Analysis

  • max time kernel
    149s
  • max time network
    143s
  • platform
    windows10-1703_x64
  • resource
    win10-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win10-20240221-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    24-02-2024 13:14

General

  • Target

    joker.exe

  • Size

    65KB

  • MD5

    49c80674d3bf97ed0574c1cd6f625983

  • SHA1

    fc7b6be05918098cafd1bf273f3da25d8735b95d

  • SHA256

    fc4a9a452313a34724e59b38bf3a2a04898219c139705d0966959f75232246c2

  • SHA512

    0fdd468b8361e8f9fce386ced3bcd1c78f60e98e42e067cf9cd62ec95172b0f232943d7d75474b5a2fc0e88ac39480f43485233e289d28d60301699a1ecf9604

  • SSDEEP

    1536:q0JN9XygoN36toQviFw1g3kAtlcBnvAHfLteF3nLrB9z3nFaF9bJS9vM:qA9XygoN36toQviFC4kAtqBnYfWl9z1a

Score
8/10

Malware Config

Signatures

  • Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
  • Drops startup file (4 IoCs)
  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Enumerates connected drives (3 TTPs, 4 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory (8 IoCs)
  • Checks SCSI registry key(s) (3 TTPs, 55 IoCs)

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry (2 TTPs, 4 IoCs)
  • Kills process with taskkill (2 IoCs)
  • Modifies Internet Explorer settings (1 TTP, 2 IoCs)
  • Modifies registry class (63 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of FindShellTrayWindow (64 IoCs)
  • Suspicious use of SendNotifyMessage (64 IoCs)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (10 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\joker.exe
    "C:\Users\Admin\AppData\Local\Temp\joker.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4708
    • C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /F /IM wscript.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:820
    • C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /F /IM cmd.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1804
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Drops startup file
    • Drops file in Windows directory
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:888
  • \??\c:\windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:5076
    • C:\Windows\explorer.exe
      explorer.exe /LOADSAVEDWINDOWS
      2⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Drops file in Windows directory
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      PID:1860
  • C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
    1⤵
    • Drops file in Windows directory
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2868
  • \??\c:\windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1328
    • C:\Windows\explorer.exe
      explorer.exe /LOADSAVEDWINDOWS
      2⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Drops file in Windows directory
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      PID:4928
  • C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
    1⤵
    • Drops file in Windows directory
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4852
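Two things in the tree above are worth separating before writing detections. First, only PID 4708 (joker.exe) and its two TASKKILL children are sample activity; taskmgr.exe, sihost.exe, explorer.exe and SearchUI.exe are the sandbox desktop's own processes, and most of the noisy signatures (SCSI registry reads, Windows-directory writes, registry class changes) hang off them rather than off the sample. Second, the children are launched from C:\Windows\SysWOW64, which is what file-system redirection gives a 32-bit process, so joker.exe is a WoW64 (32-bit) binary. The sample's own tells are the forced kills of wscript.exe and cmd.exe from a binary in %TEMP% and the drop into the per-user Startup folder. The following added example (not part of the report or the sample) replays those events as constructed telemetry and applies the checks an analyst would turn into rules. PIDs, images and command lines are copied from the report; the parent PID 1000 for top-level processes and the attribution of the Startup drop to PID 4708 are assumptions.

```python
"""Detection checks for the behaviours in the process tree above (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class FileEvent:
    pid: int
    path: str


# Constructed telemetry mirroring the report's tree. ppid=1000 for the roots and the
# FileEvent pid for Client.url are assumptions; everything else is from the report.
PROC_EVENTS: List[ProcEvent] = [
    ProcEvent(4708, 1000, r"C:\Users\Admin\AppData\Local\Temp\joker.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\joker.exe"'),
    ProcEvent(820, 4708, r"C:\Windows\SysWOW64\TASKKILL.exe", "TASKKILL /F /IM wscript.exe"),
    ProcEvent(1804, 4708, r"C:\Windows\SysWOW64\TASKKILL.exe", "TASKKILL /F /IM cmd.exe"),
    ProcEvent(888, 1000, r"C:\Windows\system32\taskmgr.exe", r'"C:\Windows\system32\taskmgr.exe" /4'),
]
FILE_EVENTS: List[FileEvent] = [
    FileEvent(4708, r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.url"),
    FileEvent(2868, r"C:\Users\Admin\AppData\Local\Microsoft\Windows\PRICache\4183903823\810424605.pri"),
]

# Script hosts and shells whose forced termination by a user-land binary is a defence-evasion tell.
KILL_TARGETS_OF_INTEREST = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe"}
TASKKILL_IM_RE = re.compile(r'/IM\s+"?([^\s"]+)', re.I)
USER_WRITABLE_RE = re.compile(r"\\(AppData\\Local\\Temp|AppData\\Roaming|Downloads|Public)\\", re.I)
STARTUP_DROP_RE = re.compile(
    r"\\Start Menu\\Programs\\Startup\\[^\\]+\.(?:url|lnk|vbs|js|bat|cmd|exe|ps1)$", re.I)


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def find_forced_kills(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """(parent pid, killed image) for each taskkill /F /IM <target> whose parent
    runs from a user-writable directory. taskkill spawned by system binaries is ignored."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    hits: List[Tuple[int, str]] = []
    for e in events:
        if image_name(e.image) != "taskkill.exe" or "/f" not in e.cmdline.lower().split():
            continue
        m = TASKKILL_IM_RE.search(e.cmdline)
        parent = by_pid.get(e.ppid)
        if m and parent and USER_WRITABLE_RE.search(parent.image):
            target = m.group(1).lower()
            if target in KILL_TARGETS_OF_INTEREST:
                hits.append((parent.pid, target))
    return hits


def find_startup_drops(events: List[FileEvent]) -> List[Tuple[int, str]]:
    """Files written into the per-user Startup folder (autostart persistence)."""
    return [(e.pid, e.path) for e in events if STARTUP_DROP_RE.search(e.path)]


def render_tree(events: List[ProcEvent]) -> List[str]:
    """Indented parent/child view, roots first, like the report's 1⤵/2⤵ markers."""
    pids = {e.pid for e in events}
    children: Dict[int, List[ProcEvent]] = {}
    for e in events:
        children.setdefault(e.ppid if e.ppid in pids else 0, []).append(e)
    lines: List[str] = []

    def walk(ppid: int, depth: int) -> None:
        for e in children.get(ppid, []):
            lines.append(f"{'  ' * depth}{e.pid} {image_name(e.image)} :: {e.cmdline}")
            walk(e.pid, depth + 1)

    walk(0, 0)
    return lines


def triage(procs: List[ProcEvent], files: List[FileEvent]) -> Dict[str, object]:
    kills = find_forced_kills(procs)
    drops = find_startup_drops(files)
    flagged = sorted({pid for pid, _ in kills} | {pid for pid, _ in drops})
    return {"forced_kills": kills, "startup_drops": drops,
            "flagged_pids": flagged, "tree": render_tree(procs)}


if __name__ == "__main__":
    for key, value in triage(PROC_EVENTS, FILE_EVENTS).items():
        print(key, value)
```

The parent-image check is what keeps this rule quiet: taskkill from cmd.exe or an installer under Program Files is routine, while taskkill against script hosts from a binary in %TEMP% is not. On a real host the same two checks map onto Sysmon event IDs 1 (process create) and 11 (file create).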

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat

    Filesize

    985B

    MD5

    0eb1f3bcd6fd9af6d79af7d1b8ba4aa6

    SHA1

    e09887c0df81aff7c5aee95dba86427c7e079d68

    SHA256

    a032957e38b39f57b3f86e95de76d6c18bbbb5575d5598ff121801922ec218a3

    SHA512

    a2900f62fe9b23b420613d07713693b825c01494ae156322e7b82f54bb8c9a1876e765e02a1cd94cf82a9b78614de00dd0f5fc61abd6887942f5d8fdce0b0585

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PRICache\1601268389\3877292338.pri

    Filesize

    162KB

    MD5

    0d02b03a068d671348931cc20c048422

    SHA1

    67b6deacf1303acfcbab0b158157fdc03a02c8d5

    SHA256

    44f4263d65889ea8f0db3c6e31a956a4664e9200aba2612c9be7016feeb323c0

    SHA512

    805e7b4fafed39dec5ecc2ede0c65b6e103e6757e0bd43ecdce7c00932f59e3e7a68d2ea0818244dfeb691b022c1ccca590a3f4239f99e1cd8a29ba66daed358

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PRICache\4183903823\810424605.pri

    Filesize

    2KB

    MD5

    a2942665b12ed000cd2ac95adef8e0cc

    SHA1

    ac194f8d30f659131d1c73af8d44e81eccab7fde

    SHA256

    bdc5de6c42c523a333c26160d212c62385b03f5ebdae5aa8c5d025ff3f8aa374

    SHA512

    4e5ba962ba97656974c390b45302d60f4c82d604feb6199d44e80497a40d0b0a9fd119ca17ac184809ca0821ab6813292892c433ed7277f65c275f37a96070b9

  • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\8CJ1AR61\microsoft.windows[1].xml

    Filesize

    97B

    MD5

    de200f323ae76d0009389dff6ae07446

    SHA1

    3169fc9e2b9300231271e245dad6ba67d6d4cae9

    SHA256

    f71cc4c5168a3f95056d609e533a1a4b9dfb9b7b25e9148c277bfe30b774b1e8

    SHA512

    0cc679490077edf659793e224f2f16bb995189347bd7faaec2b69ac00a7e0c6bb114d85adf86e7eeeb938cf4d35bf484dde775dd947f3241b10249401f64174e

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.url

    Filesize

    177B

    MD5

    76dd620e52b8b0fa5e899f75d4068de8

    SHA1

    3edf03fdcf1fe2ec9d9c14c001f32c3a1c416495

    SHA256

    29e81c5ca686df794d55460d3e13bb2eafa68815e4c896d27f1e76aded6e51b4

    SHA512

    31ba5a49fb5e3efb7ceccc598cea9ef8ba2120dfb31e52d987c8864a3c8da6d6fee8e497c8bcdf1cacb0e0b7c8763707dc9e38df988383fda094dcbb6df983a5

  • memory/1860-19-0x0000000002C20000-0x0000000002C21000-memory.dmp

    Filesize

    4KB

  • memory/2868-27-0x000001D459AA0000-0x000001D459AC0000-memory.dmp

    Filesize

    128KB

  • memory/2868-30-0x000001D459C20000-0x000001D459C40000-memory.dmp

    Filesize

    128KB

  • memory/4708-16-0x0000000000700000-0x0000000000710000-memory.dmp

    Filesize

    64KB

  • memory/4708-0-0x0000000073A20000-0x0000000073FD0000-memory.dmp

    Filesize

    5.7MB

  • memory/4708-15-0x0000000073A20000-0x0000000073FD0000-memory.dmp

    Filesize

    5.7MB

  • memory/4708-13-0x0000000073A20000-0x0000000073FD0000-memory.dmp

    Filesize

    5.7MB

  • memory/4708-2-0x0000000000700000-0x0000000000710000-memory.dmp

    Filesize

    64KB

  • memory/4708-1-0x0000000073A20000-0x0000000073FD0000-memory.dmp

    Filesize

    5.7MB

  • memory/4852-73-0x000001AB3F290000-0x000001AB3F2B0000-memory.dmp

    Filesize

    128KB

  • memory/4928-62-0x00000000021C0000-0x00000000021C1000-memory.dmp

    Filesize

    4KB
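The memory dumps listed above are easier to reason about once their names are parsed: the range in each name gives the region size (0x73FD0000 - 0x73A20000 = 0x5B0000 bytes, the "5.7MB" shown), the same 4708 region appears at several dump indexes (repeated snapshots of one mapping, not several mappings), and the start addresses above 4GB belong to the 64-bit SearchUI.exe processes while every 4708 region sits in the 32-bit address space. The following added example (not part of the report) parses the names into regions and reproduces the report's size column; the naming convention memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp is inferred from the names above and assumed to hold generally.

```python
"""Parser for the memory-dump names in the Downloads list (added example)."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Convention inferred from the report's names; assumed, not documented on the page.
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")

# Names copied from the report's Downloads list.
DUMP_NAMES: List[str] = [
    "memory/1860-19-0x0000000002C20000-0x0000000002C21000-memory.dmp",
    "memory/2868-27-0x000001D459AA0000-0x000001D459AC0000-memory.dmp",
    "memory/2868-30-0x000001D459C20000-0x000001D459C40000-memory.dmp",
    "memory/4708-16-0x0000000000700000-0x0000000000710000-memory.dmp",
    "memory/4708-0-0x0000000073A20000-0x0000000073FD0000-memory.dmp",
    "memory/4708-15-0x0000000073A20000-0x0000000073FD0000-memory.dmp",
    "memory/4708-13-0x0000000073A20000-0x0000000073FD0000-memory.dmp",
    "memory/4708-2-0x0000000000700000-0x0000000000710000-memory.dmp",
    "memory/4708-1-0x0000000073A20000-0x0000000073FD0000-memory.dmp",
    "memory/4852-73-0x000001AB3F290000-0x000001AB3F2B0000-memory.dmp",
    "memory/4928-62-0x00000000021C0000-0x00000000021C1000-memory.dmp",
]


def parse_dump_name(name: str) -> Dict[str, int]:
    """Split one dump name into pid, dump index, start, end and size in bytes."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a memory dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range: {name}")
    return {"pid": int(m["pid"]), "index": int(m["idx"]), "start": start, "end": end, "size": end - start}


def human_size(n: int) -> str:
    """Same rounding the report uses: whole KB below 1MB, one decimal above."""
    if n >= 1 << 20:
        return f"{n / (1 << 20):.1f}MB"
    if n >= 1 << 10:
        return f"{n // (1 << 10)}KB"
    return f"{n}B"


def is_64bit_range(start: int) -> bool:
    """A start address above 4GB can only exist in a 64-bit process."""
    return start > 0xFFFFFFFF


def regions_by_pid(names: List[str]) -> Dict[int, List[Tuple[int, int, int]]]:
    """Unique (start, end, size) per PID; repeated snapshots of one range collapse to one entry."""
    out: Dict[int, set] = defaultdict(set)
    for name in names:
        d = parse_dump_name(name)
        out[d["pid"]].add((d["start"], d["end"], d["size"]))
    return {pid: sorted(regions) for pid, regions in out.items()}


def report(names: List[str]) -> List[str]:
    """One line per unique region, with the report-style size and the address-space width."""
    lines: List[str] = []
    for pid, regions in sorted(regions_by_pid(names).items()):
        for start, end, size in regions:
            width = "64-bit address" if is_64bit_range(start) else "32-bit address"
            lines.append(f"pid {pid}: 0x{start:X}-0x{end:X} ({human_size(size)}, {width})")
    return lines


if __name__ == "__main__":
    print("\n".join(report(DUMP_NAMES)))
```

When the same region is dumped at several indexes, diff the copies rather than analysing each in isolation: a region whose bytes change between snapshots is where unpacking or configuration decryption is happening.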