joker | e03dae04b372e4581f8a39bd30c56b4435423c9209ea4d86dbd445faeefafd23

Analysis

max time kernel
87s
max time network
166s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
30-10-2022 04:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e03dae04b372e4581f8a39bd30c56b4435423c9209ea4d86dbd445faeefafd23.exe
Size

943KB
MD5

a31c29394aff003f6695119188032150
SHA1

5695a7e86c933e9d20b71aa8e9edb85f3c68d2b0
SHA256

e03dae04b372e4581f8a39bd30c56b4435423c9209ea4d86dbd445faeefafd23
SHA512

ca0e10261d6f2f0cd3cebb723ad247ca02c19d8667063f4b4800aa155039257f4dcbf0701accf257aea8a03ef0384db5d4887f6965f7d2b10c84b3a47de9b40e
SSDEEP

24576:sswE9bUix084d2mVWcaW2nrwqbqzcCnwcIcS:s1koPwxWvJfwxT

Score

10^/10

joker bootkit discovery evasion infostealer persistence trojan

Malware Config

Signatures

joker
Joker is an Android malware that targets billing and SMS fraud.
infostealer trojan joker

Executes dropped EXE 2 IoCs

pid	Process
1500	shandian.exe
276	shandian.exe

Loads dropped DLL 11 IoCs

pid	Process
1436	e03dae04b372e4581f8a39bd30c56b4435423c9209ea4d86dbd445faeefafd23.exe
1436	e03dae04b372e4581f8a39bd30c56b4435423c9209ea4d86dbd445faeefafd23.exe
1436	e03dae04b372e4581f8a39bd30c56b4435423c9209ea4d86dbd445faeefafd23.exe
1436	e03dae04b372e4581f8a39bd30c56b4435423c9209ea4d86dbd445faeefafd23.exe
1436	e03dae04b372e4581f8a39bd30c56b4435423c9209ea4d86dbd445faeefafd23.exe
1436	e03dae04b372e4581f8a39bd30c56b4435423c9209ea4d86dbd445faeefafd23.exe
1436	e03dae04b372e4581f8a39bd30c56b4435423c9209ea4d86dbd445faeefafd23.exe
1436	e03dae04b372e4581f8a39bd30c56b4435423c9209ea4d86dbd445faeefafd23.exe
1436	e03dae04b372e4581f8a39bd30c56b4435423c9209ea4d86dbd445faeefafd23.exe
1500	shandian.exe
1500	shandian.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	e03dae04b372e4581f8a39bd30c56b4435423c9209ea4d86dbd445faeefafd23.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\shandian = "C:\\Program Files (x86)\\shandian\\shandian.exe"	e03dae04b372e4581f8a39bd30c56b4435423c9209ea4d86dbd445faeefafd23.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	shandian.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	e03dae04b372e4581f8a39bd30c56b4435423c9209ea4d86dbd445faeefafd23.exe
File opened for modification	\??\PhysicalDrive0	shandian.exe

Drops file in Program Files directory 16 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\shandian\ico\360.ico	e03dae04b372e4581f8a39bd30c56b4435423c9209ea4d86dbd445faeefafd23.exe
File created	C:\Program Files (x86)\shandian\ico\anquan.ico	e03dae04b372e4581f8a39bd30c56b4435423c9209ea4d86dbd445faeefafd23.exe
File created	C:\Program Files (x86)\shandian\shandian.exe	e03dae04b372e4581f8a39bd30c56b4435423c9209ea4d86dbd445faeefafd23.exe
File created	C:\Program Files (x86)\shandian\bin\shandian.exe	e03dae04b372e4581f8a39bd30c56b4435423c9209ea4d86dbd445faeefafd23.exe
File created	C:\Program Files (x86)\shandian\bin\shandian.ini	e03dae04b372e4581f8a39bd30c56b4435423c9209ea4d86dbd445faeefafd23.exe
File opened for modification	C:\Program Files (x86)\shandian\config.ini	e03dae04b372e4581f8a39bd30c56b4435423c9209ea4d86dbd445faeefafd23.exe
File created	C:\Program Files (x86)\shandian\uninst.exe	e03dae04b372e4581f8a39bd30c56b4435423c9209ea4d86dbd445faeefafd23.exe
File opened for modification	C:\Program Files (x86)\shandian\bin\shandian.ini	shandian.exe
File created	C:\Program Files (x86)\shandian\ico\taobao.ico	e03dae04b372e4581f8a39bd30c56b4435423c9209ea4d86dbd445faeefafd23.exe
File created	C:\PROGRA~2\shandian\bin\twcache.ini	shandian.exe
File opened for modification	C:\PROGRA~2\shandian\bin\twcache.ini	shandian.exe
File created	C:\Program Files (x86)\shandian\bin\shandian.ini.tmp	shandian.exe
File created	C:\Program Files (x86)\shandian\home.bat	e03dae04b372e4581f8a39bd30c56b4435423c9209ea4d86dbd445faeefafd23.exe
File created	C:\Program Files (x86)\shandian\ico\ie.ico	e03dae04b372e4581f8a39bd30c56b4435423c9209ea4d86dbd445faeefafd23.exe
File created	C:\PROGRA~2\shandian\bin\theworld.ac	shandian.exe
File opened for modification	C:\PROGRA~2\shandian\bin\theworld.ac	shandian.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x000600000001449e-62.dat	nsis_installer_1
behavioral1/files/0x000600000001449e-62.dat	nsis_installer_2

Modifies Internet Explorer settings 1 TTPs 23 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION\shandian.exe = "1"	shandian.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_INTERNET_SHELL_FOLDERS\shandian.exe = "0"	shandian.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	shandian.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "126"	shandian.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl	shandian.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE	shandian.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE\shandian.exe = "1"	shandian.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION	shandian.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_INTERNET_SHELL_FOLDERS	shandian.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\165.3.94.21\ = "63"	shandian.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\165.3.94.21\Total = "63"	shandian.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_SCRIPT	shandian.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage	shandian.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\165.3.94.21\NumberOfSubdomains = "1"	shandian.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "63"	shandian.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\165.3.94.21\ = "126"	shandian.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	shandian.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_SCRIPT\shandian.exe = "0"	shandian.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\165.3.94.21	shandian.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\165.3.94.21\Total = "126"	shandian.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	shandian.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	shandian.exe

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.jlbnh.com"	e03dae04b372e4581f8a39bd30c56b4435423c9209ea4d86dbd445faeefafd23.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.jlbnh.com/?tn 3"	reg.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command	reg.exe

Modifies system certificate store 2 TTPs 12 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	e03dae04b372e4581f8a39bd30c56b4435423c9209ea4d86dbd445faeefafd23.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	shandian.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	shandian.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	shandian.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b06010505070308040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	shandian.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	e03dae04b372e4581f8a39bd30c56b4435423c9209ea4d86dbd445faeefafd23.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	shandian.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	shandian.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	shandian.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	shandian.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	shandian.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	shandian.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	1812	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1812	AUDIODG.EXE
Token: 33	1812	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1812	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1500	shandian.exe
276	shandian.exe
276	shandian.exe
276	shandian.exe
276	shandian.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1436 wrote to memory of 1500	1436	e03dae04b372e4581f8a39bd30c56b4435423c9209ea4d86dbd445faeefafd23.exe	30
PID 1436 wrote to memory of 1500	1436	e03dae04b372e4581f8a39bd30c56b4435423c9209ea4d86dbd445faeefafd23.exe	30
PID 1436 wrote to memory of 1500	1436	e03dae04b372e4581f8a39bd30c56b4435423c9209ea4d86dbd445faeefafd23.exe	30
PID 1436 wrote to memory of 1500	1436	e03dae04b372e4581f8a39bd30c56b4435423c9209ea4d86dbd445faeefafd23.exe	30
PID 1436 wrote to memory of 1876	1436	e03dae04b372e4581f8a39bd30c56b4435423c9209ea4d86dbd445faeefafd23.exe	31
PID 1436 wrote to memory of 1876	1436	e03dae04b372e4581f8a39bd30c56b4435423c9209ea4d86dbd445faeefafd23.exe	31
PID 1436 wrote to memory of 1876	1436	e03dae04b372e4581f8a39bd30c56b4435423c9209ea4d86dbd445faeefafd23.exe	31
PID 1436 wrote to memory of 1876	1436	e03dae04b372e4581f8a39bd30c56b4435423c9209ea4d86dbd445faeefafd23.exe	31
PID 1876 wrote to memory of 1140	1876	cmd.exe	33
PID 1876 wrote to memory of 1140	1876	cmd.exe	33
PID 1876 wrote to memory of 1140	1876	cmd.exe	33
PID 1876 wrote to memory of 1140	1876	cmd.exe	33
PID 1876 wrote to memory of 1824	1876	cmd.exe	34
PID 1876 wrote to memory of 1824	1876	cmd.exe	34
PID 1876 wrote to memory of 1824	1876	cmd.exe	34
PID 1876 wrote to memory of 1824	1876	cmd.exe	34
PID 1876 wrote to memory of 876	1876	cmd.exe	36
PID 1876 wrote to memory of 876	1876	cmd.exe	36
PID 1876 wrote to memory of 876	1876	cmd.exe	36
PID 1876 wrote to memory of 876	1876	cmd.exe	36
PID 1500 wrote to memory of 276	1500	shandian.exe	37
PID 1500 wrote to memory of 276	1500	shandian.exe	37
PID 1500 wrote to memory of 276	1500	shandian.exe	37
PID 1500 wrote to memory of 276	1500	shandian.exe	37

C:\Users\Admin\AppData\Local\Temp\e03dae04b372e4581f8a39bd30c56b4435423c9209ea4d86dbd445faeefafd23.exe
"C:\Users\Admin\AppData\Local\Temp\e03dae04b372e4581f8a39bd30c56b4435423c9209ea4d86dbd445faeefafd23.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Modifies Internet Explorer start page
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1436
- C:\Program Files (x86)\shandian\shandian.exe
  "C:\Program Files (x86)\shandian\shandian.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1500
- - C:\Program Files (x86)\shandian\bin\shandian.exe
    "C:\Program Files (x86)\shandian\bin\shandian.exe"
    3⤵
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Writes to the Master Boot Record (MBR)
    - Drops file in Program Files directory
    - Modifies Internet Explorer settings
    - Modifies system certificate store
    - Suspicious use of SetWindowsHookEx
    PID:276
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files (x86)\shandian\home.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1876
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCR\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command" /v "" /t reg_expand_sz /d "C:\Program Files\Internet Explorer\iexplore.exe http://www.jlbnh.com/?tn 3" /f
    3⤵
    - Modifies registry class
    PID:1140
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\SOFTWARE\Policies\Microsoft\Internet Explorer\Main" /v "Start Page" /d "http://www.jlbnh.com/?tn 3" /f
    3⤵
    PID:1824
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Internet Explorer\Main" /v "Start Page" /d "http://www.jlbnh.com/?tn 3" /f
    3⤵
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    PID:876

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x50c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1812

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\shandian\bin\shandian.exe

Filesize
1.4MB

MD5
0b8c8dd921f439cdba4e2bbb63fafa6e

SHA1
c00954b5413f7773db7800ab83644eef9af1a6d1

SHA256
77ee2e0a6d9b3be61a86f187487d856bc0ea35b935247bc88036b5e350fc56ef

SHA512
5f2aeabf0de4a56dcb1b68111805f1f4db2f319ad4b313701e7c9f41a6c5095acb3c5ac7553d2cd120a9fdea463cf9f61b4c66f17be8c4719b7dc01f5cb018c8

