Analysis
max time kernel: 620s
max time network: 625s
platform: windows10-1703_x64
resource: win10-20240221-en
resource tags: arch:x64, arch:x86, image:win10-20240221-en, locale:en-us, os:windows10-1703-x64, system
submitted: 24-02-2024 03:54
Behavioral tasks
behavioral1: Sample JOKE.exe, Resource win7-20240221-en, 7 signatures, 1800 seconds
behavioral2: Sample JOKE.exe, Resource win10-20240221-en, 7 signatures, 1800 seconds
behavioral3: Sample JOKE.exe, Resource win10v2004-20240221-en, 7 signatures, 1800 seconds
behavioral4: Sample JOKE.exe, Resource win11-20240221-en, 7 signatures, 1800 seconds
General
Target: JOKE.exe
Size: 65KB
MD5: a85056ecfbf94af8efaa2e9dcec8ebb1
SHA1: f081275fbbdddad10689e185a750e1fd1ca0d0e5
SHA256: e00d04dcc4489101599f86df3956673c2ebcb8adbf05fb603266b91e9336b955
SHA512: c510e21e4d5b2b8fb2e7e902f74a6befbe20896490e607d640a2611020f20cede1d154e894fde5be8a6a2e564d2d7eb6d741d9b3ef21cdbefc5abdbc6a056fa9
SSDEEP: 1536:yw10jQoN36tKQviFw1ufGqBnvALfLteF3nLrB9z3nWaF9bJS9vM:yw10jQoN36tKQviFCe1BnAfWl9zGaF9Z
Score: 7/10
Malware Config
Signatures
Drops startup file (3 IoCs)
  description                    ioc                                                                                      Process
  File opened for modification   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe   JOKE.exe
  File created                   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe   JOKE.exe
  File created                   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.url   JOKE.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
  description       ioc                                                                                                                                                                                                Process
  Set value (str)   \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\JOKE.exe\" .."   JOKE.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Client.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\JOKE.exe\" .."                                   JOKE.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 13 IoCs)
  flow   ioc
  198    2.tcp.eu.ngrok.io
  151    2.tcp.eu.ngrok.io
  172    2.tcp.eu.ngrok.io
  54     2.tcp.eu.ngrok.io
  56     2.tcp.eu.ngrok.io
  97     2.tcp.eu.ngrok.io
  125    2.tcp.eu.ngrok.io
  226    2.tcp.eu.ngrok.io
  248    2.tcp.eu.ngrok.io
  267    2.tcp.eu.ngrok.io
  2      2.tcp.eu.ngrok.io
  35     2.tcp.eu.ngrok.io
  65     2.tcp.eu.ngrok.io
Kills process with taskkill (2 IoCs)
  pid    Process
  4776   TASKKILL.exe
  4756   TASKKILL.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid    Process
  4208   JOKE.exe   (all 64 entries are identical: pid 4208, JOKE.exe)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description                         pid    Process
  Token: SeDebugPrivilege             4208   JOKE.exe
  Token: SeDebugPrivilege             4756   TASKKILL.exe
  Token: SeDebugPrivilege             4776   TASKKILL.exe
  Token: 33                           4208   JOKE.exe
  Token: SeIncBasePriorityPrivilege   4208   JOKE.exe
  (the remaining 61 entries alternate between "Token: 33" and "Token: SeIncBasePriorityPrivilege", all for pid 4208, JOKE.exe)
Suspicious use of WriteProcessMemory (6 IoCs)
  description                        pid    Process    procid_target
  PID 4208 wrote to memory of 4756   4208   JOKE.exe   74
  PID 4208 wrote to memory of 4756   4208   JOKE.exe   74
  PID 4208 wrote to memory of 4756   4208   JOKE.exe   74
  PID 4208 wrote to memory of 4776   4208   JOKE.exe   73
  PID 4208 wrote to memory of 4776   4208   JOKE.exe   73
  PID 4208 wrote to memory of 4776   4208   JOKE.exe   73
Processes
C:\Users\Admin\AppData\Local\Temp\JOKE.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\JOKE.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4208
    C:\Windows\SysWOW64\TASKKILL.exe
      command line: TASKKILL /F /IM cmd.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 4776
    C:\Windows\SysWOW64\TASKKILL.exe
      command line: TASKKILL /F /IM wscript.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 4756