joker | 2fc6cb628310d0119424a1a25b3c8132efcaa040c0285e95005e077a11e7e897

Analysis

max time kernel
155s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
21/10/2022, 16:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2fc6cb628310d0119424a1a25b3c8132efcaa040c0285e95005e077a11e7e897.exe
Size

160KB
MD5

5fd2ee06fccf4e13ce4f1ad3b62a28db
SHA1

4289f2de5bd69393cb4fb5190fff261a38edb8c8
SHA256

2fc6cb628310d0119424a1a25b3c8132efcaa040c0285e95005e077a11e7e897
SHA512

cc1f2c9f78fd2dcf2e2d02dc32f08067679238963fa9037d3d9d2fd512e8159f86eb968b8ccef982f8ceb7cd489b935b14f248a9890df42bfb471653f69a42ef
SSDEEP

1536:7zOEJKTB1rO/A5J2q+MEWafDuwrZd67iS+ra68IUvIi0rQ+L:XXcTBPt+MxJwVEi/8HAz9

Score

10^/10

joker evasion infostealer persistence trojan

Malware Config

Signatures

joker
Joker is an Android malware that targets billing and SMS fraud.
infostealer trojan joker

Executes dropped EXE 1 IoCs

pid	Process
4264	inl2AB7.tmp

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1158

pid	Process
3676	attrib.exe
4416	attrib.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	2fc6cb628310d0119424a1a25b3c8132efcaa040c0285e95005e077a11e7e897.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	inl2AB7.tmp

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\hsdfasd = "\"C:\\Users\\Admin\\AppData\\Roaming\\datread\\tmp.\\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}\" hh.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	rundll32.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~1\INTERN~1\ieframe.dll	cmd.exe
File opened for modification	C:\PROGRA~1\INTERN~1\ieframe.dll	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe

Modifies Internet Explorer settings 1 TTPs 57 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "126"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.henniu1111.site\ = "63"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f007d2eb42e6d801	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Factor = "20"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\cnkankan.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.cnkankan.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\cnkankan.com\Total = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.cnkankan.com\ = "126"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000043e2eb2e51ccf149ab640c8bdb0d79060000000002000000000010660000000100002000000098af71010fdc30a90d54f7c800f49a184ced917dcf4cc596288267d54ac4e97d000000000e8000000002000020000000624046b4a92554515cd1236bb306246a1e681ccd309cbef55106693c34e97287200000000782dc8ed0160fc4efc95db9c3413ed33cd26c5674371b232c1e4037dccaafdc400000001b5e81a554b0d54c4941b1ca4c7050b27b930e2c452563ff49767a128b96c9eb5a2ec01a4c62c9c0cb349360b52b5cf652dbdb285f25a894137af9736e0af9b3	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.cnkankan.com\ = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{080840E6-5236-11ED-A0EE-C65219BF0A09} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "63"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3727352102"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\cnkankan.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "189"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30991938"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30991938"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Enable = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\International\CpMRU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DOMStorage\cnkankan.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10b0c3eb42e6d801	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\cnkankan.com\Total = "126"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DOMStorage\henniu1111.site	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.henniu1111.site	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\henniu1111.site\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3708758038"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000043e2eb2e51ccf149ab640c8bdb0d79060000000002000000000010660000000100002000000032d6c6e2a5e7725cac27bdc66ea106bed5796e35f6306614e4571a95248f1539000000000e8000000002000020000000bdf395f5f8d0f09081aeb964c43c3df8554516dccd7cdfecf71fc1460d801f1520000000d3547d25f3918e039d16ddab7c066b68e0c9df25fcfa6eb4835c91d7ed093af140000000ecf4d0da5d6b09ca1f6c0af126d079c90bbec10fcd57bd5a6ad1433d8574987f5ab7a3c039986e3a48c3d83360ce0114d0c82076b2408c29a8ac56157976894b	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30991938"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\henniu1111.site\Total = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3708758038"	iexplore.exe

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://www.82133.com/?n"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.82133.com/?n"	reg.exe

Modifies registry class 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\IsShortCut	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command\ = "wscript -e:vbs \"C:\\Users\\Admin\\AppData\\Roaming\\datread\\3.bat\""	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell	reg.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2060	2fc6cb628310d0119424a1a25b3c8132efcaa040c0285e95005e077a11e7e897.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2088	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2088	iexplore.exe
2088	iexplore.exe
4644	IEXPLORE.EXE
4644	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 2140	2060	2fc6cb628310d0119424a1a25b3c8132efcaa040c0285e95005e077a11e7e897.exe	89
PID 2060 wrote to memory of 2140	2060	2fc6cb628310d0119424a1a25b3c8132efcaa040c0285e95005e077a11e7e897.exe	89
PID 2060 wrote to memory of 2140	2060	2fc6cb628310d0119424a1a25b3c8132efcaa040c0285e95005e077a11e7e897.exe	89
PID 2140 wrote to memory of 2368	2140	cmd.exe	91
PID 2140 wrote to memory of 2368	2140	cmd.exe	91
PID 2140 wrote to memory of 2368	2140	cmd.exe	91
PID 2368 wrote to memory of 2088	2368	cmd.exe	93
PID 2368 wrote to memory of 2088	2368	cmd.exe	93
PID 2368 wrote to memory of 1360	2368	cmd.exe	94
PID 2368 wrote to memory of 1360	2368	cmd.exe	94
PID 2368 wrote to memory of 1360	2368	cmd.exe	94
PID 2368 wrote to memory of 4508	2368	cmd.exe	95
PID 2368 wrote to memory of 4508	2368	cmd.exe	95
PID 2368 wrote to memory of 4508	2368	cmd.exe	95
PID 2060 wrote to memory of 4264	2060	2fc6cb628310d0119424a1a25b3c8132efcaa040c0285e95005e077a11e7e897.exe	97
PID 2060 wrote to memory of 4264	2060	2fc6cb628310d0119424a1a25b3c8132efcaa040c0285e95005e077a11e7e897.exe	97
PID 2060 wrote to memory of 4264	2060	2fc6cb628310d0119424a1a25b3c8132efcaa040c0285e95005e077a11e7e897.exe	97
PID 2060 wrote to memory of 5004	2060	2fc6cb628310d0119424a1a25b3c8132efcaa040c0285e95005e077a11e7e897.exe	98
PID 2060 wrote to memory of 5004	2060	2fc6cb628310d0119424a1a25b3c8132efcaa040c0285e95005e077a11e7e897.exe	98
PID 2060 wrote to memory of 5004	2060	2fc6cb628310d0119424a1a25b3c8132efcaa040c0285e95005e077a11e7e897.exe	98
PID 4508 wrote to memory of 4704	4508	cmd.exe	102
PID 4508 wrote to memory of 4704	4508	cmd.exe	102
PID 4508 wrote to memory of 4704	4508	cmd.exe	102
PID 2088 wrote to memory of 4644	2088	iexplore.exe	99
PID 2088 wrote to memory of 4644	2088	iexplore.exe	99
PID 2088 wrote to memory of 4644	2088	iexplore.exe	99
PID 4508 wrote to memory of 2312	4508	cmd.exe	101
PID 4508 wrote to memory of 2312	4508	cmd.exe	101
PID 4508 wrote to memory of 2312	4508	cmd.exe	101
PID 4508 wrote to memory of 4108	4508	cmd.exe	103
PID 4508 wrote to memory of 4108	4508	cmd.exe	103
PID 4508 wrote to memory of 4108	4508	cmd.exe	103
PID 4508 wrote to memory of 3400	4508	cmd.exe	104
PID 4508 wrote to memory of 3400	4508	cmd.exe	104
PID 4508 wrote to memory of 3400	4508	cmd.exe	104
PID 4508 wrote to memory of 1176	4508	cmd.exe	105
PID 4508 wrote to memory of 1176	4508	cmd.exe	105
PID 4508 wrote to memory of 1176	4508	cmd.exe	105
PID 4508 wrote to memory of 3676	4508	cmd.exe	106
PID 4508 wrote to memory of 3676	4508	cmd.exe	106
PID 4508 wrote to memory of 3676	4508	cmd.exe	106
PID 4508 wrote to memory of 4416	4508	cmd.exe	107
PID 4508 wrote to memory of 4416	4508	cmd.exe	107
PID 4508 wrote to memory of 4416	4508	cmd.exe	107
PID 4508 wrote to memory of 3060	4508	cmd.exe	108
PID 4508 wrote to memory of 3060	4508	cmd.exe	108
PID 4508 wrote to memory of 3060	4508	cmd.exe	108
PID 4508 wrote to memory of 1608	4508	cmd.exe	109
PID 4508 wrote to memory of 1608	4508	cmd.exe	109
PID 4508 wrote to memory of 1608	4508	cmd.exe	109
PID 3060 wrote to memory of 4932	3060	rundll32.exe	110
PID 3060 wrote to memory of 4932	3060	rundll32.exe	110
PID 3060 wrote to memory of 4932	3060	rundll32.exe	110
PID 4932 wrote to memory of 1768	4932	runonce.exe	111
PID 4932 wrote to memory of 1768	4932	runonce.exe	111
PID 4932 wrote to memory of 1768	4932	runonce.exe	111

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
3676	attrib.exe
4416	attrib.exe

C:\Users\Admin\AppData\Local\Temp\2fc6cb628310d0119424a1a25b3c8132efcaa040c0285e95005e077a11e7e897.exe
"C:\Users\Admin\AppData\Local\Temp\2fc6cb628310d0119424a1a25b3c8132efcaa040c0285e95005e077a11e7e897.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\glk_300_211.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2140
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\datread\1.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2368
  - - C:\PROGRA~1\INTERN~1\iexplore.exe
      C:\PROGRA~1\INTERN~1\IEXPLORE.EXE http://WWW.cnkankan.com/?82133
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2088
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2088 CREDAT:17410 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:4644
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\datread\1.inf
      4⤵
      PID:1360
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\datread\2.bat
      4⤵
      Drops file in Program Files directory
      Suspicious use of WriteProcessMemory
      PID:4508
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?n"" /f
        5⤵
        Modifies Internet Explorer settings
        Modifies Internet Explorer start page
        
        PID:2312
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?n"" /f
        5⤵
        Modifies Internet Explorer settings
        Modifies Internet Explorer start page
        
        PID:4704
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\tmp" /v "key" /d ""http://www.82133.com/?n"" /f
        5⤵
        
        PID:4108
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}" /v "IsShortCut" /d "" /f
        5⤵
        Modifies registry class
        
        PID:3400
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command" /v "" /d "wscript -e:vbs ""C:\Users\Admin\AppData\Roaming\datread\3.bat""" /f
        5⤵
        Modifies registry class
        
        PID:1176
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h C:\Users\Admin\AppData\Roaming\datread\tmp\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}
        5⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:3676
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h C:\Users\Admin\AppData\Roaming\datread\tmp
        5⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:4416
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\datread\2.inf
        5⤵
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3060
      - C:\Windows\SysWOW64\runonce.exe
        
        "C:\Windows\system32\runonce.exe" -r
        6⤵
        Checks processor information in registry
        Suspicious use of WriteProcessMemory
        
        PID:4932
        
        C:\Windows\SysWOW64\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        7⤵
        
        PID:1768
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32 D:\VolumeDH\inj.dat,MainLoad
        5⤵
        
        PID:1608
- C:\Users\Admin\AppData\Local\Temp\inl2AB7.tmp
  C:\Users\Admin\AppData\Local\Temp\inl2AB7.tmp
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  PID:4264
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\2FC6CB~1.EXE > nul
  2⤵
  PID:5004

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
9ebd067ed9097e52468ed43389e20f84

SHA1
254e9e98e444f9aa5025e9f39d26c2ee6343b070

SHA256
c2f13a89d711a444d9e2e5a909191abfd3b00b1c73d8b6b5d8f9df8eaa5f8bad

SHA512
a70df9fc2fb4ffd351c4702d5b7dfda2f5b96b3596d53f09f981afce933a53768c940dc04e93b0098f5d2a309919d6b3a4398bb03b8bc5aa67c4ac7dff525c3f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
434B

MD5
7f02dc6e2f6673676e69f4dc29ee7490

SHA1
9c4b9fc367a65dc65c3c1a57f2cafe0d54e42ccf

SHA256
4c9710db1a3af93442f924ca7c5393e982306a8822b1cfed90523d0e5980ef48

SHA512
4d79f9f5862f741f15a66438e06563969525186814d192c941f7b6cb9ddbe9f01964694b16786d548985431f9b07d8dcb0f9d4ea80d4ee1c47ffe833e7672fb1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\ckj4gk4\imagestore.dat

Filesize
1KB

MD5
139fef1e7e29e8f46a5cdc114772d1ea

SHA1
e8fb9c7431b97ffdddb4086702ecb354bb9b980d

SHA256
1ebaaa8afa8cc88fb6fc02f739275b0ea84d42c0c0e3d64ede7866c9e99a8552

SHA512
51a742613b7d927993d19330b21ce39cd8d64fe344394e6da8b4e32893b77234801e59d757d718965eb61a9579729db05620bf9d0961c4f0c1fb43a21b3d01bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\cdf1912.tmp

Filesize
858B

MD5
d727e34e3f5eb5ee1ce17fe4c66bf617

SHA1
ea796e8b305510775d244f30758e125a01569626

SHA256
d0cd1c2b674ee72b000ecacb181addd7735f4c3478731c23f4649e312e4c607d

SHA512
ae3028364bf02b3e7c78d7a44a3305537c16d7feefb9dd968296b86425babaccee81af0c40eb7f8f374266df0e2c3c1a08b6b951ceaddc55572d6f0f1e85705c

Download Submit
C:\Users\Admin\AppData\Local\Temp\glk_300_211.bat

Filesize
54B

MD5
5dd457b845e53fce36e6b543764337e4

SHA1
eb7f8ce82274afa5702b20eb5ba133bb71bcb8d6

SHA256
0a2c605c32f2e9b3eda6f18df3d8c1fc2d87922b9bb23d6c3a9de3aa3f383992

SHA512
0fea97ddf333c178ca4805fc85f8b66f81a7906d1cc7bf440206aff50cc711643e90115f046077a323b3cc78deeb704f7eb8a934d0a1cd011f6a3ad67057c9f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\inl2AB7.tmp

Filesize
57.2MB

MD5
77355f3363a63f193a47fa3011d65032

SHA1
d5be6a880906c718f1db7396b9551ed8f56e0f56

SHA256
0376f7ff2711ca8cab067122234a0ecce337d0b510b16a8796fe29562a58f513

SHA512
3a3ae82a710aaee138a48df6eab6b1d0294f9322045e07e753a10fcbc856bb9e2bbe50ec2fd59f231f85ca56635885ab18aeaf9a435f30b49561cd91470e1ab3

Download Submit
C:\Users\Admin\AppData\Local\Temp\inl2AB7.tmp

Filesize
57.2MB

MD5
77355f3363a63f193a47fa3011d65032

SHA1
d5be6a880906c718f1db7396b9551ed8f56e0f56

SHA256
0376f7ff2711ca8cab067122234a0ecce337d0b510b16a8796fe29562a58f513

SHA512
3a3ae82a710aaee138a48df6eab6b1d0294f9322045e07e753a10fcbc856bb9e2bbe50ec2fd59f231f85ca56635885ab18aeaf9a435f30b49561cd91470e1ab3

Download Submit
C:\Users\Admin\AppData\Roaming\datread\1.bat

Filesize
3KB

MD5
e580af507ea9f91de910e0c11b1e5ff1

SHA1
998ed9fad171139fca6e0da98f660417fb87fc1c

SHA256
7ab3f848e819dbfe653558a517b6bcd0274040d4e5a0a74e1556916aa5f9d356

SHA512
240d3ed95def600a7b6da7b4ec9f0d2289471d7c96c8bff7198b33d55671004e3b7ad500935d9bd8b7d1cc08ad648b05f1b21c4e958542ac6a150dc3dd4797ab

Download Submit
C:\Users\Admin\AppData\Roaming\datread\1.inf

Filesize
410B

MD5
66a1f0147fed7ddd19e9bb7ff93705c5

SHA1
9d803c81ea2195617379b880b227892ba30b0bf6

SHA256
4f45ce85e221352f7fe26e04968c7f7267dc24b55cf2b72b929b4c90e48cb764

SHA512
cfe51756ddec75d240249980a4d27870d15983add25058e4d0da4d8a3ea11384d4d228d6cbc95091f91e516e1ab4dfb1e315941dbd95bf717d4b31936311d597

Download Submit
C:\Users\Admin\AppData\Roaming\datread\2.bat

Filesize
3KB

MD5
7c54db0864c2eb965c63c3dfe6be2256

SHA1
303c5edaa7ec4530f88484e3c48ff7e674a676d1

SHA256
1886e568662fcc552a91c3ab25b86e5243032d4f43fa45ffb51c57ca533c4b91

SHA512
60677e5762c2a267269ca520f554b800e88ce80bd96479b0ab02ea9eded76332657c3c9b93961c47551bdea3feda4b1dd88e58ebd087ae42a7853fd4bf0b8997

Download Submit
C:\Users\Admin\AppData\Roaming\datread\2.inf

Filesize
248B

MD5
c5eaacddf7fe93d130f1eb67f3fc2d9d

SHA1
ce20a3a2d9925fa4672884ffda2ee200c06ad7ce

SHA256
c740a578ef5867e18bc914ef724c8258a324b4f35591690e91329a10d17f6b45

SHA512
1f9529123cf74f1c53f75d81b9b6dabb127fcef0067c104c5ca044e28450083fa379c256d63d07d4e4053f197c24e02f9e2ab4507f8bb1068032598b52bbbf77

Download Submit
C:\Users\Admin\AppData\Roaming\datread\4.bat

Filesize
5.8MB

MD5
f864a769555d766db905676145e4aae7

SHA1
4f1ea2507379d79c615279bff0cccd28a5f8fa86

SHA256
af90c76d539d77811dac42f884cfbbd516313397f657fc8608a8f2c2a5f6a906

SHA512
fd149fbb45d07acafe9410c849c5d2689be60d3965bb7b4e767fb77853000f236d7b43356d70deae1a40b2e980bc319c7a45db52e935336fa1c9c8ac3db617ec

Download Submit
memory/2060-132-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2060-171-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2060-133-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2088-176-0x00007FFCAC3E0000-0x00007FFCAC44E000-memory.dmp

Filesize
440KB

Download
memory/2088-187-0x00007FFCAC3E0000-0x00007FFCAC44E000-memory.dmp

Filesize
440KB

Download
memory/2088-156-0x00007FFCAC3E0000-0x00007FFCAC44E000-memory.dmp

Filesize
440KB

Download
memory/2088-160-0x00007FFCAC3E0000-0x00007FFCAC44E000-memory.dmp

Filesize
440KB

Download
memory/2088-152-0x00007FFCAC3E0000-0x00007FFCAC44E000-memory.dmp

Filesize
440KB

Download
memory/2088-151-0x00007FFCAC3E0000-0x00007FFCAC44E000-memory.dmp

Filesize
440KB

Download
memory/2088-163-0x00007FFCAC3E0000-0x00007FFCAC44E000-memory.dmp

Filesize
440KB

Download
memory/2088-150-0x00007FFCAC3E0000-0x00007FFCAC44E000-memory.dmp

Filesize
440KB

Download
memory/2088-149-0x00007FFCAC3E0000-0x00007FFCAC44E000-memory.dmp

Filesize
440KB

Download
memory/2088-165-0x00007FFCAC3E0000-0x00007FFCAC44E000-memory.dmp

Filesize
440KB

Download
memory/2088-167-0x00007FFCAC3E0000-0x00007FFCAC44E000-memory.dmp

Filesize
440KB

Download
memory/2088-168-0x00007FFCAC3E0000-0x00007FFCAC44E000-memory.dmp

Filesize
440KB

Download
memory/2088-225-0x00007FFCAC3E0000-0x00007FFCAC44E000-memory.dmp

Filesize
440KB

Download
memory/2088-145-0x00007FFCAC3E0000-0x00007FFCAC44E000-memory.dmp

Filesize
440KB

Download
memory/2088-170-0x00007FFCAC3E0000-0x00007FFCAC44E000-memory.dmp

Filesize
440KB

Download
memory/2088-166-0x00007FFCAC3E0000-0x00007FFCAC44E000-memory.dmp

Filesize
440KB

Download
memory/2088-224-0x00007FFCAC3E0000-0x00007FFCAC44E000-memory.dmp

Filesize
440KB

Download
memory/2088-174-0x00007FFCAC3E0000-0x00007FFCAC44E000-memory.dmp

Filesize
440KB

Download
memory/2088-148-0x00007FFCAC3E0000-0x00007FFCAC44E000-memory.dmp

Filesize
440KB

Download
memory/2088-178-0x00007FFCAC3E0000-0x00007FFCAC44E000-memory.dmp

Filesize
440KB

Download
memory/2088-179-0x00007FFCAC3E0000-0x00007FFCAC44E000-memory.dmp

Filesize
440KB

Download
memory/2088-177-0x00007FFCAC3E0000-0x00007FFCAC44E000-memory.dmp

Filesize
440KB

Download
memory/2088-181-0x00007FFCAC3E0000-0x00007FFCAC44E000-memory.dmp

Filesize
440KB

Download
memory/2088-182-0x00007FFCAC3E0000-0x00007FFCAC44E000-memory.dmp

Filesize
440KB

Download
memory/2088-219-0x00007FFCAC3E0000-0x00007FFCAC44E000-memory.dmp

Filesize
440KB

Download
memory/2088-217-0x00007FFCAC3E0000-0x00007FFCAC44E000-memory.dmp

Filesize
440KB

Download
memory/2088-147-0x00007FFCAC3E0000-0x00007FFCAC44E000-memory.dmp

Filesize
440KB

Download
memory/2088-216-0x00007FFCAC3E0000-0x00007FFCAC44E000-memory.dmp

Filesize
440KB

Download
memory/2088-185-0x00007FFCAC3E0000-0x00007FFCAC44E000-memory.dmp

Filesize
440KB

Download
memory/2088-153-0x00007FFCAC3E0000-0x00007FFCAC44E000-memory.dmp

Filesize
440KB

Download
memory/2088-144-0x00007FFCAC3E0000-0x00007FFCAC44E000-memory.dmp

Filesize
440KB

Download
memory/2088-189-0x00007FFCAC3E0000-0x00007FFCAC44E000-memory.dmp

Filesize
440KB

Download
memory/2088-193-0x00007FFCAC3E0000-0x00007FFCAC44E000-memory.dmp

Filesize
440KB

Download
memory/2088-194-0x00007FFCAC3E0000-0x00007FFCAC44E000-memory.dmp

Filesize
440KB

Download
memory/2088-214-0x00007FFCAC3E0000-0x00007FFCAC44E000-memory.dmp

Filesize
440KB

Download
memory/2088-213-0x00007FFCAC3E0000-0x00007FFCAC44E000-memory.dmp

Filesize
440KB

Download
memory/2088-197-0x00007FFCAC3E0000-0x00007FFCAC44E000-memory.dmp

Filesize
440KB

Download
memory/2088-212-0x00007FFCAC3E0000-0x00007FFCAC44E000-memory.dmp

Filesize
440KB

Download
memory/2088-199-0x00007FFCAC3E0000-0x00007FFCAC44E000-memory.dmp

Filesize
440KB

Download
memory/2088-142-0x00007FFCAC3E0000-0x00007FFCAC44E000-memory.dmp

Filesize
440KB

Download
memory/2088-141-0x00007FFCAC3E0000-0x00007FFCAC44E000-memory.dmp

Filesize
440KB

Download
memory/2088-211-0x00007FFCAC3E0000-0x00007FFCAC44E000-memory.dmp

Filesize
440KB

Download
memory/2088-203-0x00007FFCAC3E0000-0x00007FFCAC44E000-memory.dmp

Filesize
440KB

Download
memory/2088-208-0x00007FFCAC3E0000-0x00007FFCAC44E000-memory.dmp

Filesize
440KB

Download
memory/2088-210-0x00007FFCAC3E0000-0x00007FFCAC44E000-memory.dmp

Filesize
440KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads