Analysis

- max time kernel: 152s
- max time network: 170s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 28-11-2022 10:48
Behavioral task: behavioral1
- Sample: 2d6a03aa9a578344e44a07e10d9b264abb51a3847ed3f264660a0c1b1857e5c7.exe
- Resource: win7-20221111-en

Behavioral task: behavioral2
- Sample: 2d6a03aa9a578344e44a07e10d9b264abb51a3847ed3f264660a0c1b1857e5c7.exe
- Resource: win10v2004-20221111-en
General

- Target: 2d6a03aa9a578344e44a07e10d9b264abb51a3847ed3f264660a0c1b1857e5c7.exe
- Size: 255KB
- MD5: f46ac1a243dbd99ba7062da53b48e36b
- SHA1: c007fef12d4f9afd7bfbaa86ce330ad05e6f3e57
- SHA256: 2d6a03aa9a578344e44a07e10d9b264abb51a3847ed3f264660a0c1b1857e5c7
- SHA512: 48047b13bbb90daacc52869cee62b295b60d775c4a7640c57e3e4dac160f6b62e7249c48dad3eb1e6c2f35af8fc650f90b6cbee045437f4f21f79107d7207eca
- SSDEEP: 6144:/lIa13U16XmP1DdVmdK4wuT/w5WgvNaU7X9h:l13UYXmP1q04wxVkUZh
Malware Config

Extracted
- Family: pony
- http://dooglebay.co.in/speed/Panel/gate.php
- payload_url: http://dooglebay.co.in/speed/Panel/shit.exe
Signatures

- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
    1424  IpOverUsbSvrc.exe
    1020  atiesrx.exe
    944   atiesrx.exe

- Loads dropped DLL (2 IoCs)
  Processes (pid, process):
    1652  2d6a03aa9a578344e44a07e10d9b264abb51a3847ed3f264660a0c1b1857e5c7.exe
    1424  IpOverUsbSvrc.exe

- Obfuscated with Agile.Net obfuscator (4 IoCs)
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  Processes (resource, yara_rule):
    C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe  agile_net
    \Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe    agile_net
    C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe  agile_net
    C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe  agile_net

- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Accesses Microsoft Outlook accounts (1 TTP, 2 IoCs)
  Processes (description, ioc, process):
    Key opened  \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts  atiesrx.exe
    Key opened  \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts  takshost.exe

- Accesses Microsoft Outlook profiles (1 TTP, 2 IoCs)
  Processes (description, ioc, process):
    Key opened  \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  atiesrx.exe
    Key opened  \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  takshost.exe

- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description, ioc, process):
    Set value (str)  \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\Multimedia Class Scheduler = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\IpOverUsbSvrc.exe"  IpOverUsbSvrc.exe

- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

- Suspicious use of SetThreadContext (3 IoCs)
  Processes (description, pid, process, target process):
    PID 1652 set thread context of 1104  1652  2d6a03aa9a578344e44a07e10d9b264abb51a3847ed3f264660a0c1b1857e5c7.exe  2d6a03aa9a578344e44a07e10d9b264abb51a3847ed3f264660a0c1b1857e5c7.exe
    PID 1020 set thread context of 944   1020  atiesrx.exe   atiesrx.exe
    PID 1968 set thread context of 1808  1968  takshost.exe  takshost.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid, process; identical rows collapsed, count in parentheses):
    1652  2d6a03aa9a578344e44a07e10d9b264abb51a3847ed3f264660a0c1b1857e5c7.exe  (54 entries)
    1424  IpOverUsbSvrc.exe  (10 entries)

- Suspicious behavior: RenamesItself (1 IoC)
  Processes (pid, process):
    1652  2d6a03aa9a578344e44a07e10d9b264abb51a3847ed3f264660a0c1b1857e5c7.exe

- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (description, pid, process; identical rows collapsed, count in parentheses):
    Token: SeDebugPrivilege  1652  2d6a03aa9a578344e44a07e10d9b264abb51a3847ed3f264660a0c1b1857e5c7.exe
    Token: SeDebugPrivilege  1424  IpOverUsbSvrc.exe
    Token: SeDebugPrivilege  1020  atiesrx.exe
    Token: SeDebugPrivilege  1968  takshost.exe
    944   atiesrx.exe   (28 entries) and 1808  takshost.exe  (32 entries), each repeatedly adjusting the same set of tokens:
      SeImpersonatePrivilege, SeTcbPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeIncreaseQuotaPrivilege, SeAssignPrimaryTokenPrivilege

- Suspicious use of WriteProcessMemory (47 IoCs)
  Processes (description, pid, process, target process; identical rows collapsed, count in parentheses):
    PID 1652 wrote to memory of 1104  1652  2d6a03aa9a578344e44a07e10d9b264abb51a3847ed3f264660a0c1b1857e5c7.exe  2d6a03aa9a578344e44a07e10d9b264abb51a3847ed3f264660a0c1b1857e5c7.exe  (9 entries)
    PID 1652 wrote to memory of 1424  1652  2d6a03aa9a578344e44a07e10d9b264abb51a3847ed3f264660a0c1b1857e5c7.exe  IpOverUsbSvrc.exe  (4 entries)
    PID 1424 wrote to memory of 1020  1424  IpOverUsbSvrc.exe  atiesrx.exe  (4 entries)
    PID 1652 wrote to memory of 1968  1652  2d6a03aa9a578344e44a07e10d9b264abb51a3847ed3f264660a0c1b1857e5c7.exe  takshost.exe  (4 entries)
    PID 1020 wrote to memory of 944   1020  atiesrx.exe   atiesrx.exe   (9 entries)
    PID 1968 wrote to memory of 1808  1968  takshost.exe  takshost.exe  (9 entries)
    PID 1808 wrote to memory of 604   1808  takshost.exe  cmd.exe  (4 entries)
    PID 944 wrote to memory of 2028   944   atiesrx.exe   cmd.exe  (4 entries)

- outlook_win_path (1 IoC)
  Processes (description, ioc, process):
    Key opened  \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  takshost.exe
Processes (tree; nesting follows the reported depth)

- C:\Users\Admin\AppData\Local\Temp\2d6a03aa9a578344e44a07e10d9b264abb51a3847ed3f264660a0c1b1857e5c7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2d6a03aa9a578344e44a07e10d9b264abb51a3847ed3f264660a0c1b1857e5c7.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\Temp\2d6a03aa9a578344e44a07e10d9b264abb51a3847ed3f264660a0c1b1857e5c7.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2d6a03aa9a578344e44a07e10d9b264abb51a3847ed3f264660a0c1b1857e5c7.exe"

  - C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
        - Executes dropped EXE
        - Accesses Microsoft Outlook accounts
        - Accesses Microsoft Outlook profiles
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        - C:\Windows\SysWOW64\cmd.exe
          Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\7248695.bat" "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe" "

  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
      - Accesses Microsoft Outlook accounts
      - Accesses Microsoft Outlook profiles
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - outlook_win_path

      - C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\7248680.bat" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe" "
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Users\Admin\AppData\Local\Temp\7248680.bat
  Filesize: 94B
  MD5: 3880eeb1c736d853eb13b44898b718ab
  SHA1: 4eec9d50360cd815211e3c4e6bdd08271b6ec8e6
  SHA256: 936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7
  SHA512: 3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

- C:\Users\Admin\AppData\Local\Temp\7248695.bat
  Filesize: 94B
  MD5: 3880eeb1c736d853eb13b44898b718ab
  SHA1: 4eec9d50360cd815211e3c4e6bdd08271b6ec8e6
  SHA256: 936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7
  SHA512: 3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

- C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe
  Filesize: 12KB
  MD5: 7ebd9207b4b4e2c71924e3726b6ef885
  SHA1: 43cec7b0be258572e2427652b54e9713334abc6c
  SHA256: 735afd756f2a12ff9acea88c6564d7e5dc4f2ee3a8d41de08aa985dac6f1804f
  SHA512: 04ab820e1b262b6e12c0f16fcfcbca275b99fe377348e20e76fb465153db71835f2c87ff785d8a95570f624151eccbf63c031aedd32efe0f406d3f3d8cfe0eb1

- C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe
  Filesize: 12KB
  MD5: 7ebd9207b4b4e2c71924e3726b6ef885
  SHA1: 43cec7b0be258572e2427652b54e9713334abc6c
  SHA256: 735afd756f2a12ff9acea88c6564d7e5dc4f2ee3a8d41de08aa985dac6f1804f
  SHA512: 04ab820e1b262b6e12c0f16fcfcbca275b99fe377348e20e76fb465153db71835f2c87ff785d8a95570f624151eccbf63c031aedd32efe0f406d3f3d8cfe0eb1

- C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe (same hashes as the submitted sample)
  Filesize: 255KB
  MD5: f46ac1a243dbd99ba7062da53b48e36b
  SHA1: c007fef12d4f9afd7bfbaa86ce330ad05e6f3e57
  SHA256: 2d6a03aa9a578344e44a07e10d9b264abb51a3847ed3f264660a0c1b1857e5c7
  SHA512: 48047b13bbb90daacc52869cee62b295b60d775c4a7640c57e3e4dac160f6b62e7249c48dad3eb1e6c2f35af8fc650f90b6cbee045437f4f21f79107d7207eca

- C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
  Filesize: 255KB
  MD5: f46ac1a243dbd99ba7062da53b48e36b
  SHA1: c007fef12d4f9afd7bfbaa86ce330ad05e6f3e57
  SHA256: 2d6a03aa9a578344e44a07e10d9b264abb51a3847ed3f264660a0c1b1857e5c7
  SHA512: 48047b13bbb90daacc52869cee62b295b60d775c4a7640c57e3e4dac160f6b62e7249c48dad3eb1e6c2f35af8fc650f90b6cbee045437f4f21f79107d7207eca

- C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
  Filesize: 255KB
  MD5: f46ac1a243dbd99ba7062da53b48e36b
  SHA1: c007fef12d4f9afd7bfbaa86ce330ad05e6f3e57
  SHA256: 2d6a03aa9a578344e44a07e10d9b264abb51a3847ed3f264660a0c1b1857e5c7
  SHA512: 48047b13bbb90daacc52869cee62b295b60d775c4a7640c57e3e4dac160f6b62e7249c48dad3eb1e6c2f35af8fc650f90b6cbee045437f4f21f79107d7207eca

- \Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe
  Filesize: 12KB
  MD5: 7ebd9207b4b4e2c71924e3726b6ef885
  SHA1: 43cec7b0be258572e2427652b54e9713334abc6c
  SHA256: 735afd756f2a12ff9acea88c6564d7e5dc4f2ee3a8d41de08aa985dac6f1804f
  SHA512: 04ab820e1b262b6e12c0f16fcfcbca275b99fe377348e20e76fb465153db71835f2c87ff785d8a95570f624151eccbf63c031aedd32efe0f406d3f3d8cfe0eb1

- \Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
  Filesize: 255KB
  MD5: f46ac1a243dbd99ba7062da53b48e36b
  SHA1: c007fef12d4f9afd7bfbaa86ce330ad05e6f3e57
  SHA256: 2d6a03aa9a578344e44a07e10d9b264abb51a3847ed3f264660a0c1b1857e5c7
  SHA512: 48047b13bbb90daacc52869cee62b295b60d775c4a7640c57e3e4dac160f6b62e7249c48dad3eb1e6c2f35af8fc650f90b6cbee045437f4f21f79107d7207eca
Memory dumps (path, filesize where reported)

- memory/604-113-0x0000000000000000-mapping.dmp
- memory/944-97-0x0000000000400000-0x0000000000419000-memory.dmp (100KB)
- memory/944-116-0x0000000000400000-0x0000000000419000-memory.dmp (100KB)
- memory/944-100-0x0000000000400000-0x0000000000419000-memory.dmp (100KB)
- memory/944-96-0x0000000000400000-0x0000000000419000-memory.dmp (100KB)
- memory/944-92-0x0000000000410626-mapping.dmp
- memory/1020-79-0x00000000744D0000-0x0000000074A7B000-memory.dmp (5.7MB)
- memory/1020-99-0x00000000744D0000-0x0000000074A7B000-memory.dmp (5.7MB)
- memory/1020-80-0x00000000744D0000-0x0000000074A7B000-memory.dmp (5.7MB)
- memory/1020-76-0x0000000000000000-mapping.dmp
- memory/1104-58-0x00000000000D0000-0x00000000000E9000-memory.dmp (100KB)
- memory/1104-61-0x00000000000D0000-0x00000000000E9000-memory.dmp (100KB)
- memory/1104-60-0x00000000000D0000-0x00000000000E9000-memory.dmp (100KB)
- memory/1104-64-0x0000000000410626-mapping.dmp
- memory/1104-57-0x00000000000D0000-0x00000000000E9000-memory.dmp (100KB)
- memory/1104-65-0x00000000000D0000-0x00000000000E9000-memory.dmp (100KB)
- memory/1424-68-0x0000000000000000-mapping.dmp
- memory/1424-73-0x00000000744D0000-0x0000000074A7B000-memory.dmp (5.7MB)
- memory/1424-72-0x00000000744D0000-0x0000000074A7B000-memory.dmp (5.7MB)
- memory/1652-55-0x00000000744D0000-0x0000000074A7B000-memory.dmp (5.7MB)
- memory/1652-83-0x00000000744D0000-0x0000000074A7B000-memory.dmp (5.7MB)
- memory/1652-56-0x00000000744D0000-0x0000000074A7B000-memory.dmp (5.7MB)
- memory/1652-54-0x0000000074FD1000-0x0000000074FD3000-memory.dmp (8KB)
- memory/1808-112-0x0000000000400000-0x0000000000419000-memory.dmp (100KB)
- memory/1808-115-0x0000000000400000-0x0000000000419000-memory.dmp (100KB)
- memory/1808-108-0x0000000000410626-mapping.dmp
- memory/1968-98-0x00000000744D0000-0x0000000074A7B000-memory.dmp (5.7MB)
- memory/1968-84-0x00000000744D0000-0x0000000074A7B000-memory.dmp (5.7MB)
- memory/1968-81-0x0000000000000000-mapping.dmp
- memory/2028-114-0x0000000000000000-mapping.dmp