Analysis
-
max time kernel
151s
-
max time network
147s
-
platform
windows7_x64
-
resource
win7-20220812-en
-
resource tags
arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
-
submitted
28-11-2022 11:17
Behavioral task
behavioral1
Sample
0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
Resource
win10v2004-20221111-en
General
-
Target
0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
-
Size
196KB
-
MD5
7cd3259d6dcfc8b1eff9c35de1b9bbd8
-
SHA1
bc0b4234f5e014ccc8ab8dd6cb626b0aa0c79207
-
SHA256
0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe
-
SHA512
1c1c264f7f6fa01db1bb31fef3d829dc61e604388adcb9b8ea0c0cd6bf6b4a65e2c25134e6cecc0bd67f96f46897705cd69b980d5ae6f67d53c5d6656d69d4c8
-
SSDEEP
3072:4JDzxTsqJF1teLemzoOkZKeXJ5F6P1A3Cg7ByvOpLTvNaJS7X9hkg:2DlTsqz1teHzOsEn0P1qCwB5NaU7X9h
Malware Config
Extracted
pony
http://5.39.8.194/~login/sam/Panel/gate.php
-
payload_url
http://5.39.8.194/~login/sam/Panel/shit.exe
Signatures
-
Executes dropped EXE 3 IoCs
Processes:
pid | process
852 | IpOverUsbSvrc.exe
1008 | atiesrx.exe
1104 | atiesrx.exe
-
Loads dropped DLL 2 IoCs
Processes:
pid | process
1964 | 0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
852 | IpOverUsbSvrc.exe
-
Obfuscated with Agile.Net obfuscator 7 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
resource | yara_rule
\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe | agile_net
C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe | agile_net
C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe | agile_net
C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe | agile_net
\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe | agile_net
C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe | agile_net
C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe | agile_net
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 3 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | takshost.exe
Key opened | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | 0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
Key opened | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | atiesrx.exe
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | 0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
Key opened | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | atiesrx.exe
Key opened | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | takshost.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Multimedia Class Scheduler = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\IpOverUsbSvrc.exe" | IpOverUsbSvrc.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
description | pid | process | target process
PID 1964 set thread context of 1280 | 1964 | 0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe | 0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
PID 1008 set thread context of 1104 | 1008 | atiesrx.exe | atiesrx.exe
PID 1004 set thread context of 1200 | 1004 | takshost.exe | takshost.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: RenamesItself 1 IoCs
Processes:
pid | process
1964 | 0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
-
Suspicious use of AdjustPrivilegeToken 52 IoCs
Suspicious use of WriteProcessMemory 40 IoCs
outlook_win_path 1 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | takshost.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe (level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe"
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe (level 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe"
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe (level 3)
Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\7223969.bat" "C:\Users\Admin\AppData\Local\Temp\0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe" "
-
C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe (level 2)
Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe"
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe (level 3)
Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe (level 4)
Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe (level 2)
Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe (level 3)
Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe
Filesize 10KB
MD5 b3bbb175906ed2831daef23eccea6a2c
SHA1 ed5cb8c8f225ead014298ae5636c142cfed448dd
SHA256 be649d0f7996abd93f2a4f05d71cf65ab688f9007017c6791cd94033133947eb
SHA512 185a3c6f62dd68f3d9c2b9d49079363bf3c8cbbcbbd89a8416060af2f47c28e72055bad653d7d1832326eccde38169fd826fcc2a4867ae61483d56893d9bd986
-
C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
Filesize 196KB
MD5 7cd3259d6dcfc8b1eff9c35de1b9bbd8
SHA1 bc0b4234f5e014ccc8ab8dd6cb626b0aa0c79207
SHA256 0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe
SHA512 1c1c264f7f6fa01db1bb31fef3d829dc61e604388adcb9b8ea0c0cd6bf6b4a65e2c25134e6cecc0bd67f96f46897705cd69b980d5ae6f67d53c5d6656d69d4c8
-
\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe
Filesize 10KB
MD5 b3bbb175906ed2831daef23eccea6a2c
SHA1 ed5cb8c8f225ead014298ae5636c142cfed448dd
SHA256 be649d0f7996abd93f2a4f05d71cf65ab688f9007017c6791cd94033133947eb
SHA512 185a3c6f62dd68f3d9c2b9d49079363bf3c8cbbcbbd89a8416060af2f47c28e72055bad653d7d1832326eccde38169fd826fcc2a4867ae61483d56893d9bd986
-
\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
Filesize 196KB
MD5 7cd3259d6dcfc8b1eff9c35de1b9bbd8
SHA1 bc0b4234f5e014ccc8ab8dd6cb626b0aa0c79207
SHA256 0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe
SHA512 1c1c264f7f6fa01db1bb31fef3d829dc61e604388adcb9b8ea0c0cd6bf6b4a65e2c25134e6cecc0bd67f96f46897705cd69b980d5ae6f67d53c5d6656d69d4c8
-
memory/852-73-0x0000000074970000-0x0000000074F1B000-memory.dmp  Filesize 5.7MB
-
memory/852-74-0x0000000074970000-0x0000000074F1B000-memory.dmp  Filesize 5.7MB
-
memory/852-68-0x0000000000000000-mapping.dmp
-
memory/1004-98-0x0000000074970000-0x0000000074F1B000-memory.dmp  Filesize 5.7MB
-
memory/1004-82-0x0000000000000000-mapping.dmp
-
memory/1004-85-0x0000000074970000-0x0000000074F1B000-memory.dmp  Filesize 5.7MB
-
memory/1008-81-0x0000000074970000-0x0000000074F1B000-memory.dmp  Filesize 5.7MB
-
memory/1008-80-0x0000000074970000-0x0000000074F1B000-memory.dmp  Filesize 5.7MB
-
memory/1008-77-0x0000000000000000-mapping.dmp
-
memory/1104-97-0x0000000000400000-0x000000000041C000-memory.dmp  Filesize 112KB
-
memory/1104-91-0x000000000041A1F0-mapping.dmp
-
memory/1104-99-0x0000000000400000-0x000000000041C000-memory.dmp  Filesize 112KB
-
memory/1200-105-0x000000000041A1F0-mapping.dmp
-
memory/1200-110-0x0000000000400000-0x000000000041C000-memory.dmp  Filesize 112KB
-
memory/1280-65-0x0000000000400000-0x000000000041C000-memory.dmp  Filesize 112KB
-
memory/1280-66-0x0000000000400000-0x000000000041C000-memory.dmp  Filesize 112KB
-
memory/1280-112-0x0000000000400000-0x000000000041C000-memory.dmp  Filesize 112KB
-
memory/1280-72-0x0000000000400000-0x000000000041C000-memory.dmp  Filesize 112KB
-
memory/1280-62-0x000000000041A1F0-mapping.dmp
-
memory/1280-61-0x0000000000400000-0x000000000041C000-memory.dmp  Filesize 112KB
-
memory/1280-60-0x0000000000400000-0x000000000041C000-memory.dmp  Filesize 112KB
-
memory/1280-58-0x0000000000400000-0x000000000041C000-memory.dmp  Filesize 112KB
-
memory/1280-57-0x0000000000400000-0x000000000041C000-memory.dmp  Filesize 112KB
-
memory/1800-111-0x0000000000000000-mapping.dmp
-
memory/1964-54-0x0000000076411000-0x0000000076413000-memory.dmp  Filesize 8KB
-
memory/1964-55-0x0000000074970000-0x0000000074F1B000-memory.dmp  Filesize 5.7MB
-
memory/1964-56-0x0000000074970000-0x0000000074F1B000-memory.dmp  Filesize 5.7MB
-
memory/1964-84-0x0000000074970000-0x0000000074F1B000-memory.dmp  Filesize 5.7MB