pony | a980c417bb69ab4ad13eb5792293b368619983e3d6688aefa38f1d7009b8cd30

Analysis

max time kernel
186s
max time network
194s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
26-11-2022 15:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a980c417bb69ab4ad13eb5792293b368619983e3d6688aefa38f1d7009b8cd30.exe
Size

500KB
MD5

2ac9e60e9e4770c8fcfb4c87a38bdc13
SHA1

0e7812057990cef7a6fe6b06037d0e54700d08bb
SHA256

a980c417bb69ab4ad13eb5792293b368619983e3d6688aefa38f1d7009b8cd30
SHA512

c10b261725b291ed8aadfa80ba8302e8fd8c6ca2ccbf3702f650df9b44bc8626468f818cf099f5379042c2483ae629bca5a3a96a0f246181704afe9dceb2c718
SSDEEP

6144:hLPe67l7q1fcC3P2uYDEDEkBQGcxjgBSIEFDiKexjyFWnffPW:hbe6ZCcapYEDiWEF2KWVff+

Score

10^/10

pony collection discovery persistence rat spyware stealer upx

Malware Config

Extracted

Family

pony

http://indianmoneybag.in/wp-content/themes/twentythirteen/obi/Panel/gate.php

Signatures

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Executes dropped EXE 4 IoCs

Processes:

NQXLL.exewequ.exeNQXLL.exewequ.exe

pid process

856 NQXLL.exe
1548 wequ.exe
928 NQXLL.exe
1124 wequ.exe

pid	process
856	NQXLL.exe
1548	wequ.exe
928	NQXLL.exe
1124	wequ.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\NQXLL.exe	upx
\Users\Admin\AppData\Local\Temp\NQXLL.exe	upx
C:\Users\Admin\AppData\Local\Temp\NQXLL.exe	upx
behavioral1/memory/856-79-0x0000000000400000-0x000000000041D000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\NQXLL.exe	upx
\Users\Admin\AppData\Local\Temp\NQXLL.exe	upx
\Users\Admin\AppData\Local\Temp\NQXLL.exe	upx
C:\Users\Admin\AppData\Local\Temp\NQXLL.exe	upx
behavioral1/memory/928-109-0x0000000000400000-0x000000000041D000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\NQXLL.exe	upx
\Users\Admin\AppData\Local\Temp\NQXLL.exe	upx
behavioral1/memory/928-413-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/856-678-0x0000000000400000-0x000000000041D000-memory.dmp	upx

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1276 cmd.exe

pid	process
1276	cmd.exe

Loads dropped DLL 7 IoCs

Processes:

a980c417bb69ab4ad13eb5792293b368619983e3d6688aefa38f1d7009b8cd30.exea980c417bb69ab4ad13eb5792293b368619983e3d6688aefa38f1d7009b8cd30.exewequ.exewequ.exe

pid	process
944	a980c417bb69ab4ad13eb5792293b368619983e3d6688aefa38f1d7009b8cd30.exe
944	a980c417bb69ab4ad13eb5792293b368619983e3d6688aefa38f1d7009b8cd30.exe
340	a980c417bb69ab4ad13eb5792293b368619983e3d6688aefa38f1d7009b8cd30.exe
1548	wequ.exe
1548	wequ.exe
1124	wequ.exe
1124	wequ.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook accounts 1 TTPs 2 IoCs

collection

Email Collection

T1114

Processes:

NQXLL.exeNQXLL.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	NQXLL.exe
Key opened	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	NQXLL.exe

Accesses Microsoft Outlook profiles 1 TTPs 2 IoCs

collection

Email Collection

T1114

Processes:

NQXLL.exeNQXLL.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	NQXLL.exe
Key opened	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	NQXLL.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wequ.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\Currentversion\Run	wequ.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\Currentversion\Run	wequ.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\Releqa = "C:\\Users\\Admin\\AppData\\Roaming\\Afur\\wequ.exe"	wequ.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 4 IoCs

Processes:

a980c417bb69ab4ad13eb5792293b368619983e3d6688aefa38f1d7009b8cd30.exewequ.exeNQXLL.exeNQXLL.exe

description	pid	process	target process
PID 944 set thread context of 340	944	a980c417bb69ab4ad13eb5792293b368619983e3d6688aefa38f1d7009b8cd30.exe	a980c417bb69ab4ad13eb5792293b368619983e3d6688aefa38f1d7009b8cd30.exe
PID 1548 set thread context of 1124	1548	wequ.exe	wequ.exe
PID 928 set thread context of 1772	928	NQXLL.exe	cmd.exe
PID 856 set thread context of 2036	856	NQXLL.exe	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

NQXLL.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Privacy	NQXLL.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	NQXLL.exe

NTFS ADS 1 IoCs

Processes:

WinMail.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\37FD0C1A-00000001.eml:OECustomProperty	WinMail.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

wequ.exe

pid	process
1124	wequ.exe
1124	wequ.exe
1124	wequ.exe
1124	wequ.exe
1124	wequ.exe
1124	wequ.exe
1124	wequ.exe
1124	wequ.exe
1124	wequ.exe
1124	wequ.exe
1124	wequ.exe
1124	wequ.exe
1124	wequ.exe
1124	wequ.exe
1124	wequ.exe
1124	wequ.exe
1124	wequ.exe
1124	wequ.exe
1124	wequ.exe
1124	wequ.exe
1124	wequ.exe
1124	wequ.exe
1124	wequ.exe
1124	wequ.exe
1124	wequ.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

NQXLL.exea980c417bb69ab4ad13eb5792293b368619983e3d6688aefa38f1d7009b8cd30.exeNQXLL.exe

description	pid	process
Token: SeImpersonatePrivilege	856	NQXLL.exe
Token: SeTcbPrivilege	856	NQXLL.exe
Token: SeChangeNotifyPrivilege	856	NQXLL.exe
Token: SeCreateTokenPrivilege	856	NQXLL.exe
Token: SeBackupPrivilege	856	NQXLL.exe
Token: SeRestorePrivilege	856	NQXLL.exe
Token: SeIncreaseQuotaPrivilege	856	NQXLL.exe
Token: SeAssignPrimaryTokenPrivilege	856	NQXLL.exe
Token: SeSecurityPrivilege	340	a980c417bb69ab4ad13eb5792293b368619983e3d6688aefa38f1d7009b8cd30.exe
Token: SeSecurityPrivilege	340	a980c417bb69ab4ad13eb5792293b368619983e3d6688aefa38f1d7009b8cd30.exe
Token: SeImpersonatePrivilege	928	NQXLL.exe
Token: SeTcbPrivilege	928	NQXLL.exe
Token: SeChangeNotifyPrivilege	928	NQXLL.exe
Token: SeCreateTokenPrivilege	928	NQXLL.exe
Token: SeBackupPrivilege	928	NQXLL.exe
Token: SeRestorePrivilege	928	NQXLL.exe
Token: SeIncreaseQuotaPrivilege	928	NQXLL.exe
Token: SeAssignPrimaryTokenPrivilege	928	NQXLL.exe
Token: SeSecurityPrivilege	856	NQXLL.exe
Token: SeSecurityPrivilege	856	NQXLL.exe
Token: SeSecurityPrivilege	856	NQXLL.exe
Token: SeImpersonatePrivilege	928	NQXLL.exe
Token: SeTcbPrivilege	928	NQXLL.exe
Token: SeChangeNotifyPrivilege	928	NQXLL.exe
Token: SeCreateTokenPrivilege	928	NQXLL.exe
Token: SeBackupPrivilege	928	NQXLL.exe
Token: SeRestorePrivilege	928	NQXLL.exe
Token: SeIncreaseQuotaPrivilege	928	NQXLL.exe
Token: SeAssignPrimaryTokenPrivilege	928	NQXLL.exe
Token: SeImpersonatePrivilege	928	NQXLL.exe
Token: SeTcbPrivilege	928	NQXLL.exe
Token: SeChangeNotifyPrivilege	928	NQXLL.exe
Token: SeCreateTokenPrivilege	928	NQXLL.exe
Token: SeBackupPrivilege	928	NQXLL.exe
Token: SeRestorePrivilege	928	NQXLL.exe
Token: SeIncreaseQuotaPrivilege	928	NQXLL.exe
Token: SeAssignPrimaryTokenPrivilege	928	NQXLL.exe
Token: SeImpersonatePrivilege	928	NQXLL.exe
Token: SeTcbPrivilege	928	NQXLL.exe
Token: SeChangeNotifyPrivilege	928	NQXLL.exe
Token: SeCreateTokenPrivilege	928	NQXLL.exe
Token: SeBackupPrivilege	928	NQXLL.exe
Token: SeRestorePrivilege	928	NQXLL.exe
Token: SeIncreaseQuotaPrivilege	928	NQXLL.exe
Token: SeAssignPrimaryTokenPrivilege	928	NQXLL.exe
Token: SeSecurityPrivilege	856	NQXLL.exe
Token: SeImpersonatePrivilege	856	NQXLL.exe
Token: SeSecurityPrivilege	856	NQXLL.exe
Token: SeTcbPrivilege	856	NQXLL.exe
Token: SeChangeNotifyPrivilege	856	NQXLL.exe
Token: SeCreateTokenPrivilege	856	NQXLL.exe
Token: SeBackupPrivilege	856	NQXLL.exe
Token: SeRestorePrivilege	856	NQXLL.exe
Token: SeIncreaseQuotaPrivilege	856	NQXLL.exe
Token: SeAssignPrimaryTokenPrivilege	856	NQXLL.exe
Token: SeImpersonatePrivilege	856	NQXLL.exe
Token: SeTcbPrivilege	856	NQXLL.exe
Token: SeChangeNotifyPrivilege	856	NQXLL.exe
Token: SeCreateTokenPrivilege	856	NQXLL.exe
Token: SeBackupPrivilege	856	NQXLL.exe
Token: SeRestorePrivilege	856	NQXLL.exe
Token: SeIncreaseQuotaPrivilege	856	NQXLL.exe
Token: SeAssignPrimaryTokenPrivilege	856	NQXLL.exe
Token: SeImpersonatePrivilege	856	NQXLL.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

WinMail.exe

pid process

2016 WinMail.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

WinMail.exe

pid process

2016 WinMail.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

WinMail.exe

pid process

2016 WinMail.exe

pid	process
2016	WinMail.exe

pid	process
2016	WinMail.exe

pid	process
2016	WinMail.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a980c417bb69ab4ad13eb5792293b368619983e3d6688aefa38f1d7009b8cd30.exea980c417bb69ab4ad13eb5792293b368619983e3d6688aefa38f1d7009b8cd30.exewequ.exewequ.exe

description	pid	process	target process
PID 944 wrote to memory of 856	944	a980c417bb69ab4ad13eb5792293b368619983e3d6688aefa38f1d7009b8cd30.exe	NQXLL.exe
PID 944 wrote to memory of 856	944	a980c417bb69ab4ad13eb5792293b368619983e3d6688aefa38f1d7009b8cd30.exe	NQXLL.exe
PID 944 wrote to memory of 856	944	a980c417bb69ab4ad13eb5792293b368619983e3d6688aefa38f1d7009b8cd30.exe	NQXLL.exe
PID 944 wrote to memory of 856	944	a980c417bb69ab4ad13eb5792293b368619983e3d6688aefa38f1d7009b8cd30.exe	NQXLL.exe
PID 944 wrote to memory of 340	944	a980c417bb69ab4ad13eb5792293b368619983e3d6688aefa38f1d7009b8cd30.exe	a980c417bb69ab4ad13eb5792293b368619983e3d6688aefa38f1d7009b8cd30.exe
PID 944 wrote to memory of 340	944	a980c417bb69ab4ad13eb5792293b368619983e3d6688aefa38f1d7009b8cd30.exe	a980c417bb69ab4ad13eb5792293b368619983e3d6688aefa38f1d7009b8cd30.exe
PID 944 wrote to memory of 340	944	a980c417bb69ab4ad13eb5792293b368619983e3d6688aefa38f1d7009b8cd30.exe	a980c417bb69ab4ad13eb5792293b368619983e3d6688aefa38f1d7009b8cd30.exe
PID 944 wrote to memory of 340	944	a980c417bb69ab4ad13eb5792293b368619983e3d6688aefa38f1d7009b8cd30.exe	a980c417bb69ab4ad13eb5792293b368619983e3d6688aefa38f1d7009b8cd30.exe
PID 944 wrote to memory of 340	944	a980c417bb69ab4ad13eb5792293b368619983e3d6688aefa38f1d7009b8cd30.exe	a980c417bb69ab4ad13eb5792293b368619983e3d6688aefa38f1d7009b8cd30.exe
PID 944 wrote to memory of 340	944	a980c417bb69ab4ad13eb5792293b368619983e3d6688aefa38f1d7009b8cd30.exe	a980c417bb69ab4ad13eb5792293b368619983e3d6688aefa38f1d7009b8cd30.exe
PID 944 wrote to memory of 340	944	a980c417bb69ab4ad13eb5792293b368619983e3d6688aefa38f1d7009b8cd30.exe	a980c417bb69ab4ad13eb5792293b368619983e3d6688aefa38f1d7009b8cd30.exe
PID 944 wrote to memory of 340	944	a980c417bb69ab4ad13eb5792293b368619983e3d6688aefa38f1d7009b8cd30.exe	a980c417bb69ab4ad13eb5792293b368619983e3d6688aefa38f1d7009b8cd30.exe
PID 944 wrote to memory of 340	944	a980c417bb69ab4ad13eb5792293b368619983e3d6688aefa38f1d7009b8cd30.exe	a980c417bb69ab4ad13eb5792293b368619983e3d6688aefa38f1d7009b8cd30.exe
PID 340 wrote to memory of 1548	340	a980c417bb69ab4ad13eb5792293b368619983e3d6688aefa38f1d7009b8cd30.exe	wequ.exe
PID 340 wrote to memory of 1548	340	a980c417bb69ab4ad13eb5792293b368619983e3d6688aefa38f1d7009b8cd30.exe	wequ.exe
PID 340 wrote to memory of 1548	340	a980c417bb69ab4ad13eb5792293b368619983e3d6688aefa38f1d7009b8cd30.exe	wequ.exe
PID 340 wrote to memory of 1548	340	a980c417bb69ab4ad13eb5792293b368619983e3d6688aefa38f1d7009b8cd30.exe	wequ.exe
PID 1548 wrote to memory of 928	1548	wequ.exe	NQXLL.exe
PID 1548 wrote to memory of 928	1548	wequ.exe	NQXLL.exe
PID 1548 wrote to memory of 928	1548	wequ.exe	NQXLL.exe
PID 1548 wrote to memory of 928	1548	wequ.exe	NQXLL.exe
PID 1548 wrote to memory of 1124	1548	wequ.exe	wequ.exe
PID 1548 wrote to memory of 1124	1548	wequ.exe	wequ.exe
PID 1548 wrote to memory of 1124	1548	wequ.exe	wequ.exe
PID 1548 wrote to memory of 1124	1548	wequ.exe	wequ.exe
PID 1548 wrote to memory of 1124	1548	wequ.exe	wequ.exe
PID 1548 wrote to memory of 1124	1548	wequ.exe	wequ.exe
PID 1548 wrote to memory of 1124	1548	wequ.exe	wequ.exe
PID 1548 wrote to memory of 1124	1548	wequ.exe	wequ.exe
PID 1548 wrote to memory of 1124	1548	wequ.exe	wequ.exe
PID 1124 wrote to memory of 1128	1124	wequ.exe	taskhost.exe
PID 1124 wrote to memory of 1128	1124	wequ.exe	taskhost.exe
PID 1124 wrote to memory of 1128	1124	wequ.exe	taskhost.exe
PID 1124 wrote to memory of 1128	1124	wequ.exe	taskhost.exe
PID 1124 wrote to memory of 1128	1124	wequ.exe	taskhost.exe
PID 1124 wrote to memory of 1228	1124	wequ.exe	Dwm.exe
PID 1124 wrote to memory of 1228	1124	wequ.exe	Dwm.exe
PID 1124 wrote to memory of 1228	1124	wequ.exe	Dwm.exe
PID 1124 wrote to memory of 1228	1124	wequ.exe	Dwm.exe
PID 1124 wrote to memory of 1228	1124	wequ.exe	Dwm.exe
PID 1124 wrote to memory of 1284	1124	wequ.exe	Explorer.EXE
PID 1124 wrote to memory of 1284	1124	wequ.exe	Explorer.EXE
PID 1124 wrote to memory of 1284	1124	wequ.exe	Explorer.EXE
PID 1124 wrote to memory of 1284	1124	wequ.exe	Explorer.EXE
PID 1124 wrote to memory of 1284	1124	wequ.exe	Explorer.EXE
PID 1124 wrote to memory of 856	1124	wequ.exe	NQXLL.exe
PID 1124 wrote to memory of 856	1124	wequ.exe	NQXLL.exe
PID 1124 wrote to memory of 856	1124	wequ.exe	NQXLL.exe
PID 1124 wrote to memory of 856	1124	wequ.exe	NQXLL.exe
PID 1124 wrote to memory of 856	1124	wequ.exe	NQXLL.exe
PID 340 wrote to memory of 1276	340	a980c417bb69ab4ad13eb5792293b368619983e3d6688aefa38f1d7009b8cd30.exe	cmd.exe
PID 340 wrote to memory of 1276	340	a980c417bb69ab4ad13eb5792293b368619983e3d6688aefa38f1d7009b8cd30.exe	cmd.exe
PID 340 wrote to memory of 1276	340	a980c417bb69ab4ad13eb5792293b368619983e3d6688aefa38f1d7009b8cd30.exe	cmd.exe
PID 340 wrote to memory of 1276	340	a980c417bb69ab4ad13eb5792293b368619983e3d6688aefa38f1d7009b8cd30.exe	cmd.exe
PID 1124 wrote to memory of 1988	1124	wequ.exe	DllHost.exe
PID 1124 wrote to memory of 1988	1124	wequ.exe	DllHost.exe
PID 1124 wrote to memory of 1988	1124	wequ.exe	DllHost.exe
PID 1124 wrote to memory of 1988	1124	wequ.exe	DllHost.exe
PID 1124 wrote to memory of 1988	1124	wequ.exe	DllHost.exe
PID 1124 wrote to memory of 928	1124	wequ.exe	NQXLL.exe
PID 1124 wrote to memory of 928	1124	wequ.exe	NQXLL.exe
PID 1124 wrote to memory of 928	1124	wequ.exe	NQXLL.exe
PID 1124 wrote to memory of 928	1124	wequ.exe	NQXLL.exe
PID 1124 wrote to memory of 928	1124	wequ.exe	NQXLL.exe

outlook_win_path 1 IoCs

Processes:

NQXLL.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	NQXLL.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1128

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1284

C:\Users\Admin\AppData\Local\Temp\a980c417bb69ab4ad13eb5792293b368619983e3d6688aefa38f1d7009b8cd30.exe
"C:\Users\Admin\AppData\Local\Temp\a980c417bb69ab4ad13eb5792293b368619983e3d6688aefa38f1d7009b8cd30.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:944

C:\Users\Admin\AppData\Local\Temp\NQXLL.exe
"C:\Users\Admin\AppData\Local\Temp\NQXLL.exe"
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- outlook_win_path
PID:856

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\7185016.bat" "C:\Users\Admin\AppData\Local\Temp\NQXLL.exe" "
4⤵
PID:2036

C:\Users\Admin\AppData\Local\Temp\a980c417bb69ab4ad13eb5792293b368619983e3d6688aefa38f1d7009b8cd30.exe
"C:\Users\Admin\AppData\Local\Temp\a980c417bb69ab4ad13eb5792293b368619983e3d6688aefa38f1d7009b8cd30.exe"
3⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:340

C:\Users\Admin\AppData\Roaming\Afur\wequ.exe
"C:\Users\Admin\AppData\Roaming\Afur\wequ.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1548

C:\Users\Admin\AppData\Local\Temp\NQXLL.exe
"C:\Users\Admin\AppData\Local\Temp\NQXLL.exe"
5⤵
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:928

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\7182676.bat" "C:\Users\Admin\AppData\Local\Temp\NQXLL.exe" "
6⤵
PID:1772

C:\Users\Admin\AppData\Roaming\Afur\wequ.exe
"C:\Users\Admin\AppData\Roaming\Afur\wequ.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1124

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp59fa9e9b.bat"
4⤵
- Deletes itself
PID:1276

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1228

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1988

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1684463372-29388457-12127176291327609284-17044370061094244578-1748945001564736035"
1⤵
PID:1860

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1135961106-49294741-165565372820060621671457918737-1514329411986180926-1828536035"
1⤵
PID:904

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1804

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1596

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2016

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1204

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1528

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2028

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7182676.bat
Filesize
94B

MD5
3880eeb1c736d853eb13b44898b718ab

SHA1
4eec9d50360cd815211e3c4e6bdd08271b6ec8e6

SHA256
936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7

SHA512
3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7185016.bat
Filesize
94B

MD5
3880eeb1c736d853eb13b44898b718ab

SHA1
4eec9d50360cd815211e3c4e6bdd08271b6ec8e6

SHA256
936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7

SHA512
3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\NQXLL.exe
Filesize
34KB

MD5
584c952a93d0c0794d52d481bf2991c2

SHA1
67d2b0d1e7d135054d4c1fc057c7fb5c784aa524

SHA256
e5ba35f40059abd42e0df99509749f7654f39859ab704e9a02fef1ec5ed7f9a3

SHA512
46ede591d55e8e664f803e8e0b76970a80be74fb95b98139ebcfa6ad9dda8dc43e1ba8d094287bb5ab0194ebb9adb1bf8cf94145f28815357c25110d049ce380

Download Submit
C:\Users\Admin\AppData\Local\Temp\NQXLL.exe
Filesize
34KB

MD5
584c952a93d0c0794d52d481bf2991c2

SHA1
67d2b0d1e7d135054d4c1fc057c7fb5c784aa524

SHA256
e5ba35f40059abd42e0df99509749f7654f39859ab704e9a02fef1ec5ed7f9a3

SHA512
46ede591d55e8e664f803e8e0b76970a80be74fb95b98139ebcfa6ad9dda8dc43e1ba8d094287bb5ab0194ebb9adb1bf8cf94145f28815357c25110d049ce380

Download Submit
C:\Users\Admin\AppData\Local\Temp\NQXLL.exe
Filesize
34KB

MD5
584c952a93d0c0794d52d481bf2991c2

SHA1
67d2b0d1e7d135054d4c1fc057c7fb5c784aa524

SHA256
e5ba35f40059abd42e0df99509749f7654f39859ab704e9a02fef1ec5ed7f9a3

SHA512
46ede591d55e8e664f803e8e0b76970a80be74fb95b98139ebcfa6ad9dda8dc43e1ba8d094287bb5ab0194ebb9adb1bf8cf94145f28815357c25110d049ce380

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp59fa9e9b.bat
Filesize
307B

MD5
78bb3a8b41ad8b9cfb6636138c5d06ac

SHA1
86643c7b65c6c9b2ef2b678878e01c3680c54f78

SHA256
515f30ccf4e39ac6550c1dc751ee0614e663df24e485d7df02f829b69e3d2e10

SHA512
3b5fefabe449e2315c18160db39cfc5fa1b08033f6fdad9a1b873f8135998bf3b0058d3a4dc62ec21770b5fb3fa6496c21ea770297bb7d8c2b4ca13dd93c569f

Download Submit
C:\Users\Admin\AppData\Roaming\Afur\wequ.exe
Filesize
500KB

MD5
aa85f90716376ccdaee38e957f97738d

SHA1
2c1cd98f05d89e7a3173c72390b8a1d563450a46

SHA256
0cda5ca24cf6401284425ebfc5aa7933b2be2c04b8a5efd1f58ed14f8489814e

SHA512
d1e02eb0e5b4d484810c567f3c1967ed982b711da02646600cf1f323f9a9eb2f3368b8f0803da7a801c6344cdcaa8a43a1153e8826cbc211708fc3076b235091

Download Submit
C:\Users\Admin\AppData\Roaming\Afur\wequ.exe
Filesize
500KB

MD5
aa85f90716376ccdaee38e957f97738d

SHA1
2c1cd98f05d89e7a3173c72390b8a1d563450a46

SHA256
0cda5ca24cf6401284425ebfc5aa7933b2be2c04b8a5efd1f58ed14f8489814e

SHA512
d1e02eb0e5b4d484810c567f3c1967ed982b711da02646600cf1f323f9a9eb2f3368b8f0803da7a801c6344cdcaa8a43a1153e8826cbc211708fc3076b235091

Download Submit
C:\Users\Admin\AppData\Roaming\Afur\wequ.exe
Filesize
500KB

MD5
aa85f90716376ccdaee38e957f97738d

SHA1
2c1cd98f05d89e7a3173c72390b8a1d563450a46

SHA256
0cda5ca24cf6401284425ebfc5aa7933b2be2c04b8a5efd1f58ed14f8489814e

SHA512
d1e02eb0e5b4d484810c567f3c1967ed982b711da02646600cf1f323f9a9eb2f3368b8f0803da7a801c6344cdcaa8a43a1153e8826cbc211708fc3076b235091

Download Submit
C:\Users\Admin\AppData\Roaming\Ohepyd\qycen.ulv
Filesize
373B

MD5
16393c999505dce350d9619c1d5c5711

SHA1
3d1d180963d9b103dcdd633ddfe495e2c7267c8c

SHA256
305df5b00d1e27788bdda8fcd8fd535de462d9f1ea647ec8d0cb9f39dfd953ce

SHA512
eff4546442748b82696efe9c2bee98a02cac280146c0b33a3d67bf11ed3a41cc00d8a50636c08f3d33321888dfd32e76a285cd2da3d5a8654662a8ef06fa2dae

Download Submit
C:\Users\Admin\AppData\Roaming\Ohepyd\qycen.ulv
Filesize
3KB

MD5
d2ea1159f1e4ca9f650278037ec995c6

SHA1
c51c020cbc5246ea6a3d2a7c213d0cc4284fff7b

SHA256
3e090547c297eb603d4930c4afa979e022d6e6bb9bbd2793a5c790b4c64d7d26

SHA512
23dbd4dde71cbf6fa9d75616ceb4ca30f51b272222a5de01c651bd4acbc2632f3300f9009d82a3dc5f0cce854337b0add37a3f1cd405ed292d2a3a6e6be83e28

Download Submit
\Users\Admin\AppData\Local\Temp\NQXLL.exe
Filesize
34KB

MD5
584c952a93d0c0794d52d481bf2991c2

SHA1
67d2b0d1e7d135054d4c1fc057c7fb5c784aa524

SHA256
e5ba35f40059abd42e0df99509749f7654f39859ab704e9a02fef1ec5ed7f9a3

SHA512
46ede591d55e8e664f803e8e0b76970a80be74fb95b98139ebcfa6ad9dda8dc43e1ba8d094287bb5ab0194ebb9adb1bf8cf94145f28815357c25110d049ce380

Download Submit
\Users\Admin\AppData\Local\Temp\NQXLL.exe
Filesize
34KB

MD5
584c952a93d0c0794d52d481bf2991c2

SHA1
67d2b0d1e7d135054d4c1fc057c7fb5c784aa524

SHA256
e5ba35f40059abd42e0df99509749f7654f39859ab704e9a02fef1ec5ed7f9a3

SHA512
46ede591d55e8e664f803e8e0b76970a80be74fb95b98139ebcfa6ad9dda8dc43e1ba8d094287bb5ab0194ebb9adb1bf8cf94145f28815357c25110d049ce380

Download Submit
\Users\Admin\AppData\Local\Temp\NQXLL.exe
Filesize
34KB

MD5
584c952a93d0c0794d52d481bf2991c2

SHA1
67d2b0d1e7d135054d4c1fc057c7fb5c784aa524

SHA256
e5ba35f40059abd42e0df99509749f7654f39859ab704e9a02fef1ec5ed7f9a3

SHA512
46ede591d55e8e664f803e8e0b76970a80be74fb95b98139ebcfa6ad9dda8dc43e1ba8d094287bb5ab0194ebb9adb1bf8cf94145f28815357c25110d049ce380

Download Submit
\Users\Admin\AppData\Local\Temp\NQXLL.exe
Filesize
34KB

MD5
584c952a93d0c0794d52d481bf2991c2

SHA1
67d2b0d1e7d135054d4c1fc057c7fb5c784aa524

SHA256
e5ba35f40059abd42e0df99509749f7654f39859ab704e9a02fef1ec5ed7f9a3

SHA512
46ede591d55e8e664f803e8e0b76970a80be74fb95b98139ebcfa6ad9dda8dc43e1ba8d094287bb5ab0194ebb9adb1bf8cf94145f28815357c25110d049ce380

Download Submit
\Users\Admin\AppData\Local\Temp\NQXLL.exe
Filesize
34KB

MD5
584c952a93d0c0794d52d481bf2991c2

SHA1
67d2b0d1e7d135054d4c1fc057c7fb5c784aa524

SHA256
e5ba35f40059abd42e0df99509749f7654f39859ab704e9a02fef1ec5ed7f9a3

SHA512
46ede591d55e8e664f803e8e0b76970a80be74fb95b98139ebcfa6ad9dda8dc43e1ba8d094287bb5ab0194ebb9adb1bf8cf94145f28815357c25110d049ce380

Download Submit
\Users\Admin\AppData\Local\Temp\NQXLL.exe
Filesize
34KB

MD5
584c952a93d0c0794d52d481bf2991c2

SHA1
67d2b0d1e7d135054d4c1fc057c7fb5c784aa524

SHA256
e5ba35f40059abd42e0df99509749f7654f39859ab704e9a02fef1ec5ed7f9a3

SHA512
46ede591d55e8e664f803e8e0b76970a80be74fb95b98139ebcfa6ad9dda8dc43e1ba8d094287bb5ab0194ebb9adb1bf8cf94145f28815357c25110d049ce380

Download Submit
\Users\Admin\AppData\Roaming\Afur\wequ.exe
Filesize
500KB

MD5
aa85f90716376ccdaee38e957f97738d

SHA1
2c1cd98f05d89e7a3173c72390b8a1d563450a46

SHA256
0cda5ca24cf6401284425ebfc5aa7933b2be2c04b8a5efd1f58ed14f8489814e

SHA512
d1e02eb0e5b4d484810c567f3c1967ed982b711da02646600cf1f323f9a9eb2f3368b8f0803da7a801c6344cdcaa8a43a1153e8826cbc211708fc3076b235091

Download Submit
memory/340-67-0x000000000042B055-mapping.dmp

Download
memory/340-78-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/340-77-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/340-76-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/340-74-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/340-72-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/340-71-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/340-69-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/340-66-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/340-107-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/340-63-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/340-144-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/340-62-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/340-59-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/856-143-0x0000000002A40000-0x0000000002A7B000-memory.dmp

Filesize
236KB

Download
memory/856-135-0x0000000002A40000-0x0000000002A7B000-memory.dmp

Filesize
236KB

Download
memory/856-131-0x0000000002A40000-0x0000000002A7B000-memory.dmp

Filesize
236KB

Download
memory/856-79-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/856-133-0x0000000002A40000-0x0000000002A7B000-memory.dmp

Filesize
236KB

Download
memory/856-132-0x0000000002A40000-0x0000000002A7B000-memory.dmp

Filesize
236KB

Download
memory/856-264-0x0000000002900000-0x0000000002AC4000-memory.dmp

Filesize
1.8MB

Download
memory/856-134-0x0000000002A40000-0x0000000002A7B000-memory.dmp

Filesize
236KB

Download
memory/856-140-0x0000000002A40000-0x0000000002A7B000-memory.dmp

Filesize
236KB

Download
memory/856-678-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/856-138-0x0000000002A40000-0x0000000002A7B000-memory.dmp

Filesize
236KB

Download
memory/856-57-0x0000000000000000-mapping.dmp

Download
memory/856-137-0x0000000002900000-0x0000000002AC4000-memory.dmp

Filesize
1.8MB

Download
memory/928-413-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/928-87-0x0000000000000000-mapping.dmp

Download
memory/928-403-0x00000000028B0000-0x0000000002A74000-memory.dmp

Filesize
1.8MB

Download
memory/928-109-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/944-54-0x0000000074DE1000-0x0000000074DE3000-memory.dmp

Filesize
8KB

Download
memory/944-68-0x0000000000410000-0x000000000042D000-memory.dmp

Filesize
116KB

Download
memory/1124-102-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1124-108-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1124-486-0x0000000000270000-0x000000000028D000-memory.dmp

Filesize
116KB

Download
memory/1124-104-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1124-402-0x0000000000270000-0x000000000028D000-memory.dmp

Filesize
116KB

Download
memory/1124-97-0x000000000042B055-mapping.dmp

Download
memory/1124-263-0x0000000000270000-0x000000000028D000-memory.dmp

Filesize
116KB

Download
memory/1128-115-0x0000000001E10000-0x0000000001E4B000-memory.dmp

Filesize
236KB

Download
memory/1128-112-0x0000000001E10000-0x0000000001E4B000-memory.dmp

Filesize
236KB

Download
memory/1128-114-0x0000000001E10000-0x0000000001E4B000-memory.dmp

Filesize
236KB

Download
memory/1128-113-0x0000000001E10000-0x0000000001E4B000-memory.dmp

Filesize
236KB

Download
memory/1228-120-0x00000000001C0000-0x00000000001FB000-memory.dmp

Filesize
236KB

Download
memory/1228-119-0x00000000001C0000-0x00000000001FB000-memory.dmp

Filesize
236KB

Download
memory/1228-121-0x00000000001C0000-0x00000000001FB000-memory.dmp

Filesize
236KB

Download
memory/1228-118-0x00000000001C0000-0x00000000001FB000-memory.dmp

Filesize
236KB

Download
memory/1276-141-0x0000000000000000-mapping.dmp

Download
memory/1284-126-0x00000000029C0000-0x00000000029FB000-memory.dmp

Filesize
236KB

Download
memory/1284-125-0x00000000029C0000-0x00000000029FB000-memory.dmp

Filesize
236KB

Download
memory/1284-127-0x00000000029C0000-0x00000000029FB000-memory.dmp

Filesize
236KB

Download
memory/1284-124-0x00000000029C0000-0x00000000029FB000-memory.dmp

Filesize
236KB

Download
memory/1548-81-0x0000000000000000-mapping.dmp

Download
memory/1772-412-0x0000000000069BF5-mapping.dmp

Download
memory/1772-485-0x0000000000050000-0x000000000008B000-memory.dmp

Filesize
236KB

Download
memory/1772-695-0x0000000000050000-0x000000000008B000-memory.dmp

Filesize
236KB

Download
memory/1772-742-0x0000000000050000-0x000000000008B000-memory.dmp

Filesize
236KB

Download
memory/2036-548-0x0000000000069BF5-mapping.dmp

Download
memory/2036-688-0x0000000000050000-0x000000000008B000-memory.dmp

Filesize
236KB

Download
memory/2036-743-0x0000000000050000-0x000000000008B000-memory.dmp

Filesize
236KB

Download