pony | 62869dd10e3025be8ee4ad498214336ab2e68a2c37f7cbf3c340f2fa6854bb52

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
29-05-2024 02:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7f3913a16346193d50485061ea79b1e0_JaffaCakes118.rtf
Size

1.0MB
MD5

7f3913a16346193d50485061ea79b1e0
SHA1

ae9051ed40935240900d392b82978cdfae28c280
SHA256

62869dd10e3025be8ee4ad498214336ab2e68a2c37f7cbf3c340f2fa6854bb52
SHA512

0fec24b743478e09d9c784dfd24840af7fc92b24aa29367685de6115a73c2867f3609ea252e7358dfe3a2fc94551678129fcc9bf30d2f39e23180238c38d5cf2
SSDEEP

24576:U0ycEf/gsWZi6CVeHysNl0jnvH9KDCfbXEmSR8uDIRI2:Y

Score

10^/10

pony collection discovery rat spyware stealer

Malware Config

Extracted

Family

pony

http://www.janabaalicheck.com/web-content/log/log/file/gate.php

Attributes

payload_url
http://www.janabaalicheck.com/web-content/log/log/file/shit.exe

Signatures

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	2636	2012	cmd.exe	27
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	1824	2012	cmd.exe	27

Executes dropped EXE 1 IoCs

pid	Process
744	saver.scr

Loads dropped DLL 1 IoCs

pid	Process
2232	cmd.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	saver.scr

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	saver.scr

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\desktop.ini	cscript.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\desktop.ini	cscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2544	timeout.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
1216	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2012	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 34 IoCs

description	pid	Process
Token: SeDebugPrivilege	1216	taskkill.exe
Token: 1988	744	saver.scr
Token: SeImpersonatePrivilege	744	saver.scr
Token: SeTcbPrivilege	744	saver.scr
Token: SeChangeNotifyPrivilege	744	saver.scr
Token: SeCreateTokenPrivilege	744	saver.scr
Token: SeBackupPrivilege	744	saver.scr
Token: SeRestorePrivilege	744	saver.scr
Token: SeIncreaseQuotaPrivilege	744	saver.scr
Token: SeAssignPrimaryTokenPrivilege	744	saver.scr
Token: SeImpersonatePrivilege	744	saver.scr
Token: SeTcbPrivilege	744	saver.scr
Token: SeChangeNotifyPrivilege	744	saver.scr
Token: SeCreateTokenPrivilege	744	saver.scr
Token: SeBackupPrivilege	744	saver.scr
Token: SeRestorePrivilege	744	saver.scr
Token: SeIncreaseQuotaPrivilege	744	saver.scr
Token: SeAssignPrimaryTokenPrivilege	744	saver.scr
Token: SeImpersonatePrivilege	744	saver.scr
Token: SeTcbPrivilege	744	saver.scr
Token: SeChangeNotifyPrivilege	744	saver.scr
Token: SeCreateTokenPrivilege	744	saver.scr
Token: SeBackupPrivilege	744	saver.scr
Token: SeRestorePrivilege	744	saver.scr
Token: SeIncreaseQuotaPrivilege	744	saver.scr
Token: SeAssignPrimaryTokenPrivilege	744	saver.scr
Token: SeImpersonatePrivilege	744	saver.scr
Token: SeTcbPrivilege	744	saver.scr
Token: SeChangeNotifyPrivilege	744	saver.scr
Token: SeCreateTokenPrivilege	744	saver.scr
Token: SeBackupPrivilege	744	saver.scr
Token: SeRestorePrivilege	744	saver.scr
Token: SeIncreaseQuotaPrivilege	744	saver.scr
Token: SeAssignPrimaryTokenPrivilege	744	saver.scr

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2376	cscript.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2012	WINWORD.EXE
2012	WINWORD.EXE
2012	WINWORD.EXE
744	saver.scr
744	saver.scr

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 2636	2012	WINWORD.EXE	28
PID 2012 wrote to memory of 2636	2012	WINWORD.EXE	28
PID 2012 wrote to memory of 2636	2012	WINWORD.EXE	28
PID 2012 wrote to memory of 2636	2012	WINWORD.EXE	28
PID 2636 wrote to memory of 2496	2636	cmd.exe	30
PID 2636 wrote to memory of 2496	2636	cmd.exe	30
PID 2636 wrote to memory of 2496	2636	cmd.exe	30
PID 2636 wrote to memory of 2496	2636	cmd.exe	30
PID 2496 wrote to memory of 2232	2496	cmd.exe	31
PID 2496 wrote to memory of 2232	2496	cmd.exe	31
PID 2496 wrote to memory of 2232	2496	cmd.exe	31
PID 2496 wrote to memory of 2232	2496	cmd.exe	31
PID 2232 wrote to memory of 2544	2232	cmd.exe	32
PID 2232 wrote to memory of 2544	2232	cmd.exe	32
PID 2232 wrote to memory of 2544	2232	cmd.exe	32
PID 2232 wrote to memory of 2544	2232	cmd.exe	32
PID 2012 wrote to memory of 1824	2012	WINWORD.EXE	33
PID 2012 wrote to memory of 1824	2012	WINWORD.EXE	33
PID 2012 wrote to memory of 1824	2012	WINWORD.EXE	33
PID 2012 wrote to memory of 1824	2012	WINWORD.EXE	33
PID 1824 wrote to memory of 2420	1824	cmd.exe	35
PID 1824 wrote to memory of 2420	1824	cmd.exe	35
PID 1824 wrote to memory of 2420	1824	cmd.exe	35
PID 1824 wrote to memory of 2420	1824	cmd.exe	35
PID 2232 wrote to memory of 2376	2232	cmd.exe	36
PID 2232 wrote to memory of 2376	2232	cmd.exe	36
PID 2232 wrote to memory of 2376	2232	cmd.exe	36
PID 2232 wrote to memory of 2376	2232	cmd.exe	36
PID 2232 wrote to memory of 1216	2232	cmd.exe	37
PID 2232 wrote to memory of 1216	2232	cmd.exe	37
PID 2232 wrote to memory of 1216	2232	cmd.exe	37
PID 2232 wrote to memory of 1216	2232	cmd.exe	37
PID 2232 wrote to memory of 1556	2232	cmd.exe	39
PID 2232 wrote to memory of 1556	2232	cmd.exe	39
PID 2232 wrote to memory of 1556	2232	cmd.exe	39
PID 2232 wrote to memory of 1556	2232	cmd.exe	39
PID 2232 wrote to memory of 2352	2232	cmd.exe	40
PID 2232 wrote to memory of 2352	2232	cmd.exe	40
PID 2232 wrote to memory of 2352	2232	cmd.exe	40
PID 2232 wrote to memory of 2352	2232	cmd.exe	40
PID 2352 wrote to memory of 2548	2352	cmd.exe	41
PID 2352 wrote to memory of 2548	2352	cmd.exe	41
PID 2352 wrote to memory of 2548	2352	cmd.exe	41
PID 2352 wrote to memory of 2548	2352	cmd.exe	41
PID 2232 wrote to memory of 2620	2232	cmd.exe	42
PID 2232 wrote to memory of 2620	2232	cmd.exe	42
PID 2232 wrote to memory of 2620	2232	cmd.exe	42
PID 2232 wrote to memory of 2620	2232	cmd.exe	42
PID 2232 wrote to memory of 1656	2232	cmd.exe	43
PID 2232 wrote to memory of 1656	2232	cmd.exe	43
PID 2232 wrote to memory of 1656	2232	cmd.exe	43
PID 2232 wrote to memory of 1656	2232	cmd.exe	43
PID 1656 wrote to memory of 1768	1656	cmd.exe	44
PID 1656 wrote to memory of 1768	1656	cmd.exe	44
PID 1656 wrote to memory of 1768	1656	cmd.exe	44
PID 1656 wrote to memory of 1768	1656	cmd.exe	44
PID 2232 wrote to memory of 1868	2232	cmd.exe	45
PID 2232 wrote to memory of 1868	2232	cmd.exe	45
PID 2232 wrote to memory of 1868	2232	cmd.exe	45
PID 2232 wrote to memory of 1868	2232	cmd.exe	45
PID 2232 wrote to memory of 1852	2232	cmd.exe	46
PID 2232 wrote to memory of 1852	2232	cmd.exe	46
PID 2232 wrote to memory of 1852	2232	cmd.exe	46
PID 2232 wrote to memory of 1852	2232	cmd.exe	46

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	saver.scr

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\7f3913a16346193d50485061ea79b1e0_JaffaCakes118.rtf"
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C CmD < "C:\Users\Admin\AppData\Local\Temp\ufFm.cMD"
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:2636
- - C:\Windows\SysWOW64\cmd.exe
    CmD
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2496
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K itnqknf5.CMD
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2232
    - - C:\Windows\SysWOW64\timeout.exe
        
        TIMEOUT /T 1
        5⤵
        Delays execution with timeout.exe
        
        PID:2544
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript //nologo "C:\Users\Admin\AppData\Local\Temp\_.vbs"
        5⤵
        Drops desktop.ini file(s)
        Suspicious use of FindShellTrayWindow
        
        PID:2376
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASkKILL /F /IM winword.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1216
    - - C:\Windows\SysWOW64\reg.exe
        
        reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\Resiliency /f
        5⤵
        
        PID:1556
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\File MRU" /v "Item 1"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2352
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\File MRU" /v "Item 1"
        6⤵
        
        PID:2548
    - - C:\Windows\SysWOW64\reg.exe
        
        reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\Resiliency /f
        5⤵
        
        PID:2620
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\File MRU" /v "Item 1"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1656
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\File MRU" /v "Item 1"
        6⤵
        
        PID:1768
    - - C:\Windows\SysWOW64\reg.exe
        
        reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\13.0\Word\Resiliency /f
        5⤵
        
        PID:1868
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\13.0\Word\File MRU" /v "Item 1"
        5⤵
        
        PID:1852
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\13.0\Word\File MRU" /v "Item 1"
        6⤵
        
        PID:2268
    - - C:\Windows\SysWOW64\reg.exe
        
        reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\Resiliency /f
        5⤵
        
        PID:2256
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\File MRU" /v "Item 1"
        5⤵
        
        PID:1912
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\File MRU" /v "Item 1"
        6⤵
        
        PID:2324
    - - C:\Windows\SysWOW64\reg.exe
        
        reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\Resiliency /f
        5⤵
        
        PID:2292
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\File MRU" /v "Item 1"
        5⤵
        
        PID:2284
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\File MRU" /v "Item 1"
        6⤵
        
        PID:1900
    - - C:\Windows\SysWOW64\reg.exe
        
        reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\Resiliency /f
        5⤵
        
        PID:2280
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\File MRU" /v "Item 1"
        5⤵
        
        PID:348
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\File MRU" /v "Item 1"
        6⤵
        
        PID:1220
    - - C:\Users\Admin\AppData\Local\Temp\saver.scr
        
        "C:\Users\Admin\AppData\Local\Temp\saver.scr"
        5⤵
        Executes dropped EXE
        Accesses Microsoft Outlook accounts
        Accesses Microsoft Outlook profiles
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        outlook_win_path
        
        PID:744
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\259405186.bat" "C:\Users\Admin\AppData\Local\Temp\saver.scr" "
        6⤵
        
        PID:2696
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript //nologo "C:\Users\Admin\AppData\Local\Temp\_.vbs"
        5⤵
        
        PID:1848
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C CmD < "C:\Users\Admin\AppData\Local\Temp\ufFm.cMD"
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:1824
- - C:\Windows\SysWOW64\cmd.exe
    CmD
    3⤵
    PID:2420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.zip

Filesize
461KB

MD5
36a3f943e6f57f1d902b02deba4b5b0b

SHA1
ff5f76449f28a304e451344dde7cdcb8871d26e6

SHA256
5d1412cf34a115ab2f5e9c997740f1fbf423ad414ed6ff9dadbff945134ce7a2

SHA512
e50f2ddc61b7e6fc46a11fe6c1a4c2eb2489879385adf545d2cd2039384c3fecc208973073da1be8a46cda0d4dcb3b30d5a760916823231bc0aba0fbe70f1299

Download Submit
C:\Users\Admin\AppData\Local\Temp\259405186.bat

Filesize
94B

MD5
3880eeb1c736d853eb13b44898b718ab

SHA1
4eec9d50360cd815211e3c4e6bdd08271b6ec8e6

SHA256
936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7

SHA512
3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_.vbs

Filesize
255B

MD5
bf8b4048b61bd2f3c20690415fa52ee4

SHA1
10cf302e555807f6a1e46cf52e9e0746cf93951b

SHA256
4e9782ff685787063d3213cb56c918f2ba9a57f7bdf365027e1d11a9824718a6

SHA512
60d1f5ea1595cb9efd8d3bc906a7f9e74b9f561a10ed96f0b1c6f4d33d878be0d86ba622bdd5d8efd576032c30471d5929458c1aa7124b1764deb6f0dbf30990

Download Submit
C:\Users\Admin\AppData\Local\Temp\_.vbs

Filesize
179B

MD5
1d88166a10f71703ef63a827718737ae

SHA1
d4ae6060a3c8c8ee0bc0498294e9fbac11133212

SHA256
9608595afec837d3131a139be240297f78fb1a79c34879eb3e1d01d4ca2c0fb7

SHA512
48f6cc0e4128289ad688cfd67d35f2b47199bfcb807071e800f798df61ae293d0e5af41915a7efb9c5869be48dbbbe0e7ed5ac41a433239a36c10939c28c8236

Download Submit
C:\Users\Admin\AppData\Local\Temp\a.ScT

Filesize
864B

MD5
93522467ea6a1b96b85ddc1aec79da43

SHA1
b4dfef1b1cec653e8675fe954c9c5f43bcdd32ad

SHA256
fab6f1444b9550ef2ef06b651efae615c358f5da51f267c94b78dd115240e9a1

SHA512
d94669ac17d9b1a3f50ddca1eba9c5c20a805e58e22faf86b7bb8379f8f38ae6b48930d9885568d60197f1f8b5fded3125ed7e7b879990ed6643928cbf827905

Download Submit
C:\Users\Admin\AppData\Local\Temp\itnqknf5.cmd

Filesize
1KB

MD5
a3b2ec295ad5a65c83a52892a2abe0fe

SHA1
e69986fc8ad7e818b4f66b101d4063faccf8dafb

SHA256
5a8956e665402c41f00377a5f5f2900b1a3dbc8b04099d8293207d3c65caa238

SHA512
ee42eea67996b1f8aca454eb2bfd2a63caf5cd669b341f60187d714db8a2461069a5d4f1b9328d4fa7569a5f044430cee7294025c7d2c035e437c25b390f0807

Download Submit
C:\Users\Admin\AppData\Local\Temp\ufFm.cMD

Filesize
210B

MD5
955dfb33cd8846c2214a71956b51f68b

SHA1
0e1eded70be14241237ce07620fa4db75618e3a8

SHA256
4a169cbdb43ce32975dcbc5b97dab03466479a1a6aefe9be8c3677a34740c118

SHA512
467b6ed79145460f1ec8d6852b07b19d35686e2f7920b80e07d90dc04ee859264c918b0902191ceb12094c153e61459b0ae144f84ce6072463b3cc15ffa4fb4e

Download Submit
C:\Users\Admin\appData\loCal\TeMp\gondi.doc

Filesize
31KB

MD5
df778726a0f7ffeaa9fc16826f77a946

SHA1
3b4bac8f09cf2d9227c3143aa33ee7b6c1a2cc0c

SHA256
a52fad09e1fb5e5c5532b8a9130c4f99ddbebbfb15ba416e67069866e1b5b3da

SHA512
5d5525b61cce9fc6f806c8d666d291e74915aeac20d7fd937c6d0fab9cefc4287ccdc539dd34b017c9abc6f38c87e9244b0c85a54b3fbe83da885334b1f63215

Download Submit
\Users\Admin\AppData\Local\Temp\saver.scr

Filesize
821KB

MD5
058912d4a58f02677139ae156da4f133

SHA1
bfd79f45b034e8c6512cad3a31e97e5d6b977e54

SHA256
d1401f35070c343ecfe458a3461e12bf2b9888984d476faffb697caf518b905d

SHA512
ec00192febf3b388660a242c7120099cd33f6f4aaf5a90c54aa92b8298584dc800b3b3d0e24fb306c143ee72a100819e29af4bdaa38a66b866f426bf8e67f376

Download Submit
memory/744-61-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/744-71-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/2012-0-0x000000002FF11000-0x000000002FF12000-memory.dmp

Filesize
4KB

Download
memory/2012-50-0x000000007101D000-0x0000000071028000-memory.dmp

Filesize
44KB

Download
memory/2012-2-0x000000007101D000-0x0000000071028000-memory.dmp

Filesize
44KB

Download
memory/2012-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads