Analysis

max time kernel: 524s
max time network: 530s
platform: windows10-1703_x64
resource: win10-20240221-en
resource tags: arch:x64, arch:x86, image:win10-20240221-en, locale:en-us, os:windows10-1703-x64, system
submitted: 24-02-2024 04:03
Behavioral task: behavioral1
Sample: JOKE.exe
Resource: win10-20240221-en
Signatures: 7
Run time: 600 seconds
General

Target: JOKE.exe
Size: 65KB
MD5: a85056ecfbf94af8efaa2e9dcec8ebb1
SHA1: f081275fbbdddad10689e185a750e1fd1ca0d0e5
SHA256: e00d04dcc4489101599f86df3956673c2ebcb8adbf05fb603266b91e9336b955
SHA512: c510e21e4d5b2b8fb2e7e902f74a6befbe20896490e607d640a2611020f20cede1d154e894fde5be8a6a2e564d2d7eb6d741d9b3ef21cdbefc5abdbc6a056fa9
SSDEEP: 1536:yw10jQoN36tKQviFw1ufGqBnvALfLteF3nLrB9z3nWaF9bJS9vM:yw10jQoN36tKQviFCe1BnAfWl9zGaF9Z
Score: 7/10
Malware Config
Signatures
Drops startup file (3 IoCs)

description                   ioc                                                                                          Process
File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe     JOKE.exe
File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.url     JOKE.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe     JOKE.exe
Adds Run key to start application (2 TTPs, 2 IoCs)

description      ioc                                                                                                                                                                                  Process
Set value (str)  \REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\JOKE.exe\" .."   JOKE.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Client.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\JOKE.exe\" .."                                 JOKE.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 9 IoCs)

flow  ioc
2     2.tcp.eu.ngrok.io
25    2.tcp.eu.ngrok.io
119   2.tcp.eu.ngrok.io
136   2.tcp.eu.ngrok.io
30    2.tcp.eu.ngrok.io
56    2.tcp.eu.ngrok.io
78    2.tcp.eu.ngrok.io
99    2.tcp.eu.ngrok.io
152   2.tcp.eu.ngrok.io
Kills process with taskkill (2 IoCs)

pid   Process
764   TASKKILL.exe
4624  TASKKILL.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)

pid   Process
4904  JOKE.exe   (all 64 entries are this same pid/process pair)
Suspicious use of AdjustPrivilegeToken (64 IoCs)

description                        pid   Process
Token: SeDebugPrivilege            4904  JOKE.exe
Token: SeDebugPrivilege            764   TASKKILL.exe
Token: SeDebugPrivilege            4624  TASKKILL.exe
Token: 33                          4904  JOKE.exe
Token: SeIncBasePriorityPrivilege  4904  JOKE.exe

(the remaining entries alternate between the last two rows, Token: 33 and Token: SeIncBasePriorityPrivilege for pid 4904 JOKE.exe)
Suspicious use of WriteProcessMemory (6 IoCs)

description                       pid   Process   procid_target
PID 4904 wrote to memory of 4624  4904  JOKE.exe  75
PID 4904 wrote to memory of 4624  4904  JOKE.exe  75
PID 4904 wrote to memory of 4624  4904  JOKE.exe  75
PID 4904 wrote to memory of 764   4904  JOKE.exe  72
PID 4904 wrote to memory of 764   4904  JOKE.exe  72
PID 4904 wrote to memory of 764   4904  JOKE.exe  72
Processes

C:\Users\Admin\AppData\Local\Temp\JOKE.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\JOKE.exe"
  PID: 4904
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\TASKKILL.exe (depth 2)
    Command line: TASKKILL /F /IM cmd.exe
    PID: 764
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\TASKKILL.exe (depth 2)
    Command line: TASKKILL /F /IM wscript.exe
    PID: 4624
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken