Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

e50dec2ce1...e7.exe

windows7-x64

10

e50dec2ce1...e7.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    06/11/2022, 07:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e50dec2ce16a676fbb9135dced4902b897069c3f635031b27cb358478d134ee7.exe

  • Size

    27KB

  • MD5

    115d47da2b4602a57a0ce5e6cedf0d40

  • SHA1

    30b2edaca0d4d8098dbc225dd6d26e3a048b5a24

  • SHA256

    e50dec2ce16a676fbb9135dced4902b897069c3f635031b27cb358478d134ee7

  • SHA512

    d56cd79fcb88a42f6487356b72b4029b108fd9fe5c8c82d4fd4c9dd4993638cf11adb55fad4987d94ca0763364feff1b90647f87e79e57768ae9ab8d02c8c236

  • SSDEEP

    384:rPNs6IOSB0Qgns0jfbwFz88AfeQ990P34Pkfj0eohDTkVOhvF27z/985K29T/7Ww:rPNs/OS6zcF48A2Q/0Q2C9yoYf

Score
10/10
jokerbootkitdiscoveryinfostealerpersistencetrojanupx

Malware Config

Extracted

Family

joker

C2

http://mmtie.oss-cn-hangzhou.aliyuncs.com

Signatures

  • joker

    Joker is an Android malware that targets billing and SMS fraud.

    infostealertrojanjoker
  • Downloads MZ/PE file
  • Drops file in Drivers directory 11 IoCs
  • Executes dropped EXE 2 IoCs
  • Registers COM server for autorun 1 TTPs 3 IoCs
    persistence
  • Sets file execution options in registry 2 TTPs 28 IoCs
    persistence
  • UPX packed file 17 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Deletes itself 1 IoCs
  • Loads dropped DLL 14 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Kills process with taskkill 1 IoCs
    evasion
  • Modifies registry class 32 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e50dec2ce16a676fbb9135dced4902b897069c3f635031b27cb358478d134ee7.exe
    "C:\Users\Admin\AppData\Local\Temp\e50dec2ce16a676fbb9135dced4902b897069c3f635031b27cb358478d134ee7.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1904
    • C:\Users\Admin\AppData\Local\Temp\sbnimb.tmp\dtstop.tmp\duba_1_244.exe
      "C:\Users\Admin\AppData\Local\Temp\sbnimb.tmp\dtstop.tmp\duba_1_244.exe"
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Registers COM server for autorun
      • Sets file execution options in registry
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in Program Files directory
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      PID:1500
    • C:\Users\Admin\AppData\Local\Temp\sbnimb.tmp\dtstop.tmp\install1968982.exe
      "C:\Users\Admin\AppData\Local\Temp\sbnimb.tmp\dtstop.tmp\install1968982.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Writes to the Master Boot Record (MBR)
      • Modifies registry class
      PID:1540
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\e50dec2ce16a676fbb9135dced4902b897069c3f635031b27cb358478d134ee7.exe.bat
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:1512
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /F /IM e50dec2ce16a676fbb9135dced4902b897069c3f635031b27cb358478d134ee7.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:536

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\e50dec2ce16a676fbb9135dced4902b897069c3f635031b27cb358478d134ee7.exe.bat
    Filesize

    330B

    MD5

    576ab231dbbbd590427d75c64a178a36

    SHA1

    1de395b7af852e4fa2e8076775d1d9a784615b41

    SHA256

    19075a439dc5c7db6c0b796bfcf15ffafb611e920bc67e6e78d88c81a7c71ad9

    SHA512

    ddeea8fb7148200546a2bc11524d73df74a5a41f96b4cf003458f5a3918337fc42cc2624efca911bf985524b0353939086063c175b7761e464b6643280571ced

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\sbnimb.tmp\dtstop.tmp\duba_1_244.exe
    Filesize

    16.8MB

    MD5

    1f1c87b2b8528523907cc58c00923df8

    SHA1

    ea0f7ad5e2d0bc48e52ea9e00c56dc14ea026514

    SHA256

    37e29c28eb4a4753f6926c2f7dfd169a09e184264f537c64893637716237733a

    SHA512

    2a8d2107eb8d479d8378c780389278e2d20653954d93dea72700b9bb9c21bc7ecf826243c1aadf8a6bc2705cc9d0055a01cf24c32a8ba38cca87ca51abd66fbc

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\sbnimb.tmp\dtstop.tmp\duba_1_244.exe
    Filesize

    16.8MB

    MD5

    1f1c87b2b8528523907cc58c00923df8

    SHA1

    ea0f7ad5e2d0bc48e52ea9e00c56dc14ea026514

    SHA256

    37e29c28eb4a4753f6926c2f7dfd169a09e184264f537c64893637716237733a

    SHA512

    2a8d2107eb8d479d8378c780389278e2d20653954d93dea72700b9bb9c21bc7ecf826243c1aadf8a6bc2705cc9d0055a01cf24c32a8ba38cca87ca51abd66fbc

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\sbnimb.tmp\dtstop.tmp\install1968982.exe
    Filesize

    4.6MB

    MD5

    512fe2eb54dde3c922ce73c075a592a1

    SHA1

    4332a256f0a77381ecd11e823475c335691325d7

    SHA256

    110f6a132f05a0d7b31d449beb75c7b22cd1fd409d50b32ded10e8ac305d852e

    SHA512

    a3f6fda13e054d5f3f52f0b62895c94b467b32e5811bf52e91c7c747554204af150c0bddce229bcd4b912c575079376ffdd02dbe281d2a59f1f6824b464b993e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\sbnimb.tmp\dtstop.tmp\install1968982.exe
    Filesize

    4.6MB

    MD5

    512fe2eb54dde3c922ce73c075a592a1

    SHA1

    4332a256f0a77381ecd11e823475c335691325d7

    SHA256

    110f6a132f05a0d7b31d449beb75c7b22cd1fd409d50b32ded10e8ac305d852e

    SHA512

    a3f6fda13e054d5f3f52f0b62895c94b467b32e5811bf52e91c7c747554204af150c0bddce229bcd4b912c575079376ffdd02dbe281d2a59f1f6824b464b993e

    Download Submit

  • \Program Files (x86)\kingsoft\kingsoft antivirus\kavmenu.dll
    Filesize

    69KB

    MD5

    c8ed4b3af03d82cc3fe2f8c42c22326c

    SHA1

    78a2e216262b8f1b35e408685cf20f2fa4685d8f

    SHA256

    1c73f57c31845d3719644f815ca9df1efb18cfc3dfc2dc1b4afddb71261afb31

    SHA512

    34e6cf09afa68875be24005f90be35bb7c490ac9d2f63befadfdd1902136c383ee903442c9df572e2ccd0b7ea1be10857401c76c5b6923c28f8eaecab5b3c45c

    Download Submit

  • \Program Files (x86)\kingsoft\kingsoft antivirus\kislive.exe
    Filesize

    1.1MB

    MD5

    04eeb71a179940aca8073ddaa5bf4350

    SHA1

    02f7c99c4a2784b2db466b20c6e9c02cccc733b6

    SHA256

    acd8f6de1355fa40d4703149eeae1887c3f4ee0474f65c7aa257db38924e1385

    SHA512

    049a164a916863f037f88288faab7ce6f92d555fac4e819d6b79ed787c583f0a0d821ef173440c481f4d2a39ee1547437c6471e2e2b37cf53ad6701ede452f21

    Download Submit

  • \Program Files (x86)\kingsoft\kingsoft antivirus\kismain.exe
    Filesize

    337KB

    MD5

    bb1ce6771f3bdfa3db16106e6802cf45

    SHA1

    9303e90c1782df8dd383ae75235e400e4a75df25

    SHA256

    b30440a7fe3f2cef818e9769df7aea5af5bd150058630299c34836f0eeec0270

    SHA512

    d412665027d7ad1b110a9e62b8ef2d1ab500b559865bb2cfa6584347993bb1e5634e442b158b3a8cbbf2df62d5ccd81714ac3e7f97246aca7b700991147893c2

    Download Submit

  • \Program Files (x86)\kingsoft\kingsoft antivirus\kismain.exe
    Filesize

    337KB

    MD5

    bb1ce6771f3bdfa3db16106e6802cf45

    SHA1

    9303e90c1782df8dd383ae75235e400e4a75df25

    SHA256

    b30440a7fe3f2cef818e9769df7aea5af5bd150058630299c34836f0eeec0270

    SHA512

    d412665027d7ad1b110a9e62b8ef2d1ab500b559865bb2cfa6584347993bb1e5634e442b158b3a8cbbf2df62d5ccd81714ac3e7f97246aca7b700991147893c2

    Download Submit

  • \Program Files (x86)\kingsoft\kingsoft antivirus\krecycle.exe
    Filesize

    495KB

    MD5

    c423991edd1e101d7c1aa7f2fe5d6670

    SHA1

    1f19d1c7e6f9189b2cdc875cc4b5c9afcf976e51

    SHA256

    f6cf76ca159237d0661b94d49d50657363db2df2f1b15188a60ef207c09a9ca4

    SHA512

    73640c9f8342ba3d51649726e85bad9510860ca836f8de21df27d9163ae0a6092a66fe8b10c3870f1ec3084a5ea1cb2917af50572b865a15d8faa8306fb9df9f

    Download Submit

  • \Program Files (x86)\kingsoft\kingsoft antivirus\security\ksde\kisknl.sys
    Filesize

    259KB

    MD5

    1636dd864151388451acb8b2fc1fccb8

    SHA1

    06e3ac51140a1f7c35f79f8c69e997919838bd01

    SHA256

    859bdfd8e8f067c3d2328e3cc910d906d07298fd2a5ffc9e89f22df61c499126

    SHA512

    694911e645fc982ec31aba9283c5e247a93d05b378a3e6eee1374d7f405257bef0e665f58fe29f1dd8417169373a772b6015548c1dc4643266a457b283dcaf10

    Download Submit

  • \Program Files (x86)\kingsoft\kingsoft antivirus\security\ksde\kisknl.sys
    Filesize

    259KB

    MD5

    1636dd864151388451acb8b2fc1fccb8

    SHA1

    06e3ac51140a1f7c35f79f8c69e997919838bd01

    SHA256

    859bdfd8e8f067c3d2328e3cc910d906d07298fd2a5ffc9e89f22df61c499126

    SHA512

    694911e645fc982ec31aba9283c5e247a93d05b378a3e6eee1374d7f405257bef0e665f58fe29f1dd8417169373a772b6015548c1dc4643266a457b283dcaf10

    Download Submit

  • \Program Files (x86)\kingsoft\kingsoft antivirus\uni0nst.exe
    Filesize

    842KB

    MD5

    c833984034607e01850987d075f4c3b9

    SHA1

    c5cb941666198a1678c88faf22be0a1b0b007813

    SHA256

    c6027958286a3f1a0e5ff5e104d461c6a1df7e1d0a828ab78fffa506ee2cc294

    SHA512

    918e3fee2fae74e8f278277774d8237c658b3d7c994ec20640c81667e66671a3029bdf7ff8e9fcfdbff8f1b2d8f98bd5492d5a3200d516a47db19a2ecce72d59

    Download Submit

  • \Users\Admin\AppData\Local\Temp\sbnimb.tmp\dtstop.tmp\duba_1_244.exe
    Filesize

    16.8MB

    MD5

    1f1c87b2b8528523907cc58c00923df8

    SHA1

    ea0f7ad5e2d0bc48e52ea9e00c56dc14ea026514

    SHA256

    37e29c28eb4a4753f6926c2f7dfd169a09e184264f537c64893637716237733a

    SHA512

    2a8d2107eb8d479d8378c780389278e2d20653954d93dea72700b9bb9c21bc7ecf826243c1aadf8a6bc2705cc9d0055a01cf24c32a8ba38cca87ca51abd66fbc

    Download Submit

  • \Users\Admin\AppData\Local\Temp\sbnimb.tmp\dtstop.tmp\duba_1_244.exe
    Filesize

    16.8MB

    MD5

    1f1c87b2b8528523907cc58c00923df8

    SHA1

    ea0f7ad5e2d0bc48e52ea9e00c56dc14ea026514

    SHA256

    37e29c28eb4a4753f6926c2f7dfd169a09e184264f537c64893637716237733a

    SHA512

    2a8d2107eb8d479d8378c780389278e2d20653954d93dea72700b9bb9c21bc7ecf826243c1aadf8a6bc2705cc9d0055a01cf24c32a8ba38cca87ca51abd66fbc

    Download Submit

  • \Users\Admin\AppData\Local\Temp\sbnimb.tmp\dtstop.tmp\duba_1_244.exe
    Filesize

    16.8MB

    MD5

    1f1c87b2b8528523907cc58c00923df8

    SHA1

    ea0f7ad5e2d0bc48e52ea9e00c56dc14ea026514

    SHA256

    37e29c28eb4a4753f6926c2f7dfd169a09e184264f537c64893637716237733a

    SHA512

    2a8d2107eb8d479d8378c780389278e2d20653954d93dea72700b9bb9c21bc7ecf826243c1aadf8a6bc2705cc9d0055a01cf24c32a8ba38cca87ca51abd66fbc

    Download Submit

  • \Users\Admin\AppData\Local\Temp\sbnimb.tmp\dtstop.tmp\install1968982.exe
    Filesize

    4.6MB

    MD5

    512fe2eb54dde3c922ce73c075a592a1

    SHA1

    4332a256f0a77381ecd11e823475c335691325d7

    SHA256

    110f6a132f05a0d7b31d449beb75c7b22cd1fd409d50b32ded10e8ac305d852e

    SHA512

    a3f6fda13e054d5f3f52f0b62895c94b467b32e5811bf52e91c7c747554204af150c0bddce229bcd4b912c575079376ffdd02dbe281d2a59f1f6824b464b993e

    Download Submit

  • \Users\Admin\AppData\Local\Temp\sbnimb.tmp\dtstop.tmp\install1968982.exe
    Filesize

    4.6MB

    MD5

    512fe2eb54dde3c922ce73c075a592a1

    SHA1

    4332a256f0a77381ecd11e823475c335691325d7

    SHA256

    110f6a132f05a0d7b31d449beb75c7b22cd1fd409d50b32ded10e8ac305d852e

    SHA512

    a3f6fda13e054d5f3f52f0b62895c94b467b32e5811bf52e91c7c747554204af150c0bddce229bcd4b912c575079376ffdd02dbe281d2a59f1f6824b464b993e

    Download Submit

  • \Users\Admin\AppData\Local\Temp\sbnimb.tmp\dtstop.tmp\install1968982.exe
    Filesize

    4.6MB

    MD5

    512fe2eb54dde3c922ce73c075a592a1

    SHA1

    4332a256f0a77381ecd11e823475c335691325d7

    SHA256

    110f6a132f05a0d7b31d449beb75c7b22cd1fd409d50b32ded10e8ac305d852e

    SHA512

    a3f6fda13e054d5f3f52f0b62895c94b467b32e5811bf52e91c7c747554204af150c0bddce229bcd4b912c575079376ffdd02dbe281d2a59f1f6824b464b993e

    Download Submit

  • memory/1500-91-0x0000000000400000-0x000000000051E000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/1500-98-0x0000000003E60000-0x0000000003EE9000-memory.dmp

    Filesize

    548KB

    Download

  • memory/1500-97-0x0000000003E60000-0x0000000003EE9000-memory.dmp

    Filesize

    548KB

    Download

  • memory/1500-93-0x0000000000B20000-0x0000000000C3E000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/1500-92-0x0000000000B20000-0x0000000000C3E000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/1500-90-0x0000000003E60000-0x0000000003EE9000-memory.dmp

    Filesize

    548KB

    Download

  • memory/1500-89-0x0000000003E60000-0x0000000003EE9000-memory.dmp

    Filesize

    548KB

    Download

  • memory/1500-68-0x0000000000B20000-0x0000000000C3E000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/1500-64-0x0000000000400000-0x000000000051E000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/1540-79-0x0000000000CA0000-0x0000000000EA0000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1540-77-0x0000000000400000-0x0000000000600000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1540-96-0x0000000000400000-0x0000000000600000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1540-78-0x0000000000CA0000-0x0000000000EA0000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1904-76-0x0000000003D60000-0x0000000003F60000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1904-54-0x0000000076DC1000-0x0000000076DC3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1904-81-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

    Download

  • memory/1904-58-0x0000000000020000-0x0000000000034000-memory.dmp

    Filesize

    80KB

    Download

  • memory/1904-63-0x0000000003D60000-0x0000000003E7E000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/1904-55-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

    Download

  • memory/1904-56-0x0000000000020000-0x0000000000034000-memory.dmp

    Filesize

    80KB

    Download

  • memory/1904-57-0x0000000000020000-0x0000000000034000-memory.dmp

    Filesize

    80KB

    Download