pony | 0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe

Analysis

max time kernel
151s
max time network
147s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
28-11-2022 11:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
Size

196KB
MD5

7cd3259d6dcfc8b1eff9c35de1b9bbd8
SHA1

bc0b4234f5e014ccc8ab8dd6cb626b0aa0c79207
SHA256

0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe
SHA512

1c1c264f7f6fa01db1bb31fef3d829dc61e604388adcb9b8ea0c0cd6bf6b4a65e2c25134e6cecc0bd67f96f46897705cd69b980d5ae6f67d53c5d6656d69d4c8
SSDEEP

3072:4JDzxTsqJF1teLemzoOkZKeXJ5F6P1A3Cg7ByvOpLTvNaJS7X9hkg:2DlTsqz1teHzOsEn0P1qCwB5NaU7X9h

Score

10^/10

pony agilenet collection discovery persistence rat spyware stealer upx

Malware Config

Extracted

Family

pony

http://5.39.8.194/~login/sam/Panel/gate.php

Attributes

payload_url
http://5.39.8.194/~login/sam/Panel/shit.exe

Signatures

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Executes dropped EXE 3 IoCs

Processes:

IpOverUsbSvrc.exeatiesrx.exeatiesrx.exe

pid process

852 IpOverUsbSvrc.exe
1008 atiesrx.exe
1104 atiesrx.exe

pid	process
852	IpOverUsbSvrc.exe
1008	atiesrx.exe
1104	atiesrx.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1280-58-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1280-60-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1280-61-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1280-65-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1280-66-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1280-72-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1104-97-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1104-99-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1200-110-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1280-112-0x0000000000400000-0x000000000041C000-memory.dmp	upx

Loads dropped DLL 2 IoCs

Processes:

0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exeIpOverUsbSvrc.exe

pid process

1964 0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
852 IpOverUsbSvrc.exe

Obfuscated with Agile.Net obfuscator 7 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe	agile_net
C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe	agile_net
C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe	agile_net
C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe	agile_net
\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe	agile_net
C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe	agile_net
C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe	agile_net

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook accounts 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

takshost.exe0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exeatiesrx.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	takshost.exe
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	atiesrx.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exeatiesrx.exetakshost.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	atiesrx.exe
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	takshost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

IpOverUsbSvrc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Multimedia Class Scheduler = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\IpOverUsbSvrc.exe"	IpOverUsbSvrc.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 3 IoCs

Processes:

0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exeatiesrx.exetakshost.exe

description	pid	process	target process
PID 1964 set thread context of 1280	1964	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
PID 1008 set thread context of 1104	1008	atiesrx.exe	atiesrx.exe
PID 1004 set thread context of 1200	1004	takshost.exe	takshost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exeIpOverUsbSvrc.exe

pid	process
1964	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
1964	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
1964	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
1964	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
1964	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
1964	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
1964	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
1964	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
1964	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
1964	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
1964	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
1964	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
1964	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
1964	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
1964	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
1964	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
1964	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
1964	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
1964	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
1964	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
1964	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
1964	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
1964	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
1964	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
1964	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
1964	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
852	IpOverUsbSvrc.exe
1964	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
1964	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
1964	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
852	IpOverUsbSvrc.exe
1964	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
1964	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
852	IpOverUsbSvrc.exe
1964	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
1964	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
852	IpOverUsbSvrc.exe
1964	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
1964	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
852	IpOverUsbSvrc.exe
1964	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
1964	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
852	IpOverUsbSvrc.exe
1964	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
1964	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
852	IpOverUsbSvrc.exe
1964	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
1964	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
852	IpOverUsbSvrc.exe
1964	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
1964	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
852	IpOverUsbSvrc.exe
1964	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
1964	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
852	IpOverUsbSvrc.exe
1964	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
1964	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
852	IpOverUsbSvrc.exe
1964	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
1964	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
852	IpOverUsbSvrc.exe
1964	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
852	IpOverUsbSvrc.exe
852	IpOverUsbSvrc.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe

pid process

1964 0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe

Suspicious use of AdjustPrivilegeToken 52 IoCs

Processes:

0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exeIpOverUsbSvrc.exeatiesrx.exeatiesrx.exetakshost.exetakshost.exe

description	pid	process
Token: SeDebugPrivilege	1964	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
Token: SeImpersonatePrivilege	1280	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
Token: SeTcbPrivilege	1280	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
Token: SeChangeNotifyPrivilege	1280	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
Token: SeCreateTokenPrivilege	1280	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
Token: SeBackupPrivilege	1280	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
Token: SeRestorePrivilege	1280	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
Token: SeIncreaseQuotaPrivilege	1280	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
Token: SeAssignPrimaryTokenPrivilege	1280	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
Token: SeDebugPrivilege	852	IpOverUsbSvrc.exe
Token: SeDebugPrivilege	1008	atiesrx.exe
Token: SeImpersonatePrivilege	1104	atiesrx.exe
Token: SeTcbPrivilege	1104	atiesrx.exe
Token: SeChangeNotifyPrivilege	1104	atiesrx.exe
Token: SeCreateTokenPrivilege	1104	atiesrx.exe
Token: SeBackupPrivilege	1104	atiesrx.exe
Token: SeRestorePrivilege	1104	atiesrx.exe
Token: SeIncreaseQuotaPrivilege	1104	atiesrx.exe
Token: SeAssignPrimaryTokenPrivilege	1104	atiesrx.exe
Token: SeDebugPrivilege	1004	takshost.exe
Token: SeImpersonatePrivilege	1200	takshost.exe
Token: SeTcbPrivilege	1200	takshost.exe
Token: SeChangeNotifyPrivilege	1200	takshost.exe
Token: SeCreateTokenPrivilege	1200	takshost.exe
Token: SeBackupPrivilege	1200	takshost.exe
Token: SeRestorePrivilege	1200	takshost.exe
Token: SeIncreaseQuotaPrivilege	1200	takshost.exe
Token: SeAssignPrimaryTokenPrivilege	1200	takshost.exe
Token: SeImpersonatePrivilege	1280	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
Token: SeTcbPrivilege	1280	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
Token: SeChangeNotifyPrivilege	1280	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
Token: SeCreateTokenPrivilege	1280	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
Token: SeBackupPrivilege	1280	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
Token: SeRestorePrivilege	1280	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
Token: SeIncreaseQuotaPrivilege	1280	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
Token: SeAssignPrimaryTokenPrivilege	1280	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
Token: SeImpersonatePrivilege	1280	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
Token: SeTcbPrivilege	1280	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
Token: SeChangeNotifyPrivilege	1280	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
Token: SeCreateTokenPrivilege	1280	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
Token: SeBackupPrivilege	1280	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
Token: SeRestorePrivilege	1280	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
Token: SeIncreaseQuotaPrivilege	1280	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
Token: SeAssignPrimaryTokenPrivilege	1280	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
Token: SeImpersonatePrivilege	1280	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
Token: SeTcbPrivilege	1280	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
Token: SeChangeNotifyPrivilege	1280	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
Token: SeCreateTokenPrivilege	1280	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
Token: SeBackupPrivilege	1280	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
Token: SeRestorePrivilege	1280	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
Token: SeIncreaseQuotaPrivilege	1280	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
Token: SeAssignPrimaryTokenPrivilege	1280	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exeIpOverUsbSvrc.exeatiesrx.exetakshost.exe0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe

description	pid	process	target process
PID 1964 wrote to memory of 1280	1964	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
PID 1964 wrote to memory of 1280	1964	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
PID 1964 wrote to memory of 1280	1964	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
PID 1964 wrote to memory of 1280	1964	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
PID 1964 wrote to memory of 1280	1964	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
PID 1964 wrote to memory of 1280	1964	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
PID 1964 wrote to memory of 1280	1964	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
PID 1964 wrote to memory of 1280	1964	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
PID 1964 wrote to memory of 852	1964	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe	IpOverUsbSvrc.exe
PID 1964 wrote to memory of 852	1964	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe	IpOverUsbSvrc.exe
PID 1964 wrote to memory of 852	1964	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe	IpOverUsbSvrc.exe
PID 1964 wrote to memory of 852	1964	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe	IpOverUsbSvrc.exe
PID 852 wrote to memory of 1008	852	IpOverUsbSvrc.exe	atiesrx.exe
PID 852 wrote to memory of 1008	852	IpOverUsbSvrc.exe	atiesrx.exe
PID 852 wrote to memory of 1008	852	IpOverUsbSvrc.exe	atiesrx.exe
PID 852 wrote to memory of 1008	852	IpOverUsbSvrc.exe	atiesrx.exe
PID 1964 wrote to memory of 1004	1964	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe	takshost.exe
PID 1964 wrote to memory of 1004	1964	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe	takshost.exe
PID 1964 wrote to memory of 1004	1964	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe	takshost.exe
PID 1964 wrote to memory of 1004	1964	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe	takshost.exe
PID 1008 wrote to memory of 1104	1008	atiesrx.exe	atiesrx.exe
PID 1008 wrote to memory of 1104	1008	atiesrx.exe	atiesrx.exe
PID 1008 wrote to memory of 1104	1008	atiesrx.exe	atiesrx.exe
PID 1008 wrote to memory of 1104	1008	atiesrx.exe	atiesrx.exe
PID 1008 wrote to memory of 1104	1008	atiesrx.exe	atiesrx.exe
PID 1008 wrote to memory of 1104	1008	atiesrx.exe	atiesrx.exe
PID 1008 wrote to memory of 1104	1008	atiesrx.exe	atiesrx.exe
PID 1008 wrote to memory of 1104	1008	atiesrx.exe	atiesrx.exe
PID 1004 wrote to memory of 1200	1004	takshost.exe	takshost.exe
PID 1004 wrote to memory of 1200	1004	takshost.exe	takshost.exe
PID 1004 wrote to memory of 1200	1004	takshost.exe	takshost.exe
PID 1004 wrote to memory of 1200	1004	takshost.exe	takshost.exe
PID 1004 wrote to memory of 1200	1004	takshost.exe	takshost.exe
PID 1004 wrote to memory of 1200	1004	takshost.exe	takshost.exe
PID 1004 wrote to memory of 1200	1004	takshost.exe	takshost.exe
PID 1004 wrote to memory of 1200	1004	takshost.exe	takshost.exe
PID 1280 wrote to memory of 1800	1280	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe	cmd.exe
PID 1280 wrote to memory of 1800	1280	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe	cmd.exe
PID 1280 wrote to memory of 1800	1280	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe	cmd.exe
PID 1280 wrote to memory of 1800	1280	0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe	cmd.exe

outlook_win_path 1 IoCs

Processes:

takshost.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	takshost.exe

C:\Users\Admin\AppData\Local\Temp\0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
"C:\Users\Admin\AppData\Local\Temp\0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1964

C:\Users\Admin\AppData\Local\Temp\0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
"C:\Users\Admin\AppData\Local\Temp\0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe"
2⤵
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1280

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\7223969.bat" "C:\Users\Admin\AppData\Local\Temp\0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe" "
3⤵
PID:1800

C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:852

C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1008

C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
4⤵
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
PID:1104

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1004

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
3⤵
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_win_path
PID:1200

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe
Filesize
10KB

MD5
b3bbb175906ed2831daef23eccea6a2c

SHA1
ed5cb8c8f225ead014298ae5636c142cfed448dd

SHA256
be649d0f7996abd93f2a4f05d71cf65ab688f9007017c6791cd94033133947eb

SHA512
185a3c6f62dd68f3d9c2b9d49079363bf3c8cbbcbbd89a8416060af2f47c28e72055bad653d7d1832326eccde38169fd826fcc2a4867ae61483d56893d9bd986

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe
Filesize
10KB

MD5
b3bbb175906ed2831daef23eccea6a2c

SHA1
ed5cb8c8f225ead014298ae5636c142cfed448dd

SHA256
be649d0f7996abd93f2a4f05d71cf65ab688f9007017c6791cd94033133947eb

SHA512
185a3c6f62dd68f3d9c2b9d49079363bf3c8cbbcbbd89a8416060af2f47c28e72055bad653d7d1832326eccde38169fd826fcc2a4867ae61483d56893d9bd986

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
Filesize
196KB

MD5
7cd3259d6dcfc8b1eff9c35de1b9bbd8

SHA1
bc0b4234f5e014ccc8ab8dd6cb626b0aa0c79207

SHA256
0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe

SHA512
1c1c264f7f6fa01db1bb31fef3d829dc61e604388adcb9b8ea0c0cd6bf6b4a65e2c25134e6cecc0bd67f96f46897705cd69b980d5ae6f67d53c5d6656d69d4c8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
Filesize
196KB

MD5
7cd3259d6dcfc8b1eff9c35de1b9bbd8

SHA1
bc0b4234f5e014ccc8ab8dd6cb626b0aa0c79207

SHA256
0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe

SHA512
1c1c264f7f6fa01db1bb31fef3d829dc61e604388adcb9b8ea0c0cd6bf6b4a65e2c25134e6cecc0bd67f96f46897705cd69b980d5ae6f67d53c5d6656d69d4c8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
Filesize
196KB

MD5
7cd3259d6dcfc8b1eff9c35de1b9bbd8

SHA1
bc0b4234f5e014ccc8ab8dd6cb626b0aa0c79207

SHA256
0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe

SHA512
1c1c264f7f6fa01db1bb31fef3d829dc61e604388adcb9b8ea0c0cd6bf6b4a65e2c25134e6cecc0bd67f96f46897705cd69b980d5ae6f67d53c5d6656d69d4c8

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe
Filesize
10KB

MD5
b3bbb175906ed2831daef23eccea6a2c

SHA1
ed5cb8c8f225ead014298ae5636c142cfed448dd

SHA256
be649d0f7996abd93f2a4f05d71cf65ab688f9007017c6791cd94033133947eb

SHA512
185a3c6f62dd68f3d9c2b9d49079363bf3c8cbbcbbd89a8416060af2f47c28e72055bad653d7d1832326eccde38169fd826fcc2a4867ae61483d56893d9bd986

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
Filesize
196KB

MD5
7cd3259d6dcfc8b1eff9c35de1b9bbd8

SHA1
bc0b4234f5e014ccc8ab8dd6cb626b0aa0c79207

SHA256
0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe

SHA512
1c1c264f7f6fa01db1bb31fef3d829dc61e604388adcb9b8ea0c0cd6bf6b4a65e2c25134e6cecc0bd67f96f46897705cd69b980d5ae6f67d53c5d6656d69d4c8

Download Submit
memory/852-73-0x0000000074970000-0x0000000074F1B000-memory.dmp

Filesize
5.7MB

Download
memory/852-74-0x0000000074970000-0x0000000074F1B000-memory.dmp

Filesize
5.7MB

Download
memory/852-68-0x0000000000000000-mapping.dmp

Download
memory/1004-98-0x0000000074970000-0x0000000074F1B000-memory.dmp

Filesize
5.7MB

Download
memory/1004-82-0x0000000000000000-mapping.dmp

Download
memory/1004-85-0x0000000074970000-0x0000000074F1B000-memory.dmp

Filesize
5.7MB

Download
memory/1008-81-0x0000000074970000-0x0000000074F1B000-memory.dmp

Filesize
5.7MB

Download
memory/1008-80-0x0000000074970000-0x0000000074F1B000-memory.dmp

Filesize
5.7MB

Download
memory/1008-77-0x0000000000000000-mapping.dmp

Download
memory/1104-97-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1104-91-0x000000000041A1F0-mapping.dmp

Download
memory/1104-99-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1200-105-0x000000000041A1F0-mapping.dmp

Download
memory/1200-110-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1280-65-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1280-66-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1280-112-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1280-72-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1280-62-0x000000000041A1F0-mapping.dmp

Download
memory/1280-61-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1280-60-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1280-58-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1280-57-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1800-111-0x0000000000000000-mapping.dmp

Download
memory/1964-54-0x0000000076411000-0x0000000076413000-memory.dmp

Filesize
8KB

Download
memory/1964-55-0x0000000074970000-0x0000000074F1B000-memory.dmp

Filesize
5.7MB

Download
memory/1964-56-0x0000000074970000-0x0000000074F1B000-memory.dmp

Filesize
5.7MB

Download
memory/1964-84-0x0000000074970000-0x0000000074F1B000-memory.dmp

Filesize
5.7MB

Download