pony | 390d7472201e8ea9bdc6c7fa2b4ab1f6faca02071f1f997037cc5f52759a9cb6

resource	yara_rule
behavioral13/files/0x000300000001abd3-55.dat	Nirsoft
behavioral13/files/0x000300000001abd3-56.dat	Nirsoft
behavioral13/files/0x000300000001abd3-59.dat	Nirsoft
behavioral13/files/0x000300000001abd3-60.dat	Nirsoft
behavioral13/files/0x000300000001abd3-63.dat	Nirsoft
behavioral13/files/0x000300000001abd3-64.dat	Nirsoft

Executes dropped EXE 16 IoCs

pid	Process
4076	keygen-pr.exe
2100	keygen-step-3.exe
3276	keygen-step-4.exe
1004	key.exe
1828	whhw.exe
8	key.exe
1836	setup.upx.exe
2236	id6.exe
1028	Setup.exe
3768	Setup.tmp
2320	searzar.exe
1140	hjjgaa.exe
2156	jfiag_gg.exe
3956	jfiag_gg.exe
908	jfiag_gg.exe
3552	jfiag_gg.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral13/files/0x000200000001abe0-27.dat	upx
behavioral13/files/0x000200000001abe0-28.dat	upx
behavioral13/files/0x000100000001abea-45.dat	upx
behavioral13/files/0x000100000001abea-46.dat	upx
behavioral13/files/0x000300000001abd3-51.dat	upx
behavioral13/files/0x000300000001abd3-52.dat	upx

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral13/files/0x000100000001abda-48.dat	vmprotect
behavioral13/files/0x000100000001abda-49.dat	vmprotect

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kissq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kissq.exe"	hjjgaa.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
32	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1004 set thread context of 8	1004	key.exe	89

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
3840	PING.EXE
3860	PING.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1004	key.exe
1004	key.exe
3768	Setup.tmp
3768	Setup.tmp
3956	jfiag_gg.exe
3956	jfiag_gg.exe
908	jfiag_gg.exe
908	jfiag_gg.exe
3552	jfiag_gg.exe
3552	jfiag_gg.exe

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeImpersonatePrivilege	1004	key.exe
Token: SeTcbPrivilege	1004	key.exe
Token: SeChangeNotifyPrivilege	1004	key.exe
Token: SeCreateTokenPrivilege	1004	key.exe
Token: SeBackupPrivilege	1004	key.exe
Token: SeRestorePrivilege	1004	key.exe
Token: SeIncreaseQuotaPrivilege	1004	key.exe
Token: SeAssignPrimaryTokenPrivilege	1004	key.exe
Token: SeImpersonatePrivilege	1004	key.exe
Token: SeTcbPrivilege	1004	key.exe
Token: SeChangeNotifyPrivilege	1004	key.exe
Token: SeCreateTokenPrivilege	1004	key.exe
Token: SeBackupPrivilege	1004	key.exe
Token: SeRestorePrivilege	1004	key.exe
Token: SeIncreaseQuotaPrivilege	1004	key.exe
Token: SeAssignPrimaryTokenPrivilege	1004	key.exe
Token: SeImpersonatePrivilege	1004	key.exe
Token: SeTcbPrivilege	1004	key.exe
Token: SeChangeNotifyPrivilege	1004	key.exe
Token: SeCreateTokenPrivilege	1004	key.exe
Token: SeBackupPrivilege	1004	key.exe
Token: SeRestorePrivilege	1004	key.exe
Token: SeIncreaseQuotaPrivilege	1004	key.exe
Token: SeAssignPrimaryTokenPrivilege	1004	key.exe
Token: SeImpersonatePrivilege	1004	key.exe
Token: SeTcbPrivilege	1004	key.exe
Token: SeChangeNotifyPrivilege	1004	key.exe
Token: SeCreateTokenPrivilege	1004	key.exe
Token: SeBackupPrivilege	1004	key.exe
Token: SeRestorePrivilege	1004	key.exe
Token: SeIncreaseQuotaPrivilege	1004	key.exe
Token: SeAssignPrimaryTokenPrivilege	1004	key.exe
Token: SeImpersonatePrivilege	1004	key.exe
Token: SeTcbPrivilege	1004	key.exe
Token: SeChangeNotifyPrivilege	1004	key.exe
Token: SeCreateTokenPrivilege	1004	key.exe
Token: SeBackupPrivilege	1004	key.exe
Token: SeRestorePrivilege	1004	key.exe
Token: SeIncreaseQuotaPrivilege	1004	key.exe
Token: SeAssignPrimaryTokenPrivilege	1004	key.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3768	Setup.tmp

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2236	id6.exe
2236	id6.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 644 wrote to memory of 3584	644	Lonelyscreen.1.2.9.keygen.by.Paradox.exe	78
PID 644 wrote to memory of 3584	644	Lonelyscreen.1.2.9.keygen.by.Paradox.exe	78
PID 644 wrote to memory of 3584	644	Lonelyscreen.1.2.9.keygen.by.Paradox.exe	78
PID 3584 wrote to memory of 4076	3584	cmd.exe	81
PID 3584 wrote to memory of 4076	3584	cmd.exe	81
PID 3584 wrote to memory of 4076	3584	cmd.exe	81
PID 3584 wrote to memory of 2100	3584	cmd.exe	82
PID 3584 wrote to memory of 2100	3584	cmd.exe	82
PID 3584 wrote to memory of 2100	3584	cmd.exe	82
PID 2100 wrote to memory of 2148	2100	keygen-step-3.exe	83
PID 2100 wrote to memory of 2148	2100	keygen-step-3.exe	83
PID 2100 wrote to memory of 2148	2100	keygen-step-3.exe	83
PID 3584 wrote to memory of 3276	3584	cmd.exe	84
PID 3584 wrote to memory of 3276	3584	cmd.exe	84
PID 3584 wrote to memory of 3276	3584	cmd.exe	84
PID 2148 wrote to memory of 3840	2148	cmd.exe	86
PID 2148 wrote to memory of 3840	2148	cmd.exe	86
PID 2148 wrote to memory of 3840	2148	cmd.exe	86
PID 4076 wrote to memory of 1004	4076	keygen-pr.exe	87
PID 4076 wrote to memory of 1004	4076	keygen-pr.exe	87
PID 4076 wrote to memory of 1004	4076	keygen-pr.exe	87
PID 3276 wrote to memory of 1828	3276	keygen-step-4.exe	88
PID 3276 wrote to memory of 1828	3276	keygen-step-4.exe	88
PID 3276 wrote to memory of 1828	3276	keygen-step-4.exe	88
PID 1004 wrote to memory of 8	1004	key.exe	89
PID 1004 wrote to memory of 8	1004	key.exe	89
PID 1004 wrote to memory of 8	1004	key.exe	89
PID 1004 wrote to memory of 8	1004	key.exe	89
PID 1004 wrote to memory of 8	1004	key.exe	89
PID 1004 wrote to memory of 8	1004	key.exe	89
PID 1004 wrote to memory of 8	1004	key.exe	89
PID 1004 wrote to memory of 8	1004	key.exe	89
PID 1004 wrote to memory of 8	1004	key.exe	89
PID 1004 wrote to memory of 8	1004	key.exe	89
PID 1004 wrote to memory of 8	1004	key.exe	89
PID 1004 wrote to memory of 8	1004	key.exe	89
PID 1004 wrote to memory of 8	1004	key.exe	89
PID 1004 wrote to memory of 8	1004	key.exe	89
PID 1004 wrote to memory of 8	1004	key.exe	89
PID 1828 wrote to memory of 1836	1828	whhw.exe	91
PID 1828 wrote to memory of 1836	1828	whhw.exe	91
PID 1828 wrote to memory of 1836	1828	whhw.exe	91
PID 1836 wrote to memory of 912	1836	setup.upx.exe	92
PID 1836 wrote to memory of 912	1836	setup.upx.exe	92
PID 1836 wrote to memory of 912	1836	setup.upx.exe	92
PID 912 wrote to memory of 3860	912	cmd.exe	94
PID 912 wrote to memory of 3860	912	cmd.exe	94
PID 912 wrote to memory of 3860	912	cmd.exe	94
PID 3276 wrote to memory of 2236	3276	keygen-step-4.exe	96
PID 3276 wrote to memory of 2236	3276	keygen-step-4.exe	96
PID 3276 wrote to memory of 2236	3276	keygen-step-4.exe	96
PID 3276 wrote to memory of 1028	3276	keygen-step-4.exe	98
PID 3276 wrote to memory of 1028	3276	keygen-step-4.exe	98
PID 3276 wrote to memory of 1028	3276	keygen-step-4.exe	98
PID 1028 wrote to memory of 3768	1028	Setup.exe	99
PID 1028 wrote to memory of 3768	1028	Setup.exe	99
PID 1028 wrote to memory of 3768	1028	Setup.exe	99
PID 3768 wrote to memory of 2320	3768	Setup.tmp	100
PID 3768 wrote to memory of 2320	3768	Setup.tmp	100
PID 3768 wrote to memory of 2320	3768	Setup.tmp	100
PID 3276 wrote to memory of 1140	3276	keygen-step-4.exe	101
PID 3276 wrote to memory of 1140	3276	keygen-step-4.exe	101
PID 3276 wrote to memory of 1140	3276	keygen-step-4.exe	101
PID 1140 wrote to memory of 2156	1140	hjjgaa.exe	102

C:\Users\Admin\AppData\Local\Temp\Lonelyscreen.1.2.9.keygen.by.Paradox\Lonelyscreen.1.2.9.keygen.by.Paradox.exe
"C:\Users\Admin\AppData\Local\Temp\Lonelyscreen.1.2.9.keygen.by.Paradox\Lonelyscreen.1.2.9.keygen.by.Paradox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:644
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3584
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
    keygen-pr.exe -p83fsase3Ge
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4076
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1004
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat
        5⤵
        Executes dropped EXE
        
        PID:8
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
    keygen-step-3.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2100
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2148
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 3000
        5⤵
        Runs ping.exe
        
        PID:3840
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
    keygen-step-4.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3276
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\whhw.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\whhw.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1828
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX3\setup.upx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX3\setup.upx.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1836
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX3\setup.upx.exe"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:912
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 3000
        7⤵
        Runs ping.exe
        
        PID:3860
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\id6.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\id6.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2236
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1028
    - - C:\Users\Admin\AppData\Local\Temp\is-U3I3J.tmp\Setup.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-U3I3J.tmp\Setup.tmp" /SL5="$30242,1223153,733696,C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:3768
      - C:\Users\Admin\AppData\Local\Temp\RarSFX2\searzar\searzar.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX2\searzar\searzar.exe"
        6⤵
        Executes dropped EXE
        
        PID:2320
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\hjjgaa.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\hjjgaa.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1140
    - - C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fjgha23_fa.txt
        5⤵
        Executes dropped EXE
        
        PID:2156
    - - C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fjgha23_fa.txt
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:3956
    - - C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fjgha23_fa.txt
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:908
    - - C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fjgha23_fa.txt
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:3552

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/8-23-0x0000000000400000-0x0000000000983000-memory.dmp

Filesize
5.5MB

Download
memory/8-29-0x0000000000400000-0x0000000000983000-memory.dmp

Filesize
5.5MB

Download
memory/2236-36-0x0000000010000000-0x00000000100E3000-memory.dmp

Filesize
908KB

Download