joker | 3c1082afe579862b6d02a7a6cb576e40fb18c0b8fd8b6fc04d32f4d576d23dc4

Analysis

max time kernel
132s
max time network
179s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
28-10-2022 18:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3c1082afe579862b6d02a7a6cb576e40fb18c0b8fd8b6fc04d32f4d576d23dc4.exe
Size

148KB
MD5

0715e3716413bb6a08a48fdb6affc560
SHA1

85f7ce09f3575692b1c647940cab6d6a46fdba32
SHA256

3c1082afe579862b6d02a7a6cb576e40fb18c0b8fd8b6fc04d32f4d576d23dc4
SHA512

e0b6b0de2d417fa903544c37837bc365edc9be622dab1272029f2537b5f3c5a4b79974536b832655f36a85552b735561c61446ac750f0b803ad43297a2276c68
SSDEEP

1536:0RmDgjvo1M8oXtHjrbZ4zynEPOv2sQJ1F/1fPWNltTwCYmdyDLLLLLLLL1FLqzi:gDToD8/Z5EPO+sQJZWNltTtiLqz

Score

10^/10

joker infostealer trojan

Malware Config

Signatures

joker
Joker is an Android malware that targets billing and SMS fraud.
infostealer trojan joker

Drops desktop.ini file(s) 11 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\desktop.ini	3c1082afe579862b6d02a7a6cb576e40fb18c0b8fd8b6fc04d32f4d576d23dc4.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3845472200-3839195424-595303356-1000\desktop.ini	3c1082afe579862b6d02a7a6cb576e40fb18c0b8fd8b6fc04d32f4d576d23dc4.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	3c1082afe579862b6d02a7a6cb576e40fb18c0b8fd8b6fc04d32f4d576d23dc4.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	3c1082afe579862b6d02a7a6cb576e40fb18c0b8fd8b6fc04d32f4d576d23dc4.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	3c1082afe579862b6d02a7a6cb576e40fb18c0b8fd8b6fc04d32f4d576d23dc4.exe
File opened for modification	C:\Program Files\desktop.ini	3c1082afe579862b6d02a7a6cb576e40fb18c0b8fd8b6fc04d32f4d576d23dc4.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	3c1082afe579862b6d02a7a6cb576e40fb18c0b8fd8b6fc04d32f4d576d23dc4.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	3c1082afe579862b6d02a7a6cb576e40fb18c0b8fd8b6fc04d32f4d576d23dc4.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	3c1082afe579862b6d02a7a6cb576e40fb18c0b8fd8b6fc04d32f4d576d23dc4.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	3c1082afe579862b6d02a7a6cb576e40fb18c0b8fd8b6fc04d32f4d576d23dc4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	3c1082afe579862b6d02a7a6cb576e40fb18c0b8fd8b6fc04d32f4d576d23dc4.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	3c1082afe579862b6d02a7a6cb576e40fb18c0b8fd8b6fc04d32f4d576d23dc4.exe
File opened (read-only)	\??\N:	3c1082afe579862b6d02a7a6cb576e40fb18c0b8fd8b6fc04d32f4d576d23dc4.exe
File opened (read-only)	\??\J:	3c1082afe579862b6d02a7a6cb576e40fb18c0b8fd8b6fc04d32f4d576d23dc4.exe
File opened (read-only)	\??\E:	3c1082afe579862b6d02a7a6cb576e40fb18c0b8fd8b6fc04d32f4d576d23dc4.exe
File opened (read-only)	\??\Z:	3c1082afe579862b6d02a7a6cb576e40fb18c0b8fd8b6fc04d32f4d576d23dc4.exe
File opened (read-only)	\??\Y:	3c1082afe579862b6d02a7a6cb576e40fb18c0b8fd8b6fc04d32f4d576d23dc4.exe
File opened (read-only)	\??\T:	3c1082afe579862b6d02a7a6cb576e40fb18c0b8fd8b6fc04d32f4d576d23dc4.exe
File opened (read-only)	\??\Q:	3c1082afe579862b6d02a7a6cb576e40fb18c0b8fd8b6fc04d32f4d576d23dc4.exe
File opened (read-only)	\??\O:	3c1082afe579862b6d02a7a6cb576e40fb18c0b8fd8b6fc04d32f4d576d23dc4.exe
File opened (read-only)	\??\M:	3c1082afe579862b6d02a7a6cb576e40fb18c0b8fd8b6fc04d32f4d576d23dc4.exe
File opened (read-only)	\??\V:	3c1082afe579862b6d02a7a6cb576e40fb18c0b8fd8b6fc04d32f4d576d23dc4.exe
File opened (read-only)	\??\U:	3c1082afe579862b6d02a7a6cb576e40fb18c0b8fd8b6fc04d32f4d576d23dc4.exe
File opened (read-only)	\??\S:	3c1082afe579862b6d02a7a6cb576e40fb18c0b8fd8b6fc04d32f4d576d23dc4.exe
File opened (read-only)	\??\R:	3c1082afe579862b6d02a7a6cb576e40fb18c0b8fd8b6fc04d32f4d576d23dc4.exe
File opened (read-only)	\??\L:	3c1082afe579862b6d02a7a6cb576e40fb18c0b8fd8b6fc04d32f4d576d23dc4.exe
File opened (read-only)	\??\K:	3c1082afe579862b6d02a7a6cb576e40fb18c0b8fd8b6fc04d32f4d576d23dc4.exe
File opened (read-only)	\??\F:	3c1082afe579862b6d02a7a6cb576e40fb18c0b8fd8b6fc04d32f4d576d23dc4.exe
File opened (read-only)	\??\G:	3c1082afe579862b6d02a7a6cb576e40fb18c0b8fd8b6fc04d32f4d576d23dc4.exe
File opened (read-only)	\??\X:	3c1082afe579862b6d02a7a6cb576e40fb18c0b8fd8b6fc04d32f4d576d23dc4.exe
File opened (read-only)	\??\W:	3c1082afe579862b6d02a7a6cb576e40fb18c0b8fd8b6fc04d32f4d576d23dc4.exe
File opened (read-only)	\??\I:	3c1082afe579862b6d02a7a6cb576e40fb18c0b8fd8b6fc04d32f4d576d23dc4.exe
File opened (read-only)	\??\H:	3c1082afe579862b6d02a7a6cb576e40fb18c0b8fd8b6fc04d32f4d576d23dc4.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\es-419.pak	3c1082afe579862b6d02a7a6cb576e40fb18c0b8fd8b6fc04d32f4d576d23dc4.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Vienna	3c1082afe579862b6d02a7a6cb576e40fb18c0b8fd8b6fc04d32f4d576d23dc4.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\vlc.mo	3c1082afe579862b6d02a7a6cb576e40fb18c0b8fd8b6fc04d32f4d576d23dc4.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Notes_loop_PAL.wmv	3c1082afe579862b6d02a7a6cb576e40fb18c0b8fd8b6fc04d32f4d576d23dc4.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher.eclipse.nl_ja_4.4.0.v20140623020002.jar	3c1082afe579862b6d02a7a6cb576e40fb18c0b8fd8b6fc04d32f4d576d23dc4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0215718.WMF	3c1082afe579862b6d02a7a6cb576e40fb18c0b8fd8b6fc04d32f4d576d23dc4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTaskIcon.jpg	3c1082afe579862b6d02a7a6cb576e40fb18c0b8fd8b6fc04d32f4d576d23dc4.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Nassau	3c1082afe579862b6d02a7a6cb576e40fb18c0b8fd8b6fc04d32f4d576d23dc4.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Cambridge_Bay	3c1082afe579862b6d02a7a6cb576e40fb18c0b8fd8b6fc04d32f4d576d23dc4.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\SystemV\MST7	3c1082afe579862b6d02a7a6cb576e40fb18c0b8fd8b6fc04d32f4d576d23dc4.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\PresentationCore.resources.dll	3c1082afe579862b6d02a7a6cb576e40fb18c0b8fd8b6fc04d32f4d576d23dc4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0216112.JPG	3c1082afe579862b6d02a7a6cb576e40fb18c0b8fd8b6fc04d32f4d576d23dc4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0199755.WMF	3c1082afe579862b6d02a7a6cb576e40fb18c0b8fd8b6fc04d32f4d576d23dc4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0286068.WMF	3c1082afe579862b6d02a7a6cb576e40fb18c0b8fd8b6fc04d32f4d576d23dc4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME02.CSS	3c1082afe579862b6d02a7a6cb576e40fb18c0b8fd8b6fc04d32f4d576d23dc4.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\ja-JP\msdaremr.dll.mui	3c1082afe579862b6d02a7a6cb576e40fb18c0b8fd8b6fc04d32f4d576d23dc4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\INFOPATHEDITOR_K_COL.HXK	3c1082afe579862b6d02a7a6cb576e40fb18c0b8fd8b6fc04d32f4d576d23dc4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsMacroTemplate.html	3c1082afe579862b6d02a7a6cb576e40fb18c0b8fd8b6fc04d32f4d576d23dc4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_decreaseindent.gif	3c1082afe579862b6d02a7a6cb576e40fb18c0b8fd8b6fc04d32f4d576d23dc4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\validation.js	3c1082afe579862b6d02a7a6cb576e40fb18c0b8fd8b6fc04d32f4d576d23dc4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR20F.GIF	3c1082afe579862b6d02a7a6cb576e40fb18c0b8fd8b6fc04d32f4d576d23dc4.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\Microsoft.Build.Utilities.v3.5.resources.dll	3c1082afe579862b6d02a7a6cb576e40fb18c0b8fd8b6fc04d32f4d576d23dc4.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\row_over.png	3c1082afe579862b6d02a7a6cb576e40fb18c0b8fd8b6fc04d32f4d576d23dc4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0202045.JPG	3c1082afe579862b6d02a7a6cb576e40fb18c0b8fd8b6fc04d32f4d576d23dc4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN00231_.WMF	3c1082afe579862b6d02a7a6cb576e40fb18c0b8fd8b6fc04d32f4d576d23dc4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_High.jpg	3c1082afe579862b6d02a7a6cb576e40fb18c0b8fd8b6fc04d32f4d576d23dc4.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.ui_5.5.0.165303.jar	3c1082afe579862b6d02a7a6cb576e40fb18c0b8fd8b6fc04d32f4d576d23dc4.exe
File opened for modification	C:\Program Files\NewDisconnect.jpeg	3c1082afe579862b6d02a7a6cb576e40fb18c0b8fd8b6fc04d32f4d576d23dc4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL104.XML	3c1082afe579862b6d02a7a6cb576e40fb18c0b8fd8b6fc04d32f4d576d23dc4.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\tzmappings	3c1082afe579862b6d02a7a6cb576e40fb18c0b8fd8b6fc04d32f4d576d23dc4.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_fi.dll	3c1082afe579862b6d02a7a6cb576e40fb18c0b8fd8b6fc04d32f4d576d23dc4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\ROAD_01.MID	3c1082afe579862b6d02a7a6cb576e40fb18c0b8fd8b6fc04d32f4d576d23dc4.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Yakutat	3c1082afe579862b6d02a7a6cb576e40fb18c0b8fd8b6fc04d32f4d576d23dc4.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\redmenu.png	3c1082afe579862b6d02a7a6cb576e40fb18c0b8fd8b6fc04d32f4d576d23dc4.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-core-execution.xml_hidden	3c1082afe579862b6d02a7a6cb576e40fb18c0b8fd8b6fc04d32f4d576d23dc4.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\css\flyout.css	3c1082afe579862b6d02a7a6cb576e40fb18c0b8fd8b6fc04d32f4d576d23dc4.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\ActionsPane3.xsd	3c1082afe579862b6d02a7a6cb576e40fb18c0b8fd8b6fc04d32f4d576d23dc4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0198025.WMF	3c1082afe579862b6d02a7a6cb576e40fb18c0b8fd8b6fc04d32f4d576d23dc4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0291794.WMF	3c1082afe579862b6d02a7a6cb576e40fb18c0b8fd8b6fc04d32f4d576d23dc4.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\js\init.js	3c1082afe579862b6d02a7a6cb576e40fb18c0b8fd8b6fc04d32f4d576d23dc4.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\15x15dot.png	3c1082afe579862b6d02a7a6cb576e40fb18c0b8fd8b6fc04d32f4d576d23dc4.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.console_1.1.0.v20140131-1639.jar	3c1082afe579862b6d02a7a6cb576e40fb18c0b8fd8b6fc04d32f4d576d23dc4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\Issue Tracking.gta	3c1082afe579862b6d02a7a6cb576e40fb18c0b8fd8b6fc04d32f4d576d23dc4.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\dotsdarkoverlay.png	3c1082afe579862b6d02a7a6cb576e40fb18c0b8fd8b6fc04d32f4d576d23dc4.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\slideShow.html	3c1082afe579862b6d02a7a6cb576e40fb18c0b8fd8b6fc04d32f4d576d23dc4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00779_.WMF	3c1082afe579862b6d02a7a6cb576e40fb18c0b8fd8b6fc04d32f4d576d23dc4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0168644.WMF	3c1082afe579862b6d02a7a6cb576e40fb18c0b8fd8b6fc04d32f4d576d23dc4.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Ojinaga	3c1082afe579862b6d02a7a6cb576e40fb18c0b8fd8b6fc04d32f4d576d23dc4.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Guatemala	3c1082afe579862b6d02a7a6cb576e40fb18c0b8fd8b6fc04d32f4d576d23dc4.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_left_rest.png	3c1082afe579862b6d02a7a6cb576e40fb18c0b8fd8b6fc04d32f4d576d23dc4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD08868_.WMF	3c1082afe579862b6d02a7a6cb576e40fb18c0b8fd8b6fc04d32f4d576d23dc4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD09662_.WMF	3c1082afe579862b6d02a7a6cb576e40fb18c0b8fd8b6fc04d32f4d576d23dc4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02746G.GIF	3c1082afe579862b6d02a7a6cb576e40fb18c0b8fd8b6fc04d32f4d576d23dc4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Slate\TAB_ON.GIF	3c1082afe579862b6d02a7a6cb576e40fb18c0b8fd8b6fc04d32f4d576d23dc4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\StarterToolTemplates.xml	3c1082afe579862b6d02a7a6cb576e40fb18c0b8fd8b6fc04d32f4d576d23dc4.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\charsets.jar	3c1082afe579862b6d02a7a6cb576e40fb18c0b8fd8b6fc04d32f4d576d23dc4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\MDIParent.zip	3c1082afe579862b6d02a7a6cb576e40fb18c0b8fd8b6fc04d32f4d576d23dc4.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-heapwalker.jar	3c1082afe579862b6d02a7a6cb576e40fb18c0b8fd8b6fc04d32f4d576d23dc4.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-coredump_ja.jar	3c1082afe579862b6d02a7a6cb576e40fb18c0b8fd8b6fc04d32f4d576d23dc4.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Vancouver	3c1082afe579862b6d02a7a6cb576e40fb18c0b8fd8b6fc04d32f4d576d23dc4.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Services.dll	3c1082afe579862b6d02a7a6cb576e40fb18c0b8fd8b6fc04d32f4d576d23dc4.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VGX\VGX.dll	3c1082afe579862b6d02a7a6cb576e40fb18c0b8fd8b6fc04d32f4d576d23dc4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH02312_.WMF	3c1082afe579862b6d02a7a6cb576e40fb18c0b8fd8b6fc04d32f4d576d23dc4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14530_.GIF	3c1082afe579862b6d02a7a6cb576e40fb18c0b8fd8b6fc04d32f4d576d23dc4.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\pknliutqbs13fwavisqefhadwclantian.com\Total = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\pknliutqbs13fwavisqefhadwclantian.com\Total = "252"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.pknliutqbs13fwavisqefhadwclantian.com\ = "315"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\i2s-lab.com\Total = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "378"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "441"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.pknliutqbs13fwavisqefhadwclantian.com\ = "63"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\i2s-lab.com\Total = "126"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\pknliutqbs13fwavisqefhadwclantian.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.pknliutqbs13fwavisqefhadwclantian.com\ = "441"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Factor = "20"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "756"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\pknliutqbs13fwavisqefhadwclantian.com\Total = "189"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.pknliutqbs13fwavisqefhadwclantian.com\ = "126"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.i2s-lab.com\ = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.i2s-lab.com\ = "126"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.pknliutqbs13fwavisqefhadwclantian.com\ = "693"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\International\CpMRU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "189"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.pknliutqbs13fwavisqefhadwclantian.com\ = "252"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\pknliutqbs13fwavisqefhadwclantian.com\Total = "315"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "693"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.pknliutqbs13fwavisqefhadwclantian.com\ = "567"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "315"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.pknliutqbs13fwavisqefhadwclantian.com\ = "189"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "567"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "630"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B215E101-5706-11ED-808D-42A98B637845} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\pknliutqbs13fwavisqefhadwclantian.com\Total = "504"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\pknliutqbs13fwavisqefhadwclantian.com\Total = "630"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.pknliutqbs13fwavisqefhadwclantian.com\ = "504"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\i2s-lab.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "373757156"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.pknliutqbs13fwavisqefhadwclantian.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\pknliutqbs13fwavisqefhadwclantian.com\Total = "441"	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2032	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2032	iexplore.exe
2032	iexplore.exe
576	IEXPLORE.EXE
576	IEXPLORE.EXE
576	IEXPLORE.EXE
576	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 668 wrote to memory of 1836	668	3c1082afe579862b6d02a7a6cb576e40fb18c0b8fd8b6fc04d32f4d576d23dc4.exe	28
PID 668 wrote to memory of 1836	668	3c1082afe579862b6d02a7a6cb576e40fb18c0b8fd8b6fc04d32f4d576d23dc4.exe	28
PID 668 wrote to memory of 1836	668	3c1082afe579862b6d02a7a6cb576e40fb18c0b8fd8b6fc04d32f4d576d23dc4.exe	28
PID 668 wrote to memory of 1836	668	3c1082afe579862b6d02a7a6cb576e40fb18c0b8fd8b6fc04d32f4d576d23dc4.exe	28
PID 1120 wrote to memory of 2032	1120	explorer.exe	30
PID 1120 wrote to memory of 2032	1120	explorer.exe	30
PID 1120 wrote to memory of 2032	1120	explorer.exe	30
PID 2032 wrote to memory of 576	2032	iexplore.exe	32
PID 2032 wrote to memory of 576	2032	iexplore.exe	32
PID 2032 wrote to memory of 576	2032	iexplore.exe	32
PID 2032 wrote to memory of 576	2032	iexplore.exe	32

C:\Users\Admin\AppData\Local\Temp\3c1082afe579862b6d02a7a6cb576e40fb18c0b8fd8b6fc04d32f4d576d23dc4.exe
"C:\Users\Admin\AppData\Local\Temp\3c1082afe579862b6d02a7a6cb576e40fb18c0b8fd8b6fc04d32f4d576d23dc4.exe"
1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:668
- C:\Windows\SysWOW64\explorer.exe
  explorer http://www.i2s-lab.com/sophos.htm
  2⤵
  PID:1836

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:1120
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.i2s-lab.com/sophos.htm
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2032 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:576

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
3dcf580a93972319e82cafbc047d34d5

SHA1
8528d2a1363e5de77dc3b1142850e51ead0f4b6b

SHA256
40810e31f1b69075c727e6d557f9614d5880112895ff6f4df1767e87ae5640d1

SHA512
98384be7218340f95dae88d1cb865f23a0b4e12855beb6e74a3752274c9b4c601e493864db777bca677a370d0a9dbffd68d94898a82014537f3a801cce839c42

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
663d6eaf211b41d13127f64a85b90db9

SHA1
eba5b01a577ae918faafd7dda2204f431efcca80

SHA256
3f9bf9d5dc43bd5e15f8bbc35db5631d184f2a40eae8721ecb424d9448178fd2

SHA512
e113f47e642aeb5c42dac8612222b873862d6510a0cb00dfde00a969e5a9aa83d129f12dd79d473ea4ce425c1a7f740f1f2598ac522d207bc6af6e21fca0b5e0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
593fdcea4ec2934d679a65b1f77fd4ef

SHA1
a213db6d50cc1130368060284ab8101f1f6519f0

SHA256
1ffd2ff92f4319f5bf02c19cdd8962af039f01c1a716954ac412a954516c090c

SHA512
2a3b3906328b6a75ce2b36430f11e285c9c5c06824a4168855d62f05d36bea43074d51755ccab86e61cac8ac19798c558ae4d78c48bf20f37bd3820628a966d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\tcz8fqz\imagestore.dat

Filesize
5KB

MD5
9b19b7423a1a77513685ed8eb9c3178d

SHA1
81f4c9c9ea50a50a9c671f308b179ad36eaa20fe

SHA256
9074a37528e6e0edfe885bfa3e4e0365e8ab0183a6936b4e0ab5e5d95fcb2cc4

SHA512
00b29e240385ebf45e37eef2b4835826b78b12ce554359dc3c9c18c37439b5dbad90cac0514d644f630708b9c5220f3c6b8fde1b99119b1dc919a34e5e15d36d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\F146FOT1.txt

Filesize
608B

MD5
95af5094b78c0823def0c557777a773f

SHA1
78fb888093ceb3d324e3c4d0cb0124a9864481f8

SHA256
6dd25d2e84e0455f76ba73da62eaf241e2e4aaf2c7409e2021b3387cbf434c9d

SHA512
0b802c3deca2e939f9d76303d17ac46fb69f4c3c3bc116d84debfb5da66627d491b672557f782ea55d434b7e558527154c8fb4143f042faf107b3f8cd1ab2fa4

Download Submit
memory/1120-57-0x000007FEFB7B1000-0x000007FEFB7B3000-memory.dmp

Filesize
8KB

Download
memory/1836-55-0x0000000075981000-0x0000000075983000-memory.dmp

Filesize
8KB

Download
memory/1836-56-0x0000000074811000-0x0000000074813000-memory.dmp

Filesize
8KB

Download