pony | 1bf9f2ba608fddd01e07cbcd9dd9faeb51ba56acd6664932920f3e52231ce972

Analysis

max time kernel
116s
max time network
48s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
26-11-2022 07:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1bf9f2ba608fddd01e07cbcd9dd9faeb51ba56acd6664932920f3e52231ce972.exe
Size

596KB
MD5

b09a08656becc46cf4f0547926f90cf8
SHA1

0b6f000fad78f9d9082344c724c0a2637046080e
SHA256

1bf9f2ba608fddd01e07cbcd9dd9faeb51ba56acd6664932920f3e52231ce972
SHA512

cf77f7ee2720836db3f9480d244e5f3b9ed38e5ff981ae1b25c58e031571a6681886e5665c66b5303baf5880f9b75e3267e6a323c5cd18e0849bcb731bbf52de
SSDEEP

12288:ko0ZjcnNr3Sh4Ybgob0vSZcVm/IMnfiNAKrq4HMklp8W6Q1F:kPZjcnxY4eIvFMIQ6Pr7n

Score

10^/10

pony collection discovery rat spyware stealer upx

Malware Config

Extracted

Family

pony

http://orangeisabitch.net16.net/gate.php

Signatures

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Executes dropped EXE 1 IoCs

Processes:

ufZKjp.exe

pid process

1756 ufZKjp.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1528-64-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/1528-66-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/1528-67-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/1528-70-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/1528-71-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/1528-74-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/1696-85-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/1696-87-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/1696-88-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/1696-91-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/1696-92-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/1696-94-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/1912-105-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/1528-106-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/1696-107-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/1696-108-0x0000000000400000-0x000000000041D000-memory.dmp	upx

Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

1296 cmd.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

1056 icacls.exe

pid	process
1296	cmd.exe

pid	process
1056	icacls.exe

Accesses Microsoft Outlook accounts 1 TTPs 2 IoCs

collection

Email Collection

T1114

Processes:

svchost.exesvchost.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	svchost.exe
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	svchost.exe

Accesses Microsoft Outlook profiles 1 TTPs 2 IoCs

collection

Email Collection

T1114

Processes:

svchost.exesvchost.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	svchost.exe
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	svchost.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

ufZKjp.exesvchost.exe

description	pid	process	target process
PID 1756 set thread context of 1528	1756	ufZKjp.exe	svchost.exe
PID 1528 set thread context of 1696	1528	svchost.exe	svchost.exe
PID 1528 set thread context of 1912	1528	svchost.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

972 schtasks.exe

pid	process
972	schtasks.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

Processes:

ufZKjp.exesvchost.exe

pid	process
1756	ufZKjp.exe
1756	ufZKjp.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

svchost.exesvchost.exe

description	pid	process
Token: SeImpersonatePrivilege	1696	svchost.exe
Token: SeTcbPrivilege	1696	svchost.exe
Token: SeChangeNotifyPrivilege	1696	svchost.exe
Token: SeCreateTokenPrivilege	1696	svchost.exe
Token: SeBackupPrivilege	1696	svchost.exe
Token: SeRestorePrivilege	1696	svchost.exe
Token: SeIncreaseQuotaPrivilege	1696	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1696	svchost.exe
Token: SeImpersonatePrivilege	1912	svchost.exe
Token: SeTcbPrivilege	1912	svchost.exe
Token: SeChangeNotifyPrivilege	1912	svchost.exe
Token: SeCreateTokenPrivilege	1912	svchost.exe
Token: SeBackupPrivilege	1912	svchost.exe
Token: SeRestorePrivilege	1912	svchost.exe
Token: SeIncreaseQuotaPrivilege	1912	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1912	svchost.exe
Token: SeImpersonatePrivilege	1912	svchost.exe
Token: SeTcbPrivilege	1912	svchost.exe
Token: SeChangeNotifyPrivilege	1912	svchost.exe
Token: SeCreateTokenPrivilege	1912	svchost.exe
Token: SeBackupPrivilege	1912	svchost.exe
Token: SeRestorePrivilege	1912	svchost.exe
Token: SeIncreaseQuotaPrivilege	1912	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1912	svchost.exe
Token: SeImpersonatePrivilege	1912	svchost.exe
Token: SeTcbPrivilege	1912	svchost.exe
Token: SeChangeNotifyPrivilege	1912	svchost.exe
Token: SeCreateTokenPrivilege	1912	svchost.exe
Token: SeBackupPrivilege	1912	svchost.exe
Token: SeRestorePrivilege	1912	svchost.exe
Token: SeIncreaseQuotaPrivilege	1912	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1912	svchost.exe
Token: SeImpersonatePrivilege	1912	svchost.exe
Token: SeTcbPrivilege	1912	svchost.exe
Token: SeChangeNotifyPrivilege	1912	svchost.exe
Token: SeCreateTokenPrivilege	1912	svchost.exe
Token: SeBackupPrivilege	1912	svchost.exe
Token: SeRestorePrivilege	1912	svchost.exe
Token: SeIncreaseQuotaPrivilege	1912	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1912	svchost.exe
Token: SeImpersonatePrivilege	1696	svchost.exe
Token: SeTcbPrivilege	1696	svchost.exe
Token: SeChangeNotifyPrivilege	1696	svchost.exe
Token: SeCreateTokenPrivilege	1696	svchost.exe
Token: SeBackupPrivilege	1696	svchost.exe
Token: SeRestorePrivilege	1696	svchost.exe
Token: SeIncreaseQuotaPrivilege	1696	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1696	svchost.exe
Token: SeImpersonatePrivilege	1696	svchost.exe
Token: SeTcbPrivilege	1696	svchost.exe
Token: SeChangeNotifyPrivilege	1696	svchost.exe
Token: SeCreateTokenPrivilege	1696	svchost.exe
Token: SeBackupPrivilege	1696	svchost.exe
Token: SeRestorePrivilege	1696	svchost.exe
Token: SeIncreaseQuotaPrivilege	1696	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1696	svchost.exe
Token: SeImpersonatePrivilege	1696	svchost.exe
Token: SeTcbPrivilege	1696	svchost.exe
Token: SeChangeNotifyPrivilege	1696	svchost.exe
Token: SeCreateTokenPrivilege	1696	svchost.exe
Token: SeBackupPrivilege	1696	svchost.exe
Token: SeRestorePrivilege	1696	svchost.exe
Token: SeIncreaseQuotaPrivilege	1696	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1696	svchost.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

1bf9f2ba608fddd01e07cbcd9dd9faeb51ba56acd6664932920f3e52231ce972.exe

pid	process
1632	1bf9f2ba608fddd01e07cbcd9dd9faeb51ba56acd6664932920f3e52231ce972.exe
1632	1bf9f2ba608fddd01e07cbcd9dd9faeb51ba56acd6664932920f3e52231ce972.exe
1632	1bf9f2ba608fddd01e07cbcd9dd9faeb51ba56acd6664932920f3e52231ce972.exe
1632	1bf9f2ba608fddd01e07cbcd9dd9faeb51ba56acd6664932920f3e52231ce972.exe

Suspicious use of SendNotifyMessage 4 IoCs

Processes:

1bf9f2ba608fddd01e07cbcd9dd9faeb51ba56acd6664932920f3e52231ce972.exe

pid	process
1632	1bf9f2ba608fddd01e07cbcd9dd9faeb51ba56acd6664932920f3e52231ce972.exe
1632	1bf9f2ba608fddd01e07cbcd9dd9faeb51ba56acd6664932920f3e52231ce972.exe
1632	1bf9f2ba608fddd01e07cbcd9dd9faeb51ba56acd6664932920f3e52231ce972.exe
1632	1bf9f2ba608fddd01e07cbcd9dd9faeb51ba56acd6664932920f3e52231ce972.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

svchost.exe

pid process

1528 svchost.exe

pid	process
1528	svchost.exe

Suspicious use of WriteProcessMemory 60 IoCs

Processes:

1bf9f2ba608fddd01e07cbcd9dd9faeb51ba56acd6664932920f3e52231ce972.execmd.exeufZKjp.exesvchost.execmd.exetaskeng.exeWScript.exeWScript.exe

description	pid	process	target process
PID 1632 wrote to memory of 1296	1632	1bf9f2ba608fddd01e07cbcd9dd9faeb51ba56acd6664932920f3e52231ce972.exe	cmd.exe
PID 1632 wrote to memory of 1296	1632	1bf9f2ba608fddd01e07cbcd9dd9faeb51ba56acd6664932920f3e52231ce972.exe	cmd.exe
PID 1632 wrote to memory of 1296	1632	1bf9f2ba608fddd01e07cbcd9dd9faeb51ba56acd6664932920f3e52231ce972.exe	cmd.exe
PID 1632 wrote to memory of 1296	1632	1bf9f2ba608fddd01e07cbcd9dd9faeb51ba56acd6664932920f3e52231ce972.exe	cmd.exe
PID 1296 wrote to memory of 1756	1296	cmd.exe	ufZKjp.exe
PID 1296 wrote to memory of 1756	1296	cmd.exe	ufZKjp.exe
PID 1296 wrote to memory of 1756	1296	cmd.exe	ufZKjp.exe
PID 1296 wrote to memory of 1756	1296	cmd.exe	ufZKjp.exe
PID 1756 wrote to memory of 1528	1756	ufZKjp.exe	svchost.exe
PID 1756 wrote to memory of 1528	1756	ufZKjp.exe	svchost.exe
PID 1756 wrote to memory of 1528	1756	ufZKjp.exe	svchost.exe
PID 1756 wrote to memory of 1528	1756	ufZKjp.exe	svchost.exe
PID 1756 wrote to memory of 1528	1756	ufZKjp.exe	svchost.exe
PID 1756 wrote to memory of 1528	1756	ufZKjp.exe	svchost.exe
PID 1756 wrote to memory of 1528	1756	ufZKjp.exe	svchost.exe
PID 1756 wrote to memory of 1528	1756	ufZKjp.exe	svchost.exe
PID 1528 wrote to memory of 1728	1528	svchost.exe	schtasks.exe
PID 1528 wrote to memory of 1728	1528	svchost.exe	schtasks.exe
PID 1528 wrote to memory of 1728	1528	svchost.exe	schtasks.exe
PID 1528 wrote to memory of 1728	1528	svchost.exe	schtasks.exe
PID 1528 wrote to memory of 972	1528	svchost.exe	schtasks.exe
PID 1528 wrote to memory of 972	1528	svchost.exe	schtasks.exe
PID 1528 wrote to memory of 972	1528	svchost.exe	schtasks.exe
PID 1528 wrote to memory of 972	1528	svchost.exe	schtasks.exe
PID 1528 wrote to memory of 1888	1528	svchost.exe	cmd.exe
PID 1528 wrote to memory of 1888	1528	svchost.exe	cmd.exe
PID 1528 wrote to memory of 1888	1528	svchost.exe	cmd.exe
PID 1528 wrote to memory of 1888	1528	svchost.exe	cmd.exe
PID 1888 wrote to memory of 1056	1888	cmd.exe	icacls.exe
PID 1888 wrote to memory of 1056	1888	cmd.exe	icacls.exe
PID 1888 wrote to memory of 1056	1888	cmd.exe	icacls.exe
PID 1888 wrote to memory of 1056	1888	cmd.exe	icacls.exe
PID 1528 wrote to memory of 1696	1528	svchost.exe	svchost.exe
PID 1528 wrote to memory of 1696	1528	svchost.exe	svchost.exe
PID 1528 wrote to memory of 1696	1528	svchost.exe	svchost.exe
PID 1528 wrote to memory of 1696	1528	svchost.exe	svchost.exe
PID 1528 wrote to memory of 1696	1528	svchost.exe	svchost.exe
PID 1528 wrote to memory of 1696	1528	svchost.exe	svchost.exe
PID 1528 wrote to memory of 1696	1528	svchost.exe	svchost.exe
PID 1528 wrote to memory of 1696	1528	svchost.exe	svchost.exe
PID 1528 wrote to memory of 1912	1528	svchost.exe	svchost.exe
PID 1528 wrote to memory of 1912	1528	svchost.exe	svchost.exe
PID 1528 wrote to memory of 1912	1528	svchost.exe	svchost.exe
PID 1528 wrote to memory of 1912	1528	svchost.exe	svchost.exe
PID 1528 wrote to memory of 1912	1528	svchost.exe	svchost.exe
PID 1528 wrote to memory of 1912	1528	svchost.exe	svchost.exe
PID 1528 wrote to memory of 1912	1528	svchost.exe	svchost.exe
PID 1528 wrote to memory of 1912	1528	svchost.exe	svchost.exe
PID 1720 wrote to memory of 1376	1720	taskeng.exe	WScript.exe
PID 1720 wrote to memory of 1376	1720	taskeng.exe	WScript.exe
PID 1720 wrote to memory of 1376	1720	taskeng.exe	WScript.exe
PID 1376 wrote to memory of 1756	1376	WScript.exe	cmd.exe
PID 1376 wrote to memory of 1756	1376	WScript.exe	cmd.exe
PID 1376 wrote to memory of 1756	1376	WScript.exe	cmd.exe
PID 1720 wrote to memory of 2032	1720	taskeng.exe	WScript.exe
PID 1720 wrote to memory of 2032	1720	taskeng.exe	WScript.exe
PID 1720 wrote to memory of 2032	1720	taskeng.exe	WScript.exe
PID 2032 wrote to memory of 452	2032	WScript.exe	cmd.exe
PID 2032 wrote to memory of 452	2032	WScript.exe	cmd.exe
PID 2032 wrote to memory of 452	2032	WScript.exe	cmd.exe

outlook_win_path 1 IoCs

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	svchost.exe

C:\Users\Admin\AppData\Local\Temp\1bf9f2ba608fddd01e07cbcd9dd9faeb51ba56acd6664932920f3e52231ce972.exe
"C:\Users\Admin\AppData\Local\Temp\1bf9f2ba608fddd01e07cbcd9dd9faeb51ba56acd6664932920f3e52231ce972.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ufZKjp.exe INRpVM
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1296

C:\Users\Admin\AppData\Local\Temp\ufZKjp.exe
C:\Users\Admin\AppData\Local\Temp\ufZKjp.exe INRpVM
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1756

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\System32\svchost.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1528

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn WindowsUpdateinrpvm0x8429524
5⤵
PID:1728

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn WindowsUpdateinrpvm0x8429525 /tr "C:\ProgramData\inrpvm\jcCBsf.vbs" /RL HIGHEST
5⤵
- Creates scheduled task(s)
PID:972

C:\Windows\SysWOW64\cmd.exe
cmd /c icacls "C:\ProgramData\inrpvm" /deny %username%:F
5⤵
- Suspicious use of WriteProcessMemory
PID:1888

C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\inrpvm" /deny Admin:F
6⤵
- Modifies file permissions
PID:1056

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
5⤵
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_win_path
PID:1696

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
5⤵
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
PID:1912

C:\Windows\system32\taskeng.exe
taskeng.exe {E4D9C16F-1FA5-4069-BCF4-84E8F0C9D84D} S-1-5-21-3845472200-3839195424-595303356-1000:ZERMMMDR\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1720

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\ProgramData\inrpvm\jcCBsf.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:1376

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\inrpvm\\ufZKjp.exe C:\ProgramData\inrpvm\\INRpVM
3⤵
PID:1756

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\ProgramData\inrpvm\jcCBsf.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\inrpvm\\ufZKjp.exe C:\ProgramData\inrpvm\\INRpVM
3⤵
PID:452

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\inrpvm\INRpVM
Filesize
7KB

MD5
8b6b5bb58abe252c0690506e05102e99

SHA1
174d719bbbbae1e7a89d342c70ebc162769287b9

SHA256
542a63f17deed9808021404219009bc7c63d4354e0fb28cb073e514f8bdf8ad4

SHA512
88adf4b9a805b320fb6e1aa9d2d77f452d77d9f8fd06f8afcb000d8c9a037c59c163c794aa1f6c88c1fc138a6713f40fc686332c6e2b51e4ea28647432d5db69

Download Submit
C:\ProgramData\inrpvm\jcCBsf.vbs
Filesize
274B

MD5
5e958cf47a58511aaa084af53bfa83ab

SHA1
2c3c6890a26f29078c1972acbb1ce24900dacc49

SHA256
8bcc296210a193880cd7d84c2d03956f746dac34ad6df7243cd448de9565ecef

SHA512
21be62d1da31c56271567d7e0c03a831375ac5ea544f53504d576c63c64133da67bf574f5c9749a4ecf0f954f9278215fc6e88c4cd89e802ee875944ffaf0981

Download Submit
C:\ProgramData\inrpvm\ufZKjp.exe
Filesize
510KB

MD5
01d151ccd2a75bd713b8ce81d6509eb8

SHA1
c751680d504bece45dc84e363e9e976fe77a8eac

SHA256
a4d4dbf9e9124dbd055115706f2a2bfc8816b66cc5f52a148602f9fb0203b801

SHA512
8d49a4d97ef38fe5c6bb875d3bc387fade75f9a5d06a494b6a8c9d87840aa3d7cd87343e6aad268a27a9a33390bef7cd8e10d8ebe1df9f7d1ba6a68fe844107d

Download Submit
C:\ProgramData\inrpvm\vujVHJ.txt
Filesize
235KB

MD5
ad733659b0fa0ca5bb21c4de23d291e7

SHA1
4ea03e36ad34f8fb43ea390fe662e069dec598e5

SHA256
9c7d314ddc390b3805916fc6bf809663a9777c0560cd042b768c07a2006c55ce

SHA512
692ae106b6ba48929ebfb081718b30c9fb6efd5cb3c1e1d7fbc92665267b0812e17f0912b1897ba0a58792cd9c6f040ecc12c64fd9fd1619b1d7ce5bf3cd3811

Download Submit
C:\Users\Admin\AppData\Local\Temp\INRpVM
Filesize
7KB

MD5
8b6b5bb58abe252c0690506e05102e99

SHA1
174d719bbbbae1e7a89d342c70ebc162769287b9

SHA256
542a63f17deed9808021404219009bc7c63d4354e0fb28cb073e514f8bdf8ad4

SHA512
88adf4b9a805b320fb6e1aa9d2d77f452d77d9f8fd06f8afcb000d8c9a037c59c163c794aa1f6c88c1fc138a6713f40fc686332c6e2b51e4ea28647432d5db69

Download Submit
C:\Users\Admin\AppData\Local\Temp\ufZKjp.exe
Filesize
510KB

MD5
01d151ccd2a75bd713b8ce81d6509eb8

SHA1
c751680d504bece45dc84e363e9e976fe77a8eac

SHA256
a4d4dbf9e9124dbd055115706f2a2bfc8816b66cc5f52a148602f9fb0203b801

SHA512
8d49a4d97ef38fe5c6bb875d3bc387fade75f9a5d06a494b6a8c9d87840aa3d7cd87343e6aad268a27a9a33390bef7cd8e10d8ebe1df9f7d1ba6a68fe844107d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ufZKjp.exe
Filesize
510KB

MD5
01d151ccd2a75bd713b8ce81d6509eb8

SHA1
c751680d504bece45dc84e363e9e976fe77a8eac

SHA256
a4d4dbf9e9124dbd055115706f2a2bfc8816b66cc5f52a148602f9fb0203b801

SHA512
8d49a4d97ef38fe5c6bb875d3bc387fade75f9a5d06a494b6a8c9d87840aa3d7cd87343e6aad268a27a9a33390bef7cd8e10d8ebe1df9f7d1ba6a68fe844107d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vujVHJ.txt
Filesize
235KB

MD5
ad733659b0fa0ca5bb21c4de23d291e7

SHA1
4ea03e36ad34f8fb43ea390fe662e069dec598e5

SHA256
9c7d314ddc390b3805916fc6bf809663a9777c0560cd042b768c07a2006c55ce

SHA512
692ae106b6ba48929ebfb081718b30c9fb6efd5cb3c1e1d7fbc92665267b0812e17f0912b1897ba0a58792cd9c6f040ecc12c64fd9fd1619b1d7ce5bf3cd3811

Download Submit
\Users\Admin\AppData\Local\Temp\ufZKjp.exe
Filesize
510KB

MD5
01d151ccd2a75bd713b8ce81d6509eb8

SHA1
c751680d504bece45dc84e363e9e976fe77a8eac

SHA256
a4d4dbf9e9124dbd055115706f2a2bfc8816b66cc5f52a148602f9fb0203b801

SHA512
8d49a4d97ef38fe5c6bb875d3bc387fade75f9a5d06a494b6a8c9d87840aa3d7cd87343e6aad268a27a9a33390bef7cd8e10d8ebe1df9f7d1ba6a68fe844107d

Download Submit
memory/452-115-0x0000000000000000-mapping.dmp

Download
memory/972-77-0x0000000000000000-mapping.dmp

Download
memory/1056-79-0x0000000000000000-mapping.dmp

Download
memory/1296-55-0x0000000000000000-mapping.dmp

Download
memory/1376-110-0x0000000000000000-mapping.dmp

Download
memory/1528-66-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1528-74-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1528-64-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1528-71-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1528-106-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1528-70-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1528-68-0x00000000004574F0-mapping.dmp

Download
memory/1528-67-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1528-63-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1632-54-0x00000000761F1000-0x00000000761F3000-memory.dmp

Filesize
8KB

Download
memory/1696-88-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1696-107-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1696-87-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1696-84-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1696-89-0x000000000041AEF0-mapping.dmp

Download
memory/1696-91-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1696-92-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1696-94-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1696-85-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1696-108-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1720-109-0x000007FEFBF41000-0x000007FEFBF43000-memory.dmp

Filesize
8KB

Download
memory/1728-76-0x0000000000000000-mapping.dmp

Download
memory/1756-112-0x0000000000000000-mapping.dmp

Download
memory/1756-58-0x0000000000000000-mapping.dmp

Download
memory/1888-78-0x0000000000000000-mapping.dmp

Download
memory/1912-105-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1912-100-0x000000000041AEF0-mapping.dmp

Download
memory/2032-113-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads