Analysis
max time kernel: 186s
max time network: 221s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-11-2022 04:08
Static task: static1
Behavioral task: behavioral1
  Sample: eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c.exe
  Resource: win10v2004-20221111-en
General
Target: eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c.exe
Size: 134KB
MD5: 0e087a29f6694524e66020d9454ccdb9
SHA1: 10e5050f1975938399827be5dab35e5d01cb0c89
SHA256: eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c
SHA512: 9e9c8bb4c3c577a41d930356c8b2d0a9eba0f0692b7e654053b2af478471c1b36db78cd33d2d5b800e661d5a5752e53448fbd299bdc670da5091e704ec10a1af
SSDEEP: 3072:LlMyoAdZDhDOdtgXwDEi5xZgrdkkeRQHadg/wb:pvomDhi8wgiXZgrulk/
Malware Config
Extracted
Family: pony
C2: http://d-mmoney.favcc1.com/gate.php
payload_url: http://d-mmoney.favcc1.com/shit.exe
Signatures

Executes dropped EXE (4 IoCs)
Processes (pid, process):
  3044  IpOverUsbSvrc.exe
  1736  atiesrx.exe
  4104  IpOverUsbSvrc.exe
  2420  IpOverUsbSvrc.exe
Resources (resource, yara_rule):
  behavioral2/memory/3108-135-0x0000000000400000-0x000000000041C000-memory.dmp  upx
  behavioral2/memory/3108-137-0x0000000000400000-0x000000000041C000-memory.dmp  upx
  behavioral2/memory/3108-138-0x0000000000400000-0x000000000041C000-memory.dmp  upx
  behavioral2/memory/3108-139-0x0000000000400000-0x000000000041C000-memory.dmp  upx
  behavioral2/memory/3108-151-0x0000000000400000-0x000000000041C000-memory.dmp  upx
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes (description, ioc, process):
  Key value queried  \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation  eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation  atiesrx.exe
Uses the VBS compiler for execution (1 TTP)
Accesses Microsoft Outlook accounts (1 TTP, 1 IoC)
Processes (description, ioc, process):
  Key opened  \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts  vbc.exe
Accesses Microsoft Outlook profiles (1 TTP, 1 IoC)
Processes (description, ioc, process):
  Key opened  \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  vbc.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
Processes (description, ioc, process):
  Set value (str)  \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Multimedia Class Scheduler = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\IpOverUsbSvrc.exe"  IpOverUsbSvrc.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Multimedia Class Scheduler = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\IpOverUsbSvrc.exe"  IpOverUsbSvrc.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Multimedia Class Scheduler = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\IpOverUsbSvrc.exe"  IpOverUsbSvrc.exe
Suspicious use of SetThreadContext (1 IoC)
Processes (description, pid, process, target process):
  PID 3288 set thread context of 3108  3288  eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c.exe  vbc.exe
Drops file in Windows directory (1 IoC)
Processes (description, ioc, process):
  File created  C:\Windows\AppCompat\Programs\Amcache.hve.tmp  dw20.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes (description, ioc, process):
  Key opened  \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0  dw20.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  dw20.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  dw20.exe
Enumerates system info in registry (2 TTPs, 2 IoCs)
Processes (description, ioc, process):
  Key opened  \REGISTRY\MACHINE\Hardware\Description\System\BIOS  dw20.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU  dw20.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (pid, process), 64 entries in total:
  3288  eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c.exe  (60 entries)
  3044  IpOverUsbSvrc.exe  (1 entry)
  4104  IpOverUsbSvrc.exe  (3 entries)
Suspicious use of AdjustPrivilegeToken (58 IoCs)
Processes (token, pid, process), 58 entries in total:
  SeDebugPrivilege  3288  eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c.exe
  SeImpersonatePrivilege, SeTcbPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeIncreaseQuotaPrivilege, SeAssignPrimaryTokenPrivilege  3108  vbc.exe  (this set of eight is requested six times during the run: 48 entries)
  SeDebugPrivilege  3044  IpOverUsbSvrc.exe
  SeRestorePrivilege  3444  dw20.exe
  SeBackupPrivilege  3444  dw20.exe  (4 entries)
  SeDebugPrivilege  4104  IpOverUsbSvrc.exe
  SeDebugPrivilege  1736  atiesrx.exe
  SeDebugPrivilege  2420  IpOverUsbSvrc.exe
Suspicious use of WriteProcessMemory (25 IoCs)
Processes (description, pid, process, target process), 25 entries in total:
  PID 3288 wrote to memory of 3108  3288  eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c.exe  vbc.exe  (7 entries)
  PID 3288 wrote to memory of 3044  3288  eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c.exe  IpOverUsbSvrc.exe  (3 entries)
  PID 3044 wrote to memory of 3444  3044  IpOverUsbSvrc.exe  dw20.exe  (3 entries)
  PID 3044 wrote to memory of 1736  3044  IpOverUsbSvrc.exe  atiesrx.exe  (3 entries)
  PID 3108 wrote to memory of 1188  3108  vbc.exe  cmd.exe  (3 entries)
  PID 3288 wrote to memory of 4104  3288  eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c.exe  IpOverUsbSvrc.exe  (3 entries)
  PID 1736 wrote to memory of 2420  1736  atiesrx.exe  IpOverUsbSvrc.exe  (3 entries)
outlook_win_path (1 IoC)
Processes (description, ioc, process):
  Key opened  \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  vbc.exe
Processes

C:\Users\Admin\AppData\Local\Temp\eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c.exe  (PID 3288)
  Command line: "C:\Users\Admin\AppData\Local\Temp\eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  (PID 3108)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
    - Accesses Microsoft Outlook accounts
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - outlook_win_path

    C:\Windows\SysWOW64\cmd.exe  (PID 1188)
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240681781.bat" "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" "

  C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe  (PID 3044)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe  (PID 3444)
      Command line: dw20.exe -x -s 648
      - Drops file in Windows directory
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe  (PID 1736)
      Command line: C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      - Executes dropped EXE
      - Checks computer location settings
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe  (PID 2420)
        Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe"
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe  (PID 4104)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\IpOverUsbSvrc.exe.log
  Filesize: 224B
  MD5: c19eb8c8e7a40e6b987f9d2ee952996e
  SHA1: 6fc3049855bc9100643e162511673c6df0f28bfb
  SHA256: 677e9e30350df17e2bc20fa9f7d730e9f7cc6e870d6520a345f5f7dc5b31f58a
  SHA512: 860713b4a787c2189ed12a47d4b68b60ac00c7a253cae52dd4eb9276dacafeae3a81906b6d0742c8ecfdfaa255777c445beb7c2a532f3c677a9903237ac97596

C:\Users\Admin\AppData\Local\Temp\240681781.bat
  Filesize: 94B
  MD5: 3880eeb1c736d853eb13b44898b718ab
  SHA1: 4eec9d50360cd815211e3c4e6bdd08271b6ec8e6
  SHA256: 936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7
  SHA512: 3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe  (5 identical entries in the report)
  Filesize: 8KB
  MD5: 54fbde415453f5c9089b49e65bd5f8e7
  SHA1: d77b86631f629b52bbebc6e08fbf60c78e8ceab0
  SHA256: 7d31b70e949833d9f78199848b14307e41da511ca4915c20a8ca61ee8eeeedbf
  SHA512: 90dbbb3986ab3f4dda4292b580bfac7c97bbf20f68d0be0af271b9bc5e22a4abc326baaf284be005c6460ecc2187b6ca5d015fab55be3b242122436fcf3ee5ed

C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe  (2 identical entries in the report; hashes match the submitted sample)
  Filesize: 134KB
  MD5: 0e087a29f6694524e66020d9454ccdb9
  SHA1: 10e5050f1975938399827be5dab35e5d01cb0c89
  SHA256: eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c
  SHA512: 9e9c8bb4c3c577a41d930356c8b2d0a9eba0f0692b7e654053b2af478471c1b36db78cd33d2d5b800e661d5a5752e53448fbd299bdc670da5091e704ec10a1af
Memory dumps:
  memory/1188-149-0x0000000000000000-mapping.dmp
  memory/1736-156-0x0000000074D80000-0x0000000075331000-memory.dmp  Filesize: 5.7MB
  memory/1736-144-0x0000000000000000-mapping.dmp
  memory/1736-148-0x0000000074D80000-0x0000000075331000-memory.dmp  Filesize: 5.7MB
  memory/2420-160-0x0000000000000000-mapping.dmp
  memory/2420-164-0x0000000074D80000-0x0000000075331000-memory.dmp  Filesize: 5.7MB
  memory/2420-165-0x0000000074D80000-0x0000000075331000-memory.dmp  Filesize: 5.7MB
  memory/3044-140-0x0000000000000000-mapping.dmp
  memory/3044-152-0x0000000074D80000-0x0000000075331000-memory.dmp  Filesize: 5.7MB
  memory/3044-147-0x0000000074D80000-0x0000000075331000-memory.dmp  Filesize: 5.7MB
  memory/3108-138-0x0000000000400000-0x000000000041C000-memory.dmp  Filesize: 112KB
  memory/3108-151-0x0000000000400000-0x000000000041C000-memory.dmp  Filesize: 112KB
  memory/3108-134-0x0000000000000000-mapping.dmp
  memory/3108-135-0x0000000000400000-0x000000000041C000-memory.dmp  Filesize: 112KB
  memory/3108-137-0x0000000000400000-0x000000000041C000-memory.dmp  Filesize: 112KB
  memory/3108-139-0x0000000000400000-0x000000000041C000-memory.dmp  Filesize: 112KB
  memory/3288-133-0x0000000074D80000-0x0000000075331000-memory.dmp  Filesize: 5.7MB
  memory/3288-132-0x0000000074D80000-0x0000000075331000-memory.dmp  Filesize: 5.7MB
  memory/3288-159-0x0000000074D80000-0x0000000075331000-memory.dmp  Filesize: 5.7MB
  memory/3444-143-0x0000000000000000-mapping.dmp
  memory/4104-158-0x0000000074D80000-0x0000000075331000-memory.dmp  Filesize: 5.7MB
  memory/4104-157-0x0000000074D80000-0x0000000075331000-memory.dmp  Filesize: 5.7MB
  memory/4104-155-0x0000000074D80000-0x0000000075331000-memory.dmp  Filesize: 5.7MB
  memory/4104-153-0x0000000000000000-mapping.dmp