joker | 29cf677f3259c567880791f3c08c048f9e97726c59b46b7b9f9361ac13de08a5

Analysis

max time kernel
90s
max time network
158s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
21-10-2022 05:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

29cf677f3259c567880791f3c08c048f9e97726c59b46b7b9f9361ac13de08a5.exe
Size

918KB
MD5

72233abb3b0ab88ffcb01d0c5840d890
SHA1

361c6f8569a5e2d16c1bc9d92fd6702de6af124c
SHA256

29cf677f3259c567880791f3c08c048f9e97726c59b46b7b9f9361ac13de08a5
SHA512

56860c804740567412679ad11abd6714337da710a245873dc753c5db06c68bd7be1e61a08765fb545fe2f6a4f43ecec292d43d66ed2f9ab94e920e470a023882
SSDEEP

24576:VBmTZE9bUix084d2mVWcaW2nrwqbqzcClwcbcI:qkoPwxWvJNwiT

Score

10^/10

joker bootkit discovery evasion infostealer persistence trojan

Malware Config

Signatures

joker
Joker is an Android malware that targets billing and SMS fraud.
infostealer trojan joker

Executes dropped EXE 2 IoCs

pid	Process
1336	shandian.exe
1540	shandian.exe

Loads dropped DLL 11 IoCs

pid	Process
1792	29cf677f3259c567880791f3c08c048f9e97726c59b46b7b9f9361ac13de08a5.exe
1792	29cf677f3259c567880791f3c08c048f9e97726c59b46b7b9f9361ac13de08a5.exe
1792	29cf677f3259c567880791f3c08c048f9e97726c59b46b7b9f9361ac13de08a5.exe
1792	29cf677f3259c567880791f3c08c048f9e97726c59b46b7b9f9361ac13de08a5.exe
1792	29cf677f3259c567880791f3c08c048f9e97726c59b46b7b9f9361ac13de08a5.exe
1792	29cf677f3259c567880791f3c08c048f9e97726c59b46b7b9f9361ac13de08a5.exe
1792	29cf677f3259c567880791f3c08c048f9e97726c59b46b7b9f9361ac13de08a5.exe
1792	29cf677f3259c567880791f3c08c048f9e97726c59b46b7b9f9361ac13de08a5.exe
1792	29cf677f3259c567880791f3c08c048f9e97726c59b46b7b9f9361ac13de08a5.exe
1336	shandian.exe
1336	shandian.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	29cf677f3259c567880791f3c08c048f9e97726c59b46b7b9f9361ac13de08a5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\shandian = "C:\\Program Files (x86)\\shandian\\shandian.exe"	29cf677f3259c567880791f3c08c048f9e97726c59b46b7b9f9361ac13de08a5.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	shandian.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	29cf677f3259c567880791f3c08c048f9e97726c59b46b7b9f9361ac13de08a5.exe
File opened for modification	\??\PhysicalDrive0	shandian.exe

Drops file in Program Files directory 16 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\shandian\bin\shandian.exe	29cf677f3259c567880791f3c08c048f9e97726c59b46b7b9f9361ac13de08a5.exe
File created	C:\Program Files (x86)\shandian\ico\ie.ico	29cf677f3259c567880791f3c08c048f9e97726c59b46b7b9f9361ac13de08a5.exe
File opened for modification	C:\Program Files (x86)\shandian\config.ini	29cf677f3259c567880791f3c08c048f9e97726c59b46b7b9f9361ac13de08a5.exe
File created	C:\PROGRA~2\shandian\bin\theworld.ac	shandian.exe
File opened for modification	C:\PROGRA~2\shandian\bin\theworld.ac	shandian.exe
File created	C:\PROGRA~2\shandian\bin\twcache.ini	shandian.exe
File created	C:\Program Files (x86)\shandian\bin\shandian.ini	29cf677f3259c567880791f3c08c048f9e97726c59b46b7b9f9361ac13de08a5.exe
File created	C:\Program Files (x86)\shandian\ico\360.ico	29cf677f3259c567880791f3c08c048f9e97726c59b46b7b9f9361ac13de08a5.exe
File created	C:\Program Files (x86)\shandian\ico\anquan.ico	29cf677f3259c567880791f3c08c048f9e97726c59b46b7b9f9361ac13de08a5.exe
File created	C:\Program Files (x86)\shandian\home.bat	29cf677f3259c567880791f3c08c048f9e97726c59b46b7b9f9361ac13de08a5.exe
File created	C:\Program Files (x86)\shandian\shandian.exe	29cf677f3259c567880791f3c08c048f9e97726c59b46b7b9f9361ac13de08a5.exe
File created	C:\Program Files (x86)\shandian\ico\taobao.ico	29cf677f3259c567880791f3c08c048f9e97726c59b46b7b9f9361ac13de08a5.exe
File created	C:\Program Files (x86)\shandian\uninst.exe	29cf677f3259c567880791f3c08c048f9e97726c59b46b7b9f9361ac13de08a5.exe
File opened for modification	C:\PROGRA~2\shandian\bin\twcache.ini	shandian.exe
File created	C:\Program Files (x86)\shandian\bin\shandian.ini.tmp	shandian.exe
File opened for modification	C:\Program Files (x86)\shandian\bin\shandian.ini	shandian.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x0008000000012308-62.dat	nsis_installer_1
behavioral1/files/0x0008000000012308-62.dat	nsis_installer_2

Modifies Internet Explorer settings 1 TTPs 29 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	shandian.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION\shandian.exe = "1"	shandian.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_INTERNET_SHELL_FOLDERS\shandian.exe = "0"	shandian.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_INTERNET_SHELL_FOLDERS	shandian.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\jlbnh.com	shandian.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\jlbnh.com\NumberOfSubdomains = "1"	shandian.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "63"	shandian.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.jlbnh.com\ = "63"	shandian.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_SCRIPT	shandian.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.jlbnh.com	shandian.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\yhys23.xyz\NumberOfSubdomains = "1"	shandian.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\yhys23.xyz\Total = "63"	shandian.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	shandian.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl	shandian.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\yhys23.xyz\Total = "126"	shandian.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "189"	shandian.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION	shandian.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage	shandian.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\yhys23.xyz\ = "63"	shandian.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	shandian.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE	shandian.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	shandian.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\jlbnh.com\Total = "63"	shandian.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\yhys23.xyz	shandian.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_SCRIPT\shandian.exe = "0"	shandian.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "126"	shandian.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\yhys23.xyz\ = "126"	shandian.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE\shandian.exe = "1"	shandian.exe

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.jlbnh.com"	29cf677f3259c567880791f3c08c048f9e97726c59b46b7b9f9361ac13de08a5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.jlbnh.com/?tn 3"	reg.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage	reg.exe

Modifies system certificate store 2 TTPs 14 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	shandian.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	shandian.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	shandian.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	29cf677f3259c567880791f3c08c048f9e97726c59b46b7b9f9361ac13de08a5.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	shandian.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	shandian.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	shandian.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	shandian.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	shandian.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	shandian.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	shandian.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	shandian.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	shandian.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	29cf677f3259c567880791f3c08c048f9e97726c59b46b7b9f9361ac13de08a5.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	1864	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1864	AUDIODG.EXE
Token: 33	1864	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1864	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1336	shandian.exe
1540	shandian.exe
1540	shandian.exe
1540	shandian.exe
1540	shandian.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1792 wrote to memory of 1336	1792	29cf677f3259c567880791f3c08c048f9e97726c59b46b7b9f9361ac13de08a5.exe	31
PID 1792 wrote to memory of 1336	1792	29cf677f3259c567880791f3c08c048f9e97726c59b46b7b9f9361ac13de08a5.exe	31
PID 1792 wrote to memory of 1336	1792	29cf677f3259c567880791f3c08c048f9e97726c59b46b7b9f9361ac13de08a5.exe	31
PID 1792 wrote to memory of 1336	1792	29cf677f3259c567880791f3c08c048f9e97726c59b46b7b9f9361ac13de08a5.exe	31
PID 1792 wrote to memory of 1392	1792	29cf677f3259c567880791f3c08c048f9e97726c59b46b7b9f9361ac13de08a5.exe	32
PID 1792 wrote to memory of 1392	1792	29cf677f3259c567880791f3c08c048f9e97726c59b46b7b9f9361ac13de08a5.exe	32
PID 1792 wrote to memory of 1392	1792	29cf677f3259c567880791f3c08c048f9e97726c59b46b7b9f9361ac13de08a5.exe	32
PID 1792 wrote to memory of 1392	1792	29cf677f3259c567880791f3c08c048f9e97726c59b46b7b9f9361ac13de08a5.exe	32
PID 1392 wrote to memory of 1648	1392	cmd.exe	34
PID 1392 wrote to memory of 1648	1392	cmd.exe	34
PID 1392 wrote to memory of 1648	1392	cmd.exe	34
PID 1392 wrote to memory of 1648	1392	cmd.exe	34
PID 1392 wrote to memory of 2012	1392	cmd.exe	35
PID 1392 wrote to memory of 2012	1392	cmd.exe	35
PID 1392 wrote to memory of 2012	1392	cmd.exe	35
PID 1392 wrote to memory of 2012	1392	cmd.exe	35
PID 1392 wrote to memory of 1488	1392	cmd.exe	36
PID 1392 wrote to memory of 1488	1392	cmd.exe	36
PID 1392 wrote to memory of 1488	1392	cmd.exe	36
PID 1392 wrote to memory of 1488	1392	cmd.exe	36
PID 1336 wrote to memory of 1540	1336	shandian.exe	37
PID 1336 wrote to memory of 1540	1336	shandian.exe	37
PID 1336 wrote to memory of 1540	1336	shandian.exe	37
PID 1336 wrote to memory of 1540	1336	shandian.exe	37

C:\Users\Admin\AppData\Local\Temp\29cf677f3259c567880791f3c08c048f9e97726c59b46b7b9f9361ac13de08a5.exe
"C:\Users\Admin\AppData\Local\Temp\29cf677f3259c567880791f3c08c048f9e97726c59b46b7b9f9361ac13de08a5.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Modifies Internet Explorer start page
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1792
- C:\Program Files (x86)\shandian\shandian.exe
  "C:\Program Files (x86)\shandian\shandian.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1336
- - C:\Program Files (x86)\shandian\bin\shandian.exe
    "C:\Program Files (x86)\shandian\bin\shandian.exe"
    3⤵
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Writes to the Master Boot Record (MBR)
    - Drops file in Program Files directory
    - Modifies Internet Explorer settings
    - Modifies system certificate store
    - Suspicious use of SetWindowsHookEx
    PID:1540
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files (x86)\shandian\home.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1392
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCR\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command" /v "" /t reg_expand_sz /d "C:\Program Files\Internet Explorer\iexplore.exe http://www.jlbnh.com/?tn 3" /f
    3⤵
    - Modifies registry class
    PID:1648
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\SOFTWARE\Policies\Microsoft\Internet Explorer\Main" /v "Start Page" /d "http://www.jlbnh.com/?tn 3" /f
    3⤵
    PID:2012
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Internet Explorer\Main" /v "Start Page" /d "http://www.jlbnh.com/?tn 3" /f
    3⤵
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    PID:1488

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x578
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1864

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\shandian\bin\shandian.exe

Filesize
1.4MB

MD5
0b8c8dd921f439cdba4e2bbb63fafa6e

SHA1
c00954b5413f7773db7800ab83644eef9af1a6d1

SHA256
77ee2e0a6d9b3be61a86f187487d856bc0ea35b935247bc88036b5e350fc56ef

SHA512
5f2aeabf0de4a56dcb1b68111805f1f4db2f319ad4b313701e7c9f41a6c5095acb3c5ac7553d2cd120a9fdea463cf9f61b4c66f17be8c4719b7dc01f5cb018c8

Download Submit
C:\Program Files (x86)\shandian\bin\shandian.exe

Filesize
1.4MB

MD5
0b8c8dd921f439cdba4e2bbb63fafa6e

SHA1
c00954b5413f7773db7800ab83644eef9af1a6d1

SHA256
77ee2e0a6d9b3be61a86f187487d856bc0ea35b935247bc88036b5e350fc56ef

SHA512
5f2aeabf0de4a56dcb1b68111805f1f4db2f319ad4b313701e7c9f41a6c5095acb3c5ac7553d2cd120a9fdea463cf9f61b4c66f17be8c4719b7dc01f5cb018c8

Download Submit
C:\Program Files (x86)\shandian\bin\shandian.ini

Filesize
74B

MD5
9d36846620a1b56a9d5ace29337db49f

SHA1
93ed1fa019a7b263b38403811af5042688b2100a

SHA256
4b2d9733336aa571d89b34849416e1254d3361cca692ebf97a85c7ca122d2284

SHA512
5b84f8323fd4fed102d9c28c687524560fb051f51ed6c57d71e355357342d93b87362c012695454df56d64dcca012f0df023109e66296d3f079002ac089da88e

Download Submit
C:\Program Files (x86)\shandian\config.ini

Filesize
145B

MD5
fa40f1eae346621af2002e64f964c891

SHA1
4c834cebf5f3844896d7880b9982650a89bc8cf3

SHA256
498779b7b777e513b48c9e465157d65e05d890b227eb00b7f48393e525c2f31a

SHA512
0488de3d58e72514f1ac9642222afe2f62a111fb5438d3ad349b380c32dfd97bcca66b367b5cfab7da4a98166a28b44549406b5bcc88f4aec77e54db69225e6a

Download Submit
C:\Program Files (x86)\shandian\home.bat

Filesize
703B

MD5
32ae016db9efcbe0b1ec1a94c2d6e2eb

SHA1
376cf1143cce54a01132e24bce677aa7210dc045

SHA256
8b3b6b6e773017a797ce6b9575d36fdef7b959522bc399df8315c8bbb9af7c72

SHA512
08e3f77fc072881ad9b4942051a5c12032d6e42eed3cd29dc90d1e31d452f8bd682ab9ccfb40720a2d2d67151c5076d6b049d1e4e6c6010e1f235866006ad3b7

Download Submit
C:\Program Files (x86)\shandian\shandian.exe

Filesize
96KB

MD5
b442fa57a35ce2505b4ece4a18d0239b

SHA1
28f6045d76bc77c76738c8f6128b7d6ec65b1865

SHA256
0063f24996e1b897ee94d51fc53593fda3a1c293ecde20f1b921e5e8ee56b4cc

SHA512
420d12e775a793be3230116464deb6c8e1fb442f33600237fa798ebd1e46a66ca4eada265f8eab6644573c098662538af9aae9cfbaea946efbc310923348fe57

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
ec8ff3b1ded0246437b1472c69dd1811

SHA1
d813e874c2524e3a7da6c466c67854ad16800326

SHA256
e634c2d1ed20e0638c95597adf4c9d392ebab932d3353f18af1e4421f4bb9cab

SHA512
e967b804cbf2d6da30a532cbc62557d09bd236807790040c6bee5584a482dc09d724fc1d9ac0de6aa5b4e8b1fff72c8ab3206222cc2c95a91035754ac1257552

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6C7617C370060193ABB4C6A6FF28D1D6

Filesize
503B

MD5
90b8af1245fa9a9aa55b050aeadc1b24

SHA1
37fdb1791913a257d9e855e2fe44fec7ba85759b

SHA256
575235b9fe3088d769b78faff10662cfd13954cf477eb0ef951bc1671f1755d1

SHA512
aeb648a72c34e7cb476aa02a3b0e3ed198ef7cf13fb5b21e154066fcf93f3337581469295ad4796c5019015c152c56ad33053f695b4dbcd75d952fe609254b7a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
0d7b78b5124c80f98ed7238f443a66ef

SHA1
5101434c67d7dccb367cf51722d85a34b2cabc3b

SHA256
d86f7086417f975db3818cd42ad6f275a05afd47c5472e5150a78719ed882d20

SHA512
6c6566e3e06753243e5c0495e0378cd6274dee0944b8f18ac441f221f7d9f7e5ba99b12a364ceb4e540b54891cbb512bf3b2ba0a567fea32630eef0d55e4f26a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6C7617C370060193ABB4C6A6FF28D1D6

Filesize
548B

MD5
8b7c4c7e17335af4ca76f99f9f00d60b

SHA1
0d580a6c73b808fe33d922d169f3ec3f814816fc

SHA256
2a551c77bed66953f36d09e2760bfca321a04f7a9967df91bd963f05888a4e25

SHA512
eb865691808f6b8db042961e4782984abd95b50284e2e5a1eae1c17d788c3dc5caa0ef8d9b48099291bde3f3ad3223ce04d93a1feb296386037f369a8b2fb697

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
340B

MD5
598da45eb52e30cc4c9322c460bf69c1

SHA1
7b3089cfab63489b1007166fe5ac0061cad289b7

SHA256
b1b8f863067eab509627e5e9486688f57eee5c3f3e29768b37ebde2464628e72

SHA512
ee92c20fb442b7578c08f8f0c01865658c2e2978aa0b3a281e8e74229b3e6587b190d26bc69dab9b44318b3eebad057e787bf25d3bb923c35b694d45ab01bcb7

Download Submit
\Program Files (x86)\shandian\bin\shandian.exe

Filesize
1.4MB

MD5
0b8c8dd921f439cdba4e2bbb63fafa6e

SHA1
c00954b5413f7773db7800ab83644eef9af1a6d1

SHA256
77ee2e0a6d9b3be61a86f187487d856bc0ea35b935247bc88036b5e350fc56ef

SHA512
5f2aeabf0de4a56dcb1b68111805f1f4db2f319ad4b313701e7c9f41a6c5095acb3c5ac7553d2cd120a9fdea463cf9f61b4c66f17be8c4719b7dc01f5cb018c8

Download Submit
\Program Files (x86)\shandian\bin\shandian.exe

Filesize
1.4MB

MD5
0b8c8dd921f439cdba4e2bbb63fafa6e

SHA1
c00954b5413f7773db7800ab83644eef9af1a6d1

SHA256
77ee2e0a6d9b3be61a86f187487d856bc0ea35b935247bc88036b5e350fc56ef

SHA512
5f2aeabf0de4a56dcb1b68111805f1f4db2f319ad4b313701e7c9f41a6c5095acb3c5ac7553d2cd120a9fdea463cf9f61b4c66f17be8c4719b7dc01f5cb018c8

Download Submit
\Program Files (x86)\shandian\shandian.exe

Filesize
96KB

MD5
b442fa57a35ce2505b4ece4a18d0239b

SHA1
28f6045d76bc77c76738c8f6128b7d6ec65b1865

SHA256
0063f24996e1b897ee94d51fc53593fda3a1c293ecde20f1b921e5e8ee56b4cc

SHA512
420d12e775a793be3230116464deb6c8e1fb442f33600237fa798ebd1e46a66ca4eada265f8eab6644573c098662538af9aae9cfbaea946efbc310923348fe57

Download Submit
\Program Files (x86)\shandian\shandian.exe

Filesize
96KB

MD5
b442fa57a35ce2505b4ece4a18d0239b

SHA1
28f6045d76bc77c76738c8f6128b7d6ec65b1865

SHA256
0063f24996e1b897ee94d51fc53593fda3a1c293ecde20f1b921e5e8ee56b4cc

SHA512
420d12e775a793be3230116464deb6c8e1fb442f33600237fa798ebd1e46a66ca4eada265f8eab6644573c098662538af9aae9cfbaea946efbc310923348fe57

Download Submit
\Program Files (x86)\shandian\shandian.exe

Filesize
96KB

MD5
b442fa57a35ce2505b4ece4a18d0239b

SHA1
28f6045d76bc77c76738c8f6128b7d6ec65b1865

SHA256
0063f24996e1b897ee94d51fc53593fda3a1c293ecde20f1b921e5e8ee56b4cc

SHA512
420d12e775a793be3230116464deb6c8e1fb442f33600237fa798ebd1e46a66ca4eada265f8eab6644573c098662538af9aae9cfbaea946efbc310923348fe57

Download Submit
\Program Files (x86)\shandian\shandian.exe

Filesize
96KB

MD5
b442fa57a35ce2505b4ece4a18d0239b

SHA1
28f6045d76bc77c76738c8f6128b7d6ec65b1865

SHA256
0063f24996e1b897ee94d51fc53593fda3a1c293ecde20f1b921e5e8ee56b4cc

SHA512
420d12e775a793be3230116464deb6c8e1fb442f33600237fa798ebd1e46a66ca4eada265f8eab6644573c098662538af9aae9cfbaea946efbc310923348fe57

Download Submit
\Program Files (x86)\shandian\uninst.exe

Filesize
94KB

MD5
674b1f11337c2d0334d5441a749b1e26

SHA1
63befb477ab4af153d4c851341a1daf6f0d8923c

SHA256
eb2273cbde197d713c51e7617f4fa0bf7f7b50f70bb261e66c6ef05806251dcf

SHA512
4908a417eb6aca1c583e15a022a642ca219b86eded0433fbde4170803097b061c946596b84402800d0cc13971525d5668c43540a2b4e79834c61e9832cf22c4a

Download Submit
\Users\Admin\AppData\Local\Temp\nsdFF28.tmp\Md5dll.dll

Filesize
8KB

MD5
a7d710e78711d5ab90e4792763241754

SHA1
f31cecd926c5d497aba163a17b75975ec34beb13

SHA256
9b05dd603f13c196f3f21c43f48834208fed2294f7090fcd1334931014611fb2

SHA512
f0ca2d6f9a8aeac84ef8b051154a041adffc46e3e9aced142e9c7bf5f7272b047e1db421d38cb2d9182d7442bee3dd806618b019ec042a23ae0e71671d2943c0

Download Submit
\Users\Admin\AppData\Local\Temp\nsdFF28.tmp\System.dll

Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
\Users\Admin\AppData\Local\Temp\nsdFF28.tmp\bind.dll

Filesize
56KB

MD5
b2181e501ce4b03aa5b01d63dbec0b6e

SHA1
3bdf5e76795d87fd005080ccc84596b16c407364

SHA256
40a9e5e0e902a55218361f6965e909c900866eb1ebe6d7b193a077805fb89394

SHA512
ca48994bc13c3c1a4fa50a969a4add2c2caead38fd64d705f83ed372039d9461cc45f898fd7012f2e399f1da62f51a799a9ad9f1fb5b8cf40ae4070e774ddc0a

Download Submit
\Users\Admin\AppData\Local\Temp\nsdFF28.tmp\xID.dll

Filesize
9KB

MD5
3a5ed71aa9c6846d95d57235c4c443d7

SHA1
08156d29bed654f8f8d7f46ddbce84d22d4710cf

SHA256
5e3fa4d610cb2d80ed9991cb2562bd70c5b4d49dbcf4e42a1017c59eedbe28a4

SHA512
5cdb5059020c20a83f230ae2d75bfb6fd69a03418ba6407336db9f0c653fea1e8f4a51400812da81a8bde2f6e4d95fd80e29eb462e818ddbd881789c00d5d1d1

Download Submit
memory/1540-83-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1540-82-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1540-89-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1540-90-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1540-91-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1792-54-0x0000000076321000-0x0000000076323000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads