Overview

overview

10

Static

static

URLScan

urlscan

1

https://tgsgp.oss-ac...

windows7-x64

10

https://tgsgp.oss-ac...

windows10-2004-x64

10

Analysis

  • max time kernel
    132s
  • max time network
    163s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    26-10-2022 18:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    https://tgsgp.oss-accelerate.aliyuncs.com/x64/Installers/T888CH7/tsetup-x64.4.2.0.exe

Score
10/10
jokerdiscoveryinfostealertrojan

Malware Config

Signatures

  • joker

    Joker is an Android malware that targets billing and SMS fraud.

    infostealertrojanjoker
  • Downloads MZ/PE file
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 9 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops desktop.ini file(s) 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Enumerates system info in registry 2 TTPs 6 IoCs
  • Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 16 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of FindShellTrayWindow 11 IoCs
  • Suspicious use of SendNotifyMessage 7 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://tgsgp.oss-accelerate.aliyuncs.com/x64/Installers/T888CH7/tsetup-x64.4.2.0.exe
    1⤵
    • Modifies Internet Explorer Phishing Filter
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1788
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1788 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1772
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3XPFXPM5\tsetup-x64.4.2.0.exe
      "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3XPFXPM5\tsetup-x64.4.2.0.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1648
      • C:\Users\Admin\AppData\Local\Temp\is-J2C0L.tmp\tsetup-x64.4.2.0.tmp
        "C:\Users\Admin\AppData\Local\Temp\is-J2C0L.tmp\tsetup-x64.4.2.0.tmp" /SL5="$301B0,36322295,814592,C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3XPFXPM5\tsetup-x64.4.2.0.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:1932
        • C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe
          "C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe"
          4⤵
          • Executes dropped EXE
          • Drops desktop.ini file(s)
          • Enumerates system info in registry
          • Modifies registry class
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:2040

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    340B

    MD5

    a1286b0c8384438715d75e2ce698f44b

    SHA1

    21ebfffa2129be3ae2608d2cfcfc132a8a368d6e

    SHA256

    fc24f8b4469c603c92307c98d8ae4b31a10d976843e86a97a9c776e5e9390c2b

    SHA512

    0c26a7b054cc9c8591d0e0d8440133e84d566561daedf55628c7a8254c19ae6af484e625994a079ffb0e31735d78fd5bcac8cc6748cbc7340e97a3549db8c239

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3XPFXPM5\tsetup-x64.4.2.0.exe
    Filesize

    35.5MB

    MD5

    7c9b45db295868dac64ad9e927c02f51

    SHA1

    3ea928ab4cf506b703f9345e4b1f3ad522b242e9

    SHA256

    3f2e13e69c5eb5dc2a46fd627c4116f0dcf97376152b5f960d867cca93446d8d

    SHA512

    b9064f888a7206fe99df2568d2c427a431b171ec6b0aaa9f352c6b9f35bbb9ea86c376b62677faf9cab688178a6db10175392e187d1416130fab7adc8ae90451

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3XPFXPM5\tsetup-x64.4.2.0.exe.3rsobye.partial
    Filesize

    35.5MB

    MD5

    7c9b45db295868dac64ad9e927c02f51

    SHA1

    3ea928ab4cf506b703f9345e4b1f3ad522b242e9

    SHA256

    3f2e13e69c5eb5dc2a46fd627c4116f0dcf97376152b5f960d867cca93446d8d

    SHA512

    b9064f888a7206fe99df2568d2c427a431b171ec6b0aaa9f352c6b9f35bbb9ea86c376b62677faf9cab688178a6db10175392e187d1416130fab7adc8ae90451

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\is-J2C0L.tmp\tsetup-x64.4.2.0.tmp
    Filesize

    3.0MB

    MD5

    ce3b2ef0b07d1770ddd8fa09a34138de

    SHA1

    d07d12411d4a95cd26701fe83eb6d90d81103eee

    SHA256

    22e0e4420698350d18a6c02244c5fa1ff2c772eacb9e7019a8f212b479934386

    SHA512

    02edc78f9b7c8ad01a79243bbc7b51d2b86fb650535d134cc06360519b49ed30241de5cb916ab0624098e2b2b4c94b246e0fcf19e513b4e526100d46db652442

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\is-J2C0L.tmp\tsetup-x64.4.2.0.tmp
    Filesize

    3.0MB

    MD5

    ce3b2ef0b07d1770ddd8fa09a34138de

    SHA1

    d07d12411d4a95cd26701fe83eb6d90d81103eee

    SHA256

    22e0e4420698350d18a6c02244c5fa1ff2c772eacb9e7019a8f212b479934386

    SHA512

    02edc78f9b7c8ad01a79243bbc7b51d2b86fb650535d134cc06360519b49ed30241de5cb916ab0624098e2b2b4c94b246e0fcf19e513b4e526100d46db652442

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\DYMH1TPF.txt
    Filesize

    603B

    MD5

    5b38b3c1cb88693266a329f7c244e70f

    SHA1

    6f525f58dcb53bbe574519e64140736b2a2ad1ae

    SHA256

    ff88391545c430c10aee38b5248ce8240b1371d4131864a29d38de974653e723

    SHA512

    226950f3f5484a4c441cc718ccad7639228eeed904fa17402ee17fe2417167bc604926cdbeae256fcdcd9682f6c80cc03017d3e3d17e93fc9d3189027b8faf69

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe
    Filesize

    114.2MB

    MD5

    fb3be1dcac7e48d44cb355c261776f2f

    SHA1

    cba72d43c128c77093866d3a48fe6fa2f0a8c33f

    SHA256

    1b6cad5a326748b2faa1180a269a73332df2ee933b5646ceb0bdb83ba4bd24f7

    SHA512

    a6932b5fb04f5a9472c17e05102a522cc373578fd2f7244df6aa20f3cc92c5d02d71cee01ce2e302596044d88a59f7c0acb59599f1d04f0cc6208d3a364e9a61

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe
    Filesize

    114.2MB

    MD5

    fb3be1dcac7e48d44cb355c261776f2f

    SHA1

    cba72d43c128c77093866d3a48fe6fa2f0a8c33f

    SHA256

    1b6cad5a326748b2faa1180a269a73332df2ee933b5646ceb0bdb83ba4bd24f7

    SHA512

    a6932b5fb04f5a9472c17e05102a522cc373578fd2f7244df6aa20f3cc92c5d02d71cee01ce2e302596044d88a59f7c0acb59599f1d04f0cc6208d3a364e9a61

    Download Submit

  • \Users\Admin\AppData\Local\Temp\is-J2C0L.tmp\tsetup-x64.4.2.0.tmp
    Filesize

    3.0MB

    MD5

    ce3b2ef0b07d1770ddd8fa09a34138de

    SHA1

    d07d12411d4a95cd26701fe83eb6d90d81103eee

    SHA256

    22e0e4420698350d18a6c02244c5fa1ff2c772eacb9e7019a8f212b479934386

    SHA512

    02edc78f9b7c8ad01a79243bbc7b51d2b86fb650535d134cc06360519b49ed30241de5cb916ab0624098e2b2b4c94b246e0fcf19e513b4e526100d46db652442

    Download Submit

  • \Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe
    Filesize

    114.2MB

    MD5

    fb3be1dcac7e48d44cb355c261776f2f

    SHA1

    cba72d43c128c77093866d3a48fe6fa2f0a8c33f

    SHA256

    1b6cad5a326748b2faa1180a269a73332df2ee933b5646ceb0bdb83ba4bd24f7

    SHA512

    a6932b5fb04f5a9472c17e05102a522cc373578fd2f7244df6aa20f3cc92c5d02d71cee01ce2e302596044d88a59f7c0acb59599f1d04f0cc6208d3a364e9a61

    Download Submit

  • \Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe
    Filesize

    114.2MB

    MD5

    fb3be1dcac7e48d44cb355c261776f2f

    SHA1

    cba72d43c128c77093866d3a48fe6fa2f0a8c33f

    SHA256

    1b6cad5a326748b2faa1180a269a73332df2ee933b5646ceb0bdb83ba4bd24f7

    SHA512

    a6932b5fb04f5a9472c17e05102a522cc373578fd2f7244df6aa20f3cc92c5d02d71cee01ce2e302596044d88a59f7c0acb59599f1d04f0cc6208d3a364e9a61

    Download Submit

  • \Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe
    Filesize

    114.2MB

    MD5

    fb3be1dcac7e48d44cb355c261776f2f

    SHA1

    cba72d43c128c77093866d3a48fe6fa2f0a8c33f

    SHA256

    1b6cad5a326748b2faa1180a269a73332df2ee933b5646ceb0bdb83ba4bd24f7

    SHA512

    a6932b5fb04f5a9472c17e05102a522cc373578fd2f7244df6aa20f3cc92c5d02d71cee01ce2e302596044d88a59f7c0acb59599f1d04f0cc6208d3a364e9a61

    Download Submit

  • \Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe
    Filesize

    114.2MB

    MD5

    fb3be1dcac7e48d44cb355c261776f2f

    SHA1

    cba72d43c128c77093866d3a48fe6fa2f0a8c33f

    SHA256

    1b6cad5a326748b2faa1180a269a73332df2ee933b5646ceb0bdb83ba4bd24f7

    SHA512

    a6932b5fb04f5a9472c17e05102a522cc373578fd2f7244df6aa20f3cc92c5d02d71cee01ce2e302596044d88a59f7c0acb59599f1d04f0cc6208d3a364e9a61

    Download Submit

  • \Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe
    Filesize

    114.2MB

    MD5

    fb3be1dcac7e48d44cb355c261776f2f

    SHA1

    cba72d43c128c77093866d3a48fe6fa2f0a8c33f

    SHA256

    1b6cad5a326748b2faa1180a269a73332df2ee933b5646ceb0bdb83ba4bd24f7

    SHA512

    a6932b5fb04f5a9472c17e05102a522cc373578fd2f7244df6aa20f3cc92c5d02d71cee01ce2e302596044d88a59f7c0acb59599f1d04f0cc6208d3a364e9a61

    Download Submit

  • \Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe
    Filesize

    114.2MB

    MD5

    fb3be1dcac7e48d44cb355c261776f2f

    SHA1

    cba72d43c128c77093866d3a48fe6fa2f0a8c33f

    SHA256

    1b6cad5a326748b2faa1180a269a73332df2ee933b5646ceb0bdb83ba4bd24f7

    SHA512

    a6932b5fb04f5a9472c17e05102a522cc373578fd2f7244df6aa20f3cc92c5d02d71cee01ce2e302596044d88a59f7c0acb59599f1d04f0cc6208d3a364e9a61

    Download Submit

  • \Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe
    Filesize

    114.2MB

    MD5

    fb3be1dcac7e48d44cb355c261776f2f

    SHA1

    cba72d43c128c77093866d3a48fe6fa2f0a8c33f

    SHA256

    1b6cad5a326748b2faa1180a269a73332df2ee933b5646ceb0bdb83ba4bd24f7

    SHA512

    a6932b5fb04f5a9472c17e05102a522cc373578fd2f7244df6aa20f3cc92c5d02d71cee01ce2e302596044d88a59f7c0acb59599f1d04f0cc6208d3a364e9a61

    Download Submit

  • \Users\Admin\AppData\Roaming\Telegram Desktop\unins000.exe
    Filesize

    3.0MB

    MD5

    c0ba2551f23967b0bcd4fd046486142a

    SHA1

    68ce7b400287626cbe324128e7102aad0be21303

    SHA256

    897ea37f617b3ffd4114f155271ce27701f55bec2d1d2951b74ed5d0338f37b5

    SHA512

    84525521f2041a3208f2cf4ee939feae354804fb288d8a02207e6938b91932e26fef400e9acf24b5eefd3c85c307ec9f2fbcf3498aa45464a6a512405ddc141f

    Download Submit

  • memory/1648-65-0x0000000000400000-0x00000000004D4000-memory.dmp

    Filesize

    848KB

    Download

  • memory/1648-57-0x0000000076321000-0x0000000076323000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1648-64-0x0000000000400000-0x00000000004D4000-memory.dmp

    Filesize

    848KB

    Download

  • memory/1648-58-0x0000000000400000-0x00000000004D4000-memory.dmp

    Filesize

    848KB

    Download

  • memory/1648-55-0x0000000000000000-mapping.dmp

    Download

  • memory/1648-79-0x0000000000400000-0x00000000004D4000-memory.dmp

    Filesize

    848KB

    Download

  • memory/1932-61-0x0000000000000000-mapping.dmp

    Download

  • memory/1932-66-0x0000000072001000-0x0000000072003000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2040-82-0x000007FEFBD01000-0x000007FEFBD03000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2040-80-0x0000000000070000-0x0000000000080000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2040-84-0x0000000002470000-0x000000000247A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2040-83-0x0000000002470000-0x000000000247A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2040-77-0x0000000000000000-mapping.dmp

    Download

  • memory/2040-86-0x0000000002500000-0x000000000250A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2040-87-0x0000000002500000-0x000000000250A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2040-88-0x0000000002470000-0x000000000247A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2040-90-0x0000000002500000-0x000000000250A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2040-89-0x0000000002500000-0x000000000250A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2040-91-0x0000000000070000-0x0000000000080000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2040-92-0x0000000002470000-0x0000000002476000-memory.dmp

    Filesize

    24KB

    Download