQcMUUuJ0dV

Score

10^/10

joker evasion infostealer persistence trojan

Malware Config

Signatures

joker
Joker is an Android malware that targets billing and SMS fraud.
infostealer trojan joker

Executes dropped EXE 1 IoCs

pid	Process
4628	inl11DF.tmp

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1158

pid	Process
4536	attrib.exe
2616	attrib.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	c0f9c674554abee4fcbd695eefe9aa3a8677c5dd477c73904415be3ad6b2c48c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	inl11DF.tmp

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\hsdfasd = "\"C:\\Users\\Admin\\AppData\\Roaming\\redload\\tmp.\\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}\" hh.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	rundll32.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~1\INTERN~1\ieframe.dll	cmd.exe
File opened for modification	C:\PROGRA~1\INTERN~1\ieframe.dll	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe

Modifies Internet Explorer settings 1 TTPs 46 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\cnkankan.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\International\CpMRU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Enable = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.henniu5555.site\ = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "126"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "63"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.cnkankan.com	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30991335"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2583877887"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.cnkankan.com\ = "126"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\henniu5555.site	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\henniu5555.site\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DOMStorage\cnkankan.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\cnkankan.com\Total = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "189"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2607159684"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{C5169273-4FDA-11ED-A0EE-F63A18EFECFD} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\henniu5555.site\Total = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30991335"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30991335"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.cnkankan.com\ = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\cnkankan.com\Total = "126"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Factor = "20"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DOMStorage\henniu5555.site	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.henniu5555.site	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2583877887"	iexplore.exe

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://www.71628.com/?S"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.71628.com/?S"	reg.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command\ = "wscript -e:vbs \"C:\\Users\\Admin\\AppData\\Roaming\\redload\\3.bat\""	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\IsShortCut	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	reg.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4760	c0f9c674554abee4fcbd695eefe9aa3a8677c5dd477c73904415be3ad6b2c48c.exe
Token: SeIncBasePriorityPrivilege	4628	inl11DF.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4856	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4856	iexplore.exe
4856	iexplore.exe
3108	IEXPLORE.EXE
3108	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 59 IoCs

description	pid	Process	procid_target
PID 4760 wrote to memory of 3752	4760	c0f9c674554abee4fcbd695eefe9aa3a8677c5dd477c73904415be3ad6b2c48c.exe	91
PID 4760 wrote to memory of 3752	4760	c0f9c674554abee4fcbd695eefe9aa3a8677c5dd477c73904415be3ad6b2c48c.exe	91
PID 4760 wrote to memory of 3752	4760	c0f9c674554abee4fcbd695eefe9aa3a8677c5dd477c73904415be3ad6b2c48c.exe	91
PID 3752 wrote to memory of 5088	3752	cmd.exe	93
PID 3752 wrote to memory of 5088	3752	cmd.exe	93
PID 3752 wrote to memory of 5088	3752	cmd.exe	93
PID 5088 wrote to memory of 4856	5088	cmd.exe	95
PID 5088 wrote to memory of 4856	5088	cmd.exe	95
PID 5088 wrote to memory of 4232	5088	cmd.exe	96
PID 5088 wrote to memory of 4232	5088	cmd.exe	96
PID 5088 wrote to memory of 4232	5088	cmd.exe	96
PID 5088 wrote to memory of 1516	5088	cmd.exe	97
PID 5088 wrote to memory of 1516	5088	cmd.exe	97
PID 5088 wrote to memory of 1516	5088	cmd.exe	97
PID 4760 wrote to memory of 4628	4760	c0f9c674554abee4fcbd695eefe9aa3a8677c5dd477c73904415be3ad6b2c48c.exe	99
PID 4760 wrote to memory of 4628	4760	c0f9c674554abee4fcbd695eefe9aa3a8677c5dd477c73904415be3ad6b2c48c.exe	99
PID 4760 wrote to memory of 4628	4760	c0f9c674554abee4fcbd695eefe9aa3a8677c5dd477c73904415be3ad6b2c48c.exe	99
PID 4760 wrote to memory of 1668	4760	c0f9c674554abee4fcbd695eefe9aa3a8677c5dd477c73904415be3ad6b2c48c.exe	100
PID 4760 wrote to memory of 1668	4760	c0f9c674554abee4fcbd695eefe9aa3a8677c5dd477c73904415be3ad6b2c48c.exe	100
PID 4760 wrote to memory of 1668	4760	c0f9c674554abee4fcbd695eefe9aa3a8677c5dd477c73904415be3ad6b2c48c.exe	100
PID 1516 wrote to memory of 1712	1516	cmd.exe	102
PID 1516 wrote to memory of 1712	1516	cmd.exe	102
PID 1516 wrote to memory of 1712	1516	cmd.exe	102
PID 4856 wrote to memory of 3108	4856	iexplore.exe	103
PID 4856 wrote to memory of 3108	4856	iexplore.exe	103
PID 4856 wrote to memory of 3108	4856	iexplore.exe	103
PID 1516 wrote to memory of 1288	1516	cmd.exe	104
PID 1516 wrote to memory of 1288	1516	cmd.exe	104
PID 1516 wrote to memory of 1288	1516	cmd.exe	104
PID 1516 wrote to memory of 3748	1516	cmd.exe	105
PID 1516 wrote to memory of 3748	1516	cmd.exe	105
PID 1516 wrote to memory of 3748	1516	cmd.exe	105
PID 1516 wrote to memory of 2876	1516	cmd.exe	106
PID 1516 wrote to memory of 2876	1516	cmd.exe	106
PID 1516 wrote to memory of 2876	1516	cmd.exe	106
PID 1516 wrote to memory of 3644	1516	cmd.exe	107
PID 1516 wrote to memory of 3644	1516	cmd.exe	107
PID 1516 wrote to memory of 3644	1516	cmd.exe	107
PID 1516 wrote to memory of 4536	1516	cmd.exe	108
PID 1516 wrote to memory of 4536	1516	cmd.exe	108
PID 1516 wrote to memory of 4536	1516	cmd.exe	108
PID 1516 wrote to memory of 2616	1516	cmd.exe	109
PID 1516 wrote to memory of 2616	1516	cmd.exe	109
PID 1516 wrote to memory of 2616	1516	cmd.exe	109
PID 1516 wrote to memory of 3976	1516	cmd.exe	110
PID 1516 wrote to memory of 3976	1516	cmd.exe	110
PID 1516 wrote to memory of 3976	1516	cmd.exe	110
PID 1516 wrote to memory of 4196	1516	cmd.exe	111
PID 1516 wrote to memory of 4196	1516	cmd.exe	111
PID 1516 wrote to memory of 4196	1516	cmd.exe	111
PID 3976 wrote to memory of 5096	3976	rundll32.exe	112
PID 3976 wrote to memory of 5096	3976	rundll32.exe	112
PID 3976 wrote to memory of 5096	3976	rundll32.exe	112
PID 5096 wrote to memory of 3556	5096	runonce.exe	113
PID 5096 wrote to memory of 3556	5096	runonce.exe	113
PID 5096 wrote to memory of 3556	5096	runonce.exe	113
PID 4628 wrote to memory of 692	4628	inl11DF.tmp	116
PID 4628 wrote to memory of 692	4628	inl11DF.tmp	116
PID 4628 wrote to memory of 692	4628	inl11DF.tmp	116

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
4536	attrib.exe
2616	attrib.exe

C:\Users\Admin\AppData\Local\Temp\c0f9c674554abee4fcbd695eefe9aa3a8677c5dd477c73904415be3ad6b2c48c.exe
"C:\Users\Admin\AppData\Local\Temp\c0f9c674554abee4fcbd695eefe9aa3a8677c5dd477c73904415be3ad6b2c48c.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4760
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\s_g_l_209.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3752
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\redload\1.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5088
  - - C:\PROGRA~1\INTERN~1\iexplore.exe
      C:\PROGRA~1\INTERN~1\IEXPLORE.EXE http://www.cnkankan.com/?71628
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4856
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4856 CREDAT:17410 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:3108
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\redload\1.inf
      4⤵
      PID:4232
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\redload\2.bat
      4⤵
      Drops file in Program Files directory
      Suspicious use of WriteProcessMemory
      PID:1516
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.71628.com/?S"" /f
        5⤵
        Modifies Internet Explorer settings
        Modifies Internet Explorer start page
        
        PID:1712
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.71628.com/?S"" /f
        5⤵
        Modifies Internet Explorer settings
        Modifies Internet Explorer start page
        
        PID:1288
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\tmp" /v "key" /d ""http://www.71628.com/?S"" /f
        5⤵
        
        PID:3748
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}" /v "IsShortCut" /d "" /f
        5⤵
        Modifies registry class
        
        PID:2876
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command" /v "" /d "wscript -e:vbs ""C:\Users\Admin\AppData\Roaming\redload\3.bat""" /f
        5⤵
        Modifies registry class
        
        PID:3644
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h C:\Users\Admin\AppData\Roaming\redload\tmp\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}
        5⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:4536
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h C:\Users\Admin\AppData\Roaming\redload\tmp
        5⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2616
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\redload\2.inf
        5⤵
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3976
      - C:\Windows\SysWOW64\runonce.exe
        
        "C:\Windows\system32\runonce.exe" -r
        6⤵
        Checks processor information in registry
        Suspicious use of WriteProcessMemory
        
        PID:5096
        
        C:\Windows\SysWOW64\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        7⤵
        
        PID:3556
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32 D:\VolumeDH\inj.dat,MainLoad
        5⤵
        
        PID:4196
- C:\Users\Admin\AppData\Local\Temp\inl11DF.tmp
  C:\Users\Admin\AppData\Local\Temp\inl11DF.tmp
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4628
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\inl11DF.tmp > nul
    3⤵
    PID:692
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\C0F9C6~1.EXE > nul
  2⤵
  PID:1668

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
d3ff0edeee7d1ea5754d8a290ae01189

SHA1
253ee24a4776d30bac0aedd7ea213adea6acb6f9

SHA256
e2e542a3681c428c021d38e608dffa43da666f6f3c53f623c21dc184639b222b

SHA512
ab14449059ae31856026e8d8cb0ec0b4158da0fd19f2a73940a159574a9084ce6a09ac05fb80ef3ab11cd9b1395dce021872215baced48f9e8a0bf7311000db7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
434B

MD5
869d0233b09cb59e69caf869d854a538

SHA1
d41aad169aadcbc3d60c37ea2719f93d954e4cbf

SHA256
ccf99e103555875a0990cb10073d0988a3314e71da112835a6d8c83f773be7f7

SHA512
5d110527cc46543031eb9c10b2fe303cb63d963bc4afa28efaabfcd4df6f0e0e7eba270982b69dc45300daf38313b0b870461c6d7165986206024a0de8ac591f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cdf1912.tmp

Filesize
790B

MD5
b18422bf438bbb7798280375a7bc0976

SHA1
c1b77b35e3a38ff2ad119f25e548beb5ff68c2e2

SHA256
ee8709e751067193dccdfe218108bdae6a30919d7b6c860bc848c7cc4b242fa4

SHA512
23cb9c74905f514a2bf4ef91afc53ceb08230b3ce68e3eab17bb36c674260d143a7e7105958ff4ed5c2a416bddffb3c7e28dcf8060cbf323c7e4cab71f613176

Download Submit
C:\Users\Admin\AppData\Local\Temp\inl11DF.tmp

Filesize
57.2MB

MD5
b4a0221915c3c4b4c762acce6a3582c5

SHA1
3673514fa039491d5908bfa2392e70378b8e2f18

SHA256
d52e838643f8a4c92e91d97def5ca829c746e962b40493563ef80258f43394e0

SHA512
4c83e1f8d879c8c8865d08da6df9e9d743a0c59e1b1dae0a0d177e276986ae458c154656a6e559fb46d5cfe66392ba8e732b4485c7ad029ccc9b0190d3434700

Download Submit
C:\Users\Admin\AppData\Local\Temp\inl11DF.tmp

Filesize
57.2MB

MD5
b4a0221915c3c4b4c762acce6a3582c5

SHA1
3673514fa039491d5908bfa2392e70378b8e2f18

SHA256
d52e838643f8a4c92e91d97def5ca829c746e962b40493563ef80258f43394e0

SHA512
4c83e1f8d879c8c8865d08da6df9e9d743a0c59e1b1dae0a0d177e276986ae458c154656a6e559fb46d5cfe66392ba8e732b4485c7ad029ccc9b0190d3434700

Download Submit
C:\Users\Admin\AppData\Local\Temp\s_g_l_209.bat

Filesize
54B

MD5
504490369970f1c0eb580afbcdf91618

SHA1
b52f65cd538e6c998b2c7e3167f9c8e8fa6c7971

SHA256
a13a0579286521f0d7cb55fc7d28c6d33f14c0573e9e69f7584fa4008a8e7d43

SHA512
5495ce79abf0fc4ffbfaf9aefa484145f4e0d3e8457be0e2e4dfb1284fb5413016f2d9867e2386db5c4f7b51863bfffeae8ea6bd879053fdf6a928ab2a0857ad

Download Submit
C:\Users\Admin\AppData\Roaming\redload\1.bat

Filesize
3KB

MD5
b13d4a59d37d8c293276a4c428ad5659

SHA1
710bfa65cfd533b78c564e15e0bbe954e9265ecf

SHA256
3aea9dee221648916706758561e23796b2325e4019b28a3070fe2fd8d1d4ed28

SHA512
8cb3aec7463cf7d14f333bb9257f03c7f7491f4da4fea3311e505f99b9f6797f0aa3f689355a6625d9f104b8511f7e75218b4c2fdd7f9ac96927d7aa4a6ed0ba

Download Submit
C:\Users\Admin\AppData\Roaming\redload\1.inf

Filesize
410B

MD5
66a1f0147fed7ddd19e9bb7ff93705c5

SHA1
9d803c81ea2195617379b880b227892ba30b0bf6

SHA256
4f45ce85e221352f7fe26e04968c7f7267dc24b55cf2b72b929b4c90e48cb764

SHA512
cfe51756ddec75d240249980a4d27870d15983add25058e4d0da4d8a3ea11384d4d228d6cbc95091f91e516e1ab4dfb1e315941dbd95bf717d4b31936311d597

Download Submit
C:\Users\Admin\AppData\Roaming\redload\2.bat

Filesize
3KB

MD5
185a49cc37f1724dc196f67c42a76340

SHA1
27fde7b9ba462fc36ba5705832ae44b454d718cf

SHA256
3fe8fbf78cb9855c0cc663dda80354318fb2c7ef1dc4d378c98bb1383015140d

SHA512
97ee31a378404bae99616a057ddbed8450f56bfd5d0508b4cc3b864e73aa5d8d1f15b21c82ed3570494603ac90bb7cee1b8cbdae9d935bb1ddb71264004e4c22

Download Submit
C:\Users\Admin\AppData\Roaming\redload\2.inf

Filesize
248B

MD5
2197ffb407fb3b2250045c084f73b70a

SHA1
3d0efbacba73ac5e8d77f0d25d63fc424511bcf6

SHA256
a1a42f5a41ce65135b1ad525eabc04cce89ee07d2f51d06e5e1dea6047081591

SHA512
b35a99e144da3f02de71158f58a6b937435d1bce941126a554783c667654b880527b11ba8a5c0fcf093ce28863ea4f5e60f73f8f973a727f177d584d2e9c80fe

Download Submit
C:\Users\Admin\AppData\Roaming\redload\4.bat

Filesize
5.8MB

MD5
57ea1b9d488a993521d122e9fb5544bc

SHA1
02e3df90988581e1c8239490e6bd4f6e74a27d9c

SHA256
8f5595321be14a29f257054e45c996a0447137aa9edc32264b30268054be02fb

SHA512
c07e889f1d0fbcde5846ea3f648a83318f86099a83059c010d61f015c10dc4207492af19a4e483c19c3d661424b10d49db817a73627bea101fe43d62b5a76ee3

Download Submit
memory/4760-169-0x00000000005C0000-0x00000000005E5000-memory.dmp

Filesize
148KB

Download
memory/4760-133-0x0000000000C50000-0x0000000000C53000-memory.dmp

Filesize
12KB

Download
memory/4760-134-0x00000000005C0000-0x00000000005E5000-memory.dmp

Filesize
148KB

Download
memory/4760-132-0x00000000005C0000-0x00000000005E5000-memory.dmp

Filesize
148KB

Download
memory/4856-146-0x00007FF8FA540000-0x00007FF8FA5AE000-memory.dmp

Filesize
440KB

Download
memory/4856-193-0x00007FF8FA540000-0x00007FF8FA5AE000-memory.dmp

Filesize
440KB

Download
memory/4856-170-0x00007FF8FA540000-0x00007FF8FA5AE000-memory.dmp

Filesize
440KB

Download
memory/4856-152-0x00007FF8FA540000-0x00007FF8FA5AE000-memory.dmp

Filesize
440KB

Download
memory/4856-171-0x00007FF8FA540000-0x00007FF8FA5AE000-memory.dmp

Filesize
440KB

Download
memory/4856-165-0x00007FF8FA540000-0x00007FF8FA5AE000-memory.dmp

Filesize
440KB

Download
memory/4856-173-0x00007FF8FA540000-0x00007FF8FA5AE000-memory.dmp

Filesize
440KB

Download
memory/4856-175-0x00007FF8FA540000-0x00007FF8FA5AE000-memory.dmp

Filesize
440KB

Download
memory/4856-177-0x00007FF8FA540000-0x00007FF8FA5AE000-memory.dmp

Filesize
440KB

Download
memory/4856-178-0x00007FF8FA540000-0x00007FF8FA5AE000-memory.dmp

Filesize
440KB

Download
memory/4856-179-0x00007FF8FA540000-0x00007FF8FA5AE000-memory.dmp

Filesize
440KB

Download
memory/4856-180-0x00007FF8FA540000-0x00007FF8FA5AE000-memory.dmp

Filesize
440KB

Download
memory/4856-149-0x00007FF8FA540000-0x00007FF8FA5AE000-memory.dmp

Filesize
440KB

Download
memory/4856-182-0x00007FF8FA540000-0x00007FF8FA5AE000-memory.dmp

Filesize
440KB

Download
memory/4856-183-0x00007FF8FA540000-0x00007FF8FA5AE000-memory.dmp

Filesize
440KB

Download
memory/4856-184-0x00007FF8FA540000-0x00007FF8FA5AE000-memory.dmp

Filesize
440KB

Download
memory/4856-150-0x00007FF8FA540000-0x00007FF8FA5AE000-memory.dmp

Filesize
440KB

Download
memory/4856-186-0x00007FF8FA540000-0x00007FF8FA5AE000-memory.dmp

Filesize
440KB

Download
memory/4856-147-0x00007FF8FA540000-0x00007FF8FA5AE000-memory.dmp

Filesize
440KB

Download
memory/4856-189-0x00007FF8FA540000-0x00007FF8FA5AE000-memory.dmp

Filesize
440KB

Download
memory/4856-157-0x00007FF8FA540000-0x00007FF8FA5AE000-memory.dmp

Filesize
440KB

Download
memory/4856-144-0x00007FF8FA540000-0x00007FF8FA5AE000-memory.dmp

Filesize
440KB

Download
memory/4856-195-0x00007FF8FA540000-0x00007FF8FA5AE000-memory.dmp

Filesize
440KB

Download
memory/4856-166-0x00007FF8FA540000-0x00007FF8FA5AE000-memory.dmp

Filesize
440KB

Download
memory/4856-164-0x00007FF8FA540000-0x00007FF8FA5AE000-memory.dmp

Filesize
440KB

Download
memory/4856-142-0x00007FF8FA540000-0x00007FF8FA5AE000-memory.dmp

Filesize
440KB

Download
memory/4856-198-0x00007FF8FA540000-0x00007FF8FA5AE000-memory.dmp

Filesize
440KB

Download
memory/4856-163-0x00007FF8FA540000-0x00007FF8FA5AE000-memory.dmp

Filesize
440KB

Download
memory/4856-201-0x00007FF8FA540000-0x00007FF8FA5AE000-memory.dmp

Filesize
440KB

Download
memory/4856-161-0x00007FF8FA540000-0x00007FF8FA5AE000-memory.dmp

Filesize
440KB

Download
memory/4856-155-0x00007FF8FA540000-0x00007FF8FA5AE000-memory.dmp

Filesize
440KB

Download
memory/4856-204-0x00007FF8FA540000-0x00007FF8FA5AE000-memory.dmp

Filesize
440KB

Download
memory/4856-160-0x00007FF8FA540000-0x00007FF8FA5AE000-memory.dmp

Filesize
440KB

Download
memory/4856-209-0x00007FF8FA540000-0x00007FF8FA5AE000-memory.dmp

Filesize
440KB

Download
memory/4856-211-0x00007FF8FA540000-0x00007FF8FA5AE000-memory.dmp

Filesize
440KB

Download
memory/4856-212-0x00007FF8FA540000-0x00007FF8FA5AE000-memory.dmp

Filesize
440KB

Download
memory/4856-213-0x00007FF8FA540000-0x00007FF8FA5AE000-memory.dmp

Filesize
440KB

Download
memory/4856-214-0x00007FF8FA540000-0x00007FF8FA5AE000-memory.dmp

Filesize
440KB

Download
memory/4856-215-0x00007FF8FA540000-0x00007FF8FA5AE000-memory.dmp

Filesize
440KB

Download
memory/4856-217-0x00007FF8FA540000-0x00007FF8FA5AE000-memory.dmp

Filesize
440KB

Download
memory/4856-218-0x00007FF8FA540000-0x00007FF8FA5AE000-memory.dmp

Filesize
440KB

Download
memory/4856-220-0x00007FF8FA540000-0x00007FF8FA5AE000-memory.dmp

Filesize
440KB

Download
memory/4856-225-0x00007FF8FA540000-0x00007FF8FA5AE000-memory.dmp

Filesize
440KB

Download
memory/4856-226-0x00007FF8FA540000-0x00007FF8FA5AE000-memory.dmp

Filesize
440KB

Download
memory/4856-159-0x00007FF8FA540000-0x00007FF8FA5AE000-memory.dmp

Filesize
440KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads