Analysis
- max time kernel: 141s
- max time network: 160s
- platform: windows11-21h2_x64
- resource: win11-20240221-en
- resource tags: arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 24-02-2024 04:26
Behavioral tasks
- behavioral1: sample JOKE.exe, resource win7-20240220-en, 26 signatures, 1800 seconds
- behavioral2: sample JOKE.exe, resource win10-20240221-en, 31 signatures, 1800 seconds
- behavioral3: sample JOKE.exe, resource win10v2004-20240221-en, 20 signatures, 1800 seconds
- behavioral4: sample JOKE.exe, resource win11-20240221-en, 7 signatures, 1800 seconds
General
- Target: JOKE.exe
- Size: 65KB
- MD5: a85056ecfbf94af8efaa2e9dcec8ebb1
- SHA1: f081275fbbdddad10689e185a750e1fd1ca0d0e5
- SHA256: e00d04dcc4489101599f86df3956673c2ebcb8adbf05fb603266b91e9336b955
- SHA512: c510e21e4d5b2b8fb2e7e902f74a6befbe20896490e607d640a2611020f20cede1d154e894fde5be8a6a2e564d2d7eb6d741d9b3ef21cdbefc5abdbc6a056fa9
- SSDEEP: 1536:yw10jQoN36tKQviFw1ufGqBnvALfLteF3nLrB9z3nWaF9bJS9vM:yw10jQoN36tKQviFCe1BnAfWl9zGaF9Z
- Score: 7/10
Malware Config
Signatures
Drops startup file (3 IoCs)
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe | JOKE.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.url | JOKE.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe | JOKE.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\JOKE.exe\" .." | JOKE.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Client.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\JOKE.exe\" .." | JOKE.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 1 IoCs)
  flow | ioc
  1 | 2.tcp.eu.ngrok.io
Kills process with taskkill (2 IoCs)
  pid | process
  4956 | TASKKILL.exe
  4148 | TASKKILL.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | process
  2548 | JOKE.exe
  (this same entry is listed 64 times)
Suspicious use of AdjustPrivilegeToken (33 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 2548 | JOKE.exe
  Token: SeDebugPrivilege | 4956 | TASKKILL.exe
  Token: SeDebugPrivilege | 4148 | TASKKILL.exe
  Token: 33 | 2548 | JOKE.exe
  Token: SeIncBasePriorityPrivilege | 2548 | JOKE.exe
  (the last two entries alternate repeatedly for PID 2548; 33 entries in total)
Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | process | procid_target
  PID 2548 wrote to memory of 4956 | 2548 | JOKE.exe | 79
  PID 2548 wrote to memory of 4956 | 2548 | JOKE.exe | 79
  PID 2548 wrote to memory of 4956 | 2548 | JOKE.exe | 79
  PID 2548 wrote to memory of 4148 | 2548 | JOKE.exe | 80
  PID 2548 wrote to memory of 4148 | 2548 | JOKE.exe | 80
  PID 2548 wrote to memory of 4148 | 2548 | JOKE.exe | 80
Processes
- C:\Users\Admin\AppData\Local\Temp\JOKE.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\JOKE.exe"
  PID: 2548
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\TASKKILL.exe
    command line: TASKKILL /F /IM wscript.exe
    PID: 4956
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\TASKKILL.exe
    command line: TASKKILL /F /IM cmd.exe
    PID: 4148
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken