pony | 38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99

Analysis

max time kernel
144s
max time network
182s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
21-05-2022 01:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
Size

698KB
MD5

0937ad49912c231a7b996268a685a5a3
SHA1

4d9abdc517ecdb57cd259f0e9cd64a8090a4ba44
SHA256

38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99
SHA512

ee1cef0019199cd41a5e2b3ff875be719355caf6d93aca29d8184135978f47dde561c39206858097b8e8ef57eeb946ec620312fb14cbc4c9664c7330304d114d

Score

10^/10

pony discovery evasion rat spyware stealer

Malware Config

Extracted

Family

pony

http://lasgidivibescontrol.com/onyyy/panel/gate.php

Attributes

payload_url
http://lasgidivibescontrol.com/shit.exe

Signatures

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exe

pid process

384 takeown.exe

pid	process
384	takeown.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe

Suspicious use of SetThreadContext 24 IoCs

Processes:

38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe

description	pid	process	target process
PID 1860 set thread context of 1668	1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	UserAccountControlSettings.exe
PID 1860 set thread context of 4820	1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	cacls.exe
PID 1860 set thread context of 4136	1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	RdpSa.exe
PID 1860 set thread context of 4700	1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	rrinstaller.exe
PID 1860 set thread context of 4480	1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	userinit.exe
PID 1860 set thread context of 4524	1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	fltMC.exe
PID 1860 set thread context of 4612	1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	fltMC.exe
PID 1860 set thread context of 1040	1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	nslookup.exe
PID 1860 set thread context of 540	1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	mshta.exe
PID 1860 set thread context of 3248	1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	ndadmin.exe
PID 1860 set thread context of 3932	1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	find.exe
PID 1860 set thread context of 2544	1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	forfiles.exe
PID 1860 set thread context of 2192	1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	UserAccountBroker.exe
PID 1860 set thread context of 1616	1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	waitfor.exe
PID 1860 set thread context of 3648	1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	RdpSaProxy.exe
PID 1860 set thread context of 2816	1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	agentactivationruntimestarter.exe
PID 1860 set thread context of 3912	1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	cmmon32.exe
PID 1860 set thread context of 3208	1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	eventcreate.exe
PID 1860 set thread context of 976	1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	HOSTNAME.EXE
PID 1860 set thread context of 396	1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	mspaint.exe
PID 1860 set thread context of 5068	1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	cleanmgr.exe
PID 1860 set thread context of 3856	1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	extrac32.exe
PID 1860 set thread context of 2792	1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	forfiles.exe
PID 1860 set thread context of 3640	1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	typeperf.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4332 taskkill.exe

pid	process
4332	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe

pid	process
1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exeUserAccountControlSettings.execacls.exeRdpSa.exerrinstaller.exeuserinit.exefltMC.exefltMC.exenslookup.exe

description	pid	process
Token: SeDebugPrivilege	1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
Token: SeImpersonatePrivilege	1668	UserAccountControlSettings.exe
Token: SeTcbPrivilege	1668	UserAccountControlSettings.exe
Token: SeChangeNotifyPrivilege	1668	UserAccountControlSettings.exe
Token: SeCreateTokenPrivilege	1668	UserAccountControlSettings.exe
Token: SeBackupPrivilege	1668	UserAccountControlSettings.exe
Token: SeRestorePrivilege	1668	UserAccountControlSettings.exe
Token: SeIncreaseQuotaPrivilege	1668	UserAccountControlSettings.exe
Token: SeAssignPrimaryTokenPrivilege	1668	UserAccountControlSettings.exe
Token: SeImpersonatePrivilege	4820	cacls.exe
Token: SeTcbPrivilege	4820	cacls.exe
Token: SeChangeNotifyPrivilege	4820	cacls.exe
Token: SeCreateTokenPrivilege	4820	cacls.exe
Token: SeBackupPrivilege	4820	cacls.exe
Token: SeRestorePrivilege	4820	cacls.exe
Token: SeIncreaseQuotaPrivilege	4820	cacls.exe
Token: SeAssignPrimaryTokenPrivilege	4820	cacls.exe
Token: SeImpersonatePrivilege	4136	RdpSa.exe
Token: SeTcbPrivilege	4136	RdpSa.exe
Token: SeChangeNotifyPrivilege	4136	RdpSa.exe
Token: SeCreateTokenPrivilege	4136	RdpSa.exe
Token: SeBackupPrivilege	4136	RdpSa.exe
Token: SeRestorePrivilege	4136	RdpSa.exe
Token: SeIncreaseQuotaPrivilege	4136	RdpSa.exe
Token: SeAssignPrimaryTokenPrivilege	4136	RdpSa.exe
Token: SeImpersonatePrivilege	4700	rrinstaller.exe
Token: SeTcbPrivilege	4700	rrinstaller.exe
Token: SeChangeNotifyPrivilege	4700	rrinstaller.exe
Token: SeCreateTokenPrivilege	4700	rrinstaller.exe
Token: SeBackupPrivilege	4700	rrinstaller.exe
Token: SeRestorePrivilege	4700	rrinstaller.exe
Token: SeIncreaseQuotaPrivilege	4700	rrinstaller.exe
Token: SeAssignPrimaryTokenPrivilege	4700	rrinstaller.exe
Token: SeImpersonatePrivilege	4480	userinit.exe
Token: SeTcbPrivilege	4480	userinit.exe
Token: SeChangeNotifyPrivilege	4480	userinit.exe
Token: SeCreateTokenPrivilege	4480	userinit.exe
Token: SeBackupPrivilege	4480	userinit.exe
Token: SeRestorePrivilege	4480	userinit.exe
Token: SeIncreaseQuotaPrivilege	4480	userinit.exe
Token: SeAssignPrimaryTokenPrivilege	4480	userinit.exe
Token: SeImpersonatePrivilege	4524	fltMC.exe
Token: SeTcbPrivilege	4524	fltMC.exe
Token: SeChangeNotifyPrivilege	4524	fltMC.exe
Token: SeCreateTokenPrivilege	4524	fltMC.exe
Token: SeBackupPrivilege	4524	fltMC.exe
Token: SeRestorePrivilege	4524	fltMC.exe
Token: SeIncreaseQuotaPrivilege	4524	fltMC.exe
Token: SeAssignPrimaryTokenPrivilege	4524	fltMC.exe
Token: SeImpersonatePrivilege	4612	fltMC.exe
Token: SeTcbPrivilege	4612	fltMC.exe
Token: SeChangeNotifyPrivilege	4612	fltMC.exe
Token: SeCreateTokenPrivilege	4612	fltMC.exe
Token: SeBackupPrivilege	4612	fltMC.exe
Token: SeRestorePrivilege	4612	fltMC.exe
Token: SeIncreaseQuotaPrivilege	4612	fltMC.exe
Token: SeAssignPrimaryTokenPrivilege	4612	fltMC.exe
Token: SeImpersonatePrivilege	1040	nslookup.exe
Token: SeTcbPrivilege	1040	nslookup.exe
Token: SeChangeNotifyPrivilege	1040	nslookup.exe
Token: SeCreateTokenPrivilege	1040	nslookup.exe
Token: SeBackupPrivilege	1040	nslookup.exe
Token: SeRestorePrivilege	1040	nslookup.exe
Token: SeIncreaseQuotaPrivilege	1040	nslookup.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe

description	pid	process	target process
PID 1860 wrote to memory of 1668	1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	UserAccountControlSettings.exe
PID 1860 wrote to memory of 1668	1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	UserAccountControlSettings.exe
PID 1860 wrote to memory of 1668	1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	UserAccountControlSettings.exe
PID 1860 wrote to memory of 1668	1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	UserAccountControlSettings.exe
PID 1860 wrote to memory of 1668	1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	UserAccountControlSettings.exe
PID 1860 wrote to memory of 1668	1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	UserAccountControlSettings.exe
PID 1860 wrote to memory of 1668	1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	UserAccountControlSettings.exe
PID 1860 wrote to memory of 1668	1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	UserAccountControlSettings.exe
PID 1860 wrote to memory of 1668	1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	UserAccountControlSettings.exe
PID 1860 wrote to memory of 4820	1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	cacls.exe
PID 1860 wrote to memory of 4820	1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	cacls.exe
PID 1860 wrote to memory of 4820	1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	cacls.exe
PID 1860 wrote to memory of 4820	1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	cacls.exe
PID 1860 wrote to memory of 4820	1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	cacls.exe
PID 1860 wrote to memory of 4820	1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	cacls.exe
PID 1860 wrote to memory of 4820	1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	cacls.exe
PID 1860 wrote to memory of 4820	1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	cacls.exe
PID 1860 wrote to memory of 4820	1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	cacls.exe
PID 1860 wrote to memory of 4136	1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	RdpSa.exe
PID 1860 wrote to memory of 4136	1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	RdpSa.exe
PID 1860 wrote to memory of 4136	1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	RdpSa.exe
PID 1860 wrote to memory of 4136	1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	RdpSa.exe
PID 1860 wrote to memory of 4136	1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	RdpSa.exe
PID 1860 wrote to memory of 4136	1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	RdpSa.exe
PID 1860 wrote to memory of 4136	1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	RdpSa.exe
PID 1860 wrote to memory of 4136	1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	RdpSa.exe
PID 1860 wrote to memory of 4136	1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	RdpSa.exe
PID 1860 wrote to memory of 4332	1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	taskkill.exe
PID 1860 wrote to memory of 4332	1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	taskkill.exe
PID 1860 wrote to memory of 4332	1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	taskkill.exe
PID 1860 wrote to memory of 4324	1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	wermgr.exe
PID 1860 wrote to memory of 4324	1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	wermgr.exe
PID 1860 wrote to memory of 4324	1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	wermgr.exe
PID 1860 wrote to memory of 4700	1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	rrinstaller.exe
PID 1860 wrote to memory of 4700	1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	rrinstaller.exe
PID 1860 wrote to memory of 4700	1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	rrinstaller.exe
PID 1860 wrote to memory of 4700	1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	rrinstaller.exe
PID 1860 wrote to memory of 4700	1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	rrinstaller.exe
PID 1860 wrote to memory of 4700	1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	rrinstaller.exe
PID 1860 wrote to memory of 4700	1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	rrinstaller.exe
PID 1860 wrote to memory of 4700	1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	rrinstaller.exe
PID 1860 wrote to memory of 4700	1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	rrinstaller.exe
PID 1860 wrote to memory of 4480	1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	userinit.exe
PID 1860 wrote to memory of 4480	1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	userinit.exe
PID 1860 wrote to memory of 4480	1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	userinit.exe
PID 1860 wrote to memory of 4480	1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	userinit.exe
PID 1860 wrote to memory of 4480	1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	userinit.exe
PID 1860 wrote to memory of 4480	1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	userinit.exe
PID 1860 wrote to memory of 4480	1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	userinit.exe
PID 1860 wrote to memory of 4480	1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	userinit.exe
PID 1860 wrote to memory of 4480	1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	userinit.exe
PID 1860 wrote to memory of 4524	1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	fltMC.exe
PID 1860 wrote to memory of 4524	1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	fltMC.exe
PID 1860 wrote to memory of 4524	1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	fltMC.exe
PID 1860 wrote to memory of 4524	1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	fltMC.exe
PID 1860 wrote to memory of 4524	1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	fltMC.exe
PID 1860 wrote to memory of 4524	1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	fltMC.exe
PID 1860 wrote to memory of 4524	1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	fltMC.exe
PID 1860 wrote to memory of 4524	1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	fltMC.exe
PID 1860 wrote to memory of 4524	1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	fltMC.exe
PID 1860 wrote to memory of 4612	1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	fltMC.exe
PID 1860 wrote to memory of 4612	1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	fltMC.exe
PID 1860 wrote to memory of 4612	1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	fltMC.exe
PID 1860 wrote to memory of 4612	1860	38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe	fltMC.exe

C:\Users\Admin\AppData\Local\Temp\38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe
"C:\Users\Admin\AppData\Local\Temp\38dfeabf5526511effa346e9ced2145d4d2b1ffbc065146d3869e27fc235cd99.exe"
1⤵
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1860

C:\Windows\SysWOW64\UserAccountControlSettings.exe
"C:\Windows\SysWOW64\UserAccountControlSettings.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1668

C:\Windows\SysWOW64\cacls.exe
"C:\Windows\SysWOW64\cacls.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4820

C:\Windows\SysWOW64\RdpSa.exe
"C:\Windows\SysWOW64\RdpSa.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4136

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\SysWOW64\taskkill.exe"
2⤵
- Kills process with taskkill
PID:4332

C:\Windows\SysWOW64\wermgr.exe
"C:\Windows\SysWOW64\wermgr.exe"
2⤵
PID:4324

C:\Windows\SysWOW64\rrinstaller.exe
"C:\Windows\SysWOW64\rrinstaller.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4700

C:\Windows\SysWOW64\userinit.exe
"C:\Windows\SysWOW64\userinit.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4480

C:\Windows\SysWOW64\fltMC.exe
"C:\Windows\SysWOW64\fltMC.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4524

C:\Windows\SysWOW64\fltMC.exe
"C:\Windows\SysWOW64\fltMC.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4612

C:\Windows\SysWOW64\nslookup.exe
"C:\Windows\SysWOW64\nslookup.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1040

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe"
2⤵
PID:540

C:\Windows\SysWOW64\ndadmin.exe
"C:\Windows\SysWOW64\ndadmin.exe"
2⤵
PID:3248

C:\Windows\SysWOW64\msra.exe
"C:\Windows\SysWOW64\msra.exe"
2⤵
PID:1520

C:\Windows\SysWOW64\find.exe
"C:\Windows\SysWOW64\find.exe"
2⤵
PID:3932

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\SysWOW64\forfiles.exe"
2⤵
PID:2544

C:\Windows\SysWOW64\SystemPropertiesComputerName.exe
"C:\Windows\SysWOW64\SystemPropertiesComputerName.exe"
2⤵
PID:1396

C:\Windows\SysWOW64\UserAccountBroker.exe
"C:\Windows\SysWOW64\UserAccountBroker.exe"
2⤵
PID:2192

C:\Windows\SysWOW64\waitfor.exe
"C:\Windows\SysWOW64\waitfor.exe"
2⤵
PID:1616

C:\Windows\SysWOW64\RdpSaProxy.exe
"C:\Windows\SysWOW64\RdpSaProxy.exe"
2⤵
PID:3648

C:\Windows\SysWOW64\agentactivationruntimestarter.exe
"C:\Windows\SysWOW64\agentactivationruntimestarter.exe"
2⤵
PID:2816

C:\Windows\SysWOW64\cmmon32.exe
"C:\Windows\SysWOW64\cmmon32.exe"
2⤵
PID:3912

C:\Windows\SysWOW64\chkntfs.exe
"C:\Windows\SysWOW64\chkntfs.exe"
2⤵
PID:3824

C:\Windows\SysWOW64\eventcreate.exe
"C:\Windows\SysWOW64\eventcreate.exe"
2⤵
PID:3208

C:\Windows\SysWOW64\HOSTNAME.EXE
"C:\Windows\SysWOW64\HOSTNAME.EXE"
2⤵
PID:976

C:\Windows\SysWOW64\mspaint.exe
"C:\Windows\SysWOW64\mspaint.exe"
2⤵
PID:396

C:\Windows\SysWOW64\InfDefaultInstall.exe
"C:\Windows\SysWOW64\InfDefaultInstall.exe"
2⤵
PID:4204

C:\Windows\SysWOW64\CredentialUIBroker.exe
"C:\Windows\SysWOW64\CredentialUIBroker.exe"
2⤵
PID:1792

C:\Windows\SysWOW64\cleanmgr.exe
"C:\Windows\SysWOW64\cleanmgr.exe"
2⤵
PID:5068

C:\Windows\SysWOW64\extrac32.exe
"C:\Windows\SysWOW64\extrac32.exe"
2⤵
PID:3856

C:\Windows\SysWOW64\Register-CimProvider.exe
"C:\Windows\SysWOW64\Register-CimProvider.exe"
2⤵
PID:4920

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\SysWOW64\forfiles.exe"
2⤵
PID:2792

C:\Windows\SysWOW64\typeperf.exe
"C:\Windows\SysWOW64\typeperf.exe"
2⤵
PID:3640

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\SysWOW64\takeown.exe"
2⤵
- Modifies file permissions
PID:384

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/384-261-0x0000000000000000-mapping.dmp

Download
memory/396-233-0x0000000000000000-mapping.dmp

Download
memory/396-237-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/540-180-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/540-176-0x0000000000000000-mapping.dmp

Download
memory/976-232-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/976-228-0x0000000000000000-mapping.dmp

Download
memory/1040-171-0x0000000000000000-mapping.dmp

Download
memory/1040-175-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1396-197-0x0000000000000000-mapping.dmp

Download
memory/1520-186-0x0000000000000000-mapping.dmp

Download
memory/1616-202-0x0000000000000000-mapping.dmp

Download
memory/1616-206-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1668-138-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1668-137-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1668-135-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1668-134-0x0000000000000000-mapping.dmp

Download
memory/1792-239-0x0000000000000000-mapping.dmp

Download
memory/1860-130-0x00000000005F0000-0x00000000006A4000-memory.dmp

Filesize
720KB

Download
memory/1860-131-0x0000000004FF0000-0x000000000508C000-memory.dmp

Filesize
624KB

Download
memory/1860-132-0x0000000006AA0000-0x0000000007044000-memory.dmp

Filesize
5.6MB

Download
memory/1860-262-0x0000000000EA0000-0x0000000000F32000-memory.dmp

Filesize
584KB

Download
memory/1860-133-0x00000000065E0000-0x0000000006646000-memory.dmp

Filesize
408KB

Download
memory/2192-198-0x0000000000000000-mapping.dmp

Download
memory/2192-201-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2544-196-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2544-192-0x0000000000000000-mapping.dmp

Download
memory/2792-255-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2792-251-0x0000000000000000-mapping.dmp

Download
memory/2816-216-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2816-215-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2816-212-0x0000000000000000-mapping.dmp

Download
memory/3208-223-0x0000000000000000-mapping.dmp

Download
memory/3208-227-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3248-185-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3248-181-0x0000000000000000-mapping.dmp

Download
memory/3640-256-0x0000000000000000-mapping.dmp

Download
memory/3640-260-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3648-207-0x0000000000000000-mapping.dmp

Download
memory/3648-211-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3824-222-0x0000000000000000-mapping.dmp

Download
memory/3856-245-0x0000000000000000-mapping.dmp

Download
memory/3856-249-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3912-221-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3912-217-0x0000000000000000-mapping.dmp

Download
memory/3932-190-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3932-187-0x0000000000000000-mapping.dmp

Download
memory/3932-191-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4136-144-0x0000000000000000-mapping.dmp

Download
memory/4136-148-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4204-238-0x0000000000000000-mapping.dmp

Download
memory/4324-150-0x0000000000000000-mapping.dmp

Download
memory/4332-149-0x0000000000000000-mapping.dmp

Download
memory/4480-156-0x0000000000000000-mapping.dmp

Download
memory/4480-160-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4524-165-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4524-161-0x0000000000000000-mapping.dmp

Download
memory/4612-166-0x0000000000000000-mapping.dmp

Download
memory/4612-169-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4612-170-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4700-155-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4700-151-0x0000000000000000-mapping.dmp

Download
memory/4820-143-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4820-139-0x0000000000000000-mapping.dmp

Download
memory/4920-250-0x0000000000000000-mapping.dmp

Download
memory/5068-240-0x0000000000000000-mapping.dmp

Download
memory/5068-244-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download