joker | 5b1ea636490bfe74546dbb5f7757e25d9314a837e33403c042f21c769dc06b29

Analysis

max time kernel
151s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
06-11-2022 04:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5b1ea636490bfe74546dbb5f7757e25d9314a837e33403c042f21c769dc06b29.exe
Size

164KB
MD5

3040458d5d9b7bd9d1f86e417a0645ce
SHA1

b168f84de222800d79ca488c33e6bb480b1ab05c
SHA256

5b1ea636490bfe74546dbb5f7757e25d9314a837e33403c042f21c769dc06b29
SHA512

089af126d61ccd958c979c53da9450bec1dd0e92ee7a93ea76277990453ac04d00faf1f0a82dc144067f2fa1f0dc8550d3b8fa85d4aa039500d0bb89c30df7c8
SSDEEP

3072:hh+7Du+WxLPt0fyHJBpn5Fu1k42FEmGcxs:hh+7i+yVdJBpn5sJ2FQD

Score

10^/10

joker evasion infostealer persistence trojan

Malware Config

Signatures

joker
Joker is an Android malware that targets billing and SMS fraud.
infostealer trojan joker

Executes dropped EXE 1 IoCs

pid	Process
4828	inlA0F.tmp

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1158

pid	Process
2144	attrib.exe
3368	attrib.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	5b1ea636490bfe74546dbb5f7757e25d9314a837e33403c042f21c769dc06b29.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\hsdfasd = "\"C:\\Users\\Admin\\AppData\\Roaming\\PPLive\\tmp.\\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}\" hh.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	rundll32.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~1\INTERN~1\ieframe.dll	cmd.exe
File opened for modification	C:\PROGRA~1\INTERN~1\ieframe.dll	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe

Modifies Internet Explorer settings 1 TTPs 46 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DOMStorage\henniu515.site	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "63"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Enable = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.cnkankan.com\ = "126"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\cnkankan.com\Total = "126"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\henniu515.site\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30994842"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2613872311"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Factor = "20"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\cnkankan.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "189"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\henniu515.site\Total = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2596525620"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2596525620"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.henniu515.site	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.cnkankan.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\cnkankan.com\Total = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.henniu515.site\ = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30994842"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DOMStorage\cnkankan.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\cnkankan.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\International\CpMRU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "126"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30994842"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.cnkankan.com\ = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{C5F16508-5D8D-11ED-A0EE-E2272FE8D9C1} = "0"	iexplore.exe

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://www.71628.com/?i"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.71628.com/?i"	reg.exe

Modifies registry class 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\IsShortCut	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command\ = "wscript -e:vbs \"C:\\Users\\Admin\\AppData\\Roaming\\PPLive\\3.bat\""	reg.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	5068	5b1ea636490bfe74546dbb5f7757e25d9314a837e33403c042f21c769dc06b29.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
456	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
456	iexplore.exe
456	iexplore.exe
1820	IEXPLORE.EXE
1820	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 5068 wrote to memory of 3980	5068	5b1ea636490bfe74546dbb5f7757e25d9314a837e33403c042f21c769dc06b29.exe	89
PID 5068 wrote to memory of 3980	5068	5b1ea636490bfe74546dbb5f7757e25d9314a837e33403c042f21c769dc06b29.exe	89
PID 5068 wrote to memory of 3980	5068	5b1ea636490bfe74546dbb5f7757e25d9314a837e33403c042f21c769dc06b29.exe	89
PID 3980 wrote to memory of 3088	3980	cmd.exe	91
PID 3980 wrote to memory of 3088	3980	cmd.exe	91
PID 3980 wrote to memory of 3088	3980	cmd.exe	91
PID 3088 wrote to memory of 456	3088	cmd.exe	93
PID 3088 wrote to memory of 456	3088	cmd.exe	93
PID 3088 wrote to memory of 668	3088	cmd.exe	94
PID 3088 wrote to memory of 668	3088	cmd.exe	94
PID 3088 wrote to memory of 668	3088	cmd.exe	94
PID 3088 wrote to memory of 5108	3088	cmd.exe	96
PID 3088 wrote to memory of 5108	3088	cmd.exe	96
PID 3088 wrote to memory of 5108	3088	cmd.exe	96
PID 5068 wrote to memory of 4828	5068	5b1ea636490bfe74546dbb5f7757e25d9314a837e33403c042f21c769dc06b29.exe	97
PID 5068 wrote to memory of 4828	5068	5b1ea636490bfe74546dbb5f7757e25d9314a837e33403c042f21c769dc06b29.exe	97
PID 5068 wrote to memory of 4828	5068	5b1ea636490bfe74546dbb5f7757e25d9314a837e33403c042f21c769dc06b29.exe	97
PID 5068 wrote to memory of 2880	5068	5b1ea636490bfe74546dbb5f7757e25d9314a837e33403c042f21c769dc06b29.exe	99
PID 5068 wrote to memory of 2880	5068	5b1ea636490bfe74546dbb5f7757e25d9314a837e33403c042f21c769dc06b29.exe	99
PID 5068 wrote to memory of 2880	5068	5b1ea636490bfe74546dbb5f7757e25d9314a837e33403c042f21c769dc06b29.exe	99
PID 456 wrote to memory of 1820	456	iexplore.exe	98
PID 456 wrote to memory of 1820	456	iexplore.exe	98
PID 456 wrote to memory of 1820	456	iexplore.exe	98
PID 5108 wrote to memory of 3264	5108	cmd.exe	101
PID 5108 wrote to memory of 3264	5108	cmd.exe	101
PID 5108 wrote to memory of 3264	5108	cmd.exe	101
PID 5108 wrote to memory of 2780	5108	cmd.exe	102
PID 5108 wrote to memory of 2780	5108	cmd.exe	102
PID 5108 wrote to memory of 2780	5108	cmd.exe	102
PID 5108 wrote to memory of 3076	5108	cmd.exe	103
PID 5108 wrote to memory of 3076	5108	cmd.exe	103
PID 5108 wrote to memory of 3076	5108	cmd.exe	103
PID 5108 wrote to memory of 4648	5108	cmd.exe	104
PID 5108 wrote to memory of 4648	5108	cmd.exe	104
PID 5108 wrote to memory of 4648	5108	cmd.exe	104
PID 5108 wrote to memory of 4668	5108	cmd.exe	105
PID 5108 wrote to memory of 4668	5108	cmd.exe	105
PID 5108 wrote to memory of 4668	5108	cmd.exe	105
PID 5108 wrote to memory of 2144	5108	cmd.exe	106
PID 5108 wrote to memory of 2144	5108	cmd.exe	106
PID 5108 wrote to memory of 2144	5108	cmd.exe	106
PID 5108 wrote to memory of 3368	5108	cmd.exe	107
PID 5108 wrote to memory of 3368	5108	cmd.exe	107
PID 5108 wrote to memory of 3368	5108	cmd.exe	107
PID 5108 wrote to memory of 4660	5108	cmd.exe	108
PID 5108 wrote to memory of 4660	5108	cmd.exe	108
PID 5108 wrote to memory of 4660	5108	cmd.exe	108
PID 5108 wrote to memory of 3520	5108	cmd.exe	109
PID 5108 wrote to memory of 3520	5108	cmd.exe	109
PID 5108 wrote to memory of 3520	5108	cmd.exe	109
PID 4660 wrote to memory of 2368	4660	rundll32.exe	110
PID 4660 wrote to memory of 2368	4660	rundll32.exe	110
PID 4660 wrote to memory of 2368	4660	rundll32.exe	110
PID 2368 wrote to memory of 3100	2368	runonce.exe	111
PID 2368 wrote to memory of 3100	2368	runonce.exe	111
PID 2368 wrote to memory of 3100	2368	runonce.exe	111

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
2144	attrib.exe
3368	attrib.exe

C:\Users\Admin\AppData\Local\Temp\5b1ea636490bfe74546dbb5f7757e25d9314a837e33403c042f21c769dc06b29.exe
"C:\Users\Admin\AppData\Local\Temp\5b1ea636490bfe74546dbb5f7757e25d9314a837e33403c042f21c769dc06b29.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5068
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pds2010_check.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3980
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\PPLive\1.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3088
  - - C:\PROGRA~1\INTERN~1\iexplore.exe
      C:\PROGRA~1\INTERN~1\IEXPLORE.EXE http://WWw.cnkankan.com/?71628
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:456
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:456 CREDAT:17410 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1820
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\PPLive\1.inf
      4⤵
      PID:668
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\PPLive\2.bat
      4⤵
      Drops file in Program Files directory
      Suspicious use of WriteProcessMemory
      PID:5108
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.71628.com/?i"" /f
        5⤵
        Modifies Internet Explorer settings
        Modifies Internet Explorer start page
        
        PID:3264
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.71628.com/?i"" /f
        5⤵
        Modifies Internet Explorer settings
        Modifies Internet Explorer start page
        
        PID:2780
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\tmp" /v "key" /d ""http://www.71628.com/?i"" /f
        5⤵
        
        PID:3076
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}" /v "IsShortCut" /d "" /f
        5⤵
        Modifies registry class
        
        PID:4648
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command" /v "" /d "wscript -e:vbs ""C:\Users\Admin\AppData\Roaming\PPLive\3.bat""" /f
        5⤵
        Modifies registry class
        
        PID:4668
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h C:\Users\Admin\AppData\Roaming\PPLive\tmp\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}
        5⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2144
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h C:\Users\Admin\AppData\Roaming\PPLive\tmp
        5⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:3368
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\PPLive\2.inf
        5⤵
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4660
      - C:\Windows\SysWOW64\runonce.exe
        
        "C:\Windows\system32\runonce.exe" -r
        6⤵
        Checks processor information in registry
        Suspicious use of WriteProcessMemory
        
        PID:2368
        
        C:\Windows\SysWOW64\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        7⤵
        
        PID:3100
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32 D:\VolumeDH\inj.dat,MainLoad
        5⤵
        
        PID:3520
- C:\Users\Admin\AppData\Local\Temp\inlA0F.tmp
  C:\Users\Admin\AppData\Local\Temp\inlA0F.tmp
  2⤵
  - Executes dropped EXE
  PID:4828
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\5B1EA6~1.EXE > nul
  2⤵
  PID:2880

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
2d2178c4ba2e01df79b6e787caecd70e

SHA1
32feba9571993a2bdccc68d6de1bdd68f82cfbf8

SHA256
ba9dee61d1e95e7b33bdf223da96a8348a890459853c5437cd7981520d43849d

SHA512
23d8a224158a47ed813aa0ffec86f915fe28eaed3612f0e93be64bef5bfe08044730a550a3b7546e131fc3810c39defd6602ef30ed2f058336b8e7c5b5cd238c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
434B

MD5
bdee0f21f402ef15309a682c41109908

SHA1
0d951552dd3a9f98e71dd6331d4b7eccc6351607

SHA256
4b1549164f602c296081f80227c1bea7a49f7a75d6bd907e66aa6cada8f6b6e1

SHA512
0bb9a4bc17f5e35bbb857e9dba8b9e435c0166eb4b324de04ee5b05535daf00ceff259ba1e5e1e1807087c9c8348ce304bfe77b8b1d5b2bf021c2ec390060551

Download Submit
C:\Users\Admin\AppData\Local\Temp\inlA0F.tmp

Filesize
57.2MB

MD5
d083e5fc3eee453cd5a0cae21947b6a3

SHA1
f85b0643d4598bb136f9dc4a8336df768a1c2fcb

SHA256
90ca40b40b1c8ad3e426fbde53a4edb22836dba466f72234333b62b345c8f19e

SHA512
015976402e5768dee152f09776dac2cf0841fb5b2c7bd20319c2315ea63c635cef09af5e759369e150bc67d8bdd4c427117ca5765b2a1cf9379d545898dcce4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\inlA0F.tmp

Filesize
57.2MB

MD5
d083e5fc3eee453cd5a0cae21947b6a3

SHA1
f85b0643d4598bb136f9dc4a8336df768a1c2fcb

SHA256
90ca40b40b1c8ad3e426fbde53a4edb22836dba466f72234333b62b345c8f19e

SHA512
015976402e5768dee152f09776dac2cf0841fb5b2c7bd20319c2315ea63c635cef09af5e759369e150bc67d8bdd4c427117ca5765b2a1cf9379d545898dcce4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\pds2010_check.bat

Filesize
53B

MD5
23962a245f75fe25510051582203aff1

SHA1
20832a3a1179bb2730194d2f7738d41d5d669a43

SHA256
1abcea214b9b2bd76cc04be07ae2d4d70371e6ca443d99f4f1327afe7a5fc647

SHA512
dc36b64f2dbb710652900a31295c148760b0c44eae13515aa29613916c9dffe3d8e55ba61568f7c27b43bf0c341f7dcd4b9c721f81627fc6bb915b15c358fe80

Download Submit
C:\Users\Admin\AppData\Local\Temp\winrar_config.tmp

Filesize
630B

MD5
def799e58a41b0cc7912581957c6b70b

SHA1
92b7b065250910aae63b782c8aa9548289b7d7d5

SHA256
d5c4b84330a5c67f8c86ee470c66ff8f52124f6dbcb29f939561c9013b5c6c20

SHA512
20be77f16b629d023a4456925ec3d093fd3f202f6b208dd42c878614248b78da52da0f5c004d06d7d4d1583291ce6901e9d8157eadf129b7032b2fb902eb1ce5

Download Submit
C:\Users\Admin\AppData\Roaming\PPLive\1.bat

Filesize
3KB

MD5
286fe459674aef6eee17f6ac79a15fdb

SHA1
233dc43099c575a67b05fc1076e676324fd6e63d

SHA256
872cc596dc1fe6d5a131129bd84c2a76d6874e9c57ab2cd792d4d12b6f014fd2

SHA512
c9acc4a134001da76e7ae6aa5ae65ce58501942dfc1f80959ae4db27c06010db753c9d115eedbe0b2b0e30dd5c4dcd1d32816493b053c65cee81d3a343c87314

Download Submit
C:\Users\Admin\AppData\Roaming\PPLive\1.inf

Filesize
492B

MD5
34c14b8530e1094e792527f7a474fe77

SHA1
f71c4e9091140256b34c18220d1dd1efab1f301d

SHA256
fe0dfb3458bfe2a3632d365e00765fa10f14d62e7dfa8b70a055c7eb9fdb6713

SHA512
25bb09b526e1e9f5c6052f1f7c36b37c956c1b5649936af8df3abfcf120c931f3d2603e17a061cb99d8c8074bfb1973a5423cce89762fca53cd46aeb3e8944a2

Download Submit
C:\Users\Admin\AppData\Roaming\PPLive\2.bat

Filesize
3KB

MD5
d4917ae9072a10d8e12ef3b282b25b3b

SHA1
bd9ec6c6395997525ec7c15ecca2f115573cc14c

SHA256
6f7649988962c61ac7644262ee6082ef352bbb00cb155a3f4ef0467fbdf1c67b

SHA512
c6ed3119e008191ad56050f6b72a2d64e908c57e80fd0c252b8b1947cf091644c83b6bc16c56d6e2153579eb3e8711c8cd608977426a0906d56a7713bfca309d

Download Submit
C:\Users\Admin\AppData\Roaming\PPLive\2.inf

Filesize
247B

MD5
ca436f6f187bc049f9271ecdcbf348fa

SHA1
bf8a548071cfc150f7affb802538edf03d281106

SHA256
6cdfa9b7f0e1e4ee16bc8ce5d7448d47ea8866c1f55f3e56be5c2a4d183ca534

SHA512
d19e20aabddad6b0284f8c1d473e9180f30b49d4d8b54f26e7c8630228e16b1f6ba04023c5e8b1993d8a10d97adcfff683b216f79b9981bf16181641aebdd591

Download Submit
C:\Users\Admin\AppData\Roaming\PPLive\4.bat

Filesize
5.8MB

MD5
ee3b869031e640f8298cfbe19ffcbb15

SHA1
4743497bdd3f83fed51cb973ce3f8784f95306d7

SHA256
816102d9a610e8c6e20a59cf81e663c73c3ba3276c584b228ea917a2a6a52e6f

SHA512
fc838b04e4ee0d9cf9391780d67b30ba16c6c06f65e56cfd21ec0b65fa9abf47c70f1e7cb709b0e49dd4256d19422fb53451070f2500891da0c39690d51f951e

Download Submit
memory/456-174-0x00007FFAB9190000-0x00007FFAB91FE000-memory.dmp

Filesize
440KB

Download
memory/456-182-0x00007FFAB9190000-0x00007FFAB91FE000-memory.dmp

Filesize
440KB

Download
memory/456-146-0x00007FFAB9190000-0x00007FFAB91FE000-memory.dmp

Filesize
440KB

Download
memory/456-147-0x00007FFAB9190000-0x00007FFAB91FE000-memory.dmp

Filesize
440KB

Download
memory/456-223-0x00007FFAB9190000-0x00007FFAB91FE000-memory.dmp

Filesize
440KB

Download
memory/456-149-0x00007FFAB9190000-0x00007FFAB91FE000-memory.dmp

Filesize
440KB

Download
memory/456-150-0x00007FFAB9190000-0x00007FFAB91FE000-memory.dmp

Filesize
440KB

Download
memory/456-151-0x00007FFAB9190000-0x00007FFAB91FE000-memory.dmp

Filesize
440KB

Download
memory/456-153-0x00007FFAB9190000-0x00007FFAB91FE000-memory.dmp

Filesize
440KB

Download
memory/456-154-0x00007FFAB9190000-0x00007FFAB91FE000-memory.dmp

Filesize
440KB

Download
memory/456-222-0x00007FFAB9190000-0x00007FFAB91FE000-memory.dmp

Filesize
440KB

Download
memory/456-158-0x00007FFAB9190000-0x00007FFAB91FE000-memory.dmp

Filesize
440KB

Download
memory/456-157-0x00007FFAB9190000-0x00007FFAB91FE000-memory.dmp

Filesize
440KB

Download
memory/456-143-0x00007FFAB9190000-0x00007FFAB91FE000-memory.dmp

Filesize
440KB

Download
memory/456-162-0x00007FFAB9190000-0x00007FFAB91FE000-memory.dmp

Filesize
440KB

Download
memory/456-163-0x00007FFAB9190000-0x00007FFAB91FE000-memory.dmp

Filesize
440KB

Download
memory/456-217-0x00007FFAB9190000-0x00007FFAB91FE000-memory.dmp

Filesize
440KB

Download
memory/456-165-0x00007FFAB9190000-0x00007FFAB91FE000-memory.dmp

Filesize
440KB

Download
memory/456-140-0x00007FFAB9190000-0x00007FFAB91FE000-memory.dmp

Filesize
440KB

Download
memory/456-166-0x00007FFAB9190000-0x00007FFAB91FE000-memory.dmp

Filesize
440KB

Download
memory/456-167-0x00007FFAB9190000-0x00007FFAB91FE000-memory.dmp

Filesize
440KB

Download
memory/456-139-0x00007FFAB9190000-0x00007FFAB91FE000-memory.dmp

Filesize
440KB

Download
memory/456-171-0x00007FFAB9190000-0x00007FFAB91FE000-memory.dmp

Filesize
440KB

Download
memory/456-168-0x00007FFAB9190000-0x00007FFAB91FE000-memory.dmp

Filesize
440KB

Download
memory/456-175-0x00007FFAB9190000-0x00007FFAB91FE000-memory.dmp

Filesize
440KB

Download
memory/456-177-0x00007FFAB9190000-0x00007FFAB91FE000-memory.dmp

Filesize
440KB

Download
memory/456-216-0x00007FFAB9190000-0x00007FFAB91FE000-memory.dmp

Filesize
440KB

Download
memory/456-178-0x00007FFAB9190000-0x00007FFAB91FE000-memory.dmp

Filesize
440KB

Download
memory/456-214-0x00007FFAB9190000-0x00007FFAB91FE000-memory.dmp

Filesize
440KB

Download
memory/456-179-0x00007FFAB9190000-0x00007FFAB91FE000-memory.dmp

Filesize
440KB

Download
memory/456-180-0x00007FFAB9190000-0x00007FFAB91FE000-memory.dmp

Filesize
440KB

Download
memory/456-213-0x00007FFAB9190000-0x00007FFAB91FE000-memory.dmp

Filesize
440KB

Download
memory/456-181-0x00007FFAB9190000-0x00007FFAB91FE000-memory.dmp

Filesize
440KB

Download
memory/456-145-0x00007FFAB9190000-0x00007FFAB91FE000-memory.dmp

Filesize
440KB

Download
memory/456-212-0x00007FFAB9190000-0x00007FFAB91FE000-memory.dmp

Filesize
440KB

Download
memory/456-184-0x00007FFAB9190000-0x00007FFAB91FE000-memory.dmp

Filesize
440KB

Download
memory/456-188-0x00007FFAB9190000-0x00007FFAB91FE000-memory.dmp

Filesize
440KB

Download
memory/456-211-0x00007FFAB9190000-0x00007FFAB91FE000-memory.dmp

Filesize
440KB

Download
memory/456-190-0x00007FFAB9190000-0x00007FFAB91FE000-memory.dmp

Filesize
440KB

Download
memory/456-210-0x00007FFAB9190000-0x00007FFAB91FE000-memory.dmp

Filesize
440KB

Download
memory/456-194-0x00007FFAB9190000-0x00007FFAB91FE000-memory.dmp

Filesize
440KB

Download
memory/456-208-0x00007FFAB9190000-0x00007FFAB91FE000-memory.dmp

Filesize
440KB

Download
memory/456-201-0x00007FFAB9190000-0x00007FFAB91FE000-memory.dmp

Filesize
440KB

Download
memory/456-197-0x00007FFAB9190000-0x00007FFAB91FE000-memory.dmp

Filesize
440KB

Download
memory/5068-132-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5068-176-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5068-133-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads