pony | 34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41

Analysis

max time kernel
154s
max time network
192s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
26-11-2022 15:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe
Size

187KB
MD5

68b4ca99283c6099e6b07994d93ecbbb
SHA1

8b26dcf97f6ad64ab20712d61ac7ca328cb584be
SHA256

34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41
SHA512

95809b747178739ede228109dbefb61cb4bccd7be3982b50abddf2b5e6dda2ca3dfc4a55aed484af603a77864915e4d1647b6a6da44df64bf60b6c2b7f24f5b3
SSDEEP

3072:ungmqO1OfS/LnFZeQ9TiKqVmJAy/ty2WS3gBh39QLTvNaJS7X9hkU:uXZ/L/r9gq/tyrBh36NaU7X9h

Score

10^/10

pony collection discovery persistence rat spyware stealer upx

Malware Config

Extracted

Family

pony

http://silverspoontech.co.in/bogy/Panel/gate.php

Attributes

payload_url
http://silverspoontech.co.in/bogy/Panel/shit.exe

Signatures

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Executes dropped EXE 5 IoCs

Processes:

AeLookupSvi.exeProfSvc.exeProfSvc.exeAeLookupSvi.exeAeLookupSvi.exe

pid process

1496 AeLookupSvi.exe
1860 ProfSvc.exe
1380 ProfSvc.exe
820 AeLookupSvi.exe
1968 AeLookupSvi.exe

pid	process
1496	AeLookupSvi.exe
1860	ProfSvc.exe
1380	ProfSvc.exe
820	AeLookupSvi.exe
1968	AeLookupSvi.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/728-58-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/728-60-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/728-61-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/728-65-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/728-66-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/728-72-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/728-74-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/728-88-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1380-106-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1380-102-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1380-108-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1380-122-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/956-129-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/956-128-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/956-130-0x0000000000400000-0x000000000041C000-memory.dmp	upx

Loads dropped DLL 3 IoCs

Processes:

34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exeAeLookupSvi.exeProfSvc.exe

pid process

940 34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe
1496 AeLookupSvi.exe
1860 ProfSvc.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook accounts 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exeProfSvc.exetakshost.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe
Key opened	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	ProfSvc.exe
Key opened	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	takshost.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

ProfSvc.exetakshost.exe34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	ProfSvc.exe
Key opened	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	takshost.exe
Key opened	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

AeLookupSvi.exeAeLookupSvi.exeAeLookupSvi.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\Application Experience = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\AeLookupSvi.exe"	AeLookupSvi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\Application Experience = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\AeLookupSvi.exe"	AeLookupSvi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\Application Experience = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\AeLookupSvi.exe"	AeLookupSvi.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 3 IoCs

Processes:

34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exeProfSvc.exetakshost.exe

description	pid	process	target process
PID 940 set thread context of 728	940	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe
PID 1860 set thread context of 1380	1860	ProfSvc.exe	ProfSvc.exe
PID 544 set thread context of 956	544	takshost.exe	takshost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exeAeLookupSvi.exe

pid	process
940	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe
940	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe
940	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe
940	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe
940	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe
940	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe
940	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe
940	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe
940	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe
940	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe
940	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe
940	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe
940	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe
940	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe
940	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe
940	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe
940	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe
940	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe
940	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe
940	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe
940	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe
940	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe
940	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe
940	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe
1496	AeLookupSvi.exe
940	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe
940	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe
940	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe
1496	AeLookupSvi.exe
940	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe
940	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe
1496	AeLookupSvi.exe
940	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe
940	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe
1496	AeLookupSvi.exe
940	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe
940	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe
940	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe
1496	AeLookupSvi.exe
940	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe
940	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe
1496	AeLookupSvi.exe
940	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe
940	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe
1496	AeLookupSvi.exe
940	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe
940	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe
940	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe
1496	AeLookupSvi.exe
940	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe
940	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe
1496	AeLookupSvi.exe
940	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe
940	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe
1496	AeLookupSvi.exe
940	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe
940	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe
1496	AeLookupSvi.exe
940	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe
940	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe
1496	AeLookupSvi.exe
940	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe
940	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe
940	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe

pid process

940 34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exeAeLookupSvi.exeProfSvc.exeProfSvc.exeAeLookupSvi.exetakshost.exeAeLookupSvi.exe

description	pid	process
Token: SeDebugPrivilege	940	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe
Token: SeImpersonatePrivilege	728	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe
Token: SeTcbPrivilege	728	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe
Token: SeChangeNotifyPrivilege	728	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe
Token: SeCreateTokenPrivilege	728	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe
Token: SeBackupPrivilege	728	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe
Token: SeRestorePrivilege	728	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe
Token: SeIncreaseQuotaPrivilege	728	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe
Token: SeAssignPrimaryTokenPrivilege	728	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe
Token: SeDebugPrivilege	1496	AeLookupSvi.exe
Token: SeImpersonatePrivilege	728	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe
Token: SeTcbPrivilege	728	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe
Token: SeChangeNotifyPrivilege	728	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe
Token: SeCreateTokenPrivilege	728	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe
Token: SeBackupPrivilege	728	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe
Token: SeRestorePrivilege	728	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe
Token: SeIncreaseQuotaPrivilege	728	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe
Token: SeAssignPrimaryTokenPrivilege	728	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe
Token: SeImpersonatePrivilege	728	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe
Token: SeTcbPrivilege	728	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe
Token: SeChangeNotifyPrivilege	728	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe
Token: SeCreateTokenPrivilege	728	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe
Token: SeBackupPrivilege	728	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe
Token: SeRestorePrivilege	728	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe
Token: SeIncreaseQuotaPrivilege	728	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe
Token: SeAssignPrimaryTokenPrivilege	728	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe
Token: SeImpersonatePrivilege	728	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe
Token: SeTcbPrivilege	728	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe
Token: SeChangeNotifyPrivilege	728	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe
Token: SeCreateTokenPrivilege	728	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe
Token: SeBackupPrivilege	728	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe
Token: SeRestorePrivilege	728	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe
Token: SeIncreaseQuotaPrivilege	728	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe
Token: SeAssignPrimaryTokenPrivilege	728	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe
Token: SeDebugPrivilege	1860	ProfSvc.exe
Token: SeImpersonatePrivilege	1380	ProfSvc.exe
Token: SeTcbPrivilege	1380	ProfSvc.exe
Token: SeChangeNotifyPrivilege	1380	ProfSvc.exe
Token: SeCreateTokenPrivilege	1380	ProfSvc.exe
Token: SeBackupPrivilege	1380	ProfSvc.exe
Token: SeRestorePrivilege	1380	ProfSvc.exe
Token: SeIncreaseQuotaPrivilege	1380	ProfSvc.exe
Token: SeAssignPrimaryTokenPrivilege	1380	ProfSvc.exe
Token: SeDebugPrivilege	820	AeLookupSvi.exe
Token: SeDebugPrivilege	544	takshost.exe
Token: SeDebugPrivilege	1968	AeLookupSvi.exe
Token: SeImpersonatePrivilege	1380	ProfSvc.exe
Token: SeTcbPrivilege	1380	ProfSvc.exe
Token: SeChangeNotifyPrivilege	1380	ProfSvc.exe
Token: SeCreateTokenPrivilege	1380	ProfSvc.exe
Token: SeBackupPrivilege	1380	ProfSvc.exe
Token: SeRestorePrivilege	1380	ProfSvc.exe
Token: SeIncreaseQuotaPrivilege	1380	ProfSvc.exe
Token: SeAssignPrimaryTokenPrivilege	1380	ProfSvc.exe
Token: SeImpersonatePrivilege	1380	ProfSvc.exe
Token: SeTcbPrivilege	1380	ProfSvc.exe
Token: SeChangeNotifyPrivilege	1380	ProfSvc.exe
Token: SeCreateTokenPrivilege	1380	ProfSvc.exe
Token: SeBackupPrivilege	1380	ProfSvc.exe
Token: SeRestorePrivilege	1380	ProfSvc.exe
Token: SeIncreaseQuotaPrivilege	1380	ProfSvc.exe
Token: SeAssignPrimaryTokenPrivilege	1380	ProfSvc.exe
Token: SeImpersonatePrivilege	1380	ProfSvc.exe
Token: SeTcbPrivilege	1380	ProfSvc.exe

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exeAeLookupSvi.exe34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exeProfSvc.exetakshost.exeProfSvc.exe

description	pid	process	target process
PID 940 wrote to memory of 728	940	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe
PID 940 wrote to memory of 728	940	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe
PID 940 wrote to memory of 728	940	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe
PID 940 wrote to memory of 728	940	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe
PID 940 wrote to memory of 728	940	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe
PID 940 wrote to memory of 728	940	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe
PID 940 wrote to memory of 728	940	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe
PID 940 wrote to memory of 728	940	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe
PID 940 wrote to memory of 1496	940	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe	AeLookupSvi.exe
PID 940 wrote to memory of 1496	940	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe	AeLookupSvi.exe
PID 940 wrote to memory of 1496	940	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe	AeLookupSvi.exe
PID 940 wrote to memory of 1496	940	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe	AeLookupSvi.exe
PID 1496 wrote to memory of 1860	1496	AeLookupSvi.exe	ProfSvc.exe
PID 1496 wrote to memory of 1860	1496	AeLookupSvi.exe	ProfSvc.exe
PID 1496 wrote to memory of 1860	1496	AeLookupSvi.exe	ProfSvc.exe
PID 1496 wrote to memory of 1860	1496	AeLookupSvi.exe	ProfSvc.exe
PID 940 wrote to memory of 544	940	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe	takshost.exe
PID 940 wrote to memory of 544	940	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe	takshost.exe
PID 940 wrote to memory of 544	940	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe	takshost.exe
PID 940 wrote to memory of 544	940	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe	takshost.exe
PID 728 wrote to memory of 1644	728	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe	cmd.exe
PID 728 wrote to memory of 1644	728	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe	cmd.exe
PID 728 wrote to memory of 1644	728	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe	cmd.exe
PID 728 wrote to memory of 1644	728	34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe	cmd.exe
PID 1860 wrote to memory of 1380	1860	ProfSvc.exe	ProfSvc.exe
PID 1860 wrote to memory of 1380	1860	ProfSvc.exe	ProfSvc.exe
PID 1860 wrote to memory of 1380	1860	ProfSvc.exe	ProfSvc.exe
PID 1860 wrote to memory of 1380	1860	ProfSvc.exe	ProfSvc.exe
PID 1860 wrote to memory of 1380	1860	ProfSvc.exe	ProfSvc.exe
PID 1860 wrote to memory of 1380	1860	ProfSvc.exe	ProfSvc.exe
PID 1860 wrote to memory of 1380	1860	ProfSvc.exe	ProfSvc.exe
PID 1860 wrote to memory of 1380	1860	ProfSvc.exe	ProfSvc.exe
PID 1860 wrote to memory of 820	1860	ProfSvc.exe	AeLookupSvi.exe
PID 1860 wrote to memory of 820	1860	ProfSvc.exe	AeLookupSvi.exe
PID 1860 wrote to memory of 820	1860	ProfSvc.exe	AeLookupSvi.exe
PID 1860 wrote to memory of 820	1860	ProfSvc.exe	AeLookupSvi.exe
PID 1860 wrote to memory of 1968	1860	ProfSvc.exe	AeLookupSvi.exe
PID 1860 wrote to memory of 1968	1860	ProfSvc.exe	AeLookupSvi.exe
PID 1860 wrote to memory of 1968	1860	ProfSvc.exe	AeLookupSvi.exe
PID 1860 wrote to memory of 1968	1860	ProfSvc.exe	AeLookupSvi.exe
PID 544 wrote to memory of 956	544	takshost.exe	takshost.exe
PID 544 wrote to memory of 956	544	takshost.exe	takshost.exe
PID 544 wrote to memory of 956	544	takshost.exe	takshost.exe
PID 544 wrote to memory of 956	544	takshost.exe	takshost.exe
PID 544 wrote to memory of 956	544	takshost.exe	takshost.exe
PID 1380 wrote to memory of 1588	1380	ProfSvc.exe	cmd.exe
PID 1380 wrote to memory of 1588	1380	ProfSvc.exe	cmd.exe
PID 1380 wrote to memory of 1588	1380	ProfSvc.exe	cmd.exe
PID 1380 wrote to memory of 1588	1380	ProfSvc.exe	cmd.exe
PID 544 wrote to memory of 956	544	takshost.exe	takshost.exe
PID 544 wrote to memory of 956	544	takshost.exe	takshost.exe
PID 544 wrote to memory of 956	544	takshost.exe	takshost.exe

outlook_win_path 1 IoCs

Processes:

takshost.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	takshost.exe

C:\Users\Admin\AppData\Local\Temp\34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe
"C:\Users\Admin\AppData\Local\Temp\34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:940

C:\Users\Admin\AppData\Local\Temp\34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe
"C:\Users\Admin\AppData\Local\Temp\34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe"
2⤵
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:728

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\7207589.bat" "C:\Users\Admin\AppData\Local\Temp\34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41.exe" "
3⤵
PID:1644

C:\Users\Admin\AppData\Roaming\Microsoft\AeLookupSvi.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\AeLookupSvi.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1496

C:\Users\Admin\AppData\Roaming\Microsoft\ProfSvc.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\ProfSvc.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1860

C:\Users\Admin\AppData\Roaming\Microsoft\ProfSvc.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\ProfSvc.exe"
4⤵
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1380

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\7262579.bat" "C:\Users\Admin\AppData\Roaming\Microsoft\ProfSvc.exe" "
5⤵
PID:1588

C:\Users\Admin\AppData\Roaming\Microsoft\AeLookupSvi.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\AeLookupSvi.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:820

C:\Users\Admin\AppData\Roaming\Microsoft\AeLookupSvi.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\AeLookupSvi.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:1968

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:544

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
3⤵
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- outlook_win_path
PID:956

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7207589.bat
Filesize
94B

MD5
3880eeb1c736d853eb13b44898b718ab

SHA1
4eec9d50360cd815211e3c4e6bdd08271b6ec8e6

SHA256
936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7

SHA512
3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7262579.bat
Filesize
94B

MD5
3880eeb1c736d853eb13b44898b718ab

SHA1
4eec9d50360cd815211e3c4e6bdd08271b6ec8e6

SHA256
936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7

SHA512
3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\AeLookupSvi.exe
Filesize
7KB

MD5
54b446b04c83570cc974ed428b416a63

SHA1
f6e9eb6319a45d381baef998ce45e50f247cbc7d

SHA256
ead396edbe63927c734b30f9275e52c4dde8fd3c1e53963cfdafb24f53e9fab4

SHA512
0d0129553c623c107d70d756c1d023f8f4463cd6d6517639e5ca2c79944285cfd23dffe98a3ca6c12b9d33501830de05c599d89d12a3ae5514ddd6c18b28e939

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\AeLookupSvi.exe
Filesize
7KB

MD5
54b446b04c83570cc974ed428b416a63

SHA1
f6e9eb6319a45d381baef998ce45e50f247cbc7d

SHA256
ead396edbe63927c734b30f9275e52c4dde8fd3c1e53963cfdafb24f53e9fab4

SHA512
0d0129553c623c107d70d756c1d023f8f4463cd6d6517639e5ca2c79944285cfd23dffe98a3ca6c12b9d33501830de05c599d89d12a3ae5514ddd6c18b28e939

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\AeLookupSvi.exe
Filesize
7KB

MD5
54b446b04c83570cc974ed428b416a63

SHA1
f6e9eb6319a45d381baef998ce45e50f247cbc7d

SHA256
ead396edbe63927c734b30f9275e52c4dde8fd3c1e53963cfdafb24f53e9fab4

SHA512
0d0129553c623c107d70d756c1d023f8f4463cd6d6517639e5ca2c79944285cfd23dffe98a3ca6c12b9d33501830de05c599d89d12a3ae5514ddd6c18b28e939

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\AeLookupSvi.exe
Filesize
7KB

MD5
54b446b04c83570cc974ed428b416a63

SHA1
f6e9eb6319a45d381baef998ce45e50f247cbc7d

SHA256
ead396edbe63927c734b30f9275e52c4dde8fd3c1e53963cfdafb24f53e9fab4

SHA512
0d0129553c623c107d70d756c1d023f8f4463cd6d6517639e5ca2c79944285cfd23dffe98a3ca6c12b9d33501830de05c599d89d12a3ae5514ddd6c18b28e939

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\AeLookupSvi.exe
Filesize
7KB

MD5
54b446b04c83570cc974ed428b416a63

SHA1
f6e9eb6319a45d381baef998ce45e50f247cbc7d

SHA256
ead396edbe63927c734b30f9275e52c4dde8fd3c1e53963cfdafb24f53e9fab4

SHA512
0d0129553c623c107d70d756c1d023f8f4463cd6d6517639e5ca2c79944285cfd23dffe98a3ca6c12b9d33501830de05c599d89d12a3ae5514ddd6c18b28e939

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\ProfSvc.exe
Filesize
187KB

MD5
68b4ca99283c6099e6b07994d93ecbbb

SHA1
8b26dcf97f6ad64ab20712d61ac7ca328cb584be

SHA256
34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41

SHA512
95809b747178739ede228109dbefb61cb4bccd7be3982b50abddf2b5e6dda2ca3dfc4a55aed484af603a77864915e4d1647b6a6da44df64bf60b6c2b7f24f5b3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\ProfSvc.exe
Filesize
187KB

MD5
68b4ca99283c6099e6b07994d93ecbbb

SHA1
8b26dcf97f6ad64ab20712d61ac7ca328cb584be

SHA256
34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41

SHA512
95809b747178739ede228109dbefb61cb4bccd7be3982b50abddf2b5e6dda2ca3dfc4a55aed484af603a77864915e4d1647b6a6da44df64bf60b6c2b7f24f5b3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\ProfSvc.exe
Filesize
187KB

MD5
68b4ca99283c6099e6b07994d93ecbbb

SHA1
8b26dcf97f6ad64ab20712d61ac7ca328cb584be

SHA256
34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41

SHA512
95809b747178739ede228109dbefb61cb4bccd7be3982b50abddf2b5e6dda2ca3dfc4a55aed484af603a77864915e4d1647b6a6da44df64bf60b6c2b7f24f5b3

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\AeLookupSvi.exe
Filesize
7KB

MD5
54b446b04c83570cc974ed428b416a63

SHA1
f6e9eb6319a45d381baef998ce45e50f247cbc7d

SHA256
ead396edbe63927c734b30f9275e52c4dde8fd3c1e53963cfdafb24f53e9fab4

SHA512
0d0129553c623c107d70d756c1d023f8f4463cd6d6517639e5ca2c79944285cfd23dffe98a3ca6c12b9d33501830de05c599d89d12a3ae5514ddd6c18b28e939

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\AeLookupSvi.exe
Filesize
7KB

MD5
54b446b04c83570cc974ed428b416a63

SHA1
f6e9eb6319a45d381baef998ce45e50f247cbc7d

SHA256
ead396edbe63927c734b30f9275e52c4dde8fd3c1e53963cfdafb24f53e9fab4

SHA512
0d0129553c623c107d70d756c1d023f8f4463cd6d6517639e5ca2c79944285cfd23dffe98a3ca6c12b9d33501830de05c599d89d12a3ae5514ddd6c18b28e939

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\ProfSvc.exe
Filesize
187KB

MD5
68b4ca99283c6099e6b07994d93ecbbb

SHA1
8b26dcf97f6ad64ab20712d61ac7ca328cb584be

SHA256
34447d74a502b3bd45c648f6137a7e1e5da532cd24f7a318b6e87a1a42e57f41

SHA512
95809b747178739ede228109dbefb61cb4bccd7be3982b50abddf2b5e6dda2ca3dfc4a55aed484af603a77864915e4d1647b6a6da44df64bf60b6c2b7f24f5b3

Download Submit
memory/544-83-0x0000000000000000-mapping.dmp

Download
memory/544-85-0x0000000074260000-0x000000007480B000-memory.dmp

Filesize
5.7MB

Download
memory/544-109-0x0000000074260000-0x000000007480B000-memory.dmp

Filesize
5.7MB

Download
memory/728-66-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/728-88-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/728-74-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/728-57-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/728-72-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/728-58-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/728-60-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/728-61-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/728-65-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/728-62-0x000000000041A1E0-mapping.dmp

Download
memory/820-110-0x0000000074260000-0x000000007480B000-memory.dmp

Filesize
5.7MB

Download
memory/820-111-0x0000000074260000-0x000000007480B000-memory.dmp

Filesize
5.7MB

Download
memory/820-101-0x0000000000000000-mapping.dmp

Download
memory/820-107-0x0000000074260000-0x000000007480B000-memory.dmp

Filesize
5.7MB

Download
memory/940-89-0x0000000074260000-0x000000007480B000-memory.dmp

Filesize
5.7MB

Download
memory/940-54-0x0000000074DE1000-0x0000000074DE3000-memory.dmp

Filesize
8KB

Download
memory/940-56-0x0000000074260000-0x000000007480B000-memory.dmp

Filesize
5.7MB

Download
memory/940-55-0x0000000074260000-0x000000007480B000-memory.dmp

Filesize
5.7MB

Download
memory/956-129-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/956-124-0x000000000041A1E0-mapping.dmp

Download
memory/956-130-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/956-128-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1380-102-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1380-108-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1380-96-0x000000000041A1E0-mapping.dmp

Download
memory/1380-106-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1380-122-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1496-87-0x0000000074260000-0x000000007480B000-memory.dmp

Filesize
5.7MB

Download
memory/1496-68-0x0000000000000000-mapping.dmp

Download
memory/1496-73-0x0000000074260000-0x000000007480B000-memory.dmp

Filesize
5.7MB

Download
memory/1496-75-0x0000000074260000-0x000000007480B000-memory.dmp

Filesize
5.7MB

Download
memory/1588-119-0x0000000000000000-mapping.dmp

Download
memory/1644-86-0x0000000000000000-mapping.dmp

Download
memory/1860-78-0x0000000000000000-mapping.dmp

Download
memory/1860-81-0x0000000074260000-0x000000007480B000-memory.dmp

Filesize
5.7MB

Download
memory/1860-82-0x0000000074260000-0x000000007480B000-memory.dmp

Filesize
5.7MB

Download
memory/1968-116-0x0000000074260000-0x000000007480B000-memory.dmp

Filesize
5.7MB

Download
memory/1968-115-0x0000000074260000-0x000000007480B000-memory.dmp

Filesize
5.7MB

Download
memory/1968-112-0x0000000000000000-mapping.dmp

Download