Analysis
max time kernel: 337s
max time network: 342s
platform: windows11-21h2_x64
resource: win11-20240221-en
resource tags: arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 24-02-2024 03:54
Behavioral tasks
task         Sample     Resource                 Signatures     Duration
behavioral1  JOKE.exe   win7-20240221-en         7 signatures   1800 seconds
behavioral2  JOKE.exe   win10-20240221-en        7 signatures   1800 seconds
behavioral3  JOKE.exe   win10v2004-20240221-en   7 signatures   1800 seconds
behavioral4  JOKE.exe   win11-20240221-en        7 signatures   1800 seconds
General
Target: JOKE.exe
Size: 65KB
MD5: a85056ecfbf94af8efaa2e9dcec8ebb1
SHA1: f081275fbbdddad10689e185a750e1fd1ca0d0e5
SHA256: e00d04dcc4489101599f86df3956673c2ebcb8adbf05fb603266b91e9336b955
SHA512: c510e21e4d5b2b8fb2e7e902f74a6befbe20896490e607d640a2611020f20cede1d154e894fde5be8a6a2e564d2d7eb6d741d9b3ef21cdbefc5abdbc6a056fa9
SSDEEP: 1536:yw10jQoN36tKQviFw1ufGqBnvALfLteF3nLrB9z3nWaF9bJS9vM:yw10jQoN36tKQviFCe1BnAfWl9zGaF9Z
Score: 7/10
Malware Config
Signatures
Drops startup file (3 IoCs)
description                   ioc                                                                                       Process
File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe   JOKE.exe
File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.url   JOKE.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe   JOKE.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description      ioc                                                                                                                                                                                       Process
Set value (str)  \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\JOKE.exe\" .."   JOKE.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Client.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\JOKE.exe\" .."                                JOKE.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 1 IoCs)
flow  ioc
1     2.tcp.eu.ngrok.io
Kills process with taskkill (2 IoCs)
pid   Process
1316  TASKKILL.exe
4736  TASKKILL.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid   Process
4376  JOKE.exe   (all 64 entries are this same pid/process)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description                        pid   Process
Token: SeDebugPrivilege            4376  JOKE.exe
Token: SeDebugPrivilege            4736  TASKKILL.exe
Token: SeDebugPrivilege            1316  TASKKILL.exe
Token: 33                          4376  JOKE.exe
Token: SeIncBasePriorityPrivilege  4376  JOKE.exe
The remaining entries (61 in total) alternate between Token: 33 and Token: SeIncBasePriorityPrivilege, all for pid 4376 JOKE.exe.
Suspicious use of WriteProcessMemory (6 IoCs)
description                          pid   Process   procid_target
PID 4376 wrote to memory of 1316     4376  JOKE.exe  81
PID 4376 wrote to memory of 1316     4376  JOKE.exe  81
PID 4376 wrote to memory of 1316     4376  JOKE.exe  81
PID 4376 wrote to memory of 4736     4376  JOKE.exe  82
PID 4376 wrote to memory of 4736     4376  JOKE.exe  82
PID 4376 wrote to memory of 4736     4376  JOKE.exe  82
Processes
C:\Users\Admin\AppData\Local\Temp\JOKE.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\JOKE.exe"
  PID: 4376
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\TASKKILL.exe
      command line: TASKKILL /F /IM wscript.exe
      PID: 1316
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\TASKKILL.exe
      command line: TASKKILL /F /IM cmd.exe
      PID: 4736
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken