Analysis

max time kernel: 695s
max time network: 701s
platform: windows10-2004_x64
resource: win10v2004-20240221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-02-2024 03:54
Behavioral tasks

task         sample    resource                signatures  timeout
behavioral1  JOKE.exe  win7-20240221-en        7           1800 seconds
behavioral2  JOKE.exe  win10-20240221-en       7           1800 seconds
behavioral3  JOKE.exe  win10v2004-20240221-en  7           1800 seconds
behavioral4  JOKE.exe  win11-20240221-en       7           1800 seconds

The Analysis block above and the signature details below are for the win10v2004-20240221-en task (behavioral3).
General

Target: JOKE.exe
Size: 65KB
MD5: a85056ecfbf94af8efaa2e9dcec8ebb1
SHA1: f081275fbbdddad10689e185a750e1fd1ca0d0e5
SHA256: e00d04dcc4489101599f86df3956673c2ebcb8adbf05fb603266b91e9336b955
SHA512: c510e21e4d5b2b8fb2e7e902f74a6befbe20896490e607d640a2611020f20cede1d154e894fde5be8a6a2e564d2d7eb6d741d9b3ef21cdbefc5abdbc6a056fa9
SSDEEP: 1536:yw10jQoN36tKQviFw1ufGqBnvALfLteF3nLrB9z3nWaF9bJS9vM:yw10jQoN36tKQviFCe1BnAfWl9zGaF9Z
Score: 7/10
Malware Config
Signatures

Drops startup file (3 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe  (JOKE.exe)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.url  (JOKE.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe  (JOKE.exe)
  Two user-level persistence artefacts land in the per-user Startup folder (an executable copy and a .url shortcut); both are launched at every logon of this user without needing admin rights.

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-1414748551-1520717498-2956787782-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\JOKE.exe\" .."  (JOKE.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Client.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\JOKE.exe\" .."  (JOKE.exe)
  The value is named Client.exe but launches the original JOKE.exe from %TEMP% with the argument "..", so this persistence path depends on the Temp copy surviving, independently of the Startup-folder copy. The HKLM write lands under WOW6432Node because JOKE.exe is a 32-bit process (its children run from SysWOW64); that the HKLM value was set at all means the sample had write access to HKLM in this run. When hunting, check both the HKCU and the WOW6432Node HKLM Run keys for a value whose name does not match the image it launches.

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 14 IoCs)
  flows 32, 64, 98, 129, 136, 164, 190, 192, 219, 239, 266, 289, 305, 320: 2.tcp.eu.ngrok.io
  All 14 network flows go to a single ngrok TCP tunnel hostname. The tunnel hides the operator's real endpoint, so the hostname (and the *.tcp.*.ngrok.io pattern generally) is the usable indicator, not the resolved IP; the report records no successful C2 exchange beyond these connections.

Kills process with taskkill (2 IoCs)
  PID 4228  TASKKILL.exe  (TASKKILL /F /IM wscript.exe)
  PID 3232  TASKKILL.exe  (TASKKILL /F /IM cmd.exe)
  Both are forced kills of script/shell hosts spawned by JOKE.exe (PID 1300); see the process tree below.

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 1300  JOKE.exe, repeated 64 times (the display is capped at 64 entries).

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Token: SeDebugPrivilege   PID 1300  JOKE.exe
  Token: SeDebugPrivilege   PID 3232  TASKKILL.exe
  Token: SeDebugPrivilege   PID 4228  TASKKILL.exe
  The remaining 61 entries alternate Token: 33 (31 times) and Token: SeIncBasePriorityPrivilege (30 times), all for PID 1300 JOKE.exe (display capped at 64 entries).
  "Token: 33" is a privilege the sandbox reports only by LUID; in winnt.h SE_INC_WORKING_SET_PRIVILEGE is defined as 33L. The repeated working-set/base-priority adjustments by JOKE.exe are paired with the process enumeration above. SeDebugPrivilege in the two TASKKILL.exe children is taskkill's own behaviour when run with /F.

Suspicious use of WriteProcessMemory (6 IoCs)
  PID 1300 (JOKE.exe) wrote to memory of 4228 (procid_target 88), 3 times
  PID 1300 (JOKE.exe) wrote to memory of 3232 (procid_target 91), 3 times
  All six writes target the two TASKKILL.exe children at the moment they are spawned, which is consistent with ordinary process creation by a WOW64 parent rather than with injection; do not weight this signature on its own.
Processes

C:\Users\Admin\AppData\Local\Temp\JOKE.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\JOKE.exe"
  PID: 1300
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\TASKKILL.exe  (child of PID 1300)
    command line: TASKKILL /F /IM wscript.exe
    PID: 4228
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\TASKKILL.exe  (child of PID 1300)
    command line: TASKKILL /F /IM cmd.exe
    PID: 3232
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
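The behaviours in this report (Startup-folder drop, Run key whose value name differs from the image it launches, forced taskkill of script/shell hosts from a non-shell parent, DNS to an ngrok tunnel host) map cleanly onto endpoint telemetry. The following is an editor-added example, not part of the sandbox output, showing that detection logic run over constructed events that mirror the report's IoCs plus one benign control. The event schema, the `parent_pid` field, the extra interpreter names cscript.exe and powershell.exe, and the control's SID are assumptions made for the example.

```python
"""Detection logic for the behaviours this report lists, run over constructed
sample telemetry. Editor-added example; not part of the sandbox output."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Locations taken from the report's IoC tables.
STARTUP_DIR_RE = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I)
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.I)
# wscript.exe and cmd.exe are from the report; the other two are editor assumptions.
INTERPRETERS = {"wscript.exe", "cmd.exe", "cscript.exe", "powershell.exe"}
# Tunnel service seen in the report; extend for your environment.
TUNNEL_SUFFIXES = (".ngrok.io",)


@dataclass(frozen=True)
class Hit:
    rule: str
    pid: int      # process the behaviour is attributed to
    detail: str


def parse_taskkill(cmdline):
    """Return the image named in `taskkill /F /IM <image>`, else None."""
    parts = cmdline.split()
    if not parts:
        return None
    exe = parts[0].strip('"').rsplit("\\", 1)[-1].lower()
    if exe not in ("taskkill", "taskkill.exe"):
        return None
    args = parts[1:]
    upper = [a.upper() for a in args]
    if "/F" not in upper or "/IM" not in upper:
        return None
    i = upper.index("/IM") + 1
    return args[i] if i < len(args) else None


def run_value_target(data):
    """Basename of the executable a Run value launches (quoted path or first token)."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', data)
    if not m:
        return ""
    return (m.group(1) or m.group(2)).rsplit("\\", 1)[-1]


def detect(events):
    hits = []
    for e in events:
        kind = e["type"]
        if kind == "file_create" and STARTUP_DIR_RE.search(e["path"]):
            hits.append(Hit("drops_startup_file", e["pid"], e["path"]))
        elif kind == "reg_set":
            m = RUN_KEY_RE.search(e["key"])
            if m:
                name, target = m.group(1), run_value_target(e["data"])
                # Heuristic: a value named like an .exe that launches a differently
                # named image (Client.exe -> JOKE.exe) is the pattern in this report.
                rule = "run_key"
                if name.lower().endswith(".exe") and name.lower() != target.lower():
                    rule = "run_key_name_mismatch"
                hits.append(Hit(rule, e["pid"], f"{name} -> {target}"))
        elif kind == "proc_create":
            image = parse_taskkill(e["cmdline"])
            if image and image.lower() in INTERPRETERS:
                # Attribute the kill to the parent that spawned taskkill.
                hits.append(Hit("taskkill_interpreter", e.get("parent_pid", e["pid"]), image))
        elif kind == "dns" and e["host"].lower().endswith(TUNNEL_SUFFIXES):
            hits.append(Hit("tunnel_service_dns", e["pid"], e["host"]))
    return hits


def rules_by_pid(hits):
    """Collapse hits into {pid: {rule, ...}} so one process is scored on all its behaviours."""
    out = defaultdict(set)
    for h in hits:
        out[h.pid].add(h.rule)
    return dict(out)


# Constructed events mirroring the report's IoCs, plus one benign control (PID 7777).
SAMPLE_EVENTS = [
    {"type": "file_create", "pid": 1300, "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe"},
    {"type": "file_create", "pid": 1300, "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.url"},
    {"type": "reg_set", "pid": 1300, "key": r"\REGISTRY\USER\S-1-5-21-1414748551-1520717498-2956787782-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client.exe",
     "data": r'"C:\Users\Admin\AppData\Local\Temp\JOKE.exe" ..'},
    {"type": "reg_set", "pid": 1300, "key": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Client.exe",
     "data": r'"C:\Users\Admin\AppData\Local\Temp\JOKE.exe" ..'},
    {"type": "proc_create", "pid": 4228, "parent_pid": 1300, "cmdline": "TASKKILL /F /IM wscript.exe"},
    {"type": "proc_create", "pid": 3232, "parent_pid": 1300, "cmdline": "TASKKILL /F /IM cmd.exe"},
    {"type": "dns", "pid": 1300, "host": "2.tcp.eu.ngrok.io"},
    {"type": "reg_set", "pid": 7777, "key": r"\REGISTRY\USER\S-1-5-21-1111-2222-3333-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]

if __name__ == "__main__":
    for h in detect(SAMPLE_EVENTS):
        print(h)
    print(rules_by_pid(detect(SAMPLE_EVENTS)))
```

Run stand-alone it prints one Hit per matching event and then the per-PID rule set: PID 1300 accumulates all four rules, while the control's Run write is recorded as a plain `run_key` because its value name is not itself an .exe name that differs from the launched image. Scoring on the combination per PID, rather than on any single rule, is what separates this sample from software that legitimately registers a Run value or calls taskkill.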