Download Submit
C:\Program Files (x86)\shandian\bin\shandian.exe

Filesize
1.4MB

MD5
0b8c8dd921f439cdba4e2bbb63fafa6e

SHA1
c00954b5413f7773db7800ab83644eef9af1a6d1

SHA256
77ee2e0a6d9b3be61a86f187487d856bc0ea35b935247bc88036b5e350fc56ef

SHA512
5f2aeabf0de4a56dcb1b68111805f1f4db2f319ad4b313701e7c9f41a6c5095acb3c5ac7553d2cd120a9fdea463cf9f61b4c66f17be8c4719b7dc01f5cb018c8

Download Submit
C:\Program Files (x86)\shandian\bin\shandian.ini

Filesize
74B

MD5
9d36846620a1b56a9d5ace29337db49f

SHA1
93ed1fa019a7b263b38403811af5042688b2100a

SHA256
4b2d9733336aa571d89b34849416e1254d3361cca692ebf97a85c7ca122d2284

SHA512
5b84f8323fd4fed102d9c28c687524560fb051f51ed6c57d71e355357342d93b87362c012695454df56d64dcca012f0df023109e66296d3f079002ac089da88e

Download Submit
C:\Program Files (x86)\shandian\config.ini

Filesize
145B

MD5
4153026849974b788269916d89b87cb0

SHA1
826d1e632022978e6e950d456985864d2919606d

SHA256
9e642f520533505e601b8593eb36ffec7cb10f101e599a535a5708a0b4a905d5

SHA512
12fb36f11ce2b28a22f96e73cd76c65af2e0787572f4bbe8e78914462bb88bf27b75b3685c995639782ecda0b3ce99660c2bc7fc6ebfdcff25da33b95a7396ff

Download Submit
C:\Program Files (x86)\shandian\home.bat

Filesize
703B

MD5
32ae016db9efcbe0b1ec1a94c2d6e2eb

SHA1
376cf1143cce54a01132e24bce677aa7210dc045

SHA256
8b3b6b6e773017a797ce6b9575d36fdef7b959522bc399df8315c8bbb9af7c72

SHA512
08e3f77fc072881ad9b4942051a5c12032d6e42eed3cd29dc90d1e31d452f8bd682ab9ccfb40720a2d2d67151c5076d6b049d1e4e6c6010e1f235866006ad3b7

Download Submit
C:\Program Files (x86)\shandian\shandian.exe

Filesize
96KB

MD5
b442fa57a35ce2505b4ece4a18d0239b

SHA1
28f6045d76bc77c76738c8f6128b7d6ec65b1865

SHA256
0063f24996e1b897ee94d51fc53593fda3a1c293ecde20f1b921e5e8ee56b4cc

SHA512
420d12e775a793be3230116464deb6c8e1fb442f33600237fa798ebd1e46a66ca4eada265f8eab6644573c098662538af9aae9cfbaea946efbc310923348fe57

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
ec8ff3b1ded0246437b1472c69dd1811

SHA1
d813e874c2524e3a7da6c466c67854ad16800326

SHA256
e634c2d1ed20e0638c95597adf4c9d392ebab932d3353f18af1e4421f4bb9cab

SHA512
e967b804cbf2d6da30a532cbc62557d09bd236807790040c6bee5584a482dc09d724fc1d9ac0de6aa5b4e8b1fff72c8ab3206222cc2c95a91035754ac1257552

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6C7617C370060193ABB4C6A6FF28D1D6

Filesize
503B

MD5
cbebbcb41a6c3b094c5902e947b7b2eb

SHA1
d2e971a245a59bb4bad1a80fdac668aaeccc9994

SHA256
b8bc8729088722724c5e44f23683f1ac24f0ab5fe0227cdb99f7feff13aed223

SHA512
e2f626b52b5ada3e013959dc3af624a0c1fe7fac38173d25647a0a82fd29ab0806ce86e4ef3288a240190bece5cdb65b6b1e2b7532724ab3f2ab4f735d75d03f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
c60a4cbfdb2f568c6998bac06cf83203

SHA1
a8b196fdb53ffc8fd459c78d2259c83b52fa9e02

SHA256
773672029a8ec51ca69e84e4f00ea5e362c73da7ca6971b9706064cbc3565071

SHA512
852e6e34c126d1839e7e1db8a0f8dd5704ec928dc36c6e4fb4248b5182339ae9411b942ea686a4b07cfbd1863bbfa46167ff858f177c9c3eddacdfb955d022dc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6C7617C370060193ABB4C6A6FF28D1D6

Filesize
548B

MD5
7dbd76c6af811eddad9b1bbf29415f76

SHA1
a87511c8a91c10ff7abc463f62acc4ed718c3616

SHA256
dff0c10fab3802548e3618c8d32b6550019bfc735ed4d34bfda089443cc489ab

SHA512
b76210ae2fe1d41273a161727b3edc5f02c01132a9f3c880da20c422c0f1f4591922b8651c66774ce2e90c60378fe058f379c6f0f3d11c934d66e5e9339c420a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
340B

MD5
ee7a47de08011349253de30c68e4ef5d

SHA1
e012924962ba890e7ea210ddd206021ebe6ab0a3

SHA256
9138e9e23ac64f154848cf807c4dcbcea98e41e3643642fb16687b2fd881b95c

SHA512
f430fbd28d27281019119e3644572cebde19eb9576bde03c26c8ee04fd6500629f1c16f4471428cfc713a0dd2fd19fda09c8c89d39f457fe150d70f1e90c4f0f

Download Submit
\Program Files (x86)\shandian\bin\shandian.exe

Filesize
1.4MB

MD5
0b8c8dd921f439cdba4e2bbb63fafa6e

SHA1
c00954b5413f7773db7800ab83644eef9af1a6d1

SHA256
77ee2e0a6d9b3be61a86f187487d856bc0ea35b935247bc88036b5e350fc56ef

SHA512
5f2aeabf0de4a56dcb1b68111805f1f4db2f319ad4b313701e7c9f41a6c5095acb3c5ac7553d2cd120a9fdea463cf9f61b4c66f17be8c4719b7dc01f5cb018c8

Download Submit
\Program Files (x86)\shandian\bin\shandian.exe

Filesize
1.4MB

MD5
0b8c8dd921f439cdba4e2bbb63fafa6e

SHA1
c00954b5413f7773db7800ab83644eef9af1a6d1

SHA256
77ee2e0a6d9b3be61a86f187487d856bc0ea35b935247bc88036b5e350fc56ef

SHA512
5f2aeabf0de4a56dcb1b68111805f1f4db2f319ad4b313701e7c9f41a6c5095acb3c5ac7553d2cd120a9fdea463cf9f61b4c66f17be8c4719b7dc01f5cb018c8

Download Submit
\Program Files (x86)\shandian\shandian.exe

Filesize
96KB

MD5
b442fa57a35ce2505b4ece4a18d0239b

SHA1
28f6045d76bc77c76738c8f6128b7d6ec65b1865

SHA256
0063f24996e1b897ee94d51fc53593fda3a1c293ecde20f1b921e5e8ee56b4cc

SHA512
420d12e775a793be3230116464deb6c8e1fb442f33600237fa798ebd1e46a66ca4eada265f8eab6644573c098662538af9aae9cfbaea946efbc310923348fe57

Download Submit
\Program Files (x86)\shandian\shandian.exe

Filesize
96KB

MD5
b442fa57a35ce2505b4ece4a18d0239b

SHA1
28f6045d76bc77c76738c8f6128b7d6ec65b1865

SHA256
0063f24996e1b897ee94d51fc53593fda3a1c293ecde20f1b921e5e8ee56b4cc

SHA512
420d12e775a793be3230116464deb6c8e1fb442f33600237fa798ebd1e46a66ca4eada265f8eab6644573c098662538af9aae9cfbaea946efbc310923348fe57

Download Submit
\Program Files (x86)\shandian\shandian.exe

Filesize
96KB

MD5
b442fa57a35ce2505b4ece4a18d0239b

SHA1
28f6045d76bc77c76738c8f6128b7d6ec65b1865

SHA256
0063f24996e1b897ee94d51fc53593fda3a1c293ecde20f1b921e5e8ee56b4cc

SHA512
420d12e775a793be3230116464deb6c8e1fb442f33600237fa798ebd1e46a66ca4eada265f8eab6644573c098662538af9aae9cfbaea946efbc310923348fe57

Download Submit
\Program Files (x86)\shandian\shandian.exe

Filesize
96KB

MD5
b442fa57a35ce2505b4ece4a18d0239b

SHA1
28f6045d76bc77c76738c8f6128b7d6ec65b1865

SHA256
0063f24996e1b897ee94d51fc53593fda3a1c293ecde20f1b921e5e8ee56b4cc

SHA512
420d12e775a793be3230116464deb6c8e1fb442f33600237fa798ebd1e46a66ca4eada265f8eab6644573c098662538af9aae9cfbaea946efbc310923348fe57

Download Submit
\Program Files (x86)\shandian\uninst.exe

Filesize
119KB

MD5
9d6528499866e9c26b196d2d5acf68d6

SHA1
03d87e5c3d789c96dd06b93ea9dfa003e6ccef32

SHA256
6ebe7cfce2b08f96e9a516c03c8078dda90c466341d0e6282fa9156be8142976

SHA512
4ff296d66ab797e62ad821272d84a99a6fe9898ba2e909e6742fa2ef2fc8cf0e53e7cb6127f68fc5d7253d9cead97313acd4232e86b1c3878dfb27cc7084f81e

Download Submit
\Users\Admin\AppData\Local\Temp\nst2BB4.tmp\Md5dll.dll

Filesize
8KB

MD5
a7d710e78711d5ab90e4792763241754

SHA1
f31cecd926c5d497aba163a17b75975ec34beb13

SHA256
9b05dd603f13c196f3f21c43f48834208fed2294f7090fcd1334931014611fb2

SHA512
f0ca2d6f9a8aeac84ef8b051154a041adffc46e3e9aced142e9c7bf5f7272b047e1db421d38cb2d9182d7442bee3dd806618b019ec042a23ae0e71671d2943c0

Download Submit
\Users\Admin\AppData\Local\Temp\nst2BB4.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nst2BB4.tmp\bind.dll

Filesize
56KB

MD5
b2181e501ce4b03aa5b01d63dbec0b6e

SHA1
3bdf5e76795d87fd005080ccc84596b16c407364

SHA256
40a9e5e0e902a55218361f6965e909c900866eb1ebe6d7b193a077805fb89394

SHA512
ca48994bc13c3c1a4fa50a969a4add2c2caead38fd64d705f83ed372039d9461cc45f898fd7012f2e399f1da62f51a799a9ad9f1fb5b8cf40ae4070e774ddc0a

Download Submit
\Users\Admin\AppData\Local\Temp\nst2BB4.tmp\xID.dll

Filesize
9KB

MD5
3a5ed71aa9c6846d95d57235c4c443d7

SHA1
08156d29bed654f8f8d7f46ddbce84d22d4710cf

SHA256
5e3fa4d610cb2d80ed9991cb2562bd70c5b4d49dbcf4e42a1017c59eedbe28a4

SHA512
5cdb5059020c20a83f230ae2d75bfb6fd69a03418ba6407336db9f0c653fea1e8f4a51400812da81a8bde2f6e4d95fd80e29eb462e818ddbd881789c00d5d1d1

Download Submit
memory/276-81-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/276-82-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/276-85-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/276-84-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/276-86-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1436-54-0x0000000075601000-0x0000000075603000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads