Analysis

  • max time kernel
    122s
  • max time network
    198s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system
  • submitted
    26-10-2022 18:54

General

  • Target

    https://tgsgp.oss-accelerate.aliyuncs.com/x64/Installers/T888CH7/tsetup-x64.4.2.0.exe

Malware Config

Signatures

  • joker

    Joker is an Android malware that targets billing and SMS fraud.

  • Downloads MZ/PE file
  • Executes dropped EXE 3 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops desktop.ini file(s) 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Enumerates system info in registry 2 TTPs 6 IoCs
  • Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 30 IoCs
  • Modifies registry class 16 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of FindShellTrayWindow 10 IoCs
  • Suspicious use of SendNotifyMessage 7 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://tgsgp.oss-accelerate.aliyuncs.com/x64/Installers/T888CH7/tsetup-x64.4.2.0.exe
    1⤵
    • Modifies Internet Explorer Phishing Filter
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2980
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2980 CREDAT:17410 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:3552
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\94PW68LC\tsetup-x64.4.2.0.exe
      "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\94PW68LC\tsetup-x64.4.2.0.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2400
      • C:\Users\Admin\AppData\Local\Temp\is-GSUGP.tmp\tsetup-x64.4.2.0.tmp
        "C:\Users\Admin\AppData\Local\Temp\is-GSUGP.tmp\tsetup-x64.4.2.0.tmp" /SL5="$501F8,36322295,814592,C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\94PW68LC\tsetup-x64.4.2.0.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:4584
        • C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe
          "C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe"
          4⤵
          • Executes dropped EXE
          • Drops desktop.ini file(s)
          • Enumerates system info in registry
          • Modifies registry class
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of SetWindowsHookEx
          PID:1564

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\94PW68LC\tsetup-x64.4.2.0.exe

    Filesize

    35.5MB

    MD5

    7c9b45db295868dac64ad9e927c02f51

    SHA1

    3ea928ab4cf506b703f9345e4b1f3ad522b242e9

    SHA256

    3f2e13e69c5eb5dc2a46fd627c4116f0dcf97376152b5f960d867cca93446d8d

    SHA512

    b9064f888a7206fe99df2568d2c427a431b171ec6b0aaa9f352c6b9f35bbb9ea86c376b62677faf9cab688178a6db10175392e187d1416130fab7adc8ae90451

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\94PW68LC\tsetup-x64.4.2.0.exe.q3fzbkd.partial

    Filesize

    35.5MB

    MD5

    7c9b45db295868dac64ad9e927c02f51

    SHA1

    3ea928ab4cf506b703f9345e4b1f3ad522b242e9

    SHA256

    3f2e13e69c5eb5dc2a46fd627c4116f0dcf97376152b5f960d867cca93446d8d

    SHA512

    b9064f888a7206fe99df2568d2c427a431b171ec6b0aaa9f352c6b9f35bbb9ea86c376b62677faf9cab688178a6db10175392e187d1416130fab7adc8ae90451

  • C:\Users\Admin\AppData\Local\Temp\is-GSUGP.tmp\tsetup-x64.4.2.0.tmp

    Filesize

    3.0MB

    MD5

    ce3b2ef0b07d1770ddd8fa09a34138de

    SHA1

    d07d12411d4a95cd26701fe83eb6d90d81103eee

    SHA256

    22e0e4420698350d18a6c02244c5fa1ff2c772eacb9e7019a8f212b479934386

    SHA512

    02edc78f9b7c8ad01a79243bbc7b51d2b86fb650535d134cc06360519b49ed30241de5cb916ab0624098e2b2b4c94b246e0fcf19e513b4e526100d46db652442

  • C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe

    Filesize

    114.2MB

    MD5

    fb3be1dcac7e48d44cb355c261776f2f

    SHA1

    cba72d43c128c77093866d3a48fe6fa2f0a8c33f

    SHA256

    1b6cad5a326748b2faa1180a269a73332df2ee933b5646ceb0bdb83ba4bd24f7

    SHA512

    a6932b5fb04f5a9472c17e05102a522cc373578fd2f7244df6aa20f3cc92c5d02d71cee01ce2e302596044d88a59f7c0acb59599f1d04f0cc6208d3a364e9a61

  • memory/1564-144-0x0000017AD1FC0000-0x0000017AD1FD0000-memory.dmp

    Filesize

    64KB

  • memory/1564-147-0x0000017AD1FC0000-0x0000017AD1FD0000-memory.dmp

    Filesize

    64KB

  • memory/2400-140-0x0000000000400000-0x00000000004D4000-memory.dmp

    Filesize

    848KB

  • memory/2400-137-0x0000000000400000-0x00000000004D4000-memory.dmp

    Filesize

    848KB

  • memory/2400-135-0x0000000000400000-0x00000000004D4000-memory.dmp

    Filesize

    848KB

  • memory/2400-145-0x0000000000400000-0x00000000004D4000-memory.dmp

    Filesize

    848KB