pony | eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c

Analysis

max time kernel
186s
max time network
221s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2022 04:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c.exe
Size

134KB
MD5

0e087a29f6694524e66020d9454ccdb9
SHA1

10e5050f1975938399827be5dab35e5d01cb0c89
SHA256

eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c
SHA512

9e9c8bb4c3c577a41d930356c8b2d0a9eba0f0692b7e654053b2af478471c1b36db78cd33d2d5b800e661d5a5752e53448fbd299bdc670da5091e704ec10a1af
SSDEEP

3072:LlMyoAdZDhDOdtgXwDEi5xZgrdkkeRQHadg/wb:pvomDhi8wgiXZgrulk/

Score

10^/10

pony collection persistence rat spyware stealer upx

Malware Config

Extracted

Family

pony

http://d-mmoney.favcc1.com/gate.php

Attributes

payload_url
http://d-mmoney.favcc1.com/shit.exe

Signatures

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Executes dropped EXE 4 IoCs

Processes:

IpOverUsbSvrc.exeatiesrx.exeIpOverUsbSvrc.exeIpOverUsbSvrc.exe

pid process

3044 IpOverUsbSvrc.exe
1736 atiesrx.exe
4104 IpOverUsbSvrc.exe
2420 IpOverUsbSvrc.exe

pid	process
3044	IpOverUsbSvrc.exe
1736	atiesrx.exe
4104	IpOverUsbSvrc.exe
2420	IpOverUsbSvrc.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3108-135-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/3108-137-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/3108-138-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/3108-139-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/3108-151-0x0000000000400000-0x000000000041C000-memory.dmp	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c.exeatiesrx.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	atiesrx.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	vbc.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

IpOverUsbSvrc.exeIpOverUsbSvrc.exeIpOverUsbSvrc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Multimedia Class Scheduler = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\IpOverUsbSvrc.exe"	IpOverUsbSvrc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Multimedia Class Scheduler = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\IpOverUsbSvrc.exe"	IpOverUsbSvrc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Multimedia Class Scheduler = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\IpOverUsbSvrc.exe"	IpOverUsbSvrc.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c.exe

description	pid	process	target process
PID 3288 set thread context of 3108	3288	eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c.exe	vbc.exe

Drops file in Windows directory 1 IoCs

Processes:

dw20.exe

description ioc process

File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp dw20.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	dw20.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dw20.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

dw20.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c.exeIpOverUsbSvrc.exeIpOverUsbSvrc.exe

pid	process
3288	eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c.exe
3288	eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c.exe
3044	IpOverUsbSvrc.exe
3288	eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c.exe
3288	eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c.exe
3288	eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c.exe
3288	eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c.exe
3288	eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c.exe
3288	eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c.exe
3288	eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c.exe
3288	eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c.exe
3288	eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c.exe
3288	eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c.exe
3288	eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c.exe
3288	eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c.exe
3288	eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c.exe
3288	eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c.exe
3288	eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c.exe
3288	eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c.exe
3288	eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c.exe
3288	eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c.exe
3288	eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c.exe
3288	eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c.exe
3288	eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c.exe
3288	eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c.exe
3288	eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c.exe
3288	eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c.exe
3288	eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c.exe
3288	eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c.exe
3288	eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c.exe
3288	eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c.exe
3288	eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c.exe
3288	eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c.exe
3288	eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c.exe
3288	eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c.exe
3288	eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c.exe
3288	eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c.exe
4104	IpOverUsbSvrc.exe
3288	eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c.exe
3288	eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c.exe
3288	eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c.exe
3288	eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c.exe
3288	eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c.exe
3288	eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c.exe
3288	eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c.exe
3288	eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c.exe
3288	eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c.exe
4104	IpOverUsbSvrc.exe
3288	eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c.exe
3288	eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c.exe
3288	eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c.exe
3288	eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c.exe
3288	eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c.exe
3288	eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c.exe
3288	eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c.exe
3288	eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c.exe
3288	eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c.exe
4104	IpOverUsbSvrc.exe
3288	eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c.exe
3288	eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c.exe
3288	eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c.exe
3288	eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c.exe
3288	eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c.exe
3288	eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c.exe

Suspicious use of AdjustPrivilegeToken 58 IoCs

Processes:

eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c.exevbc.exeIpOverUsbSvrc.exedw20.exeIpOverUsbSvrc.exeatiesrx.exeIpOverUsbSvrc.exe

description	pid	process
Token: SeDebugPrivilege	3288	eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c.exe
Token: SeImpersonatePrivilege	3108	vbc.exe
Token: SeTcbPrivilege	3108	vbc.exe
Token: SeChangeNotifyPrivilege	3108	vbc.exe
Token: SeCreateTokenPrivilege	3108	vbc.exe
Token: SeBackupPrivilege	3108	vbc.exe
Token: SeRestorePrivilege	3108	vbc.exe
Token: SeIncreaseQuotaPrivilege	3108	vbc.exe
Token: SeAssignPrimaryTokenPrivilege	3108	vbc.exe
Token: SeDebugPrivilege	3044	IpOverUsbSvrc.exe
Token: SeImpersonatePrivilege	3108	vbc.exe
Token: SeTcbPrivilege	3108	vbc.exe
Token: SeChangeNotifyPrivilege	3108	vbc.exe
Token: SeCreateTokenPrivilege	3108	vbc.exe
Token: SeBackupPrivilege	3108	vbc.exe
Token: SeRestorePrivilege	3108	vbc.exe
Token: SeIncreaseQuotaPrivilege	3108	vbc.exe
Token: SeAssignPrimaryTokenPrivilege	3108	vbc.exe
Token: SeRestorePrivilege	3444	dw20.exe
Token: SeBackupPrivilege	3444	dw20.exe
Token: SeBackupPrivilege	3444	dw20.exe
Token: SeBackupPrivilege	3444	dw20.exe
Token: SeBackupPrivilege	3444	dw20.exe
Token: SeImpersonatePrivilege	3108	vbc.exe
Token: SeTcbPrivilege	3108	vbc.exe
Token: SeChangeNotifyPrivilege	3108	vbc.exe
Token: SeCreateTokenPrivilege	3108	vbc.exe
Token: SeBackupPrivilege	3108	vbc.exe
Token: SeRestorePrivilege	3108	vbc.exe
Token: SeIncreaseQuotaPrivilege	3108	vbc.exe
Token: SeAssignPrimaryTokenPrivilege	3108	vbc.exe
Token: SeImpersonatePrivilege	3108	vbc.exe
Token: SeTcbPrivilege	3108	vbc.exe
Token: SeChangeNotifyPrivilege	3108	vbc.exe
Token: SeCreateTokenPrivilege	3108	vbc.exe
Token: SeBackupPrivilege	3108	vbc.exe
Token: SeRestorePrivilege	3108	vbc.exe
Token: SeIncreaseQuotaPrivilege	3108	vbc.exe
Token: SeAssignPrimaryTokenPrivilege	3108	vbc.exe
Token: SeImpersonatePrivilege	3108	vbc.exe
Token: SeTcbPrivilege	3108	vbc.exe
Token: SeChangeNotifyPrivilege	3108	vbc.exe
Token: SeCreateTokenPrivilege	3108	vbc.exe
Token: SeBackupPrivilege	3108	vbc.exe
Token: SeRestorePrivilege	3108	vbc.exe
Token: SeIncreaseQuotaPrivilege	3108	vbc.exe
Token: SeAssignPrimaryTokenPrivilege	3108	vbc.exe
Token: SeImpersonatePrivilege	3108	vbc.exe
Token: SeTcbPrivilege	3108	vbc.exe
Token: SeChangeNotifyPrivilege	3108	vbc.exe
Token: SeCreateTokenPrivilege	3108	vbc.exe
Token: SeBackupPrivilege	3108	vbc.exe
Token: SeRestorePrivilege	3108	vbc.exe
Token: SeIncreaseQuotaPrivilege	3108	vbc.exe
Token: SeAssignPrimaryTokenPrivilege	3108	vbc.exe
Token: SeDebugPrivilege	4104	IpOverUsbSvrc.exe
Token: SeDebugPrivilege	1736	atiesrx.exe
Token: SeDebugPrivilege	2420	IpOverUsbSvrc.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c.exeIpOverUsbSvrc.exevbc.exeatiesrx.exe

description	pid	process	target process
PID 3288 wrote to memory of 3108	3288	eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c.exe	vbc.exe
PID 3288 wrote to memory of 3108	3288	eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c.exe	vbc.exe
PID 3288 wrote to memory of 3108	3288	eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c.exe	vbc.exe
PID 3288 wrote to memory of 3108	3288	eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c.exe	vbc.exe
PID 3288 wrote to memory of 3108	3288	eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c.exe	vbc.exe
PID 3288 wrote to memory of 3108	3288	eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c.exe	vbc.exe
PID 3288 wrote to memory of 3108	3288	eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c.exe	vbc.exe
PID 3288 wrote to memory of 3044	3288	eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c.exe	IpOverUsbSvrc.exe
PID 3288 wrote to memory of 3044	3288	eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c.exe	IpOverUsbSvrc.exe
PID 3288 wrote to memory of 3044	3288	eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c.exe	IpOverUsbSvrc.exe
PID 3044 wrote to memory of 3444	3044	IpOverUsbSvrc.exe	dw20.exe
PID 3044 wrote to memory of 3444	3044	IpOverUsbSvrc.exe	dw20.exe
PID 3044 wrote to memory of 3444	3044	IpOverUsbSvrc.exe	dw20.exe
PID 3044 wrote to memory of 1736	3044	IpOverUsbSvrc.exe	atiesrx.exe
PID 3044 wrote to memory of 1736	3044	IpOverUsbSvrc.exe	atiesrx.exe
PID 3044 wrote to memory of 1736	3044	IpOverUsbSvrc.exe	atiesrx.exe
PID 3108 wrote to memory of 1188	3108	vbc.exe	cmd.exe
PID 3108 wrote to memory of 1188	3108	vbc.exe	cmd.exe
PID 3108 wrote to memory of 1188	3108	vbc.exe	cmd.exe
PID 3288 wrote to memory of 4104	3288	eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c.exe	IpOverUsbSvrc.exe
PID 3288 wrote to memory of 4104	3288	eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c.exe	IpOverUsbSvrc.exe
PID 3288 wrote to memory of 4104	3288	eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c.exe	IpOverUsbSvrc.exe
PID 1736 wrote to memory of 2420	1736	atiesrx.exe	IpOverUsbSvrc.exe
PID 1736 wrote to memory of 2420	1736	atiesrx.exe	IpOverUsbSvrc.exe
PID 1736 wrote to memory of 2420	1736	atiesrx.exe	IpOverUsbSvrc.exe

outlook_win_path 1 IoCs

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	vbc.exe

C:\Users\Admin\AppData\Local\Temp\eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c.exe
"C:\Users\Admin\AppData\Local\Temp\eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3288

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
2⤵
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_win_path
PID:3108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240681781.bat" "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" "
3⤵
PID:1188

C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3044

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 648
3⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:3444

C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1736

C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:2420

C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4104

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\IpOverUsbSvrc.exe.log
Filesize
224B

MD5
c19eb8c8e7a40e6b987f9d2ee952996e

SHA1
6fc3049855bc9100643e162511673c6df0f28bfb

SHA256
677e9e30350df17e2bc20fa9f7d730e9f7cc6e870d6520a345f5f7dc5b31f58a

SHA512
860713b4a787c2189ed12a47d4b68b60ac00c7a253cae52dd4eb9276dacafeae3a81906b6d0742c8ecfdfaa255777c445beb7c2a532f3c677a9903237ac97596

Download Submit
C:\Users\Admin\AppData\Local\Temp\240681781.bat
Filesize
94B

MD5
3880eeb1c736d853eb13b44898b718ab

SHA1
4eec9d50360cd815211e3c4e6bdd08271b6ec8e6

SHA256
936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7

SHA512
3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe
Filesize
8KB

MD5
54fbde415453f5c9089b49e65bd5f8e7

SHA1
d77b86631f629b52bbebc6e08fbf60c78e8ceab0

SHA256
7d31b70e949833d9f78199848b14307e41da511ca4915c20a8ca61ee8eeeedbf

SHA512
90dbbb3986ab3f4dda4292b580bfac7c97bbf20f68d0be0af271b9bc5e22a4abc326baaf284be005c6460ecc2187b6ca5d015fab55be3b242122436fcf3ee5ed

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe
Filesize
8KB

MD5
54fbde415453f5c9089b49e65bd5f8e7

SHA1
d77b86631f629b52bbebc6e08fbf60c78e8ceab0

SHA256
7d31b70e949833d9f78199848b14307e41da511ca4915c20a8ca61ee8eeeedbf

SHA512
90dbbb3986ab3f4dda4292b580bfac7c97bbf20f68d0be0af271b9bc5e22a4abc326baaf284be005c6460ecc2187b6ca5d015fab55be3b242122436fcf3ee5ed

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe
Filesize
8KB

MD5
54fbde415453f5c9089b49e65bd5f8e7

SHA1
d77b86631f629b52bbebc6e08fbf60c78e8ceab0

SHA256
7d31b70e949833d9f78199848b14307e41da511ca4915c20a8ca61ee8eeeedbf

SHA512
90dbbb3986ab3f4dda4292b580bfac7c97bbf20f68d0be0af271b9bc5e22a4abc326baaf284be005c6460ecc2187b6ca5d015fab55be3b242122436fcf3ee5ed

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe
Filesize
8KB

MD5
54fbde415453f5c9089b49e65bd5f8e7

SHA1
d77b86631f629b52bbebc6e08fbf60c78e8ceab0

SHA256
7d31b70e949833d9f78199848b14307e41da511ca4915c20a8ca61ee8eeeedbf

SHA512
90dbbb3986ab3f4dda4292b580bfac7c97bbf20f68d0be0af271b9bc5e22a4abc326baaf284be005c6460ecc2187b6ca5d015fab55be3b242122436fcf3ee5ed

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe
Filesize
8KB

MD5
54fbde415453f5c9089b49e65bd5f8e7

SHA1
d77b86631f629b52bbebc6e08fbf60c78e8ceab0

SHA256
7d31b70e949833d9f78199848b14307e41da511ca4915c20a8ca61ee8eeeedbf

SHA512
90dbbb3986ab3f4dda4292b580bfac7c97bbf20f68d0be0af271b9bc5e22a4abc326baaf284be005c6460ecc2187b6ca5d015fab55be3b242122436fcf3ee5ed

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
Filesize
134KB

MD5
0e087a29f6694524e66020d9454ccdb9

SHA1
10e5050f1975938399827be5dab35e5d01cb0c89

SHA256
eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c

SHA512
9e9c8bb4c3c577a41d930356c8b2d0a9eba0f0692b7e654053b2af478471c1b36db78cd33d2d5b800e661d5a5752e53448fbd299bdc670da5091e704ec10a1af

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
Filesize
134KB

MD5
0e087a29f6694524e66020d9454ccdb9

SHA1
10e5050f1975938399827be5dab35e5d01cb0c89

SHA256
eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c

SHA512
9e9c8bb4c3c577a41d930356c8b2d0a9eba0f0692b7e654053b2af478471c1b36db78cd33d2d5b800e661d5a5752e53448fbd299bdc670da5091e704ec10a1af

Download Submit
memory/1188-149-0x0000000000000000-mapping.dmp

Download
memory/1736-156-0x0000000074D80000-0x0000000075331000-memory.dmp

Filesize
5.7MB

Download
memory/1736-144-0x0000000000000000-mapping.dmp

Download
memory/1736-148-0x0000000074D80000-0x0000000075331000-memory.dmp

Filesize
5.7MB

Download
memory/2420-160-0x0000000000000000-mapping.dmp

Download
memory/2420-164-0x0000000074D80000-0x0000000075331000-memory.dmp

Filesize
5.7MB

Download
memory/2420-165-0x0000000074D80000-0x0000000075331000-memory.dmp

Filesize
5.7MB

Download
memory/3044-140-0x0000000000000000-mapping.dmp

Download
memory/3044-152-0x0000000074D80000-0x0000000075331000-memory.dmp

Filesize
5.7MB

Download
memory/3044-147-0x0000000074D80000-0x0000000075331000-memory.dmp

Filesize
5.7MB

Download
memory/3108-138-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3108-151-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3108-134-0x0000000000000000-mapping.dmp

Download
memory/3108-135-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3108-137-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3108-139-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3288-133-0x0000000074D80000-0x0000000075331000-memory.dmp

Filesize
5.7MB

Download
memory/3288-132-0x0000000074D80000-0x0000000075331000-memory.dmp

Filesize
5.7MB

Download
memory/3288-159-0x0000000074D80000-0x0000000075331000-memory.dmp

Filesize
5.7MB

Download
memory/3444-143-0x0000000000000000-mapping.dmp

Download
memory/4104-158-0x0000000074D80000-0x0000000075331000-memory.dmp

Filesize
5.7MB

Download
memory/4104-157-0x0000000074D80000-0x0000000075331000-memory.dmp

Filesize
5.7MB

Download
memory/4104-155-0x0000000074D80000-0x0000000075331000-memory.dmp

Filesize
5.7MB

Download
memory/4104-153-0x0000000000000000-mapping.dmp

Download