pony | 38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99

General

Target

38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
Size

698KB
MD5

0937ad49912c231a7b996268a685a5a3
SHA1

4d9abdc517ecdb57cd259f0e9cd64a8090a4ba44
SHA256

38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99
SHA512

ee1cef0019199cd41a5e2b3ff875be719355caf6d93aca29d8184135978f47dde561c39206858097b8e8ef57eeb946ec620312fb14cbc4c9664c7330304d114d

Score

10^/10

pony evasion rat spyware stealer

Malware Config

Extracted

Family

pony

C2

http://lasgidivibescontrol.com/onyyy/panel/gate.php

Attributes

payload_url
http://lasgidivibescontrol.com/shit.exe

Signatures

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe

Suspicious use of SetThreadContext 26 IoCs

Processes:

38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe

description	pid	process	target process
PID 1192 set thread context of 1528	1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	curl.exe
PID 1192 set thread context of 4860	1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	RMActivate_ssp.exe
PID 1192 set thread context of 4480	1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	bitsadmin.exe
PID 1192 set thread context of 4516	1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	reg.exe
PID 1192 set thread context of 5076	1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	netiougc.exe
PID 1192 set thread context of 4648	1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	recover.exe
PID 1192 set thread context of 664	1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	w32tm.exe
PID 1192 set thread context of 3652	1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	where.exe
PID 1192 set thread context of 212	1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	cttunesvr.exe
PID 1192 set thread context of 1728	1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	ktmutil.exe
PID 1192 set thread context of 4304	1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	winrshost.exe
PID 1192 set thread context of 3260	1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	TSTheme.exe
PID 1192 set thread context of 4224	1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	unregmp2.exe
PID 1192 set thread context of 1444	1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	fsutil.exe
PID 1192 set thread context of 2252	1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	bootcfg.exe
PID 1192 set thread context of 2480	1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	extrac32.exe
PID 1192 set thread context of 3844	1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	resmon.exe
PID 1192 set thread context of 4564	1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	dxdiag.exe
PID 1192 set thread context of 3568	1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	dccw.exe
PID 1192 set thread context of 2576	1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	ieUnatt.exe
PID 1192 set thread context of 4528	1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	user.exe
PID 1192 set thread context of 3392	1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	net.exe
PID 1192 set thread context of 3336	1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	runonce.exe
PID 1192 set thread context of 3888	1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	taskkill.exe
PID 1192 set thread context of 4960	1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	prevhost.exe
PID 1192 set thread context of 1220	1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	rekeywiz.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

3888 taskkill.exe
Runs net.exe

pid	process
3888	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe

pid	process
1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.execurl.exeRMActivate_ssp.exebitsadmin.exereg.exenetiougc.exerecover.exew32tm.exewhere.exe

description	pid	process
Token: SeDebugPrivilege	1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
Token: SeImpersonatePrivilege	1528	curl.exe
Token: SeTcbPrivilege	1528	curl.exe
Token: SeChangeNotifyPrivilege	1528	curl.exe
Token: SeCreateTokenPrivilege	1528	curl.exe
Token: SeBackupPrivilege	1528	curl.exe
Token: SeRestorePrivilege	1528	curl.exe
Token: SeIncreaseQuotaPrivilege	1528	curl.exe
Token: SeAssignPrimaryTokenPrivilege	1528	curl.exe
Token: SeImpersonatePrivilege	4860	RMActivate_ssp.exe
Token: SeTcbPrivilege	4860	RMActivate_ssp.exe
Token: SeChangeNotifyPrivilege	4860	RMActivate_ssp.exe
Token: SeCreateTokenPrivilege	4860	RMActivate_ssp.exe
Token: SeBackupPrivilege	4860	RMActivate_ssp.exe
Token: SeRestorePrivilege	4860	RMActivate_ssp.exe
Token: SeIncreaseQuotaPrivilege	4860	RMActivate_ssp.exe
Token: SeAssignPrimaryTokenPrivilege	4860	RMActivate_ssp.exe
Token: SeImpersonatePrivilege	4480	bitsadmin.exe
Token: SeTcbPrivilege	4480	bitsadmin.exe
Token: SeChangeNotifyPrivilege	4480	bitsadmin.exe
Token: SeCreateTokenPrivilege	4480	bitsadmin.exe
Token: SeBackupPrivilege	4480	bitsadmin.exe
Token: SeRestorePrivilege	4480	bitsadmin.exe
Token: SeIncreaseQuotaPrivilege	4480	bitsadmin.exe
Token: SeAssignPrimaryTokenPrivilege	4480	bitsadmin.exe
Token: SeImpersonatePrivilege	4516	reg.exe
Token: SeTcbPrivilege	4516	reg.exe
Token: SeChangeNotifyPrivilege	4516	reg.exe
Token: SeCreateTokenPrivilege	4516	reg.exe
Token: SeBackupPrivilege	4516	reg.exe
Token: SeRestorePrivilege	4516	reg.exe
Token: SeIncreaseQuotaPrivilege	4516	reg.exe
Token: SeAssignPrimaryTokenPrivilege	4516	reg.exe
Token: SeImpersonatePrivilege	5076	netiougc.exe
Token: SeTcbPrivilege	5076	netiougc.exe
Token: SeChangeNotifyPrivilege	5076	netiougc.exe
Token: SeCreateTokenPrivilege	5076	netiougc.exe
Token: SeBackupPrivilege	5076	netiougc.exe
Token: SeRestorePrivilege	5076	netiougc.exe
Token: SeIncreaseQuotaPrivilege	5076	netiougc.exe
Token: SeAssignPrimaryTokenPrivilege	5076	netiougc.exe
Token: SeImpersonatePrivilege	4648	recover.exe
Token: SeTcbPrivilege	4648	recover.exe
Token: SeChangeNotifyPrivilege	4648	recover.exe
Token: SeCreateTokenPrivilege	4648	recover.exe
Token: SeBackupPrivilege	4648	recover.exe
Token: SeRestorePrivilege	4648	recover.exe
Token: SeIncreaseQuotaPrivilege	4648	recover.exe
Token: SeAssignPrimaryTokenPrivilege	4648	recover.exe
Token: SeImpersonatePrivilege	664	w32tm.exe
Token: SeTcbPrivilege	664	w32tm.exe
Token: SeChangeNotifyPrivilege	664	w32tm.exe
Token: SeCreateTokenPrivilege	664	w32tm.exe
Token: SeBackupPrivilege	664	w32tm.exe
Token: SeRestorePrivilege	664	w32tm.exe
Token: SeIncreaseQuotaPrivilege	664	w32tm.exe
Token: SeAssignPrimaryTokenPrivilege	664	w32tm.exe
Token: SeImpersonatePrivilege	3652	where.exe
Token: SeTcbPrivilege	3652	where.exe
Token: SeChangeNotifyPrivilege	3652	where.exe
Token: SeCreateTokenPrivilege	3652	where.exe
Token: SeBackupPrivilege	3652	where.exe
Token: SeRestorePrivilege	3652	where.exe
Token: SeIncreaseQuotaPrivilege	3652	where.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe

description	pid	process	target process
PID 1192 wrote to memory of 1528	1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	curl.exe
PID 1192 wrote to memory of 1528	1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	curl.exe
PID 1192 wrote to memory of 1528	1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	curl.exe
PID 1192 wrote to memory of 1528	1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	curl.exe
PID 1192 wrote to memory of 1528	1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	curl.exe
PID 1192 wrote to memory of 1528	1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	curl.exe
PID 1192 wrote to memory of 1528	1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	curl.exe
PID 1192 wrote to memory of 1528	1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	curl.exe
PID 1192 wrote to memory of 1528	1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	curl.exe
PID 1192 wrote to memory of 1212	1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	TokenBrokerCookies.exe
PID 1192 wrote to memory of 1212	1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	TokenBrokerCookies.exe
PID 1192 wrote to memory of 1212	1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	TokenBrokerCookies.exe
PID 1192 wrote to memory of 4860	1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	RMActivate_ssp.exe
PID 1192 wrote to memory of 4860	1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	RMActivate_ssp.exe
PID 1192 wrote to memory of 4860	1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	RMActivate_ssp.exe
PID 1192 wrote to memory of 4860	1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	RMActivate_ssp.exe
PID 1192 wrote to memory of 4860	1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	RMActivate_ssp.exe
PID 1192 wrote to memory of 4860	1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	RMActivate_ssp.exe
PID 1192 wrote to memory of 4860	1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	RMActivate_ssp.exe
PID 1192 wrote to memory of 4860	1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	RMActivate_ssp.exe
PID 1192 wrote to memory of 4860	1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	RMActivate_ssp.exe
PID 1192 wrote to memory of 4480	1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	bitsadmin.exe
PID 1192 wrote to memory of 4480	1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	bitsadmin.exe
PID 1192 wrote to memory of 4480	1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	bitsadmin.exe
PID 1192 wrote to memory of 4480	1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	bitsadmin.exe
PID 1192 wrote to memory of 4480	1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	bitsadmin.exe
PID 1192 wrote to memory of 4480	1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	bitsadmin.exe
PID 1192 wrote to memory of 4480	1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	bitsadmin.exe
PID 1192 wrote to memory of 4480	1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	bitsadmin.exe
PID 1192 wrote to memory of 4480	1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	bitsadmin.exe
PID 1192 wrote to memory of 4516	1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	reg.exe
PID 1192 wrote to memory of 4516	1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	reg.exe
PID 1192 wrote to memory of 4516	1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	reg.exe
PID 1192 wrote to memory of 4516	1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	reg.exe
PID 1192 wrote to memory of 4516	1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	reg.exe
PID 1192 wrote to memory of 4516	1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	reg.exe
PID 1192 wrote to memory of 4516	1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	reg.exe
PID 1192 wrote to memory of 4516	1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	reg.exe
PID 1192 wrote to memory of 4516	1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	reg.exe
PID 1192 wrote to memory of 5076	1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	netiougc.exe
PID 1192 wrote to memory of 5076	1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	netiougc.exe
PID 1192 wrote to memory of 5076	1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	netiougc.exe
PID 1192 wrote to memory of 5076	1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	netiougc.exe
PID 1192 wrote to memory of 5076	1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	netiougc.exe
PID 1192 wrote to memory of 5076	1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	netiougc.exe
PID 1192 wrote to memory of 5076	1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	netiougc.exe
PID 1192 wrote to memory of 5076	1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	netiougc.exe
PID 1192 wrote to memory of 5076	1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	netiougc.exe
PID 1192 wrote to memory of 4648	1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	recover.exe
PID 1192 wrote to memory of 4648	1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	recover.exe
PID 1192 wrote to memory of 4648	1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	recover.exe
PID 1192 wrote to memory of 4648	1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	recover.exe
PID 1192 wrote to memory of 4648	1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	recover.exe
PID 1192 wrote to memory of 4648	1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	recover.exe
PID 1192 wrote to memory of 4648	1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	recover.exe
PID 1192 wrote to memory of 4648	1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	recover.exe
PID 1192 wrote to memory of 4648	1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	recover.exe
PID 1192 wrote to memory of 664	1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	w32tm.exe
PID 1192 wrote to memory of 664	1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	w32tm.exe
PID 1192 wrote to memory of 664	1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	w32tm.exe
PID 1192 wrote to memory of 664	1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	w32tm.exe
PID 1192 wrote to memory of 664	1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	w32tm.exe
PID 1192 wrote to memory of 664	1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	w32tm.exe
PID 1192 wrote to memory of 664	1192	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	w32tm.exe

C:\Users\Admin\AppData\Local\Temp\38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
"C:\Users\Admin\AppData\Local\Temp\38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe"
1⤵
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1192

C:\Windows\SysWOW64\curl.exe
"C:\Windows\SysWOW64\curl.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1528

C:\Windows\SysWOW64\TokenBrokerCookies.exe
"C:\Windows\SysWOW64\TokenBrokerCookies.exe"
2⤵
PID:1212

C:\Windows\SysWOW64\RMActivate_ssp.exe
"C:\Windows\SysWOW64\RMActivate_ssp.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4860

C:\Windows\SysWOW64\bitsadmin.exe
"C:\Windows\SysWOW64\bitsadmin.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4480

C:\Windows\SysWOW64\reg.exe
"C:\Windows\SysWOW64\reg.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4516

C:\Windows\SysWOW64\netiougc.exe
"C:\Windows\SysWOW64\netiougc.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5076

C:\Windows\SysWOW64\recover.exe
"C:\Windows\SysWOW64\recover.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4648

C:\Windows\SysWOW64\w32tm.exe
"C:\Windows\SysWOW64\w32tm.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:664

C:\Windows\SysWOW64\where.exe
"C:\Windows\SysWOW64\where.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3652

C:\Windows\SysWOW64\cttunesvr.exe
"C:\Windows\SysWOW64\cttunesvr.exe"
2⤵
PID:212

C:\Windows\SysWOW64\ktmutil.exe
"C:\Windows\SysWOW64\ktmutil.exe"
2⤵
PID:1728

C:\Windows\SysWOW64\winrshost.exe
"C:\Windows\SysWOW64\winrshost.exe"
2⤵
PID:4304

C:\Windows\SysWOW64\cmdl32.exe
"C:\Windows\SysWOW64\cmdl32.exe"
2⤵
PID:4288

C:\Windows\SysWOW64\TSTheme.exe
"C:\Windows\SysWOW64\TSTheme.exe"
2⤵
PID:3260

C:\Windows\SysWOW64\unregmp2.exe
"C:\Windows\SysWOW64\unregmp2.exe"
2⤵
PID:4224

C:\Windows\SysWOW64\find.exe
"C:\Windows\SysWOW64\find.exe"
2⤵
PID:4204

C:\Windows\SysWOW64\fsutil.exe
"C:\Windows\SysWOW64\fsutil.exe"
2⤵
PID:1444

C:\Windows\SysWOW64\bootcfg.exe
"C:\Windows\SysWOW64\bootcfg.exe"
2⤵
PID:2252

C:\Windows\SysWOW64\extrac32.exe
"C:\Windows\SysWOW64\extrac32.exe"
2⤵
PID:2480

C:\Windows\SysWOW64\resmon.exe
"C:\Windows\SysWOW64\resmon.exe"
2⤵
PID:3844

C:\Windows\SysWOW64\dxdiag.exe
"C:\Windows\SysWOW64\dxdiag.exe"
2⤵
PID:4564

C:\Windows\SysWOW64\dccw.exe
"C:\Windows\SysWOW64\dccw.exe"
2⤵
PID:3568

C:\Windows\SysWOW64\ieUnatt.exe
"C:\Windows\SysWOW64\ieUnatt.exe"
2⤵
PID:2576

C:\Windows\SysWOW64\user.exe
"C:\Windows\SysWOW64\user.exe"
2⤵
PID:4528

C:\Windows\SysWOW64\net.exe
"C:\Windows\SysWOW64\net.exe"
2⤵
PID:3392

C:\Windows\SysWOW64\runonce.exe
"C:\Windows\SysWOW64\runonce.exe"
2⤵
PID:3336

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\SysWOW64\taskkill.exe"
2⤵
- Kills process with taskkill
PID:3888

C:\Windows\SysWOW64\prevhost.exe
"C:\Windows\SysWOW64\prevhost.exe"
2⤵
PID:4960

C:\Windows\SysWOW64\user.exe
"C:\Windows\SysWOW64\user.exe"
2⤵
PID:2524

C:\Windows\SysWOW64\rekeywiz.exe
"C:\Windows\SysWOW64\rekeywiz.exe"
2⤵
PID:1220

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

4

T1012

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

2

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/212-179-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/212-175-0x0000000000000000-mapping.dmp

Download
memory/664-169-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/664-165-0x0000000000000000-mapping.dmp

Download
memory/1192-130-0x0000000000D00000-0x0000000000DB4000-memory.dmp

Filesize
720KB

Download
memory/1192-131-0x0000000005780000-0x000000000581C000-memory.dmp

Filesize
624KB

Download
memory/1192-132-0x00000000071B0000-0x0000000007754000-memory.dmp

Filesize
5.6MB

Download
memory/1192-133-0x0000000006CF0000-0x0000000006D56000-memory.dmp

Filesize
408KB

Download
memory/1212-139-0x0000000000000000-mapping.dmp

Download
memory/1220-261-0x0000000000000000-mapping.dmp

Download
memory/1444-202-0x0000000000000000-mapping.dmp

Download
memory/1444-206-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1528-138-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1528-134-0x0000000000000000-mapping.dmp

Download
memory/1528-135-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1528-137-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1728-184-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1728-180-0x0000000000000000-mapping.dmp

Download
memory/2252-207-0x0000000000000000-mapping.dmp

Download
memory/2480-211-0x0000000000000000-mapping.dmp

Download
memory/2480-215-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2524-260-0x0000000000000000-mapping.dmp

Download
memory/2576-235-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2576-231-0x0000000000000000-mapping.dmp

Download
memory/3260-194-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3260-195-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3260-191-0x0000000000000000-mapping.dmp

Download
memory/3336-246-0x0000000000000000-mapping.dmp

Download
memory/3392-241-0x0000000000000000-mapping.dmp

Download
memory/3392-245-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3568-226-0x0000000000000000-mapping.dmp

Download
memory/3568-230-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3652-170-0x0000000000000000-mapping.dmp

Download
memory/3652-174-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3844-216-0x0000000000000000-mapping.dmp

Download
memory/3844-220-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3888-250-0x0000000000000000-mapping.dmp

Download
memory/3888-254-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4204-201-0x0000000000000000-mapping.dmp

Download
memory/4224-200-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4224-196-0x0000000000000000-mapping.dmp

Download
memory/4288-190-0x0000000000000000-mapping.dmp

Download
memory/4304-189-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4304-185-0x0000000000000000-mapping.dmp

Download
memory/4480-149-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4480-145-0x0000000000000000-mapping.dmp

Download
memory/4516-154-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4516-150-0x0000000000000000-mapping.dmp

Download
memory/4528-236-0x0000000000000000-mapping.dmp

Download
memory/4528-240-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4564-221-0x0000000000000000-mapping.dmp

Download
memory/4564-225-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4648-164-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4648-160-0x0000000000000000-mapping.dmp

Download
memory/4860-144-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4860-143-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4860-140-0x0000000000000000-mapping.dmp

Download
memory/4960-255-0x0000000000000000-mapping.dmp

Download
memory/4960-259-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/5076-155-0x0000000000000000-mapping.dmp

Download
memory/5076-159-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads