pony | 1e06cd6080f6c70fa2cdf71317885a10e34f5dbe9ea67cdf68eed11ea1ed9f17

Analysis

max time kernel
148s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17-09-2024 17:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e7563fb714975fdd125a7147b6f26cb7_JaffaCakes118.exe
Size

786KB
MD5

e7563fb714975fdd125a7147b6f26cb7
SHA1

177677382a11ff91bce6b0d18edddca6eec7e847
SHA256

1e06cd6080f6c70fa2cdf71317885a10e34f5dbe9ea67cdf68eed11ea1ed9f17
SHA512

9dbc70f53d9bf647f1621a5d2ebdc859832993c92f8cfe30d31eb356115d7e2337fe476ae0309a901dc6fa64abbb876e5501914f9d2daafdd18cbaaf9df67d19
SSDEEP

12288:R7AjiMRTL6SeMj8PNJL4mCKfY157wbZ6od6nA19YTvIfQVjAZTmNF0BZnuH:yji4LXe/zLpCKfY0AoGuloVSTmNukH

Score

10^/10

pony credential_access defense_evasion discovery evasion persistence rat spyware stealer upx

Malware Config

Signatures

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3"	3R2R.exe

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Disables taskbar notifications via registry modification
evasion

Executes dropped EXE 9 IoCs

pid	Process
2292	Pynchon, Thomas - The Crying of Lot 49.exe
2784	ic5.exe
2672	2 Gansta.exe
1292	3R2R.exe
2132	4tbp.exe
332	csrss.exe
980	3R2R.exe
2748	3R2R.exe
952	5783.tmp

Loads dropped DLL 46 IoCs

pid	Process
1404	e7563fb714975fdd125a7147b6f26cb7_JaffaCakes118.exe
2292	Pynchon, Thomas - The Crying of Lot 49.exe
2292	Pynchon, Thomas - The Crying of Lot 49.exe
1404	e7563fb714975fdd125a7147b6f26cb7_JaffaCakes118.exe
1404	e7563fb714975fdd125a7147b6f26cb7_JaffaCakes118.exe
1404	e7563fb714975fdd125a7147b6f26cb7_JaffaCakes118.exe
1404	e7563fb714975fdd125a7147b6f26cb7_JaffaCakes118.exe
2784	ic5.exe
2784	ic5.exe
2784	ic5.exe
2672	2 Gansta.exe
2672	2 Gansta.exe
2672	2 Gansta.exe
1404	e7563fb714975fdd125a7147b6f26cb7_JaffaCakes118.exe
1404	e7563fb714975fdd125a7147b6f26cb7_JaffaCakes118.exe
1404	e7563fb714975fdd125a7147b6f26cb7_JaffaCakes118.exe
1404	e7563fb714975fdd125a7147b6f26cb7_JaffaCakes118.exe
1292	3R2R.exe
1292	3R2R.exe
1292	3R2R.exe
2132	4tbp.exe
2132	4tbp.exe
2132	4tbp.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
800	Process not Found
1524	DllHost.exe
1292	3R2R.exe
1292	3R2R.exe
980	3R2R.exe
980	3R2R.exe
980	3R2R.exe
1292	3R2R.exe
2748	3R2R.exe
2748	3R2R.exe
2748	3R2R.exe
1500	rundll32.exe
1500	rundll32.exe
1500	rundll32.exe
1500	rundll32.exe
1292	3R2R.exe
1292	3R2R.exe
952	5783.tmp
1500	rundll32.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1404-36-0x0000000002DD0000-0x0000000002DDA000-memory.dmp	upx
behavioral1/files/0x0007000000016ca2-33.dat	upx
behavioral1/memory/2672-43-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/memory/980-132-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral1/memory/2672-161-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/memory/1292-164-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral1/memory/2748-237-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral1/memory/1292-239-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral1/memory/1292-305-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral1/memory/1292-332-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral1/memory/1292-354-0x0000000000400000-0x000000000046D000-memory.dmp	upx

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Cmuwopozekawepa = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\der3208.dll\",Startup"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\747.exe = "C:\\Program Files (x86)\\LP\\C889\\747.exe"	3R2R.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	\systemroot\assembly\GAC_64\Desktop.ini	csrss.exe
File created	\systemroot\assembly\GAC_32\Desktop.ini	csrss.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\LP\C889\747.exe	3R2R.exe
File opened for modification	C:\Program Files (x86)\LP\C889\5783.tmp	3R2R.exe
File opened for modification	C:\Program Files (x86)\LP\C889\747.exe	3R2R.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2 Gansta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3R2R.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3R2R.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3R2R.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e7563fb714975fdd125a7147b6f26cb7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pynchon, Thomas - The Crying of Lot 49.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ic5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4tbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5783.tmp

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	Pynchon, Thomas - The Crying of Lot 49.exe

Modifies registry class 8 IoCs

description	ioc	Process
Key created	\registry\machine\Software\Classes\Interface\{d0bd03f9-6d59-e6e2-2fad-1e136de3e1d4}	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{d0bd03f9-6d59-e6e2-2fad-1e136de3e1d4}\u = "860049491"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{d0bd03f9-6d59-e6e2-2fad-1e136de3e1d4}\cid = "8462148105817855627"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1292	3R2R.exe
1292	3R2R.exe
1292	3R2R.exe
1292	3R2R.exe
1292	3R2R.exe
1292	3R2R.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
2804	rundll32.exe
1292	3R2R.exe
1292	3R2R.exe
1292	3R2R.exe
1292	3R2R.exe
1292	3R2R.exe
1292	3R2R.exe
1292	3R2R.exe
1292	3R2R.exe
2804	rundll32.exe
332	csrss.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	1740	msiexec.exe
Token: SeTakeOwnershipPrivilege	1740	msiexec.exe
Token: SeSecurityPrivilege	1740	msiexec.exe
Token: SeDebugPrivilege	1620	explorer.exe
Token: SeIncBasePriorityPrivilege	2672	2 Gansta.exe
Token: SeShutdownPrivilege	688	explorer.exe
Token: SeShutdownPrivilege	688	explorer.exe
Token: SeShutdownPrivilege	688	explorer.exe
Token: SeShutdownPrivilege	688	explorer.exe
Token: SeShutdownPrivilege	688	explorer.exe
Token: SeShutdownPrivilege	688	explorer.exe
Token: SeShutdownPrivilege	688	explorer.exe
Token: SeShutdownPrivilege	688	explorer.exe
Token: SeShutdownPrivilege	688	explorer.exe
Token: SeShutdownPrivilege	688	explorer.exe
Token: SeShutdownPrivilege	688	explorer.exe
Token: SeShutdownPrivilege	688	explorer.exe
Token: SeAssignPrimaryTokenPrivilege	852	svchost.exe
Token: SeIncreaseQuotaPrivilege	852	svchost.exe
Token: SeSecurityPrivilege	852	svchost.exe
Token: SeTakeOwnershipPrivilege	852	svchost.exe
Token: SeLoadDriverPrivilege	852	svchost.exe
Token: SeSystemtimePrivilege	852	svchost.exe
Token: SeBackupPrivilege	852	svchost.exe
Token: SeRestorePrivilege	852	svchost.exe
Token: SeShutdownPrivilege	852	svchost.exe
Token: SeSystemEnvironmentPrivilege	852	svchost.exe
Token: SeUndockPrivilege	852	svchost.exe
Token: SeManageVolumePrivilege	852	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	852	svchost.exe
Token: SeIncreaseQuotaPrivilege	852	svchost.exe
Token: SeSecurityPrivilege	852	svchost.exe
Token: SeTakeOwnershipPrivilege	852	svchost.exe
Token: SeLoadDriverPrivilege	852	svchost.exe
Token: SeSystemtimePrivilege	852	svchost.exe
Token: SeBackupPrivilege	852	svchost.exe
Token: SeRestorePrivilege	852	svchost.exe
Token: SeShutdownPrivilege	852	svchost.exe
Token: SeSystemEnvironmentPrivilege	852	svchost.exe
Token: SeUndockPrivilege	852	svchost.exe
Token: SeManageVolumePrivilege	852	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	852	svchost.exe
Token: SeIncreaseQuotaPrivilege	852	svchost.exe
Token: SeSecurityPrivilege	852	svchost.exe
Token: SeTakeOwnershipPrivilege	852	svchost.exe
Token: SeLoadDriverPrivilege	852	svchost.exe
Token: SeSystemtimePrivilege	852	svchost.exe
Token: SeBackupPrivilege	852	svchost.exe
Token: SeRestorePrivilege	852	svchost.exe
Token: SeShutdownPrivilege	852	svchost.exe
Token: SeSystemEnvironmentPrivilege	852	svchost.exe
Token: SeUndockPrivilege	852	svchost.exe
Token: SeManageVolumePrivilege	852	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	852	svchost.exe
Token: SeIncreaseQuotaPrivilege	852	svchost.exe
Token: SeSecurityPrivilege	852	svchost.exe
Token: SeTakeOwnershipPrivilege	852	svchost.exe
Token: SeLoadDriverPrivilege	852	svchost.exe
Token: SeSystemtimePrivilege	852	svchost.exe
Token: SeBackupPrivilege	852	svchost.exe
Token: SeRestorePrivilege	852	svchost.exe
Token: SeShutdownPrivilege	852	svchost.exe
Token: SeSystemEnvironmentPrivilege	852	svchost.exe
Token: SeUndockPrivilege	852	svchost.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
688	explorer.exe
688	explorer.exe
688	explorer.exe
688	explorer.exe
688	explorer.exe
688	explorer.exe
688	explorer.exe
688	explorer.exe
688	explorer.exe
688	explorer.exe
688	explorer.exe
688	explorer.exe
688	explorer.exe
688	explorer.exe
688	explorer.exe
688	explorer.exe
688	explorer.exe
688	explorer.exe
688	explorer.exe
688	explorer.exe
688	explorer.exe
688	explorer.exe
688	explorer.exe
688	explorer.exe
688	explorer.exe
688	explorer.exe
688	explorer.exe
688	explorer.exe

Suspicious use of SendNotifyMessage 18 IoCs

pid	Process
688	explorer.exe
688	explorer.exe
688	explorer.exe
688	explorer.exe
688	explorer.exe
688	explorer.exe
688	explorer.exe
688	explorer.exe
688	explorer.exe
688	explorer.exe
688	explorer.exe
688	explorer.exe
688	explorer.exe
688	explorer.exe
688	explorer.exe
688	explorer.exe
688	explorer.exe
688	explorer.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2292	Pynchon, Thomas - The Crying of Lot 49.exe
2292	Pynchon, Thomas - The Crying of Lot 49.exe
2132	4tbp.exe
2804	rundll32.exe
1500	rundll32.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
332	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1404 wrote to memory of 2292	1404	e7563fb714975fdd125a7147b6f26cb7_JaffaCakes118.exe	31
PID 1404 wrote to memory of 2292	1404	e7563fb714975fdd125a7147b6f26cb7_JaffaCakes118.exe	31
PID 1404 wrote to memory of 2292	1404	e7563fb714975fdd125a7147b6f26cb7_JaffaCakes118.exe	31
PID 1404 wrote to memory of 2292	1404	e7563fb714975fdd125a7147b6f26cb7_JaffaCakes118.exe	31
PID 1404 wrote to memory of 2292	1404	e7563fb714975fdd125a7147b6f26cb7_JaffaCakes118.exe	31
PID 1404 wrote to memory of 2292	1404	e7563fb714975fdd125a7147b6f26cb7_JaffaCakes118.exe	31
PID 1404 wrote to memory of 2292	1404	e7563fb714975fdd125a7147b6f26cb7_JaffaCakes118.exe	31
PID 1404 wrote to memory of 2784	1404	e7563fb714975fdd125a7147b6f26cb7_JaffaCakes118.exe	32
PID 1404 wrote to memory of 2784	1404	e7563fb714975fdd125a7147b6f26cb7_JaffaCakes118.exe	32
PID 1404 wrote to memory of 2784	1404	e7563fb714975fdd125a7147b6f26cb7_JaffaCakes118.exe	32
PID 1404 wrote to memory of 2784	1404	e7563fb714975fdd125a7147b6f26cb7_JaffaCakes118.exe	32
PID 1404 wrote to memory of 2784	1404	e7563fb714975fdd125a7147b6f26cb7_JaffaCakes118.exe	32
PID 1404 wrote to memory of 2784	1404	e7563fb714975fdd125a7147b6f26cb7_JaffaCakes118.exe	32
PID 1404 wrote to memory of 2784	1404	e7563fb714975fdd125a7147b6f26cb7_JaffaCakes118.exe	32
PID 1404 wrote to memory of 2672	1404	e7563fb714975fdd125a7147b6f26cb7_JaffaCakes118.exe	33
PID 1404 wrote to memory of 2672	1404	e7563fb714975fdd125a7147b6f26cb7_JaffaCakes118.exe	33
PID 1404 wrote to memory of 2672	1404	e7563fb714975fdd125a7147b6f26cb7_JaffaCakes118.exe	33
PID 1404 wrote to memory of 2672	1404	e7563fb714975fdd125a7147b6f26cb7_JaffaCakes118.exe	33
PID 1404 wrote to memory of 2672	1404	e7563fb714975fdd125a7147b6f26cb7_JaffaCakes118.exe	33
PID 1404 wrote to memory of 2672	1404	e7563fb714975fdd125a7147b6f26cb7_JaffaCakes118.exe	33
PID 1404 wrote to memory of 2672	1404	e7563fb714975fdd125a7147b6f26cb7_JaffaCakes118.exe	33
PID 1404 wrote to memory of 1292	1404	e7563fb714975fdd125a7147b6f26cb7_JaffaCakes118.exe	34
PID 1404 wrote to memory of 1292	1404	e7563fb714975fdd125a7147b6f26cb7_JaffaCakes118.exe	34
PID 1404 wrote to memory of 1292	1404	e7563fb714975fdd125a7147b6f26cb7_JaffaCakes118.exe	34
PID 1404 wrote to memory of 1292	1404	e7563fb714975fdd125a7147b6f26cb7_JaffaCakes118.exe	34
PID 1404 wrote to memory of 1292	1404	e7563fb714975fdd125a7147b6f26cb7_JaffaCakes118.exe	34
PID 1404 wrote to memory of 1292	1404	e7563fb714975fdd125a7147b6f26cb7_JaffaCakes118.exe	34
PID 1404 wrote to memory of 1292	1404	e7563fb714975fdd125a7147b6f26cb7_JaffaCakes118.exe	34
PID 1404 wrote to memory of 2132	1404	e7563fb714975fdd125a7147b6f26cb7_JaffaCakes118.exe	35
PID 1404 wrote to memory of 2132	1404	e7563fb714975fdd125a7147b6f26cb7_JaffaCakes118.exe	35
PID 1404 wrote to memory of 2132	1404	e7563fb714975fdd125a7147b6f26cb7_JaffaCakes118.exe	35
PID 1404 wrote to memory of 2132	1404	e7563fb714975fdd125a7147b6f26cb7_JaffaCakes118.exe	35
PID 1404 wrote to memory of 2132	1404	e7563fb714975fdd125a7147b6f26cb7_JaffaCakes118.exe	35
PID 1404 wrote to memory of 2132	1404	e7563fb714975fdd125a7147b6f26cb7_JaffaCakes118.exe	35
PID 1404 wrote to memory of 2132	1404	e7563fb714975fdd125a7147b6f26cb7_JaffaCakes118.exe	35
PID 2132 wrote to memory of 2804	2132	4tbp.exe	36
PID 2132 wrote to memory of 2804	2132	4tbp.exe	36
PID 2132 wrote to memory of 2804	2132	4tbp.exe	36
PID 2132 wrote to memory of 2804	2132	4tbp.exe	36
PID 2132 wrote to memory of 2804	2132	4tbp.exe	36
PID 2132 wrote to memory of 2804	2132	4tbp.exe	36
PID 2132 wrote to memory of 2804	2132	4tbp.exe	36
PID 2784 wrote to memory of 1620	2784	ic5.exe	37
PID 2784 wrote to memory of 1620	2784	ic5.exe	37
PID 2784 wrote to memory of 1620	2784	ic5.exe	37
PID 2784 wrote to memory of 1620	2784	ic5.exe	37
PID 2784 wrote to memory of 1620	2784	ic5.exe	37
PID 2784 wrote to memory of 1620	2784	ic5.exe	37
PID 1620 wrote to memory of 332	1620	explorer.exe	2
PID 332 wrote to memory of 1524	332	csrss.exe	39
PID 1292 wrote to memory of 980	1292	3R2R.exe	40
PID 1292 wrote to memory of 980	1292	3R2R.exe	40
PID 1292 wrote to memory of 980	1292	3R2R.exe	40
PID 1292 wrote to memory of 980	1292	3R2R.exe	40
PID 1292 wrote to memory of 980	1292	3R2R.exe	40
PID 1292 wrote to memory of 980	1292	3R2R.exe	40
PID 1292 wrote to memory of 980	1292	3R2R.exe	40
PID 1292 wrote to memory of 2748	1292	3R2R.exe	41
PID 1292 wrote to memory of 2748	1292	3R2R.exe	41
PID 1292 wrote to memory of 2748	1292	3R2R.exe	41
PID 1292 wrote to memory of 2748	1292	3R2R.exe	41
PID 1292 wrote to memory of 2748	1292	3R2R.exe	41
PID 1292 wrote to memory of 2748	1292	3R2R.exe	41
PID 1292 wrote to memory of 2748	1292	3R2R.exe	41

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	3R2R.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	3R2R.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:332

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:852

C:\Users\Admin\AppData\Local\Temp\e7563fb714975fdd125a7147b6f26cb7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e7563fb714975fdd125a7147b6f26cb7_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1404
- C:\Users\Admin\AppData\Local\Temp\nstDB63.tmp\Pynchon, Thomas - The Crying of Lot 49.exe
  "C:\Users\Admin\AppData\Local\Temp\nstDB63.tmp\Pynchon, Thomas - The Crying of Lot 49.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2292
- C:\Users\Admin\AppData\Local\Temp\nstDB63.tmp\ic5.exe
  "C:\Users\Admin\AppData\Local\Temp\nstDB63.tmp\ic5.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Windows\explorer.exe
    00000110*
    3⤵
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1620
- C:\Users\Admin\AppData\Local\Temp\nstDB63.tmp\2 Gansta.exe
  "C:\Users\Admin\AppData\Local\Temp\nstDB63.tmp\2 Gansta.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2672
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\nstDB63.tmp\2GANST~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3016
- C:\Users\Admin\AppData\Local\Temp\nstDB63.tmp\3R2R.exe
  "C:\Users\Admin\AppData\Local\Temp\nstDB63.tmp\3R2R.exe"
  2⤵
  - Modifies security service
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1292
- - C:\Users\Admin\AppData\Local\Temp\nstDB63.tmp\3R2R.exe
    C:\Users\Admin\AppData\Local\Temp\nstDB63.tmp\3R2R.exe startC:\Users\Admin\AppData\Roaming\91EC2\94FC8.exe%C:\Users\Admin\AppData\Roaming\91EC2
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:980
- - C:\Users\Admin\AppData\Local\Temp\nstDB63.tmp\3R2R.exe
    C:\Users\Admin\AppData\Local\Temp\nstDB63.tmp\3R2R.exe startC:\Program Files (x86)\C2E0A\lvvm.exe%C:\Program Files (x86)\C2E0A
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2748
- - C:\Program Files (x86)\LP\C889\5783.tmp
    "C:\Program Files (x86)\LP\C889\5783.tmp"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:952
- C:\Users\Admin\AppData\Local\Temp\nstDB63.tmp\4tbp.exe
  "C:\Users\Admin\AppData\Local\Temp\nstDB63.tmp\4tbp.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2132
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\der3208.dll",Startup
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2804
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe "C:\Users\Admin\AppData\Local\der3208.dll",iep
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1500

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1740

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
- Loads dropped DLL
PID:1524

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:688

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:1972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nstDB63.tmp\3R2R.exe

Filesize
281KB

MD5
f25c5ce835570548f56fb76d200e5a85

SHA1
4546ff42a0124ddce6fba8c741f243a13ea62070

SHA256
c2e7735af27176afe00cf5b13b8340517fd01299691a54427ce5fd7591db9759

SHA512
2cc92b646241f3bdcd5d9ffd546574c3d2bf36fff08a54b4dc29284f855c3b47928f7bc40bc174bc3b68d0805fe8a6f4739a17aef07b7e0af4903a19133b59a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstDB63.tmp\4tbp.exe

Filesize
108KB

MD5
03b927c7c418bb244c2080e40bc7c20e

SHA1
f8abf451378cbc13ec4c336456d0ba096ed64459

SHA256
317d95ad3f8b58b6e7d7623e4ead965aea9eff10934280ca3cfa104f3d176f48

SHA512
329102dee848ed482c07e3d7cd528088a7526179382d72cf9c5a8325519fe40a5adbb1f8bb560ccd4a8e876f4ca3f0e893f8983195ad775249844dcdf4e39747

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstDB63.tmp\ic5.exe

Filesize
150KB

MD5
58ab20cd01024368a62cc6501c663a89

SHA1
6e156412ab82920aae95bb375a5efc8c82436f54

SHA256
cde043a40ee019077541e722b0d120395997c0bf944444966da691b10dfd8937

SHA512
9feed6407c64afcbd52c59faccbf9d1f51b6447144f5404c2b6a51c3ee07c99896af04c2a309daa3682adf0bd2ff4be0cce5427f6d7e1e7744bc8cf1fe9be19f

Download Submit
C:\Users\Admin\AppData\Roaming\91EC2\2E0A.1EC

Filesize
300B

MD5
943aa8b60b1b5cf13aefdfda1390c910

SHA1
3c28272a4b19754a1f37496f686a214e3d27de6f

SHA256
9fbdf846d13e0c6bd7469615329169fb05bf31b60c29285741b98bbf33cff943

SHA512
dff6fac11cf05b36fec672f53751157d54860e782cdb75e85fdf04066c1f119f1f2f81290bffd9731491ed55d0e3ae52f95c559af6729f0676cdb38aa87649ad

Download Submit
C:\Users\Admin\AppData\Roaming\91EC2\2E0A.1EC

Filesize
600B

MD5
8c785c9826d4f2a5647fc27427ade5ad

SHA1
f589049d8cd1cffa68c1406204d7536d34e4b1d4

SHA256
8801568175c66e63d8b5ba834c8f4d78bcd4ba5bd9d54573556448d63c687b6c

SHA512
7864f3e6178e2e7294f3af857d6c333f9802ab47b4ca890b00927932d08d2dd79772fb5b5876fa25ac4dc7dac026fd68a27b7bc059aabdf5c50a48110386ed9a

Download Submit
C:\Users\Admin\AppData\Roaming\91EC2\2E0A.1EC

Filesize
996B

MD5
a049934587348f7522c83a2a005c3aaa

SHA1
e8789f8343d29d1adeaa9d7c6cfecce8c6a330c8

SHA256
633808c9e9456993f3bc5866d74d850118c5d518955ccde87b8cc0d7b9695422

SHA512
0bc713b4f7010b8429f3a5e041daa3a02d6b0c27313624a2a8bab284ea99b51234712d997dcf57e0ab916e5025b3664f0ab3aa582da2d89ac57870b8af4916e0

Download Submit
C:\Windows\system32\consrv.DLL

Filesize
52KB

MD5
c7570a7e24b29ee04a48c2c99da2587b

SHA1
b6e3635a8de44b1635e8d362ac131e14281feb24

SHA256
717cd7661c09701ee39c505d8b604ea3dd6c1151ef18e7ed1cab3832552ac34b

SHA512
57479d2f5386ace8cc5e5ed543e6ad2c2b7b58accc849807d804a8cf0d03080f328f7b42442422fa1483a01ad473ca302f9eca97b9eb24e699e22db56641c572

Download Submit
\??\globalroot\systemroot\assembly\temp\@

Filesize
2KB

MD5
531e6e4a0b7d2e1350f4cf1b61aa53d1

SHA1
fc8446aa41ced6b4fda8a1192f7682eebf9b089d

SHA256
f2da6bdc36fc03347c42feefdeb3a05c802fbd6a458645b122cd80baa1891e90

SHA512
106bbdba2857b6efe73249492ffbe9bb7b4abcaa92249426442e290588adb8a3faa02421a3848ed75ddb636af8417db05dd7d9b42b0be71a69281c513165cad6

Download Submit
\Program Files (x86)\LP\C889\5783.tmp

Filesize
100KB

MD5
bc4366d0a577f23038c4078b9daa6529

SHA1
057b8992c93e8eb027190cddf22b4953b2038418

SHA256
a5b375d932be3fa254012d6a15047dbdde68744fb323cada056bf1056a36a627

SHA512
e29f546c1d978e3663872c8a532ec8f4c05c06b14554f06f6403cd049d202a9c6cdc73f8955ba0e8215e5ef1dbdbf40f61d6ed6ccdfaa70f8033c18c346ca274

Download Submit
\Users\Admin\AppData\Local\Temp\nstDB63.tmp\2 Gansta.exe

Filesize
6KB

MD5
bee76c79e2e63e198038e01f0d571038

SHA1
fcffdd6bb030f516a46e9d303ebae2ab33af222e

SHA256
50a3c7134460bfe5f2840bd8dc957edfaa76da5beaaff70f8da5e0fef80ae876

SHA512
dd2e9488ad365c02722e1a2466acffb8beaf4dbb68d7093e01c50cd915418ca0642cb6bdd43f2f2b014455803f3c69dec24ca9dfee11bdf7790379181cd2f6f9

Download Submit
\Users\Admin\AppData\Local\Temp\nstDB63.tmp\Pynchon, Thomas - The Crying of Lot 49.exe

Filesize
305KB

MD5
d41651376225212ae23b848e7f2d1119

SHA1
917d7791d382a3f6a24bf1c6bc99eb2bfbd0df7f

SHA256
ed7ebc7ab8070028495cb17c7652d89fbb9c5d2108f8faf1f07fedfbb4af4942

SHA512
dbc84010fecb1bc49d0bd6cfd1f14283466774f72e589121f7f5c80200177151416802c05a93dc0a6311ea8e3775af013c40a2c3bacf162ee7aea8baeaeeb627

Download Submit
\Users\Admin\AppData\Local\der3208.dll

Filesize
108KB

MD5
7d7679b1493c32da08daae1949e9724c

SHA1
32da402420f912e637f2a54c73d54d31c73d4912

SHA256
5f73756e6fafd121ddff05750d8c21a4d9a29d319b8022591787451af7766aa5

SHA512
6a57805aa0d0df5020b0290d4b0121621a278dc97f31c93dfd64420a597d90212037e7559fe5550d2f68e850714fbfc326a887ec48651e3617725edf5258d15d

Download Submit
\Windows\assembly\GAC_32\Desktop.ini

Filesize
4KB

MD5
80dbc7d15fdf94f16bb4a739cd9c3f98

SHA1
c0f3f20b360ce78cc153fa514e5f62c06f68feb7

SHA256
20b2d1e1b5348ed92f7e2eaedba4348e446970c13c6226f34a816503aa956c91

SHA512
cf8d820104ee3db4a103fb19d38267fe2f5095a29777bf3bcde95d4299360681cedd421251af92038da3f8709e68f101f7326ad9abdd087a59ca83adec87bc48

Download Submit
\Windows\assembly\GAC_64\Desktop.ini

Filesize
5KB

MD5
78ab98fd9228277f2638fd93cd703016

SHA1
1640ee7f500074c155a5af431e9d125a4ec2cea5

SHA256
e0517a9584af6cfd4f1e6d280e086b20fd576b90b32f9ddac916de03a53b766c

SHA512
d98ed49a83d5b50737a674e4421cea4cbe353f80234d2d5a8df82995a0d81e9524f23919ca600afb98bc676a8f93e7c0df73c22cae9b3fc624027800ba9dcc76

Download Submit
memory/332-341-0x0000000002320000-0x0000000002332000-memory.dmp

Filesize
72KB

Download
memory/332-109-0x0000000002320000-0x0000000002332000-memory.dmp

Filesize
72KB

Download
memory/852-343-0x0000000000410000-0x000000000041B000-memory.dmp

Filesize
44KB

Download
memory/852-351-0x0000000000410000-0x000000000041B000-memory.dmp

Filesize
44KB

Download
memory/852-352-0x0000000000420000-0x000000000042B000-memory.dmp

Filesize
44KB

Download
memory/852-347-0x0000000000410000-0x000000000041B000-memory.dmp

Filesize
44KB

Download
memory/952-330-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/980-132-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1292-164-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1292-332-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1292-305-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1292-354-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1292-239-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1404-36-0x0000000002DD0000-0x0000000002DDA000-memory.dmp

Filesize
40KB

Download
memory/1404-29-0x0000000002DD0000-0x0000000002E14000-memory.dmp

Filesize
272KB

Download
memory/1404-31-0x0000000002DD0000-0x0000000002E14000-memory.dmp

Filesize
272KB

Download
memory/1404-41-0x0000000002DD0000-0x0000000002DDA000-memory.dmp

Filesize
40KB

Download
memory/1500-334-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/1620-92-0x0000000001F00000-0x0000000001F19000-memory.dmp

Filesize
100KB

Download
memory/1620-102-0x0000000001F00000-0x0000000001F19000-memory.dmp

Filesize
100KB

Download
memory/1620-97-0x0000000001F00000-0x0000000001F19000-memory.dmp

Filesize
100KB

Download
memory/2132-83-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/2132-80-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/2672-53-0x0000000000020000-0x000000000002A000-memory.dmp

Filesize
40KB

Download
memory/2672-162-0x0000000000020000-0x000000000002A000-memory.dmp

Filesize
40KB

Download
memory/2672-161-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2672-43-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2748-237-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2784-91-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2784-35-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2804-336-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/2804-333-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/2804-165-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/2804-89-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download