Analysis
- max time kernel: 170s
- max time network: 191s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-11-2022 08:38
Static task: static1
Behavioral task: behavioral1
- Sample: 42f87570f9be56966cef8d3aca72509d14125d3ecb5504b2f7ec7bdf54118a90.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 42f87570f9be56966cef8d3aca72509d14125d3ecb5504b2f7ec7bdf54118a90.exe
- Resource: win10v2004-20220812-en
The signatures, process tree and dumps below belong to behavioral2: the platform is windows10-2004_x64 and every yara match is prefixed behavioral2/.
General
- Target: 42f87570f9be56966cef8d3aca72509d14125d3ecb5504b2f7ec7bdf54118a90.exe
- Size: 1.9MB
- MD5: 15a9103d4b99fcd908c1048b02aeb8f8
- SHA1: f7df8f1f0e1c5a2183f4e2d705e25588e63f67e0
- SHA256: 42f87570f9be56966cef8d3aca72509d14125d3ecb5504b2f7ec7bdf54118a90
- SHA512: b50e6237942aee5f40dc27dc69361ad468c689ce48e4703f0386f001da767794c29ba35fadf0bcb899c42778906021bb17b12f93ec218acfff9ee0d3de48c55a
- SSDEEP: 49152:2rzKZmTHjNLbRAGWe4cqPLylFyaJcrRUQ:UKZmTDNLbRAGocqPLylFyaJcrRUQ
Malware Config
Extracted
- Family: pony
- C2 gate URL: http://usgroupe.ma/wp-admin/reet/gate.php (the Pony panel's gate.php, here hosted under a WordPress /wp-admin/ path on a third-party domain)
Signatures
-
Executes dropped EXE 8 IoCs
Processes (pid, process): 2148 Update.exe; 4104 Update.exe; 508 Update.exe; 3964 Update.exe; 1836 Update.exe; 1772 Update.exe; 2692 Update.exe; 4328 Update.exe
-
Yara rule upx matched in memory dumps 18 IoCs
Every match is the region 0x0000000000400000-0x0000000000420000 of an Update.exe child (resource behavioral2/memory/<pid>-<seq>-0x0000000000400000-0x0000000000420000-memory.dmp):
- 4104: seq 141, 144, 145, 147, 149, 152
- 508: seq 158, 159, 161
- 1836: seq 172, 174
- 1772: seq 183, 185
- 2692: seq 193, 195
- 4328: seq 203, 205
- 3628: seq 219
Checks computer location settings 2 TTPs 6 IoCs
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation
- Processes: 42f87570f9be56966cef8d3aca72509d14125d3ecb5504b2f7ec7bdf54118a90.exe (1 IoC); Update.exe (5 IoCs, one per instance)
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 6 IoCs
- Key opened: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
- Processes: Update.exe, 6 instances (PIDs 4104, 508, 1836, 1772, 2692 and 4328 in the process tree)
-
Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs
- Key opened: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
- Processes: Update.exe, 6 instances (the same six PIDs)
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
Process: reg.exe
- Key created: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run
- Set value (str): \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Anti Virus = "C:\Users\Admin\AppData\Roaming\Update.exe"
The value lives under HKCU, so it needs no elevation and fires only at this user's logon. Update.exe is the dropped copy of the sample (identical hashes under Downloads), written to a user-writable directory.
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Maps connected drives based on registry 3 TTPs 4 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes: 42f87570f9be56966cef8d3aca72509d14125d3ecb5504b2f7ec7bdf54118a90.exe and Update.exe, each:
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0
Suspicious use of SetThreadContext 7 IoCs
PID 2148 Update.exe set the thread context of seven child processes that run its own image: Update.exe PIDs 4104, 508, 3964, 1836, 1772, 2692 and 4328 (one IoC each).
Read together with the WriteProcessMemory table below, where 2148 writes seven times into each of the same seven children, this is consistent with process hollowing (RunPE): the parent starts a copy of itself, overwrites its image and repoints the main thread before it runs. The three later Update.exe children (1812, 4236, 3628) do not appear in this list.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's stock description for this heuristic reads "likely ransomware behaviour"; nothing else in this report supports that. The extracted Pony config and the FTP-client, browser, Outlook and wallet access point to an infostealer, and drive enumeration is equally consistent with an infostealer scanning for files to harvest.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (pid, process): 5004 42f87570f9be56966cef8d3aca72509d14125d3ecb5504b2f7ec7bdf54118a90.exe (1 IoC); 2148 Update.exe (the remaining 63 IoCs; the listing stops at 64 entries).
Suspicious use of AdjustPrivilegeToken 64 IoCs
- Token: SeDebugPrivilege, 5004 42f87570f9be56966cef8d3aca72509d14125d3ecb5504b2f7ec7bdf54118a90.exe
- Token: SeDebugPrivilege, 2148 Update.exe
- 4104 Update.exe then 508 Update.exe enable the same eight privileges in a fixed order, repeatedly: SeImpersonatePrivilege, SeTcbPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeIncreaseQuotaPrivilege, SeAssignPrimaryTokenPrivilege. 4104 accounts for 48 entries (six full cycles) and 508 for 14 (one cycle plus six), where the listing stops at 64 entries.
Suspicious use of WriteProcessMemory 64 IoCs
Writes by source PID into target PID (number of IoCs):
- 5004 42f87570f9be56966cef8d3aca72509d14125d3ecb5504b2f7ec7bdf54118a90.exe -> 4396 cmd.exe (3)
- 4396 cmd.exe -> 2616 reg.exe (3)
- 5004 42f87570f9be56966cef8d3aca72509d14125d3ecb5504b2f7ec7bdf54118a90.exe -> 2148 Update.exe (3)
- 2148 Update.exe -> 4104 Update.exe (7)
- 4104 Update.exe -> 4516 cmd.exe (3)
- 2148 Update.exe -> 508 Update.exe (7)
- 508 Update.exe -> 4428 cmd.exe (3)
- 2148 Update.exe -> 3964 Update.exe (7)
- 2148 Update.exe -> 1836 Update.exe (7)
- 1836 Update.exe -> 4388 cmd.exe (3)
- 2148 Update.exe -> 1772 Update.exe (7)
- 1772 Update.exe -> 4416 cmd.exe (3)
- 2148 Update.exe -> 2692 Update.exe (7)
- 2692 Update.exe -> 4872 cmd.exe (1; the listing stops at 64 entries here)
Every ordinary parent-to-child launch in this run (cmd.exe, reg.exe, and the first Update.exe started by the sample) shows three writes. Each Update.exe child of 2148 receives seven, and those seven PIDs are exactly the SetThreadContext targets above.
outlook_win_path 1 IoCs
Process: Update.exe
- Key opened: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\42f87570f9be56966cef8d3aca72509d14125d3ecb5504b2f7ec7bdf54118a90.exe (PID 5004)
    Command line: "C:\Users\Admin\AppData\Local\Temp\42f87570f9be56966cef8d3aca72509d14125d3ecb5504b2f7ec7bdf54118a90.exe"
    - Checks computer location settings
    - Maps connected drives based on registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\cmd.exe (PID 4396)
      Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Anti Virus" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Update.exe" & exit
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\reg.exe (PID 2616)
        Command line: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Anti Virus" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Update.exe"
        - Adds Run key to start application
  [2] C:\Users\Admin\AppData\Roaming\Update.exe (PID 2148)
      Command line: "C:\Users\Admin\AppData\Roaming\Update.exe"
      - Executes dropped EXE
      - Maps connected drives based on registry
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Roaming\Update.exe (PID 4104)
        Command line: "C:\Users\Admin\AppData\Roaming\Update.exe"
        - Executes dropped EXE
        - Checks computer location settings
        - Accesses Microsoft Outlook accounts
        - Accesses Microsoft Outlook profiles
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\cmd.exe (PID 4516)
          Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240649203.bat" "C:\Users\Admin\AppData\Roaming\Update.exe" "
    [3] C:\Users\Admin\AppData\Roaming\Update.exe (PID 508)
        Command line: "C:\Users\Admin\AppData\Roaming\Update.exe"
        - Executes dropped EXE
        - Checks computer location settings
        - Accesses Microsoft Outlook accounts
        - Accesses Microsoft Outlook profiles
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\cmd.exe (PID 4428)
          Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240676703.bat" "C:\Users\Admin\AppData\Roaming\Update.exe" "
    [3] C:\Users\Admin\AppData\Roaming\Update.exe (PID 3964)
        Command line: "C:\Users\Admin\AppData\Roaming\Update.exe"
        - Executes dropped EXE
    [3] C:\Users\Admin\AppData\Roaming\Update.exe (PID 1836)
        Command line: "C:\Users\Admin\AppData\Roaming\Update.exe"
        - Executes dropped EXE
        - Checks computer location settings
        - Accesses Microsoft Outlook accounts
        - Accesses Microsoft Outlook profiles
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\cmd.exe (PID 4388)
          Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240691953.bat" "C:\Users\Admin\AppData\Roaming\Update.exe" "
    [3] C:\Users\Admin\AppData\Roaming\Update.exe (PID 1772)
        Command line: "C:\Users\Admin\AppData\Roaming\Update.exe"
        - Executes dropped EXE
        - Checks computer location settings
        - Accesses Microsoft Outlook accounts
        - Accesses Microsoft Outlook profiles
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\cmd.exe (PID 4416)
          Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240703750.bat" "C:\Users\Admin\AppData\Roaming\Update.exe" "
    [3] C:\Users\Admin\AppData\Roaming\Update.exe (PID 2692)
        Command line: "C:\Users\Admin\AppData\Roaming\Update.exe"
        - Executes dropped EXE
        - Checks computer location settings
        - Accesses Microsoft Outlook accounts
        - Accesses Microsoft Outlook profiles
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\cmd.exe (PID 4872)
          Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240715937.bat" "C:\Users\Admin\AppData\Roaming\Update.exe" "
    [3] C:\Users\Admin\AppData\Roaming\Update.exe (PID 4328)
        Command line: "C:\Users\Admin\AppData\Roaming\Update.exe"
        - Executes dropped EXE
        - Accesses Microsoft Outlook accounts
        - Accesses Microsoft Outlook profiles
        - outlook_win_path
      [4] C:\Windows\SysWOW64\cmd.exe (PID 4232)
          Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240728000.bat" "C:\Users\Admin\AppData\Roaming\Update.exe" "
    [3] C:\Users\Admin\AppData\Roaming\Update.exe (PID 1812)
        Command line: "C:\Users\Admin\AppData\Roaming\Update.exe"
    [3] C:\Users\Admin\AppData\Roaming\Update.exe (PID 4236)
        Command line: "C:\Users\Admin\AppData\Roaming\Update.exe"
    [3] C:\Users\Admin\AppData\Roaming\Update.exe (PID 3628)
        Command line: "C:\Users\Admin\AppData\Roaming\Update.exe"
The bracketed number is the depth in the tree. The cmd.exe and reg.exe images resolve to C:\Windows\SysWOW64 although the command lines name System32: the sample is a 32-bit process and WoW64 file-system redirection maps the path. Each hollowed Update.exe child that gets as far as the Outlook checks then launches cmd.exe on a freshly named %TEMP%\*.bat with the dropped binary's own path as its single argument; the six .bat files are byte-identical (see Downloads).
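The process tree above shows three behaviours worth turning into hunts over endpoint telemetry: the Run-key addition through cmd.exe and reg.exe, a parent that hollows seven copies of its own image (WriteProcessMemory followed by SetThreadContext on the same children), and cmd.exe running a %TEMP% .bat with the dropped binary's path as its argument. The Python below is an added example and not part of this report or the sandbox. It rebuilds the tree from records hand-constructed from this run's PIDs, images, command lines and API-call counts; the Proc and ApiCall shapes and their field names are this example's own, not a Sysmon or sandbox schema.

```python
"""Added example: hunt this report's three behaviours in process and API telemetry.
Records are hand-constructed from the process tree and signature tables above;
the Proc/ApiCall shapes and field names are this example's own."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\42f87570f9be56966cef8d3aca72509d14125d3ecb5504b2f7ec7bdf54118a90.exe"
DROP = r"C:\Users\Admin\AppData\Roaming\Update.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"  # 32-bit sample: System32 is redirected to SysWOW64
REG = r"C:\Windows\SysWOW64\reg.exe"
RUN_ADD = (r'reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Anti Virus" '
           r'/t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Update.exe"')

@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str

@dataclass(frozen=True)
class ApiCall:
    pid: int     # caller
    api: str     # "WriteProcessMemory" or "SetThreadContext"
    target: int  # process acted upon

def _bat_cmd(stem):  # the cmd.exe lines of the tree, e.g. 240649203.bat
    return fr'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\{stem}.bat" "{DROP}" "'

HOLLOWED = (4104, 508, 3964, 1836, 1772, 2692, 4328)  # SetThreadContext targets of 2148
PROCS = (
    [Proc(5004, 0, SAMPLE, f'"{SAMPLE}"'),
     Proc(4396, 5004, CMD, f'"C:\\Windows\\System32\\cmd.exe" /c {RUN_ADD} & exit'),
     Proc(2616, 4396, REG, RUN_ADD),
     Proc(2148, 5004, DROP, f'"{DROP}"')]
    + [Proc(p, 2148, DROP, f'"{DROP}"') for p in HOLLOWED + (1812, 4236, 3628)]
    + [Proc(c, p, CMD, _bat_cmd(s)) for c, p, s in
       ((4516, 4104, 240649203), (4428, 508, 240676703), (4388, 1836, 240691953),
        (4416, 1772, 240703750), (4872, 2692, 240715937), (4232, 4328, 240728000))]
)
CALLS = (
    [ApiCall(5004, "WriteProcessMemory", 4396)] * 3
    + [ApiCall(4396, "WriteProcessMemory", 2616)] * 3
    + [ApiCall(5004, "WriteProcessMemory", 2148)] * 3
    + [ApiCall(2148, "WriteProcessMemory", t) for t in HOLLOWED for _ in range(7)]
    + [ApiCall(2148, "SetThreadContext", t) for t in HOLLOWED]
)

RUN_KEY = re.compile(
    r'reg(?:\.exe)?\s+add\s+"?(HK(?:CU|LM|EY_[A-Z_]+)\\[^"]*\\CurrentVersion\\Run(?:Once)?)"?'
    r'.*?/v\s+"([^"]+)".*?/d\s+"([^"]+)"', re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
TEMP_BAT = re.compile(
    r'cmd\.exe\s+/c\s+"*([A-Z]:\\[^"]*\\AppData\\Local\\Temp\\[^"\\]+\.bat)"\s+"([^"]+)"',
    re.IGNORECASE)

def find_run_key_persistence(procs):
    """reg.exe writing a Run/RunOnce value whose data points into a user profile."""
    hits = []
    for p in procs:
        if not p.image.lower().endswith("\\reg.exe"):
            continue  # the cmd.exe wrapper repeats the same text; count it once
        m = RUN_KEY.search(p.cmdline)
        if m and USER_WRITABLE.search(m.group(3)):
            hits.append({"pid": p.pid, "key": m.group(1), "value": m.group(2), "data": m.group(3)})
    return hits

def find_self_hollowing(procs, calls, min_children=2):
    """A parent that writes into children running its own image and then calls
    SetThreadContext on them: the RunPE fan-out seen here. Image equality, not the
    write count, is the discriminator; ordinary child launches also show writes."""
    by_pid = {p.pid: p for p in procs}
    writes = Counter((c.pid, c.target) for c in calls if c.api == "WriteProcessMemory")
    per_parent = defaultdict(list)
    for c in calls:
        if c.api != "SetThreadContext":
            continue
        parent, child = by_pid.get(c.pid), by_pid.get(c.target)
        if parent and child and child.ppid == parent.pid and child.image.lower() == parent.image.lower():
            per_parent[parent.pid].append({"target": child.pid, "writes": writes[(c.pid, c.target)]})
    return {src: sorted(v, key=lambda d: d["target"])
            for src, v in per_parent.items() if len(v) >= min_children}

def find_temp_bat_launches(procs):
    """cmd.exe /c <%TEMP%\\*.bat> "<path>", flagged when <path> is the parent's own image."""
    by_pid = {p.pid: p for p in procs}
    out = []
    for p in procs:
        m = TEMP_BAT.search(p.cmdline)
        if m:
            parent = by_pid.get(p.ppid)
            out.append({"pid": p.pid, "bat": m.group(1), "arg": m.group(2),
                        "arg_is_parent_image": parent is not None
                        and parent.image.lower() == m.group(2).lower()})
    return out
```

On this run, `find_run_key_persistence` returns the single reg.exe write of `Anti Virus` under HKCU\...\Run, `find_self_hollowing` returns PID 2148 with its seven children and seven writes each, and `find_temp_bat_launches` returns the six cmd.exe launches, each pointing back at the parent's own image. The hollowing check deliberately keys on parent/child image equality plus SetThreadContext rather than on the write count, because the report shows that ordinary child launches (cmd.exe, reg.exe) also produce a few WriteProcessMemory events.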
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Dropped .bat helpers (6 files, identical hashes):
- C:\Users\Admin\AppData\Local\Temp\240649203.bat
- C:\Users\Admin\AppData\Local\Temp\240676703.bat
- C:\Users\Admin\AppData\Local\Temp\240691953.bat
- C:\Users\Admin\AppData\Local\Temp\240703750.bat
- C:\Users\Admin\AppData\Local\Temp\240715937.bat
- C:\Users\Admin\AppData\Local\Temp\240728000.bat
Filesize: 94B
MD5: 3880eeb1c736d853eb13b44898b718ab
SHA1: 4eec9d50360cd815211e3c4e6bdd08271b6ec8e6
SHA256: 936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7
SHA512: 3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b
-
C:\Users\Admin\AppData\Roaming\Update.exe (listed 12 times with identical hashes; they match the submitted sample, so the dropped file is a byte-for-byte copy of 42f87570f9be56966cef8d3aca72509d14125d3ecb5504b2f7ec7bdf54118a90.exe)
Filesize: 1.9MB
MD5: 15a9103d4b99fcd908c1048b02aeb8f8
SHA1: f7df8f1f0e1c5a2183f4e2d705e25588e63f67e0
SHA256: 42f87570f9be56966cef8d3aca72509d14125d3ecb5504b2f7ec7bdf54118a90
SHA512: b50e6237942aee5f40dc27dc69361ad468c689ce48e4703f0386f001da767794c29ba35fadf0bcb899c42778906021bb17b12f93ec218acfff9ee0d3de48c55a
-
Memory dumps, grouped by PID (name format memory/<pid>-<seq>-<start>-<end>-memory.dmp; entries ending in -mapping.dmp carry no address range):
- 5004 42f87570f9be56966cef8d3aca72509d14125d3ecb5504b2f7ec7bdf54118a90.exe: seq 132, 133, 139: 0x0000000074CA0000-0x0000000075251000, 5.7MB
- 2148 Update.exe: seq 136 mapping; seq 146, 148: 0x0000000074CA0000-0x0000000075251000, 5.7MB; seq 182: 0x0000000000A39000-0x0000000000A3F000, 24KB
- 4104 Update.exe: seq 140 mapping; seq 141, 144, 145, 147, 149, 152: 0x0000000000400000-0x0000000000420000, 128KB
- 508 Update.exe: seq 153 mapping; seq 158, 159, 161: 0x0000000000400000-0x0000000000420000, 128KB
- 3964 Update.exe: seq 163 mapping
- 1836 Update.exe: seq 166 mapping; seq 172, 174: 0x0000000000400000-0x0000000000420000, 128KB
- 1772 Update.exe: seq 176 mapping; seq 183, 185: 0x0000000000400000-0x0000000000420000, 128KB
- 2692 Update.exe: seq 187 mapping; seq 193, 195: 0x0000000000400000-0x0000000000420000, 128KB
- 4328 Update.exe: seq 197 mapping; seq 203, 205: 0x0000000000400000-0x0000000000420000, 128KB
- 1812 Update.exe: seq 207 mapping; seq 208: 0x0000000000400000-0x0000000000420000, 128KB
- 4236 Update.exe: seq 210 mapping
- 3628 Update.exe: seq 213 mapping; seq 219: 0x0000000000400000-0x0000000000420000, 128KB
- cmd.exe / reg.exe children, mapping only: 4396 seq 134; 2616 seq 135; 4516 seq 150; 4428 seq 160; 4388 seq 173; 4416 seq 184; 4872 seq 194; 4232 seq 204
The same 128KB image at 0x400000-0x420000 is present in eight Update.exe children; the upx yara rule listed under Signatures matches it in 4104, 508, 1836, 1772, 2692, 4328 and 3628. The 5.7MB region appears only in 5004 and 2148, the two processes that were started normally rather than hollowed.
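The Downloads list above repeats byte-identical entries (six .bat files with one hash, twelve listings of Update.exe whose hashes equal the submitted sample's) and names the memory dumps by PID and address range. The Python below is an added example and not part of this report: it collapses the dropped-file list to distinct artefacts, parses the dump names back into regions, recomputes the sizes the report prints (128KB, 24KB, 5.7MB) and lists the PIDs that share the 0x400000-0x420000 image. The hashes and dump names are copied from this page; the function names are this example's own.

```python
"""Added example: normalise this report's Downloads and memory-dump listings.
The hashes and dump names are copied from the report by hand; function names
are this example's own."""
import re
from collections import defaultdict

SAMPLE_SHA256 = "42f87570f9be56966cef8d3aca72509d14125d3ecb5504b2f7ec7bdf54118a90"
BAT_SHA256 = "936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7"

# (path, sha256) as listed under Downloads: six .bat files and twelve Update.exe entries
DROPPED = [(fr"C:\Users\Admin\AppData\Local\Temp\{n}.bat", BAT_SHA256)
           for n in (240649203, 240676703, 240691953, 240703750, 240715937, 240728000)]
DROPPED += [(r"C:\Users\Admin\AppData\Roaming\Update.exe", SAMPLE_SHA256)] * 12

def unique_artefacts(entries, sample_sha256):
    """Collapse the listing to distinct files and mark copies of the submitted sample."""
    paths, listings = defaultdict(set), defaultdict(int)
    for path, sha in entries:
        paths[sha].add(path)
        listings[sha] += 1
    return {sha: {"paths": sorted(paths[sha]), "listings": listings[sha],
                  "is_sample_copy": sha == sample_sha256} for sha in paths}

DUMP_RE = re.compile(
    r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)(?:-0x([0-9A-Fa-f]+)-memory|-mapping)\.dmp")

def parse_dump(name):
    """memory/<pid>-<seq>-<start>-<end>-memory.dmp -> region with its byte size;
    memory/<pid>-<seq>-0x0-mapping.dmp              -> mapping record, no region."""
    m = DUMP_RE.fullmatch(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    pid, seq, start = int(m[1]), int(m[2]), int(m[3], 16)
    if m[4] is None:
        return {"pid": pid, "seq": seq, "kind": "mapping"}
    end = int(m[4], 16)
    return {"pid": pid, "seq": seq, "kind": "region", "start": start, "end": end, "size": end - start}

def human(size):
    """Render a byte count the way the report does ("128KB", "24KB", "5.7MB")."""
    return f"{size // 1024}KB" if size < 1 << 20 else f"{size / (1 << 20):.1f}MB"

def _dumps(pid, seqs, start, end):
    return [f"memory/{pid}-{s}-0x{start:016X}-0x{end:016X}-memory.dmp" for s in seqs]

# The region dumps from the listing, plus two of the mapping-only records.
DUMPS = (
    _dumps(5004, (132, 133, 139), 0x74CA0000, 0x75251000)
    + _dumps(2148, (146, 148), 0x74CA0000, 0x75251000) + _dumps(2148, (182,), 0xA39000, 0xA3F000)
    + _dumps(4104, (141, 144, 145, 147, 149, 152), 0x400000, 0x420000)
    + _dumps(508, (158, 159, 161), 0x400000, 0x420000) + _dumps(1836, (172, 174), 0x400000, 0x420000)
    + _dumps(1772, (183, 185), 0x400000, 0x420000) + _dumps(2692, (193, 195), 0x400000, 0x420000)
    + _dumps(4328, (203, 205), 0x400000, 0x420000) + _dumps(1812, (208,), 0x400000, 0x420000)
    + _dumps(3628, (219,), 0x400000, 0x420000)
    + ["memory/508-153-0x0000000000000000-mapping.dmp", "memory/2616-135-0x0000000000000000-mapping.dmp"]
)

def regions_by_pid(names):
    """Distinct (start, end, size) regions per PID; repeated dumps of one region collapse."""
    out = defaultdict(set)
    for d in map(parse_dump, names):
        if d["kind"] == "region":
            out[d["pid"]].add((d["start"], d["end"], d["size"]))
    return {pid: sorted(v) for pid, v in out.items()}

def pids_sharing_region(names, start, end):
    """Which processes carry an identical region, e.g. the 128KB image at 0x400000."""
    return sorted(pid for pid, regs in regions_by_pid(names).items()
                  if any(r[0] == start and r[1] == end for r in regs))
```

Run over the page's own data this reduces eighteen dropped-file listings to two distinct artefacts, confirms that 0x75251000 - 0x74CA0000 is 0x5B1000 bytes (the report's "5.7MB") and that the 0x400000-0x420000 region is 0x20000 bytes ("128KB"), and returns PIDs 508, 1772, 1812, 1836, 2692, 3628, 4104 and 4328 as the processes that share that image.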