pony | 42f87570f9be56966cef8d3aca72509d14125d3ecb5504b2f7ec7bdf54118a90

Analysis

max time kernel
170s
max time network
191s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2022 08:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

42f87570f9be56966cef8d3aca72509d14125d3ecb5504b2f7ec7bdf54118a90.exe
Size

1.9MB
MD5

15a9103d4b99fcd908c1048b02aeb8f8
SHA1

f7df8f1f0e1c5a2183f4e2d705e25588e63f67e0
SHA256

42f87570f9be56966cef8d3aca72509d14125d3ecb5504b2f7ec7bdf54118a90
SHA512

b50e6237942aee5f40dc27dc69361ad468c689ce48e4703f0386f001da767794c29ba35fadf0bcb899c42778906021bb17b12f93ec218acfff9ee0d3de48c55a
SSDEEP

49152:2rzKZmTHjNLbRAGWe4cqPLylFyaJcrRUQ:UKZmTDNLbRAGocqPLylFyaJcrRUQ

Score

10^/10

pony collection discovery persistence rat spyware stealer upx

Malware Config

Extracted

Family

pony

http://usgroupe.ma/wp-admin/reet/gate.php

Signatures

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Executes dropped EXE 8 IoCs

Processes:

Update.exeUpdate.exeUpdate.exeUpdate.exeUpdate.exeUpdate.exeUpdate.exeUpdate.exe

pid process

2148 Update.exe
4104 Update.exe
508 Update.exe
3964 Update.exe
1836 Update.exe
1772 Update.exe
2692 Update.exe
4328 Update.exe

pid	process
2148	Update.exe
4104	Update.exe
508	Update.exe
3964	Update.exe
1836	Update.exe
1772	Update.exe
2692	Update.exe
4328	Update.exe

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4104-141-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral2/memory/4104-144-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral2/memory/4104-145-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral2/memory/4104-147-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral2/memory/4104-149-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral2/memory/4104-152-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral2/memory/508-158-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral2/memory/508-159-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral2/memory/508-161-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral2/memory/1836-172-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral2/memory/1836-174-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral2/memory/1772-183-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral2/memory/1772-185-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral2/memory/2692-193-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral2/memory/2692-195-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral2/memory/4328-203-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral2/memory/4328-205-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral2/memory/3628-219-0x0000000000400000-0x0000000000420000-memory.dmp	upx

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

42f87570f9be56966cef8d3aca72509d14125d3ecb5504b2f7ec7bdf54118a90.exeUpdate.exeUpdate.exeUpdate.exeUpdate.exeUpdate.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	42f87570f9be56966cef8d3aca72509d14125d3ecb5504b2f7ec7bdf54118a90.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Update.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook accounts 1 TTPs 6 IoCs

collection

Email Collection

T1114

Processes:

Update.exeUpdate.exeUpdate.exeUpdate.exeUpdate.exeUpdate.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Update.exe
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Update.exe
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Update.exe
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Update.exe
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Update.exe
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Update.exe

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

Processes:

Update.exeUpdate.exeUpdate.exeUpdate.exeUpdate.exeUpdate.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Update.exe
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Update.exe
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Update.exe
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Update.exe
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Update.exe
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Update.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Anti Virus = "C:\\Users\\Admin\\AppData\\Roaming\\Update.exe"	reg.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

42f87570f9be56966cef8d3aca72509d14125d3ecb5504b2f7ec7bdf54118a90.exeUpdate.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	42f87570f9be56966cef8d3aca72509d14125d3ecb5504b2f7ec7bdf54118a90.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	42f87570f9be56966cef8d3aca72509d14125d3ecb5504b2f7ec7bdf54118a90.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	Update.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	Update.exe

Suspicious use of SetThreadContext 7 IoCs

Processes:

Update.exe

description	pid	process	target process
PID 2148 set thread context of 4104	2148	Update.exe	Update.exe
PID 2148 set thread context of 508	2148	Update.exe	Update.exe
PID 2148 set thread context of 3964	2148	Update.exe	Update.exe
PID 2148 set thread context of 1836	2148	Update.exe	Update.exe
PID 2148 set thread context of 1772	2148	Update.exe	Update.exe
PID 2148 set thread context of 2692	2148	Update.exe	Update.exe
PID 2148 set thread context of 4328	2148	Update.exe	Update.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

42f87570f9be56966cef8d3aca72509d14125d3ecb5504b2f7ec7bdf54118a90.exeUpdate.exe

pid	process
5004	42f87570f9be56966cef8d3aca72509d14125d3ecb5504b2f7ec7bdf54118a90.exe
2148	Update.exe
2148	Update.exe
2148	Update.exe
2148	Update.exe
2148	Update.exe
2148	Update.exe
2148	Update.exe
2148	Update.exe
2148	Update.exe
2148	Update.exe
2148	Update.exe
2148	Update.exe
2148	Update.exe
2148	Update.exe
2148	Update.exe
2148	Update.exe
2148	Update.exe
2148	Update.exe
2148	Update.exe
2148	Update.exe
2148	Update.exe
2148	Update.exe
2148	Update.exe
2148	Update.exe
2148	Update.exe
2148	Update.exe
2148	Update.exe
2148	Update.exe
2148	Update.exe
2148	Update.exe
2148	Update.exe
2148	Update.exe
2148	Update.exe
2148	Update.exe
2148	Update.exe
2148	Update.exe
2148	Update.exe
2148	Update.exe
2148	Update.exe
2148	Update.exe
2148	Update.exe
2148	Update.exe
2148	Update.exe
2148	Update.exe
2148	Update.exe
2148	Update.exe
2148	Update.exe
2148	Update.exe
2148	Update.exe
2148	Update.exe
2148	Update.exe
2148	Update.exe
2148	Update.exe
2148	Update.exe
2148	Update.exe
2148	Update.exe
2148	Update.exe
2148	Update.exe
2148	Update.exe
2148	Update.exe
2148	Update.exe
2148	Update.exe
2148	Update.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

42f87570f9be56966cef8d3aca72509d14125d3ecb5504b2f7ec7bdf54118a90.exeUpdate.exeUpdate.exeUpdate.exe

description	pid	process
Token: SeDebugPrivilege	5004	42f87570f9be56966cef8d3aca72509d14125d3ecb5504b2f7ec7bdf54118a90.exe
Token: SeDebugPrivilege	2148	Update.exe
Token: SeImpersonatePrivilege	4104	Update.exe
Token: SeTcbPrivilege	4104	Update.exe
Token: SeChangeNotifyPrivilege	4104	Update.exe
Token: SeCreateTokenPrivilege	4104	Update.exe
Token: SeBackupPrivilege	4104	Update.exe
Token: SeRestorePrivilege	4104	Update.exe
Token: SeIncreaseQuotaPrivilege	4104	Update.exe
Token: SeAssignPrimaryTokenPrivilege	4104	Update.exe
Token: SeImpersonatePrivilege	4104	Update.exe
Token: SeTcbPrivilege	4104	Update.exe
Token: SeChangeNotifyPrivilege	4104	Update.exe
Token: SeCreateTokenPrivilege	4104	Update.exe
Token: SeBackupPrivilege	4104	Update.exe
Token: SeRestorePrivilege	4104	Update.exe
Token: SeIncreaseQuotaPrivilege	4104	Update.exe
Token: SeAssignPrimaryTokenPrivilege	4104	Update.exe
Token: SeImpersonatePrivilege	4104	Update.exe
Token: SeTcbPrivilege	4104	Update.exe
Token: SeChangeNotifyPrivilege	4104	Update.exe
Token: SeCreateTokenPrivilege	4104	Update.exe
Token: SeBackupPrivilege	4104	Update.exe
Token: SeRestorePrivilege	4104	Update.exe
Token: SeIncreaseQuotaPrivilege	4104	Update.exe
Token: SeAssignPrimaryTokenPrivilege	4104	Update.exe
Token: SeImpersonatePrivilege	4104	Update.exe
Token: SeTcbPrivilege	4104	Update.exe
Token: SeChangeNotifyPrivilege	4104	Update.exe
Token: SeCreateTokenPrivilege	4104	Update.exe
Token: SeBackupPrivilege	4104	Update.exe
Token: SeRestorePrivilege	4104	Update.exe
Token: SeIncreaseQuotaPrivilege	4104	Update.exe
Token: SeAssignPrimaryTokenPrivilege	4104	Update.exe
Token: SeImpersonatePrivilege	4104	Update.exe
Token: SeTcbPrivilege	4104	Update.exe
Token: SeChangeNotifyPrivilege	4104	Update.exe
Token: SeCreateTokenPrivilege	4104	Update.exe
Token: SeBackupPrivilege	4104	Update.exe
Token: SeRestorePrivilege	4104	Update.exe
Token: SeIncreaseQuotaPrivilege	4104	Update.exe
Token: SeAssignPrimaryTokenPrivilege	4104	Update.exe
Token: SeImpersonatePrivilege	4104	Update.exe
Token: SeTcbPrivilege	4104	Update.exe
Token: SeChangeNotifyPrivilege	4104	Update.exe
Token: SeCreateTokenPrivilege	4104	Update.exe
Token: SeBackupPrivilege	4104	Update.exe
Token: SeRestorePrivilege	4104	Update.exe
Token: SeIncreaseQuotaPrivilege	4104	Update.exe
Token: SeAssignPrimaryTokenPrivilege	4104	Update.exe
Token: SeImpersonatePrivilege	508	Update.exe
Token: SeTcbPrivilege	508	Update.exe
Token: SeChangeNotifyPrivilege	508	Update.exe
Token: SeCreateTokenPrivilege	508	Update.exe
Token: SeBackupPrivilege	508	Update.exe
Token: SeRestorePrivilege	508	Update.exe
Token: SeIncreaseQuotaPrivilege	508	Update.exe
Token: SeAssignPrimaryTokenPrivilege	508	Update.exe
Token: SeImpersonatePrivilege	508	Update.exe
Token: SeTcbPrivilege	508	Update.exe
Token: SeChangeNotifyPrivilege	508	Update.exe
Token: SeCreateTokenPrivilege	508	Update.exe
Token: SeBackupPrivilege	508	Update.exe
Token: SeRestorePrivilege	508	Update.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

42f87570f9be56966cef8d3aca72509d14125d3ecb5504b2f7ec7bdf54118a90.execmd.exeUpdate.exeUpdate.exeUpdate.exeUpdate.exeUpdate.exeUpdate.exe

description	pid	process	target process
PID 5004 wrote to memory of 4396	5004	42f87570f9be56966cef8d3aca72509d14125d3ecb5504b2f7ec7bdf54118a90.exe	cmd.exe
PID 5004 wrote to memory of 4396	5004	42f87570f9be56966cef8d3aca72509d14125d3ecb5504b2f7ec7bdf54118a90.exe	cmd.exe
PID 5004 wrote to memory of 4396	5004	42f87570f9be56966cef8d3aca72509d14125d3ecb5504b2f7ec7bdf54118a90.exe	cmd.exe
PID 4396 wrote to memory of 2616	4396	cmd.exe	reg.exe
PID 4396 wrote to memory of 2616	4396	cmd.exe	reg.exe
PID 4396 wrote to memory of 2616	4396	cmd.exe	reg.exe
PID 5004 wrote to memory of 2148	5004	42f87570f9be56966cef8d3aca72509d14125d3ecb5504b2f7ec7bdf54118a90.exe	Update.exe
PID 5004 wrote to memory of 2148	5004	42f87570f9be56966cef8d3aca72509d14125d3ecb5504b2f7ec7bdf54118a90.exe	Update.exe
PID 5004 wrote to memory of 2148	5004	42f87570f9be56966cef8d3aca72509d14125d3ecb5504b2f7ec7bdf54118a90.exe	Update.exe
PID 2148 wrote to memory of 4104	2148	Update.exe	Update.exe
PID 2148 wrote to memory of 4104	2148	Update.exe	Update.exe
PID 2148 wrote to memory of 4104	2148	Update.exe	Update.exe
PID 2148 wrote to memory of 4104	2148	Update.exe	Update.exe
PID 2148 wrote to memory of 4104	2148	Update.exe	Update.exe
PID 2148 wrote to memory of 4104	2148	Update.exe	Update.exe
PID 2148 wrote to memory of 4104	2148	Update.exe	Update.exe
PID 4104 wrote to memory of 4516	4104	Update.exe	cmd.exe
PID 4104 wrote to memory of 4516	4104	Update.exe	cmd.exe
PID 4104 wrote to memory of 4516	4104	Update.exe	cmd.exe
PID 2148 wrote to memory of 508	2148	Update.exe	Update.exe
PID 2148 wrote to memory of 508	2148	Update.exe	Update.exe
PID 2148 wrote to memory of 508	2148	Update.exe	Update.exe
PID 2148 wrote to memory of 508	2148	Update.exe	Update.exe
PID 2148 wrote to memory of 508	2148	Update.exe	Update.exe
PID 2148 wrote to memory of 508	2148	Update.exe	Update.exe
PID 2148 wrote to memory of 508	2148	Update.exe	Update.exe
PID 508 wrote to memory of 4428	508	Update.exe	cmd.exe
PID 508 wrote to memory of 4428	508	Update.exe	cmd.exe
PID 508 wrote to memory of 4428	508	Update.exe	cmd.exe
PID 2148 wrote to memory of 3964	2148	Update.exe	Update.exe
PID 2148 wrote to memory of 3964	2148	Update.exe	Update.exe
PID 2148 wrote to memory of 3964	2148	Update.exe	Update.exe
PID 2148 wrote to memory of 3964	2148	Update.exe	Update.exe
PID 2148 wrote to memory of 3964	2148	Update.exe	Update.exe
PID 2148 wrote to memory of 3964	2148	Update.exe	Update.exe
PID 2148 wrote to memory of 3964	2148	Update.exe	Update.exe
PID 2148 wrote to memory of 1836	2148	Update.exe	Update.exe
PID 2148 wrote to memory of 1836	2148	Update.exe	Update.exe
PID 2148 wrote to memory of 1836	2148	Update.exe	Update.exe
PID 2148 wrote to memory of 1836	2148	Update.exe	Update.exe
PID 2148 wrote to memory of 1836	2148	Update.exe	Update.exe
PID 2148 wrote to memory of 1836	2148	Update.exe	Update.exe
PID 2148 wrote to memory of 1836	2148	Update.exe	Update.exe
PID 1836 wrote to memory of 4388	1836	Update.exe	cmd.exe
PID 1836 wrote to memory of 4388	1836	Update.exe	cmd.exe
PID 1836 wrote to memory of 4388	1836	Update.exe	cmd.exe
PID 2148 wrote to memory of 1772	2148	Update.exe	Update.exe
PID 2148 wrote to memory of 1772	2148	Update.exe	Update.exe
PID 2148 wrote to memory of 1772	2148	Update.exe	Update.exe
PID 2148 wrote to memory of 1772	2148	Update.exe	Update.exe
PID 2148 wrote to memory of 1772	2148	Update.exe	Update.exe
PID 2148 wrote to memory of 1772	2148	Update.exe	Update.exe
PID 2148 wrote to memory of 1772	2148	Update.exe	Update.exe
PID 1772 wrote to memory of 4416	1772	Update.exe	cmd.exe
PID 1772 wrote to memory of 4416	1772	Update.exe	cmd.exe
PID 1772 wrote to memory of 4416	1772	Update.exe	cmd.exe
PID 2148 wrote to memory of 2692	2148	Update.exe	Update.exe
PID 2148 wrote to memory of 2692	2148	Update.exe	Update.exe
PID 2148 wrote to memory of 2692	2148	Update.exe	Update.exe
PID 2148 wrote to memory of 2692	2148	Update.exe	Update.exe
PID 2148 wrote to memory of 2692	2148	Update.exe	Update.exe
PID 2148 wrote to memory of 2692	2148	Update.exe	Update.exe
PID 2148 wrote to memory of 2692	2148	Update.exe	Update.exe
PID 2692 wrote to memory of 4872	2692	Update.exe	cmd.exe

outlook_win_path 1 IoCs

Processes:

Update.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Update.exe

C:\Users\Admin\AppData\Local\Temp\42f87570f9be56966cef8d3aca72509d14125d3ecb5504b2f7ec7bdf54118a90.exe
"C:\Users\Admin\AppData\Local\Temp\42f87570f9be56966cef8d3aca72509d14125d3ecb5504b2f7ec7bdf54118a90.exe"
1⤵
- Checks computer location settings
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5004

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Anti Virus" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Update.exe" & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:4396

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Anti Virus" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Update.exe"
3⤵
- Adds Run key to start application
PID:2616

C:\Users\Admin\AppData\Roaming\Update.exe
"C:\Users\Admin\AppData\Roaming\Update.exe"
2⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2148

C:\Users\Admin\AppData\Roaming\Update.exe
"C:\Users\Admin\AppData\Roaming\Update.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240649203.bat" "C:\Users\Admin\AppData\Roaming\Update.exe" "
4⤵
PID:4516

C:\Users\Admin\AppData\Roaming\Update.exe
"C:\Users\Admin\AppData\Roaming\Update.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:508

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240676703.bat" "C:\Users\Admin\AppData\Roaming\Update.exe" "
4⤵
PID:4428

C:\Users\Admin\AppData\Roaming\Update.exe
"C:\Users\Admin\AppData\Roaming\Update.exe"
3⤵
- Executes dropped EXE
PID:3964

C:\Users\Admin\AppData\Roaming\Update.exe
"C:\Users\Admin\AppData\Roaming\Update.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of WriteProcessMemory
PID:1836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240691953.bat" "C:\Users\Admin\AppData\Roaming\Update.exe" "
4⤵
PID:4388

C:\Users\Admin\AppData\Roaming\Update.exe
"C:\Users\Admin\AppData\Roaming\Update.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of WriteProcessMemory
PID:1772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240703750.bat" "C:\Users\Admin\AppData\Roaming\Update.exe" "
4⤵
PID:4416

C:\Users\Admin\AppData\Roaming\Update.exe
"C:\Users\Admin\AppData\Roaming\Update.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of WriteProcessMemory
PID:2692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240715937.bat" "C:\Users\Admin\AppData\Roaming\Update.exe" "
4⤵
PID:4872

C:\Users\Admin\AppData\Roaming\Update.exe
"C:\Users\Admin\AppData\Roaming\Update.exe"
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- outlook_win_path
PID:4328

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240728000.bat" "C:\Users\Admin\AppData\Roaming\Update.exe" "
4⤵
PID:4232

C:\Users\Admin\AppData\Roaming\Update.exe
"C:\Users\Admin\AppData\Roaming\Update.exe"
3⤵
PID:1812

C:\Users\Admin\AppData\Roaming\Update.exe
"C:\Users\Admin\AppData\Roaming\Update.exe"
3⤵
PID:4236

C:\Users\Admin\AppData\Roaming\Update.exe
"C:\Users\Admin\AppData\Roaming\Update.exe"
3⤵
PID:3628

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\240649203.bat
Filesize
94B

MD5
3880eeb1c736d853eb13b44898b718ab

SHA1
4eec9d50360cd815211e3c4e6bdd08271b6ec8e6

SHA256
936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7

SHA512
3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\240676703.bat
Filesize
94B

MD5
3880eeb1c736d853eb13b44898b718ab

SHA1
4eec9d50360cd815211e3c4e6bdd08271b6ec8e6

SHA256
936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7

SHA512
3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\240691953.bat
Filesize
94B

MD5
3880eeb1c736d853eb13b44898b718ab

SHA1
4eec9d50360cd815211e3c4e6bdd08271b6ec8e6

SHA256
936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7

SHA512
3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\240703750.bat
Filesize
94B

MD5
3880eeb1c736d853eb13b44898b718ab

SHA1
4eec9d50360cd815211e3c4e6bdd08271b6ec8e6

SHA256
936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7

SHA512
3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\240715937.bat
Filesize
94B

MD5
3880eeb1c736d853eb13b44898b718ab

SHA1
4eec9d50360cd815211e3c4e6bdd08271b6ec8e6

SHA256
936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7

SHA512
3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\240728000.bat
Filesize
94B

MD5
3880eeb1c736d853eb13b44898b718ab

SHA1
4eec9d50360cd815211e3c4e6bdd08271b6ec8e6

SHA256
936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7

SHA512
3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

Download Submit
C:\Users\Admin\AppData\Roaming\Update.exe
Filesize
1.9MB

MD5
15a9103d4b99fcd908c1048b02aeb8f8

SHA1
f7df8f1f0e1c5a2183f4e2d705e25588e63f67e0

SHA256
42f87570f9be56966cef8d3aca72509d14125d3ecb5504b2f7ec7bdf54118a90

SHA512
b50e6237942aee5f40dc27dc69361ad468c689ce48e4703f0386f001da767794c29ba35fadf0bcb899c42778906021bb17b12f93ec218acfff9ee0d3de48c55a

Download Submit
C:\Users\Admin\AppData\Roaming\Update.exe
Filesize
1.9MB

MD5
15a9103d4b99fcd908c1048b02aeb8f8

SHA1
f7df8f1f0e1c5a2183f4e2d705e25588e63f67e0

SHA256
42f87570f9be56966cef8d3aca72509d14125d3ecb5504b2f7ec7bdf54118a90

SHA512
b50e6237942aee5f40dc27dc69361ad468c689ce48e4703f0386f001da767794c29ba35fadf0bcb899c42778906021bb17b12f93ec218acfff9ee0d3de48c55a

Download Submit
C:\Users\Admin\AppData\Roaming\Update.exe
Filesize
1.9MB

MD5
15a9103d4b99fcd908c1048b02aeb8f8

SHA1
f7df8f1f0e1c5a2183f4e2d705e25588e63f67e0

SHA256
42f87570f9be56966cef8d3aca72509d14125d3ecb5504b2f7ec7bdf54118a90

SHA512
b50e6237942aee5f40dc27dc69361ad468c689ce48e4703f0386f001da767794c29ba35fadf0bcb899c42778906021bb17b12f93ec218acfff9ee0d3de48c55a

Download Submit
C:\Users\Admin\AppData\Roaming\Update.exe
Filesize
1.9MB

MD5
15a9103d4b99fcd908c1048b02aeb8f8

SHA1
f7df8f1f0e1c5a2183f4e2d705e25588e63f67e0

SHA256
42f87570f9be56966cef8d3aca72509d14125d3ecb5504b2f7ec7bdf54118a90

SHA512
b50e6237942aee5f40dc27dc69361ad468c689ce48e4703f0386f001da767794c29ba35fadf0bcb899c42778906021bb17b12f93ec218acfff9ee0d3de48c55a

Download Submit
C:\Users\Admin\AppData\Roaming\Update.exe
Filesize
1.9MB

MD5
15a9103d4b99fcd908c1048b02aeb8f8

SHA1
f7df8f1f0e1c5a2183f4e2d705e25588e63f67e0

SHA256
42f87570f9be56966cef8d3aca72509d14125d3ecb5504b2f7ec7bdf54118a90

SHA512
b50e6237942aee5f40dc27dc69361ad468c689ce48e4703f0386f001da767794c29ba35fadf0bcb899c42778906021bb17b12f93ec218acfff9ee0d3de48c55a

Download Submit
C:\Users\Admin\AppData\Roaming\Update.exe
Filesize
1.9MB

MD5
15a9103d4b99fcd908c1048b02aeb8f8

SHA1
f7df8f1f0e1c5a2183f4e2d705e25588e63f67e0

SHA256
42f87570f9be56966cef8d3aca72509d14125d3ecb5504b2f7ec7bdf54118a90

SHA512
b50e6237942aee5f40dc27dc69361ad468c689ce48e4703f0386f001da767794c29ba35fadf0bcb899c42778906021bb17b12f93ec218acfff9ee0d3de48c55a

Download Submit
C:\Users\Admin\AppData\Roaming\Update.exe
Filesize
1.9MB

MD5
15a9103d4b99fcd908c1048b02aeb8f8

SHA1
f7df8f1f0e1c5a2183f4e2d705e25588e63f67e0

SHA256
42f87570f9be56966cef8d3aca72509d14125d3ecb5504b2f7ec7bdf54118a90

SHA512
b50e6237942aee5f40dc27dc69361ad468c689ce48e4703f0386f001da767794c29ba35fadf0bcb899c42778906021bb17b12f93ec218acfff9ee0d3de48c55a

Download Submit
C:\Users\Admin\AppData\Roaming\Update.exe
Filesize
1.9MB

MD5
15a9103d4b99fcd908c1048b02aeb8f8

SHA1
f7df8f1f0e1c5a2183f4e2d705e25588e63f67e0

SHA256
42f87570f9be56966cef8d3aca72509d14125d3ecb5504b2f7ec7bdf54118a90

SHA512
b50e6237942aee5f40dc27dc69361ad468c689ce48e4703f0386f001da767794c29ba35fadf0bcb899c42778906021bb17b12f93ec218acfff9ee0d3de48c55a

Download Submit
C:\Users\Admin\AppData\Roaming\Update.exe
Filesize
1.9MB

MD5
15a9103d4b99fcd908c1048b02aeb8f8

SHA1
f7df8f1f0e1c5a2183f4e2d705e25588e63f67e0

SHA256
42f87570f9be56966cef8d3aca72509d14125d3ecb5504b2f7ec7bdf54118a90

SHA512
b50e6237942aee5f40dc27dc69361ad468c689ce48e4703f0386f001da767794c29ba35fadf0bcb899c42778906021bb17b12f93ec218acfff9ee0d3de48c55a

Download Submit
C:\Users\Admin\AppData\Roaming\Update.exe
Filesize
1.9MB

MD5
15a9103d4b99fcd908c1048b02aeb8f8

SHA1
f7df8f1f0e1c5a2183f4e2d705e25588e63f67e0

SHA256
42f87570f9be56966cef8d3aca72509d14125d3ecb5504b2f7ec7bdf54118a90

SHA512
b50e6237942aee5f40dc27dc69361ad468c689ce48e4703f0386f001da767794c29ba35fadf0bcb899c42778906021bb17b12f93ec218acfff9ee0d3de48c55a

Download Submit
C:\Users\Admin\AppData\Roaming\Update.exe
Filesize
1.9MB

MD5
15a9103d4b99fcd908c1048b02aeb8f8

SHA1
f7df8f1f0e1c5a2183f4e2d705e25588e63f67e0

SHA256
42f87570f9be56966cef8d3aca72509d14125d3ecb5504b2f7ec7bdf54118a90

SHA512
b50e6237942aee5f40dc27dc69361ad468c689ce48e4703f0386f001da767794c29ba35fadf0bcb899c42778906021bb17b12f93ec218acfff9ee0d3de48c55a

Download Submit
C:\Users\Admin\AppData\Roaming\Update.exe
Filesize
1.9MB

MD5
15a9103d4b99fcd908c1048b02aeb8f8

SHA1
f7df8f1f0e1c5a2183f4e2d705e25588e63f67e0

SHA256
42f87570f9be56966cef8d3aca72509d14125d3ecb5504b2f7ec7bdf54118a90

SHA512
b50e6237942aee5f40dc27dc69361ad468c689ce48e4703f0386f001da767794c29ba35fadf0bcb899c42778906021bb17b12f93ec218acfff9ee0d3de48c55a

Download Submit
memory/508-161-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/508-159-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/508-153-0x0000000000000000-mapping.dmp

Download
memory/508-158-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1772-183-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1772-185-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1772-176-0x0000000000000000-mapping.dmp

Download
memory/1812-207-0x0000000000000000-mapping.dmp

Download
memory/1812-208-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1836-166-0x0000000000000000-mapping.dmp

Download
memory/1836-172-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1836-174-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2148-148-0x0000000074CA0000-0x0000000075251000-memory.dmp

Filesize
5.7MB

Download
memory/2148-146-0x0000000074CA0000-0x0000000075251000-memory.dmp

Filesize
5.7MB

Download
memory/2148-182-0x0000000000A39000-0x0000000000A3F000-memory.dmp

Filesize
24KB

Download
memory/2148-136-0x0000000000000000-mapping.dmp

Download
memory/2616-135-0x0000000000000000-mapping.dmp

Download
memory/2692-195-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2692-187-0x0000000000000000-mapping.dmp

Download
memory/2692-193-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3628-219-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3628-213-0x0000000000000000-mapping.dmp

Download
memory/3964-163-0x0000000000000000-mapping.dmp

Download
memory/4104-141-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4104-145-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4104-149-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4104-152-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4104-140-0x0000000000000000-mapping.dmp

Download
memory/4104-144-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4104-147-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4232-204-0x0000000000000000-mapping.dmp

Download
memory/4236-210-0x0000000000000000-mapping.dmp

Download
memory/4328-203-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4328-197-0x0000000000000000-mapping.dmp

Download
memory/4328-205-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4388-173-0x0000000000000000-mapping.dmp

Download
memory/4396-134-0x0000000000000000-mapping.dmp

Download
memory/4416-184-0x0000000000000000-mapping.dmp

Download
memory/4428-160-0x0000000000000000-mapping.dmp

Download
memory/4516-150-0x0000000000000000-mapping.dmp

Download
memory/4872-194-0x0000000000000000-mapping.dmp

Download
memory/5004-132-0x0000000074CA0000-0x0000000075251000-memory.dmp

Filesize
5.7MB

Download
memory/5004-139-0x0000000074CA0000-0x0000000075251000-memory.dmp

Filesize
5.7MB

Download
memory/5004-133-0x0000000074CA0000-0x0000000075251000-memory.dmp

Filesize
5.7MB

Download