pony | 7de1bf92bf36e8bc2affa006547ff2809a927a2d489ae8b34c2d57b83b88b9c0

Analysis

max time kernel
126s
max time network
50s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
26-11-2022 07:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7de1bf92bf36e8bc2affa006547ff2809a927a2d489ae8b34c2d57b83b88b9c0.exe
Size

596KB
MD5

3bd0f5a04952c1f522e51b509c12a370
SHA1

0c788da376cc061c393d9deec22b759c195020fb
SHA256

7de1bf92bf36e8bc2affa006547ff2809a927a2d489ae8b34c2d57b83b88b9c0
SHA512

838184f5f20ec29fda8965447be81eb254fb5f49c1468a83654a868ee7d8fcce75d651252f1781e3998810658d489498b5de2bd76c59c1f0cd051d671b05ad23
SSDEEP

12288:ko0ZjcnNr3SP4Ybgob0vSZcVm/IMnfiNAKrObQnOxTYS:kPZjcnx64eIvFMIQ6PrOcnCYS

Score

10^/10

pony collection discovery rat spyware stealer upx

Malware Config

Extracted

Family

pony

http://osinachi.site40.net/helo/gate.php

Signatures

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Executes dropped EXE 1 IoCs

Processes:

bCnqnn.exe

pid process

948 bCnqnn.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1512-64-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/1512-66-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/1512-67-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/1512-70-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/1512-71-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/1512-74-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/1064-85-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/1064-87-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/1064-88-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/1064-91-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/1064-92-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/1064-94-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/1544-105-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/1064-108-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/1512-109-0x0000000000400000-0x0000000000459000-memory.dmp	upx

Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

904 cmd.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

1348 icacls.exe

pid	process
904	cmd.exe

pid	process
1348	icacls.exe

Accesses Microsoft Outlook accounts 1 TTPs 2 IoCs

collection

Email Collection

T1114

Processes:

svchost.exesvchost.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	svchost.exe
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	svchost.exe

Accesses Microsoft Outlook profiles 1 TTPs 2 IoCs

collection

Email Collection

T1114

Processes:

svchost.exesvchost.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	svchost.exe
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	svchost.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

bCnqnn.exesvchost.exe

description	pid	process	target process
PID 948 set thread context of 1512	948	bCnqnn.exe	svchost.exe
PID 1512 set thread context of 1064	1512	svchost.exe	svchost.exe
PID 1512 set thread context of 1544	1512	svchost.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

624 schtasks.exe

pid	process
624	schtasks.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

Processes:

bCnqnn.exesvchost.exe

pid	process
948	bCnqnn.exe
948	bCnqnn.exe
1512	svchost.exe
1512	svchost.exe
1512	svchost.exe
1512	svchost.exe
1512	svchost.exe
1512	svchost.exe
1512	svchost.exe
1512	svchost.exe
1512	svchost.exe
1512	svchost.exe
1512	svchost.exe
1512	svchost.exe
1512	svchost.exe
1512	svchost.exe
1512	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

svchost.exesvchost.exe

description	pid	process
Token: SeImpersonatePrivilege	1064	svchost.exe
Token: SeTcbPrivilege	1064	svchost.exe
Token: SeChangeNotifyPrivilege	1064	svchost.exe
Token: SeCreateTokenPrivilege	1064	svchost.exe
Token: SeBackupPrivilege	1064	svchost.exe
Token: SeRestorePrivilege	1064	svchost.exe
Token: SeIncreaseQuotaPrivilege	1064	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1064	svchost.exe
Token: SeImpersonatePrivilege	1544	svchost.exe
Token: SeTcbPrivilege	1544	svchost.exe
Token: SeChangeNotifyPrivilege	1544	svchost.exe
Token: SeCreateTokenPrivilege	1544	svchost.exe
Token: SeBackupPrivilege	1544	svchost.exe
Token: SeRestorePrivilege	1544	svchost.exe
Token: SeIncreaseQuotaPrivilege	1544	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1544	svchost.exe
Token: SeImpersonatePrivilege	1544	svchost.exe
Token: SeTcbPrivilege	1544	svchost.exe
Token: SeChangeNotifyPrivilege	1544	svchost.exe
Token: SeCreateTokenPrivilege	1544	svchost.exe
Token: SeBackupPrivilege	1544	svchost.exe
Token: SeRestorePrivilege	1544	svchost.exe
Token: SeIncreaseQuotaPrivilege	1544	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1544	svchost.exe
Token: SeImpersonatePrivilege	1544	svchost.exe
Token: SeTcbPrivilege	1544	svchost.exe
Token: SeChangeNotifyPrivilege	1544	svchost.exe
Token: SeCreateTokenPrivilege	1544	svchost.exe
Token: SeBackupPrivilege	1544	svchost.exe
Token: SeRestorePrivilege	1544	svchost.exe
Token: SeIncreaseQuotaPrivilege	1544	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1544	svchost.exe
Token: SeImpersonatePrivilege	1544	svchost.exe
Token: SeTcbPrivilege	1544	svchost.exe
Token: SeChangeNotifyPrivilege	1544	svchost.exe
Token: SeCreateTokenPrivilege	1544	svchost.exe
Token: SeBackupPrivilege	1544	svchost.exe
Token: SeRestorePrivilege	1544	svchost.exe
Token: SeIncreaseQuotaPrivilege	1544	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1544	svchost.exe
Token: SeImpersonatePrivilege	1064	svchost.exe
Token: SeTcbPrivilege	1064	svchost.exe
Token: SeChangeNotifyPrivilege	1064	svchost.exe
Token: SeCreateTokenPrivilege	1064	svchost.exe
Token: SeBackupPrivilege	1064	svchost.exe
Token: SeRestorePrivilege	1064	svchost.exe
Token: SeIncreaseQuotaPrivilege	1064	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1064	svchost.exe
Token: SeImpersonatePrivilege	1064	svchost.exe
Token: SeTcbPrivilege	1064	svchost.exe
Token: SeChangeNotifyPrivilege	1064	svchost.exe
Token: SeCreateTokenPrivilege	1064	svchost.exe
Token: SeBackupPrivilege	1064	svchost.exe
Token: SeRestorePrivilege	1064	svchost.exe
Token: SeIncreaseQuotaPrivilege	1064	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1064	svchost.exe
Token: SeImpersonatePrivilege	1064	svchost.exe
Token: SeTcbPrivilege	1064	svchost.exe
Token: SeChangeNotifyPrivilege	1064	svchost.exe
Token: SeCreateTokenPrivilege	1064	svchost.exe
Token: SeBackupPrivilege	1064	svchost.exe
Token: SeRestorePrivilege	1064	svchost.exe
Token: SeIncreaseQuotaPrivilege	1064	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1064	svchost.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

7de1bf92bf36e8bc2affa006547ff2809a927a2d489ae8b34c2d57b83b88b9c0.exe

pid	process
1956	7de1bf92bf36e8bc2affa006547ff2809a927a2d489ae8b34c2d57b83b88b9c0.exe
1956	7de1bf92bf36e8bc2affa006547ff2809a927a2d489ae8b34c2d57b83b88b9c0.exe
1956	7de1bf92bf36e8bc2affa006547ff2809a927a2d489ae8b34c2d57b83b88b9c0.exe
1956	7de1bf92bf36e8bc2affa006547ff2809a927a2d489ae8b34c2d57b83b88b9c0.exe

Suspicious use of SendNotifyMessage 4 IoCs

Processes:

7de1bf92bf36e8bc2affa006547ff2809a927a2d489ae8b34c2d57b83b88b9c0.exe

pid	process
1956	7de1bf92bf36e8bc2affa006547ff2809a927a2d489ae8b34c2d57b83b88b9c0.exe
1956	7de1bf92bf36e8bc2affa006547ff2809a927a2d489ae8b34c2d57b83b88b9c0.exe
1956	7de1bf92bf36e8bc2affa006547ff2809a927a2d489ae8b34c2d57b83b88b9c0.exe
1956	7de1bf92bf36e8bc2affa006547ff2809a927a2d489ae8b34c2d57b83b88b9c0.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

svchost.exe

pid process

1512 svchost.exe

pid	process
1512	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

7de1bf92bf36e8bc2affa006547ff2809a927a2d489ae8b34c2d57b83b88b9c0.execmd.exebCnqnn.exesvchost.execmd.exetaskeng.exeWScript.exeWScript.exeWScript.exe

description	pid	process	target process
PID 1956 wrote to memory of 904	1956	7de1bf92bf36e8bc2affa006547ff2809a927a2d489ae8b34c2d57b83b88b9c0.exe	cmd.exe
PID 1956 wrote to memory of 904	1956	7de1bf92bf36e8bc2affa006547ff2809a927a2d489ae8b34c2d57b83b88b9c0.exe	cmd.exe
PID 1956 wrote to memory of 904	1956	7de1bf92bf36e8bc2affa006547ff2809a927a2d489ae8b34c2d57b83b88b9c0.exe	cmd.exe
PID 1956 wrote to memory of 904	1956	7de1bf92bf36e8bc2affa006547ff2809a927a2d489ae8b34c2d57b83b88b9c0.exe	cmd.exe
PID 904 wrote to memory of 948	904	cmd.exe	bCnqnn.exe
PID 904 wrote to memory of 948	904	cmd.exe	bCnqnn.exe
PID 904 wrote to memory of 948	904	cmd.exe	bCnqnn.exe
PID 904 wrote to memory of 948	904	cmd.exe	bCnqnn.exe
PID 948 wrote to memory of 1512	948	bCnqnn.exe	svchost.exe
PID 948 wrote to memory of 1512	948	bCnqnn.exe	svchost.exe
PID 948 wrote to memory of 1512	948	bCnqnn.exe	svchost.exe
PID 948 wrote to memory of 1512	948	bCnqnn.exe	svchost.exe
PID 948 wrote to memory of 1512	948	bCnqnn.exe	svchost.exe
PID 948 wrote to memory of 1512	948	bCnqnn.exe	svchost.exe
PID 948 wrote to memory of 1512	948	bCnqnn.exe	svchost.exe
PID 948 wrote to memory of 1512	948	bCnqnn.exe	svchost.exe
PID 1512 wrote to memory of 1924	1512	svchost.exe	schtasks.exe
PID 1512 wrote to memory of 1924	1512	svchost.exe	schtasks.exe
PID 1512 wrote to memory of 1924	1512	svchost.exe	schtasks.exe
PID 1512 wrote to memory of 1924	1512	svchost.exe	schtasks.exe
PID 1512 wrote to memory of 624	1512	svchost.exe	schtasks.exe
PID 1512 wrote to memory of 624	1512	svchost.exe	schtasks.exe
PID 1512 wrote to memory of 624	1512	svchost.exe	schtasks.exe
PID 1512 wrote to memory of 624	1512	svchost.exe	schtasks.exe
PID 1512 wrote to memory of 1688	1512	svchost.exe	cmd.exe
PID 1512 wrote to memory of 1688	1512	svchost.exe	cmd.exe
PID 1512 wrote to memory of 1688	1512	svchost.exe	cmd.exe
PID 1512 wrote to memory of 1688	1512	svchost.exe	cmd.exe
PID 1688 wrote to memory of 1348	1688	cmd.exe	icacls.exe
PID 1688 wrote to memory of 1348	1688	cmd.exe	icacls.exe
PID 1688 wrote to memory of 1348	1688	cmd.exe	icacls.exe
PID 1688 wrote to memory of 1348	1688	cmd.exe	icacls.exe
PID 1512 wrote to memory of 1064	1512	svchost.exe	svchost.exe
PID 1512 wrote to memory of 1064	1512	svchost.exe	svchost.exe
PID 1512 wrote to memory of 1064	1512	svchost.exe	svchost.exe
PID 1512 wrote to memory of 1064	1512	svchost.exe	svchost.exe
PID 1512 wrote to memory of 1064	1512	svchost.exe	svchost.exe
PID 1512 wrote to memory of 1064	1512	svchost.exe	svchost.exe
PID 1512 wrote to memory of 1064	1512	svchost.exe	svchost.exe
PID 1512 wrote to memory of 1064	1512	svchost.exe	svchost.exe
PID 1512 wrote to memory of 1544	1512	svchost.exe	svchost.exe
PID 1512 wrote to memory of 1544	1512	svchost.exe	svchost.exe
PID 1512 wrote to memory of 1544	1512	svchost.exe	svchost.exe
PID 1512 wrote to memory of 1544	1512	svchost.exe	svchost.exe
PID 1512 wrote to memory of 1544	1512	svchost.exe	svchost.exe
PID 1512 wrote to memory of 1544	1512	svchost.exe	svchost.exe
PID 1512 wrote to memory of 1544	1512	svchost.exe	svchost.exe
PID 1512 wrote to memory of 1544	1512	svchost.exe	svchost.exe
PID 892 wrote to memory of 1340	892	taskeng.exe	WScript.exe
PID 892 wrote to memory of 1340	892	taskeng.exe	WScript.exe
PID 892 wrote to memory of 1340	892	taskeng.exe	WScript.exe
PID 1340 wrote to memory of 1416	1340	WScript.exe	cmd.exe
PID 1340 wrote to memory of 1416	1340	WScript.exe	cmd.exe
PID 1340 wrote to memory of 1416	1340	WScript.exe	cmd.exe
PID 892 wrote to memory of 1964	892	taskeng.exe	WScript.exe
PID 892 wrote to memory of 1964	892	taskeng.exe	WScript.exe
PID 892 wrote to memory of 1964	892	taskeng.exe	WScript.exe
PID 1964 wrote to memory of 108	1964	WScript.exe	cmd.exe
PID 1964 wrote to memory of 108	1964	WScript.exe	cmd.exe
PID 1964 wrote to memory of 108	1964	WScript.exe	cmd.exe
PID 892 wrote to memory of 1992	892	taskeng.exe	WScript.exe
PID 892 wrote to memory of 1992	892	taskeng.exe	WScript.exe
PID 892 wrote to memory of 1992	892	taskeng.exe	WScript.exe
PID 1992 wrote to memory of 1676	1992	WScript.exe	cmd.exe

outlook_win_path 1 IoCs

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	svchost.exe

C:\Users\Admin\AppData\Local\Temp\7de1bf92bf36e8bc2affa006547ff2809a927a2d489ae8b34c2d57b83b88b9c0.exe
"C:\Users\Admin\AppData\Local\Temp\7de1bf92bf36e8bc2affa006547ff2809a927a2d489ae8b34c2d57b83b88b9c0.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bCnqnn.exe PjGWZk
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:904

C:\Users\Admin\AppData\Local\Temp\bCnqnn.exe
C:\Users\Admin\AppData\Local\Temp\bCnqnn.exe PjGWZk
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:948

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\System32\svchost.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1512

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn WindowsUpdatepjgwzk0x8429524
5⤵
PID:1924

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn WindowsUpdatepjgwzk0x8429525 /tr "C:\ProgramData\pjgwzk\QyQhwE.vbs" /RL HIGHEST
5⤵
- Creates scheduled task(s)
PID:624

C:\Windows\SysWOW64\cmd.exe
cmd /c icacls "C:\ProgramData\pjgwzk" /deny %username%:F
5⤵
- Suspicious use of WriteProcessMemory
PID:1688

C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\pjgwzk" /deny Admin:F
6⤵
- Modifies file permissions
PID:1348

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
5⤵
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_win_path
PID:1064

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
5⤵
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
PID:1544

C:\Windows\system32\taskeng.exe
taskeng.exe {94C32210-879B-4FC5-A014-E629C8470BA9} S-1-5-21-2292972927-2705560509-2768824231-1000:GRXNNIIE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:892

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\ProgramData\pjgwzk\QyQhwE.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:1340

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\pjgwzk\\bCnqnn.exe C:\ProgramData\pjgwzk\\PjGWZk
3⤵
PID:1416

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\ProgramData\pjgwzk\QyQhwE.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:1964

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\pjgwzk\\bCnqnn.exe C:\ProgramData\pjgwzk\\PjGWZk
3⤵
PID:108

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\ProgramData\pjgwzk\QyQhwE.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:1992

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\pjgwzk\\bCnqnn.exe C:\ProgramData\pjgwzk\\PjGWZk
3⤵
PID:1676

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\pjgwzk\DRxCLH.txt
Filesize
235KB

MD5
6dfceb0fdc7b6958a79935c14bf91b57

SHA1
ab47d02095a048dbd68b15c569ae1ba52ec075a7

SHA256
3fb850a10aceabd25719ce1c75602f65c3708df58a62b4ebac5624f9711cfd05

SHA512
f182122c2f256e3dc9e2062a30858f56430b91178493bdeac2a341612e42ecdab29d071649b53247fa9f74443a89461848632ef221fc5b868233dffa77462267

Download Submit
C:\ProgramData\pjgwzk\PjGWZk
Filesize
7KB

MD5
121df8c2cc00e500a6f33cae4efd3e83

SHA1
c50fdb4557fd29b8da3418bbd970dacebdd2ba3a

SHA256
1c67c07d32e8522feae55034d67cbdf9a895b1306cc8da6730476f10389361e6

SHA512
c1afc91180d39c7032db1b2bc417fb901ae718cc141a02758037d6c783529012cff6acba90947ad18c1a75315d6279ada684c3335f00e68a6b406f5cbdd6fb34

Download Submit
C:\ProgramData\pjgwzk\QyQhwE.vbs
Filesize
274B

MD5
343c3ab8edd666ae4e44d266dc9611e5

SHA1
6167154c295c26716c25f60b58c833aa0db6cf56

SHA256
7a98d15cb760c591ee075ac9f302b9d44a2dc56e53179f77042d29352f96e8a3

SHA512
168890b6dd9db80b01176ee07a0e6b2976141886016b92254404f66063bc8402271b9e0212dcf121c0ad4bf8f23a9df5142ad5e2adda05079468485ac0c6647d

Download Submit
C:\ProgramData\pjgwzk\bCnqnn.exe
Filesize
510KB

MD5
01d151ccd2a75bd713b8ce81d6509eb8

SHA1
c751680d504bece45dc84e363e9e976fe77a8eac

SHA256
a4d4dbf9e9124dbd055115706f2a2bfc8816b66cc5f52a148602f9fb0203b801

SHA512
8d49a4d97ef38fe5c6bb875d3bc387fade75f9a5d06a494b6a8c9d87840aa3d7cd87343e6aad268a27a9a33390bef7cd8e10d8ebe1df9f7d1ba6a68fe844107d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRxCLH.txt
Filesize
235KB

MD5
6dfceb0fdc7b6958a79935c14bf91b57

SHA1
ab47d02095a048dbd68b15c569ae1ba52ec075a7

SHA256
3fb850a10aceabd25719ce1c75602f65c3708df58a62b4ebac5624f9711cfd05

SHA512
f182122c2f256e3dc9e2062a30858f56430b91178493bdeac2a341612e42ecdab29d071649b53247fa9f74443a89461848632ef221fc5b868233dffa77462267

Download Submit
C:\Users\Admin\AppData\Local\Temp\PjGWZk
Filesize
7KB

MD5
121df8c2cc00e500a6f33cae4efd3e83

SHA1
c50fdb4557fd29b8da3418bbd970dacebdd2ba3a

SHA256
1c67c07d32e8522feae55034d67cbdf9a895b1306cc8da6730476f10389361e6

SHA512
c1afc91180d39c7032db1b2bc417fb901ae718cc141a02758037d6c783529012cff6acba90947ad18c1a75315d6279ada684c3335f00e68a6b406f5cbdd6fb34

Download Submit
C:\Users\Admin\AppData\Local\Temp\bCnqnn.exe
Filesize
510KB

MD5
01d151ccd2a75bd713b8ce81d6509eb8

SHA1
c751680d504bece45dc84e363e9e976fe77a8eac

SHA256
a4d4dbf9e9124dbd055115706f2a2bfc8816b66cc5f52a148602f9fb0203b801

SHA512
8d49a4d97ef38fe5c6bb875d3bc387fade75f9a5d06a494b6a8c9d87840aa3d7cd87343e6aad268a27a9a33390bef7cd8e10d8ebe1df9f7d1ba6a68fe844107d

Download Submit
C:\Users\Admin\AppData\Local\Temp\bCnqnn.exe
Filesize
510KB

MD5
01d151ccd2a75bd713b8ce81d6509eb8

SHA1
c751680d504bece45dc84e363e9e976fe77a8eac

SHA256
a4d4dbf9e9124dbd055115706f2a2bfc8816b66cc5f52a148602f9fb0203b801

SHA512
8d49a4d97ef38fe5c6bb875d3bc387fade75f9a5d06a494b6a8c9d87840aa3d7cd87343e6aad268a27a9a33390bef7cd8e10d8ebe1df9f7d1ba6a68fe844107d

Download Submit
\Users\Admin\AppData\Local\Temp\bCnqnn.exe
Filesize
510KB

MD5
01d151ccd2a75bd713b8ce81d6509eb8

SHA1
c751680d504bece45dc84e363e9e976fe77a8eac

SHA256
a4d4dbf9e9124dbd055115706f2a2bfc8816b66cc5f52a148602f9fb0203b801

SHA512
8d49a4d97ef38fe5c6bb875d3bc387fade75f9a5d06a494b6a8c9d87840aa3d7cd87343e6aad268a27a9a33390bef7cd8e10d8ebe1df9f7d1ba6a68fe844107d

Download Submit
memory/108-114-0x0000000000000000-mapping.dmp

Download
memory/624-77-0x0000000000000000-mapping.dmp

Download
memory/892-106-0x000007FEFBF21000-0x000007FEFBF23000-memory.dmp

Filesize
8KB

Download
memory/904-55-0x0000000000000000-mapping.dmp

Download
memory/948-58-0x0000000000000000-mapping.dmp

Download
memory/1064-92-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1064-108-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1064-94-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1064-91-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1064-88-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1064-89-0x000000000041AF00-mapping.dmp

Download
memory/1064-87-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1064-85-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1064-84-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1340-107-0x0000000000000000-mapping.dmp

Download
memory/1348-79-0x0000000000000000-mapping.dmp

Download
memory/1416-111-0x0000000000000000-mapping.dmp

Download
memory/1512-67-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1512-68-0x0000000000457500-mapping.dmp

Download
memory/1512-70-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1512-63-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1512-71-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1512-109-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1512-74-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1512-66-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1512-64-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1544-105-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1544-100-0x000000000041AF00-mapping.dmp

Download
memory/1676-117-0x0000000000000000-mapping.dmp

Download
memory/1688-78-0x0000000000000000-mapping.dmp

Download
memory/1924-76-0x0000000000000000-mapping.dmp

Download
memory/1956-54-0x0000000075BA1000-0x0000000075BA3000-memory.dmp

Filesize
8KB

Download
memory/1964-112-0x0000000000000000-mapping.dmp

Download
memory/1992-115-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads