pony | 87d837993cf1c55bb6d7c46f7e6c426388e249b477e141f96e539fa7e848955d

Analysis

max time kernel
173s
max time network
168s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 21:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

87d837993cf1c55bb6d7c46f7e6c426388e249b477e141f96e539fa7e848955d.exe
Size

549KB
MD5

6b50e5b32b3937cbb107825a144f7bc8
SHA1

492171452790445697106f1e8463cf74f8fc8b62
SHA256

87d837993cf1c55bb6d7c46f7e6c426388e249b477e141f96e539fa7e848955d
SHA512

8fe177ec002f63fce2ebb24c1292a3b810207b022f9fb42f310a625b2d7fc6bfb5360ad9dd1e06eb881a025e8f929682b3942fab2c80cd1c347abc808f8aba04
SSDEEP

12288:8ooGf9Y1Jop3A3IoCoj7+vjQxfibQQwwo:B+wp31Xoj79Kbbwj

Score

10^/10

pony collection discovery persistence rat spyware stealer upx

Malware Config

Extracted

Family

pony

http://www.indianmoneybag.in/wordpress/wp-content/themes/twentyfourteen/css/php/gate.php

Signatures

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Executes dropped EXE 4 IoCs

Processes:

OGOAN.exeeliwd.exeOGOAN.exeeliwd.exe

pid process

1784 OGOAN.exe
468 eliwd.exe
1688 OGOAN.exe
1368 eliwd.exe

pid	process
1784	OGOAN.exe
468	eliwd.exe
1688	OGOAN.exe
1368	eliwd.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\OGOAN.exe	upx
C:\Users\Admin\AppData\Local\Temp\OGOAN.exe	upx
\Users\Admin\AppData\Local\Temp\OGOAN.exe	upx
behavioral1/memory/1784-67-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/1784-69-0x0000000000400000-0x000000000041D000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\OGOAN.exe	upx
\Users\Admin\AppData\Local\Temp\OGOAN.exe	upx
\Users\Admin\AppData\Local\Temp\OGOAN.exe	upx
C:\Users\Admin\AppData\Local\Temp\OGOAN.exe	upx
behavioral1/memory/1688-87-0x0000000000400000-0x000000000041D000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\OGOAN.exe	upx
behavioral1/memory/1688-132-0x0000000000400000-0x000000000041D000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\OGOAN.exe	upx
behavioral1/memory/1688-413-0x0000000000400000-0x000000000041D000-memory.dmp	upx

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

952 cmd.exe

pid	process
952	cmd.exe

Loads dropped DLL 8 IoCs

Processes:

87d837993cf1c55bb6d7c46f7e6c426388e249b477e141f96e539fa7e848955d.exe87d837993cf1c55bb6d7c46f7e6c426388e249b477e141f96e539fa7e848955d.exeeliwd.exeeliwd.exe

pid	process
1572	87d837993cf1c55bb6d7c46f7e6c426388e249b477e141f96e539fa7e848955d.exe
1572	87d837993cf1c55bb6d7c46f7e6c426388e249b477e141f96e539fa7e848955d.exe
944	87d837993cf1c55bb6d7c46f7e6c426388e249b477e141f96e539fa7e848955d.exe
944	87d837993cf1c55bb6d7c46f7e6c426388e249b477e141f96e539fa7e848955d.exe
468	eliwd.exe
468	eliwd.exe
1368	eliwd.exe
1368	eliwd.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook accounts 1 TTPs 2 IoCs

collection

Email Collection

T1114

Processes:

OGOAN.exeOGOAN.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	OGOAN.exe
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	OGOAN.exe

Accesses Microsoft Outlook profiles 1 TTPs 2 IoCs

collection

Email Collection

T1114

Processes:

OGOAN.exeOGOAN.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	OGOAN.exe
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	OGOAN.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

eliwd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\Currentversion\Run	eliwd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\Currentversion\Run	eliwd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ukumepvyn = "C:\\Users\\Admin\\AppData\\Roaming\\Diasu\\eliwd.exe"	eliwd.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 4 IoCs

Processes:

87d837993cf1c55bb6d7c46f7e6c426388e249b477e141f96e539fa7e848955d.exeeliwd.exe87d837993cf1c55bb6d7c46f7e6c426388e249b477e141f96e539fa7e848955d.exeOGOAN.exe

description	pid	process	target process
PID 1572 set thread context of 944	1572	87d837993cf1c55bb6d7c46f7e6c426388e249b477e141f96e539fa7e848955d.exe	87d837993cf1c55bb6d7c46f7e6c426388e249b477e141f96e539fa7e848955d.exe
PID 468 set thread context of 1368	468	eliwd.exe	eliwd.exe
PID 944 set thread context of 952	944	87d837993cf1c55bb6d7c46f7e6c426388e249b477e141f96e539fa7e848955d.exe	cmd.exe
PID 1688 set thread context of 304	1688	OGOAN.exe	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

87d837993cf1c55bb6d7c46f7e6c426388e249b477e141f96e539fa7e848955d.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Privacy	87d837993cf1c55bb6d7c46f7e6c426388e249b477e141f96e539fa7e848955d.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	87d837993cf1c55bb6d7c46f7e6c426388e249b477e141f96e539fa7e848955d.exe

NTFS ADS 1 IoCs

Processes:

WinMail.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\76750757-00000001.eml:OECustomProperty	WinMail.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

eliwd.exe

pid	process
1368	eliwd.exe
1368	eliwd.exe
1368	eliwd.exe
1368	eliwd.exe
1368	eliwd.exe
1368	eliwd.exe
1368	eliwd.exe
1368	eliwd.exe
1368	eliwd.exe
1368	eliwd.exe
1368	eliwd.exe
1368	eliwd.exe
1368	eliwd.exe
1368	eliwd.exe
1368	eliwd.exe
1368	eliwd.exe
1368	eliwd.exe
1368	eliwd.exe
1368	eliwd.exe
1368	eliwd.exe
1368	eliwd.exe
1368	eliwd.exe
1368	eliwd.exe
1368	eliwd.exe
1368	eliwd.exe
1368	eliwd.exe
1368	eliwd.exe
1368	eliwd.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

87d837993cf1c55bb6d7c46f7e6c426388e249b477e141f96e539fa7e848955d.exeOGOAN.exeOGOAN.exe

description	pid	process
Token: SeSecurityPrivilege	944	87d837993cf1c55bb6d7c46f7e6c426388e249b477e141f96e539fa7e848955d.exe
Token: SeSecurityPrivilege	944	87d837993cf1c55bb6d7c46f7e6c426388e249b477e141f96e539fa7e848955d.exe
Token: SeImpersonatePrivilege	1784	OGOAN.exe
Token: SeTcbPrivilege	1784	OGOAN.exe
Token: SeChangeNotifyPrivilege	1784	OGOAN.exe
Token: SeCreateTokenPrivilege	1784	OGOAN.exe
Token: SeBackupPrivilege	1784	OGOAN.exe
Token: SeRestorePrivilege	1784	OGOAN.exe
Token: SeIncreaseQuotaPrivilege	1784	OGOAN.exe
Token: SeAssignPrimaryTokenPrivilege	1784	OGOAN.exe
Token: SeImpersonatePrivilege	1784	OGOAN.exe
Token: SeTcbPrivilege	1784	OGOAN.exe
Token: SeChangeNotifyPrivilege	1784	OGOAN.exe
Token: SeCreateTokenPrivilege	1784	OGOAN.exe
Token: SeBackupPrivilege	1784	OGOAN.exe
Token: SeRestorePrivilege	1784	OGOAN.exe
Token: SeIncreaseQuotaPrivilege	1784	OGOAN.exe
Token: SeAssignPrimaryTokenPrivilege	1784	OGOAN.exe
Token: SeImpersonatePrivilege	1784	OGOAN.exe
Token: SeTcbPrivilege	1784	OGOAN.exe
Token: SeChangeNotifyPrivilege	1784	OGOAN.exe
Token: SeCreateTokenPrivilege	1784	OGOAN.exe
Token: SeBackupPrivilege	1784	OGOAN.exe
Token: SeRestorePrivilege	1784	OGOAN.exe
Token: SeIncreaseQuotaPrivilege	1784	OGOAN.exe
Token: SeAssignPrimaryTokenPrivilege	1784	OGOAN.exe
Token: SeImpersonatePrivilege	1784	OGOAN.exe
Token: SeTcbPrivilege	1784	OGOAN.exe
Token: SeChangeNotifyPrivilege	1784	OGOAN.exe
Token: SeCreateTokenPrivilege	1784	OGOAN.exe
Token: SeBackupPrivilege	1784	OGOAN.exe
Token: SeRestorePrivilege	1784	OGOAN.exe
Token: SeIncreaseQuotaPrivilege	1784	OGOAN.exe
Token: SeAssignPrimaryTokenPrivilege	1784	OGOAN.exe
Token: SeImpersonatePrivilege	1688	OGOAN.exe
Token: SeTcbPrivilege	1688	OGOAN.exe
Token: SeChangeNotifyPrivilege	1688	OGOAN.exe
Token: SeCreateTokenPrivilege	1688	OGOAN.exe
Token: SeBackupPrivilege	1688	OGOAN.exe
Token: SeRestorePrivilege	1688	OGOAN.exe
Token: SeIncreaseQuotaPrivilege	1688	OGOAN.exe
Token: SeAssignPrimaryTokenPrivilege	1688	OGOAN.exe
Token: SeSecurityPrivilege	944	87d837993cf1c55bb6d7c46f7e6c426388e249b477e141f96e539fa7e848955d.exe
Token: SeSecurityPrivilege	944	87d837993cf1c55bb6d7c46f7e6c426388e249b477e141f96e539fa7e848955d.exe
Token: SeSecurityPrivilege	1688	OGOAN.exe
Token: SeSecurityPrivilege	1688	OGOAN.exe
Token: SeImpersonatePrivilege	1688	OGOAN.exe
Token: SeTcbPrivilege	1688	OGOAN.exe
Token: SeChangeNotifyPrivilege	1688	OGOAN.exe
Token: SeCreateTokenPrivilege	1688	OGOAN.exe
Token: SeBackupPrivilege	1688	OGOAN.exe
Token: SeRestorePrivilege	1688	OGOAN.exe
Token: SeIncreaseQuotaPrivilege	1688	OGOAN.exe
Token: SeAssignPrimaryTokenPrivilege	1688	OGOAN.exe
Token: SeImpersonatePrivilege	1688	OGOAN.exe
Token: SeTcbPrivilege	1688	OGOAN.exe
Token: SeChangeNotifyPrivilege	1688	OGOAN.exe
Token: SeCreateTokenPrivilege	1688	OGOAN.exe
Token: SeBackupPrivilege	1688	OGOAN.exe
Token: SeRestorePrivilege	1688	OGOAN.exe
Token: SeIncreaseQuotaPrivilege	1688	OGOAN.exe
Token: SeAssignPrimaryTokenPrivilege	1688	OGOAN.exe
Token: SeImpersonatePrivilege	1688	OGOAN.exe
Token: SeTcbPrivilege	1688	OGOAN.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

WinMail.exe

pid process

960 WinMail.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

WinMail.exe

pid process

960 WinMail.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

WinMail.exe

pid process

960 WinMail.exe

pid	process
960	WinMail.exe

pid	process
960	WinMail.exe

pid	process
960	WinMail.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

87d837993cf1c55bb6d7c46f7e6c426388e249b477e141f96e539fa7e848955d.exe87d837993cf1c55bb6d7c46f7e6c426388e249b477e141f96e539fa7e848955d.exeeliwd.exeOGOAN.exeeliwd.exe

description	pid	process	target process
PID 1572 wrote to memory of 1784	1572	87d837993cf1c55bb6d7c46f7e6c426388e249b477e141f96e539fa7e848955d.exe	OGOAN.exe
PID 1572 wrote to memory of 1784	1572	87d837993cf1c55bb6d7c46f7e6c426388e249b477e141f96e539fa7e848955d.exe	OGOAN.exe
PID 1572 wrote to memory of 1784	1572	87d837993cf1c55bb6d7c46f7e6c426388e249b477e141f96e539fa7e848955d.exe	OGOAN.exe
PID 1572 wrote to memory of 1784	1572	87d837993cf1c55bb6d7c46f7e6c426388e249b477e141f96e539fa7e848955d.exe	OGOAN.exe
PID 1572 wrote to memory of 944	1572	87d837993cf1c55bb6d7c46f7e6c426388e249b477e141f96e539fa7e848955d.exe	87d837993cf1c55bb6d7c46f7e6c426388e249b477e141f96e539fa7e848955d.exe
PID 1572 wrote to memory of 944	1572	87d837993cf1c55bb6d7c46f7e6c426388e249b477e141f96e539fa7e848955d.exe	87d837993cf1c55bb6d7c46f7e6c426388e249b477e141f96e539fa7e848955d.exe
PID 1572 wrote to memory of 944	1572	87d837993cf1c55bb6d7c46f7e6c426388e249b477e141f96e539fa7e848955d.exe	87d837993cf1c55bb6d7c46f7e6c426388e249b477e141f96e539fa7e848955d.exe
PID 1572 wrote to memory of 944	1572	87d837993cf1c55bb6d7c46f7e6c426388e249b477e141f96e539fa7e848955d.exe	87d837993cf1c55bb6d7c46f7e6c426388e249b477e141f96e539fa7e848955d.exe
PID 1572 wrote to memory of 944	1572	87d837993cf1c55bb6d7c46f7e6c426388e249b477e141f96e539fa7e848955d.exe	87d837993cf1c55bb6d7c46f7e6c426388e249b477e141f96e539fa7e848955d.exe
PID 1572 wrote to memory of 944	1572	87d837993cf1c55bb6d7c46f7e6c426388e249b477e141f96e539fa7e848955d.exe	87d837993cf1c55bb6d7c46f7e6c426388e249b477e141f96e539fa7e848955d.exe
PID 944 wrote to memory of 468	944	87d837993cf1c55bb6d7c46f7e6c426388e249b477e141f96e539fa7e848955d.exe	eliwd.exe
PID 944 wrote to memory of 468	944	87d837993cf1c55bb6d7c46f7e6c426388e249b477e141f96e539fa7e848955d.exe	eliwd.exe
PID 944 wrote to memory of 468	944	87d837993cf1c55bb6d7c46f7e6c426388e249b477e141f96e539fa7e848955d.exe	eliwd.exe
PID 944 wrote to memory of 468	944	87d837993cf1c55bb6d7c46f7e6c426388e249b477e141f96e539fa7e848955d.exe	eliwd.exe
PID 468 wrote to memory of 1688	468	eliwd.exe	OGOAN.exe
PID 468 wrote to memory of 1688	468	eliwd.exe	OGOAN.exe
PID 468 wrote to memory of 1688	468	eliwd.exe	OGOAN.exe
PID 468 wrote to memory of 1688	468	eliwd.exe	OGOAN.exe
PID 468 wrote to memory of 1368	468	eliwd.exe	eliwd.exe
PID 468 wrote to memory of 1368	468	eliwd.exe	eliwd.exe
PID 468 wrote to memory of 1368	468	eliwd.exe	eliwd.exe
PID 468 wrote to memory of 1368	468	eliwd.exe	eliwd.exe
PID 468 wrote to memory of 1368	468	eliwd.exe	eliwd.exe
PID 468 wrote to memory of 1368	468	eliwd.exe	eliwd.exe
PID 1784 wrote to memory of 1208	1784	OGOAN.exe	cmd.exe
PID 1784 wrote to memory of 1208	1784	OGOAN.exe	cmd.exe
PID 1784 wrote to memory of 1208	1784	OGOAN.exe	cmd.exe
PID 1784 wrote to memory of 1208	1784	OGOAN.exe	cmd.exe
PID 1368 wrote to memory of 1128	1368	eliwd.exe	taskhost.exe
PID 1368 wrote to memory of 1128	1368	eliwd.exe	taskhost.exe
PID 1368 wrote to memory of 1128	1368	eliwd.exe	taskhost.exe
PID 1368 wrote to memory of 1128	1368	eliwd.exe	taskhost.exe
PID 1368 wrote to memory of 1128	1368	eliwd.exe	taskhost.exe
PID 1368 wrote to memory of 1224	1368	eliwd.exe	Dwm.exe
PID 1368 wrote to memory of 1224	1368	eliwd.exe	Dwm.exe
PID 1368 wrote to memory of 1224	1368	eliwd.exe	Dwm.exe
PID 1368 wrote to memory of 1224	1368	eliwd.exe	Dwm.exe
PID 1368 wrote to memory of 1224	1368	eliwd.exe	Dwm.exe
PID 1368 wrote to memory of 1256	1368	eliwd.exe	Explorer.EXE
PID 1368 wrote to memory of 1256	1368	eliwd.exe	Explorer.EXE
PID 1368 wrote to memory of 1256	1368	eliwd.exe	Explorer.EXE
PID 1368 wrote to memory of 1256	1368	eliwd.exe	Explorer.EXE
PID 1368 wrote to memory of 1256	1368	eliwd.exe	Explorer.EXE
PID 1368 wrote to memory of 1784	1368	eliwd.exe	OGOAN.exe
PID 1368 wrote to memory of 1784	1368	eliwd.exe	OGOAN.exe
PID 1368 wrote to memory of 1784	1368	eliwd.exe	OGOAN.exe
PID 1368 wrote to memory of 944	1368	eliwd.exe	87d837993cf1c55bb6d7c46f7e6c426388e249b477e141f96e539fa7e848955d.exe
PID 1368 wrote to memory of 944	1368	eliwd.exe	87d837993cf1c55bb6d7c46f7e6c426388e249b477e141f96e539fa7e848955d.exe
PID 1368 wrote to memory of 944	1368	eliwd.exe	87d837993cf1c55bb6d7c46f7e6c426388e249b477e141f96e539fa7e848955d.exe
PID 1368 wrote to memory of 944	1368	eliwd.exe	87d837993cf1c55bb6d7c46f7e6c426388e249b477e141f96e539fa7e848955d.exe
PID 1368 wrote to memory of 944	1368	eliwd.exe	87d837993cf1c55bb6d7c46f7e6c426388e249b477e141f96e539fa7e848955d.exe
PID 944 wrote to memory of 952	944	87d837993cf1c55bb6d7c46f7e6c426388e249b477e141f96e539fa7e848955d.exe	cmd.exe
PID 944 wrote to memory of 952	944	87d837993cf1c55bb6d7c46f7e6c426388e249b477e141f96e539fa7e848955d.exe	cmd.exe
PID 944 wrote to memory of 952	944	87d837993cf1c55bb6d7c46f7e6c426388e249b477e141f96e539fa7e848955d.exe	cmd.exe
PID 944 wrote to memory of 952	944	87d837993cf1c55bb6d7c46f7e6c426388e249b477e141f96e539fa7e848955d.exe	cmd.exe
PID 944 wrote to memory of 952	944	87d837993cf1c55bb6d7c46f7e6c426388e249b477e141f96e539fa7e848955d.exe	cmd.exe
PID 944 wrote to memory of 952	944	87d837993cf1c55bb6d7c46f7e6c426388e249b477e141f96e539fa7e848955d.exe	cmd.exe
PID 944 wrote to memory of 952	944	87d837993cf1c55bb6d7c46f7e6c426388e249b477e141f96e539fa7e848955d.exe	cmd.exe
PID 944 wrote to memory of 952	944	87d837993cf1c55bb6d7c46f7e6c426388e249b477e141f96e539fa7e848955d.exe	cmd.exe
PID 944 wrote to memory of 952	944	87d837993cf1c55bb6d7c46f7e6c426388e249b477e141f96e539fa7e848955d.exe	cmd.exe
PID 1368 wrote to memory of 1428	1368	eliwd.exe	DllHost.exe
PID 1368 wrote to memory of 1428	1368	eliwd.exe	DllHost.exe
PID 1368 wrote to memory of 1428	1368	eliwd.exe	DllHost.exe
PID 1368 wrote to memory of 1428	1368	eliwd.exe	DllHost.exe

outlook_win_path 1 IoCs

Processes:

OGOAN.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	OGOAN.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1256

C:\Users\Admin\AppData\Local\Temp\87d837993cf1c55bb6d7c46f7e6c426388e249b477e141f96e539fa7e848955d.exe
"C:\Users\Admin\AppData\Local\Temp\87d837993cf1c55bb6d7c46f7e6c426388e249b477e141f96e539fa7e848955d.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1572

C:\Users\Admin\AppData\Local\Temp\OGOAN.exe
"C:\Users\Admin\AppData\Local\Temp\OGOAN.exe"
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1784

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\7110587.bat" "C:\Users\Admin\AppData\Local\Temp\OGOAN.exe" "
4⤵
PID:1208

C:\Users\Admin\AppData\Local\Temp\87d837993cf1c55bb6d7c46f7e6c426388e249b477e141f96e539fa7e848955d.exe
"C:\Users\Admin\AppData\Local\Temp\87d837993cf1c55bb6d7c46f7e6c426388e249b477e141f96e539fa7e848955d.exe"
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:944

C:\Users\Admin\AppData\Roaming\Diasu\eliwd.exe
"C:\Users\Admin\AppData\Roaming\Diasu\eliwd.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:468

C:\Users\Admin\AppData\Local\Temp\OGOAN.exe
"C:\Users\Admin\AppData\Local\Temp\OGOAN.exe"
5⤵
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- outlook_win_path
PID:1688

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\7146343.bat" "C:\Users\Admin\AppData\Local\Temp\OGOAN.exe" "
6⤵
PID:304

C:\Users\Admin\AppData\Roaming\Diasu\eliwd.exe
"C:\Users\Admin\AppData\Roaming\Diasu\eliwd.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1368

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp13068920.bat"
4⤵
- Deletes itself
PID:952

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1224

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1128

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1428

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-494558984-16607652831172505596-1422579736-326155314-3198506601989283866-1838350108"
1⤵
PID:1568

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1458155536-8866086592128730883-9568459986273051474235761541278727536-333622766"
1⤵
PID:632

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:960

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1304

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:888

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1724

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:804

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1812

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:672

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1816

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7110587.bat
Filesize
94B

MD5
3880eeb1c736d853eb13b44898b718ab

SHA1
4eec9d50360cd815211e3c4e6bdd08271b6ec8e6

SHA256
936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7

SHA512
3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7146343.bat
Filesize
94B

MD5
3880eeb1c736d853eb13b44898b718ab

SHA1
4eec9d50360cd815211e3c4e6bdd08271b6ec8e6

SHA256
936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7

SHA512
3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\OGOAN.exe
Filesize
34KB

MD5
a61e366717c34d2625ab397896811314

SHA1
357ce1cbcbf5be365b1feca1c1ef748bd433f253

SHA256
4702ca95176a3052a1dbfc5a4f4690c4fc80303c555603e7664766ee0c9588a5

SHA512
ead51f5ca804e7e616dc418a3d1e5b4fba1192934df0595f7bd121a973aba117f256ab40582ced2987dceaf5fd84df30d02e78d2e1b9591a39d4a89a522db882

Download Submit
C:\Users\Admin\AppData\Local\Temp\OGOAN.exe
Filesize
34KB

MD5
a61e366717c34d2625ab397896811314

SHA1
357ce1cbcbf5be365b1feca1c1ef748bd433f253

SHA256
4702ca95176a3052a1dbfc5a4f4690c4fc80303c555603e7664766ee0c9588a5

SHA512
ead51f5ca804e7e616dc418a3d1e5b4fba1192934df0595f7bd121a973aba117f256ab40582ced2987dceaf5fd84df30d02e78d2e1b9591a39d4a89a522db882

Download Submit
C:\Users\Admin\AppData\Local\Temp\OGOAN.exe
Filesize
34KB

MD5
a61e366717c34d2625ab397896811314

SHA1
357ce1cbcbf5be365b1feca1c1ef748bd433f253

SHA256
4702ca95176a3052a1dbfc5a4f4690c4fc80303c555603e7664766ee0c9588a5

SHA512
ead51f5ca804e7e616dc418a3d1e5b4fba1192934df0595f7bd121a973aba117f256ab40582ced2987dceaf5fd84df30d02e78d2e1b9591a39d4a89a522db882

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp13068920.bat
Filesize
307B

MD5
d2f7c092c8f679f93279937fa442e507

SHA1
407e5891ef55053f2aea3edb9743134551ba8252

SHA256
a6b3f94635ccaebf6cee170cddc68bb6bf3ff5673ec8b93b872d1e447ff9c889

SHA512
c9b5188f786a9bc5f437452a0a05e07f943105e37567a6b4cfcfda1e52361fc8199c40c42b6ab0deda69e4fd59fd1c1e4098d94a88de02f0eaa8c8e71aea40ff

Download Submit
C:\Users\Admin\AppData\Roaming\Diasu\eliwd.exe
Filesize
549KB

MD5
45f3bf6f7da0b90d63825d824c777174

SHA1
3a22a4ea580d77ed5737fcc60a22afecec7f8de4

SHA256
1cbebaaf4cb64238d419b680d2ba8cec0b367286f182b317265df1775fc98e7a

SHA512
ba9e8e94818b28b82aab3c20660a46fce3c37cd5f28b173d78b7886a0bd561bd7e99ccd204e5ea0d9e751308800c2033cb906c8e46b8745bb7e69fbcb72eae28

Download Submit
C:\Users\Admin\AppData\Roaming\Diasu\eliwd.exe
Filesize
549KB

MD5
45f3bf6f7da0b90d63825d824c777174

SHA1
3a22a4ea580d77ed5737fcc60a22afecec7f8de4

SHA256
1cbebaaf4cb64238d419b680d2ba8cec0b367286f182b317265df1775fc98e7a

SHA512
ba9e8e94818b28b82aab3c20660a46fce3c37cd5f28b173d78b7886a0bd561bd7e99ccd204e5ea0d9e751308800c2033cb906c8e46b8745bb7e69fbcb72eae28

Download Submit
C:\Users\Admin\AppData\Roaming\Diasu\eliwd.exe
Filesize
549KB

MD5
45f3bf6f7da0b90d63825d824c777174

SHA1
3a22a4ea580d77ed5737fcc60a22afecec7f8de4

SHA256
1cbebaaf4cb64238d419b680d2ba8cec0b367286f182b317265df1775fc98e7a

SHA512
ba9e8e94818b28b82aab3c20660a46fce3c37cd5f28b173d78b7886a0bd561bd7e99ccd204e5ea0d9e751308800c2033cb906c8e46b8745bb7e69fbcb72eae28

Download Submit
C:\Users\Admin\AppData\Roaming\Keihv\ychao.gyt
Filesize
421B

MD5
8e2342142008e0383c6f268f1fc7fa34

SHA1
09051ec68e5926eecffe106d3be4dee5a8dd4e1e

SHA256
10c1159a745a90a8d631b9b2703a663be658a5a6bd24967cf3098012ca2d8ea0

SHA512
75ce6f3c528137ed5cb3f4cc39b881710d28ca899b49979409e084a00d54bf3164d6a2971d608c62efee41c5a179c775e41a0c941b6485a5b670e04d256fcbdf

Download Submit
C:\Users\Admin\AppData\Roaming\Keihv\ychao.gyt
Filesize
4KB

MD5
f752b812fec510225d95342643195ca6

SHA1
3c4ad7d89835a181deabb0c813e9b652e7e24a40

SHA256
e2a3e9953a0e982290740be48afd86cb31d2cb9e71ef2fb5aa39dca2874492be

SHA512
294430e9c320c2eb6be87f7f6aec59f57d0840c65db5d5a91e202764d01c7a94c416a770bafc4d870e09e916d062856482e7307b5b054ba75aaa0f1ac0eca17d

Download Submit
C:\Users\Admin\AppData\Roaming\Keihv\ychao.gyt
Filesize
5KB

MD5
8d5f97fc669810e15081c5e7c63d7bca

SHA1
6ad5aecd1aca36eddce461bc6502557de99f2a6e

SHA256
fc46d4efe407938805fb3a2dd1b7a84c4ce61031df284f3bd1e6cd525dcdf209

SHA512
1bc1a2f116ccc91ec25a0733b0ce8af06a6c01395de7dfc3562b84c85186e0676647304c2ece2c637a8be92bc1ddd971499a20a7b22d0340f85403ea18171357

Download Submit
\Users\Admin\AppData\Local\Temp\OGOAN.exe
Filesize
34KB

MD5
a61e366717c34d2625ab397896811314

SHA1
357ce1cbcbf5be365b1feca1c1ef748bd433f253

SHA256
4702ca95176a3052a1dbfc5a4f4690c4fc80303c555603e7664766ee0c9588a5

SHA512
ead51f5ca804e7e616dc418a3d1e5b4fba1192934df0595f7bd121a973aba117f256ab40582ced2987dceaf5fd84df30d02e78d2e1b9591a39d4a89a522db882

Download Submit
\Users\Admin\AppData\Local\Temp\OGOAN.exe
Filesize
34KB

MD5
a61e366717c34d2625ab397896811314

SHA1
357ce1cbcbf5be365b1feca1c1ef748bd433f253

SHA256
4702ca95176a3052a1dbfc5a4f4690c4fc80303c555603e7664766ee0c9588a5

SHA512
ead51f5ca804e7e616dc418a3d1e5b4fba1192934df0595f7bd121a973aba117f256ab40582ced2987dceaf5fd84df30d02e78d2e1b9591a39d4a89a522db882

Download Submit
\Users\Admin\AppData\Local\Temp\OGOAN.exe
Filesize
34KB

MD5
a61e366717c34d2625ab397896811314

SHA1
357ce1cbcbf5be365b1feca1c1ef748bd433f253

SHA256
4702ca95176a3052a1dbfc5a4f4690c4fc80303c555603e7664766ee0c9588a5

SHA512
ead51f5ca804e7e616dc418a3d1e5b4fba1192934df0595f7bd121a973aba117f256ab40582ced2987dceaf5fd84df30d02e78d2e1b9591a39d4a89a522db882

Download Submit
\Users\Admin\AppData\Local\Temp\OGOAN.exe
Filesize
34KB

MD5
a61e366717c34d2625ab397896811314

SHA1
357ce1cbcbf5be365b1feca1c1ef748bd433f253

SHA256
4702ca95176a3052a1dbfc5a4f4690c4fc80303c555603e7664766ee0c9588a5

SHA512
ead51f5ca804e7e616dc418a3d1e5b4fba1192934df0595f7bd121a973aba117f256ab40582ced2987dceaf5fd84df30d02e78d2e1b9591a39d4a89a522db882

Download Submit
\Users\Admin\AppData\Local\Temp\OGOAN.exe
Filesize
34KB

MD5
a61e366717c34d2625ab397896811314

SHA1
357ce1cbcbf5be365b1feca1c1ef748bd433f253

SHA256
4702ca95176a3052a1dbfc5a4f4690c4fc80303c555603e7664766ee0c9588a5

SHA512
ead51f5ca804e7e616dc418a3d1e5b4fba1192934df0595f7bd121a973aba117f256ab40582ced2987dceaf5fd84df30d02e78d2e1b9591a39d4a89a522db882

Download Submit
\Users\Admin\AppData\Local\Temp\OGOAN.exe
Filesize
34KB

MD5
a61e366717c34d2625ab397896811314

SHA1
357ce1cbcbf5be365b1feca1c1ef748bd433f253

SHA256
4702ca95176a3052a1dbfc5a4f4690c4fc80303c555603e7664766ee0c9588a5

SHA512
ead51f5ca804e7e616dc418a3d1e5b4fba1192934df0595f7bd121a973aba117f256ab40582ced2987dceaf5fd84df30d02e78d2e1b9591a39d4a89a522db882

Download Submit
\Users\Admin\AppData\Roaming\Diasu\eliwd.exe
Filesize
549KB

MD5
45f3bf6f7da0b90d63825d824c777174

SHA1
3a22a4ea580d77ed5737fcc60a22afecec7f8de4

SHA256
1cbebaaf4cb64238d419b680d2ba8cec0b367286f182b317265df1775fc98e7a

SHA512
ba9e8e94818b28b82aab3c20660a46fce3c37cd5f28b173d78b7886a0bd561bd7e99ccd204e5ea0d9e751308800c2033cb906c8e46b8745bb7e69fbcb72eae28

Download Submit
\Users\Admin\AppData\Roaming\Diasu\eliwd.exe
Filesize
549KB

MD5
45f3bf6f7da0b90d63825d824c777174

SHA1
3a22a4ea580d77ed5737fcc60a22afecec7f8de4

SHA256
1cbebaaf4cb64238d419b680d2ba8cec0b367286f182b317265df1775fc98e7a

SHA512
ba9e8e94818b28b82aab3c20660a46fce3c37cd5f28b173d78b7886a0bd561bd7e99ccd204e5ea0d9e751308800c2033cb906c8e46b8745bb7e69fbcb72eae28

Download Submit
memory/304-556-0x0000000000050000-0x000000000008B000-memory.dmp

Filesize
236KB

Download
memory/304-594-0x0000000000050000-0x000000000008B000-memory.dmp

Filesize
236KB

Download
memory/304-410-0x0000000000069BF5-mapping.dmp

Download
memory/468-85-0x00000000025B0000-0x00000000025CD000-memory.dmp

Filesize
116KB

Download
memory/468-72-0x0000000000000000-mapping.dmp

Download
memory/944-59-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/944-399-0x0000000000350000-0x000000000038B000-memory.dmp

Filesize
236KB

Download
memory/944-66-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/944-68-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/944-62-0x000000000042B055-mapping.dmp

Download
memory/944-398-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/944-124-0x0000000000350000-0x00000000003DA000-memory.dmp

Filesize
552KB

Download
memory/944-122-0x0000000000350000-0x000000000038B000-memory.dmp

Filesize
236KB

Download
memory/944-121-0x0000000000350000-0x000000000038B000-memory.dmp

Filesize
236KB

Download
memory/944-120-0x0000000000350000-0x000000000038B000-memory.dmp

Filesize
236KB

Download
memory/944-119-0x0000000000350000-0x000000000038B000-memory.dmp

Filesize
236KB

Download
memory/944-118-0x0000000000350000-0x000000000038B000-memory.dmp

Filesize
236KB

Download
memory/944-63-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/952-129-0x0000000000050000-0x000000000008B000-memory.dmp

Filesize
236KB

Download
memory/952-127-0x0000000000050000-0x000000000008B000-memory.dmp

Filesize
236KB

Download
memory/952-585-0x0000000000050000-0x000000000008B000-memory.dmp

Filesize
236KB

Download
memory/952-402-0x0000000000050000-0x000000000008B000-memory.dmp

Filesize
236KB

Download
memory/952-134-0x0000000000069BF5-mapping.dmp

Download
memory/952-131-0x0000000000050000-0x000000000008B000-memory.dmp

Filesize
236KB

Download
memory/952-130-0x0000000000050000-0x000000000008B000-memory.dmp

Filesize
236KB

Download
memory/1128-95-0x0000000001E90000-0x0000000001ECB000-memory.dmp

Filesize
236KB

Download
memory/1128-98-0x0000000001E90000-0x0000000001ECB000-memory.dmp

Filesize
236KB

Download
memory/1128-96-0x0000000001E90000-0x0000000001ECB000-memory.dmp

Filesize
236KB

Download
memory/1128-97-0x0000000001E90000-0x0000000001ECB000-memory.dmp

Filesize
236KB

Download
memory/1208-92-0x0000000000000000-mapping.dmp

Download
memory/1224-104-0x00000000001A0000-0x00000000001DB000-memory.dmp

Filesize
236KB

Download
memory/1224-101-0x00000000001A0000-0x00000000001DB000-memory.dmp

Filesize
236KB

Download
memory/1224-103-0x00000000001A0000-0x00000000001DB000-memory.dmp

Filesize
236KB

Download
memory/1224-102-0x00000000001A0000-0x00000000001DB000-memory.dmp

Filesize
236KB

Download
memory/1256-110-0x00000000029F0000-0x0000000002A2B000-memory.dmp

Filesize
236KB

Download
memory/1256-109-0x00000000029F0000-0x0000000002A2B000-memory.dmp

Filesize
236KB

Download
memory/1256-107-0x00000000029F0000-0x0000000002A2B000-memory.dmp

Filesize
236KB

Download
memory/1256-108-0x00000000029F0000-0x0000000002A2B000-memory.dmp

Filesize
236KB

Download
memory/1368-91-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1368-557-0x0000000000290000-0x00000000002AD000-memory.dmp

Filesize
116KB

Download
memory/1368-400-0x0000000000290000-0x00000000002AD000-memory.dmp

Filesize
116KB

Download
memory/1368-584-0x0000000000290000-0x00000000002AD000-memory.dmp

Filesize
116KB

Download
memory/1368-86-0x000000000042B055-mapping.dmp

Download
memory/1368-123-0x0000000000290000-0x00000000002AD000-memory.dmp

Filesize
116KB

Download
memory/1428-139-0x0000000003A50000-0x0000000003A8B000-memory.dmp

Filesize
236KB

Download
memory/1428-138-0x0000000003A50000-0x0000000003A8B000-memory.dmp

Filesize
236KB

Download
memory/1428-137-0x0000000003A50000-0x0000000003A8B000-memory.dmp

Filesize
236KB

Download
memory/1428-136-0x0000000003A50000-0x0000000003A8B000-memory.dmp

Filesize
236KB

Download
memory/1572-54-0x00000000758C1000-0x00000000758C3000-memory.dmp

Filesize
8KB

Download
memory/1688-145-0x0000000002B60000-0x0000000002B9B000-memory.dmp

Filesize
236KB

Download
memory/1688-132-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1688-147-0x0000000002B60000-0x0000000002B9B000-memory.dmp

Filesize
236KB

Download
memory/1688-401-0x0000000002B60000-0x0000000002B9B000-memory.dmp

Filesize
236KB

Download
memory/1688-146-0x0000000002B60000-0x0000000002B9B000-memory.dmp

Filesize
236KB

Download
memory/1688-144-0x0000000002B60000-0x0000000002B9B000-memory.dmp

Filesize
236KB

Download
memory/1688-414-0x0000000002B60000-0x0000000002B9B000-memory.dmp

Filesize
236KB

Download
memory/1688-413-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1688-143-0x0000000002B60000-0x0000000002B9B000-memory.dmp

Filesize
236KB

Download
memory/1688-149-0x0000000002B60000-0x0000000002B9B000-memory.dmp

Filesize
236KB

Download
memory/1688-78-0x0000000000000000-mapping.dmp

Download
memory/1688-87-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1784-114-0x0000000000910000-0x000000000094B000-memory.dmp

Filesize
236KB

Download
memory/1784-115-0x0000000000910000-0x000000000094B000-memory.dmp

Filesize
236KB

Download
memory/1784-69-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1784-67-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1784-57-0x0000000000000000-mapping.dmp

Download