Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
151s -
max time network
172s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
29/10/2022, 20:10
General
-
Target
e2664ed981b0869e0b5b864e5f4303718a77f039661796de1205045a86b2586f.exe
-
Size
33KB
-
MD5
8414a54ccaa4798c137b276ecc1c3c7f
-
SHA1
b636af08fff1212ca37e82f21e1b5390c4e3d335
-
SHA256
e2664ed981b0869e0b5b864e5f4303718a77f039661796de1205045a86b2586f
-
SHA512
466a160252e60c879200d3a9bb48743dbbd1a1121aedc741ffcb6846bbaca53abd362ae20a243f9bdb956559f1f6a8dac13800acbe26046840afef58bb050498
-
SSDEEP
768:C4URzUjUI/znSxATOj21M8kMKfpp3Rs4pG:TURzW/uqTs8kpRRs4U
Malware Config
Signatures
-
joker
Joker is an Android malware that targets billing and SMS fraud.
-
Executes dropped EXE 1 IoCs
-
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates processes with tasklist 1 TTPs 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 48 IoCs
-
Modifies Internet Explorer start page 1 TTPs 2 IoCs
-
Modifies registry class 13 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e2664ed981b0869e0b5b864e5f4303718a77f039661796de1205045a86b2586f.exe"C:\Users\Admin\AppData\Local\Temp\e2664ed981b0869e0b5b864e5f4303718a77f039661796de1205045a86b2586f.exe"1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp_ext.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\lua\1.bat3⤵
- Suspicious use of WriteProcessMemory
-
C:\PROGRA~1\INTERN~1\iexplore.exeC:\PROGRA~1\INTERN~1\IEXPLORE.EXE http://www.cnkankan.com/?821334⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3028 CREDAT:17410 /prefetch:25⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\lua\1.inf4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\lua\2.bat4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg add "HKCR\CLSID\{D71C5380-D2A0-CD69-E3EE-E1002B3A309E}" /v "IsShortCut" /d "" /f5⤵
- Modifies registry class
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCR\CLSID\{D71C5380-D2A0-CD69-E3EE-E1002B3A309E}\Shell\open(&H)\Command" /v "" /d "wscript -e:vbs ""C:\Users\Admin\AppData\Roaming\lua\3.bat""" /f5⤵
- Modifies registry class
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h C:\Users\Admin\AppData\Roaming\lua\tmp\a.{D71C5380-D2A0-CD69-E3EE-E1002B3A309E}5⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h C:\Users\Admin\AppData\Roaming\lua\tmp5⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\rundll32.exerundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\lua\2.inf5⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\SysWOW64\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\find.exefind /i "360tray.exe" tasklist.txt5⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu" /v "{871C5380-42A0-1069-A2EA-08002B30309D}" /d "1" /f5⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu" /v "{871C5380-42A0-1069-A2EA-08002B30309D}" /d "1" /f5⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel" /v "{871C5380-42A0-1069-A2EA-08002B30309D}" /d "1" /f5⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCR\htafile" /v "NeverShowExt" /d "" /f5⤵
- Modifies registry class
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCR\htafile\DefaultIcon" /v "" /d "C:\Program Files\Internet Explorer\IEXPLORE.EXE" /f5⤵
- Modifies registry class
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d "http://www.82133.com/?S" /f5⤵
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d "http://www.82133.com/?S" /f5⤵
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\inl2B43.tmpC:\Users\Admin\AppData\Local\Temp\inl2B43.tmp2⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\E2664E~1.EXE > nul2⤵
-
-
C:\Windows\SysWOW64\runonce.exe"C:\Windows\system32\runonce.exe" -r1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\grpconv.exe"C:\Windows\System32\grpconv.exe" -o2⤵
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
471B
MD5a66314123c8c72372bcb8583a5400a95
SHA1fc3e45060463c37775da0bd4a8920296d222753d
SHA256657c92d95798fc5dad4272f3d6d71776737ac0bcdce4ac6864ca5532f2ccf34d
SHA512d9f5c243b04d7b3fbbcb37c68c583db672390644500cfa4d58280048d9fde52c668fd67e84ecd6ace20b2813eefb756627adbd04a6f19719f6e907aa3fffe4f1
-
Filesize
434B
MD5689dbbc24b6b02bec667165ee9ae3948
SHA1485d67481e4349fecde8420b05f14db665be9d56
SHA256f13f3d4ae74288019f19a30daed4dfba0d24994b3c2b32cb10c8e2dde36009d0
SHA51255172259093b308a80aad4bef5b9b6468a3e1cce92a7277c50b3599c08727ad1e577a10fd1dc35b2547126cf20ca0114df2053a87ddc382a8ea33140404418a6
-
Filesize
1KB
MD5f7ff8e881393a7c98deb6a9d131efac9
SHA14919dc2284a00ae2cd5b425d7eb6608a0c34fea6
SHA2568f017012d1fc9d4827bba7e56f6aadda2909ba3c19bca79e191adec143e799ea
SHA512f70b00515fa17c9b974db677ba643e8bab17d2d254a4fd58b96affb463b382c3645c0ad50fbcf1ecabc2e6793630c58ae7a563ad95c8ac3cc9796385c4ec1d59
-
Filesize
57.2MB
MD5a49e942840744e61ec28fcce3e5c8639
SHA17ced888a256232e952b8b5919f9aef9a7f37d313
SHA256a3f23c5fa54d28fc33c51390bc1f8ab4c27da91c9a2a24fc781f673c8c954dda
SHA5120e72e47d925bab232e9c4fc70879058195611ae3c241e092e479ff3870a217324a04b6a60ab1e340ab570975ddd07a68b7b81697087b73aec1c60638b5171d49
-
Filesize
57.2MB
MD5a49e942840744e61ec28fcce3e5c8639
SHA17ced888a256232e952b8b5919f9aef9a7f37d313
SHA256a3f23c5fa54d28fc33c51390bc1f8ab4c27da91c9a2a24fc781f673c8c954dda
SHA5120e72e47d925bab232e9c4fc70879058195611ae3c241e092e479ff3870a217324a04b6a60ab1e340ab570975ddd07a68b7b81697087b73aec1c60638b5171d49
-
Filesize
7KB
MD577287fb5a570ba6d24a3da94db1c2fdf
SHA10df60e96b7b32032fb485da5010339359f95deb8
SHA25602b168b426c0455bfc04472fecdb46f0d90e4502c0c2b847962b28900fbd1c4f
SHA5124c9f5b5ec7da8b3a3226a85187057a71959c4ac21025a553462d6fcdf0557156bee0c996304741e3f4ebbd804103903f6c3ce9bcd6277098f853ddce2559a029
-
Filesize
50B
MD5e08ad52d3d132292f9c51e7cfec5fe08
SHA1269f7eb185a9ff02664297bfb6f5df9f86ec10f0
SHA256bd2a3003fb1f771283b30a044c49aecb72bfdff4322330337dba4992ecd198f4
SHA5123dc0331f3ee9a57de7bda71a94953239bc7033a130f2b783b35d17ce3ed7b7928c154323d10ba81bd81d3bfd2d7c123cec55f5178d2b44286c2f857ccd6a1722
-
Filesize
2KB
MD5e9b0ea3bb8833d31df07f7ceaf019e02
SHA1d147c5363b7fa233cbf2247897a465661f5ad408
SHA256c9908af4e516f3fe5631e31d099f16f8c4e4d8b91d073003c10a3a0a0bc30fe3
SHA5124c2a36d0498dd3332ca19e969d1ceaab2a57ef4d12adcc3ffff218a9d72dbfc1622fb22c08215da778821d50d3fd72b0d559f891196176e00459ef01300c9b2b
-
Filesize
424B
MD55d8e8066c8e44558a044f4de83b79df2
SHA14920014abe179ae430bb55b3c4bdb6966327f551
SHA2561d51c8abf3a0f5d4b2e61209507052bd12797d12c7821cb8868a0f3cd9950149
SHA512792b8d0dcb3309ac0513d45e683dbf301ad06d60f4ae770b9d6c0d975eef6b85af17fb3f05fb74866556a11ef0c92f98b20fd81d455ab4b97606257fa782ea81
-
Filesize
8KB
MD5fad373a616743963bbd11fa966e3f5ac
SHA189638961a6a0d6622fa3214e6abc2bc810c549cf
SHA2562c5b82c6c39cfba12d70cd4080165bd18ce3e65d3e540e2f787b9e7c583eb319
SHA512956c7d65a3ac45b688fe3ae71f04c664542d03910f8f727ed27fc5d36bf2571d3e397d16ee28ac19512dfa939b8bbd453a307f9d778b84bf689cf32af9a4c39b
-
Filesize
244B
MD52de3e6e4faea8c4a10ddd4f26455caca
SHA1b7c02274aa020619e6c7b925427b027ffcc28629
SHA2569f29d64886130752a5fe40ce6e83a8f35dc65340871cfe435499a609037c2824
SHA5120e49cbd89766d3697ce4c9a2c83de32ebaee2d41f1a635a94cf0c73541aaa614f4f5b755f55d21fdea07fc76985bc741f2649abc1c6a32e9876ffa6b3a1c33c8
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
84KB
-
Filesize
12KB
-
Filesize
84KB
-
Filesize
84KB