pony | 12af9fdb89868aad7b06da794d3c1c3e6dc730dfbad5848057c952e449093137

Analysis

max time kernel
60s
max time network
16s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
20-09-2024 04:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

12af9fdb89868aad7b06da794d3c1c3e6dc730dfbad5848057c952e449093137.exe
Size

2.2MB
MD5

c59d21cb82d80f2912ab6948e8b2484e
SHA1

589dba2677014366653eb4c9f0846c3c69408376
SHA256

12af9fdb89868aad7b06da794d3c1c3e6dc730dfbad5848057c952e449093137
SHA512

ac2e516b73b39d0b1a528caeedf11fa0d23b2e64376e5f5723af042bf417abbb444972bab824a9ba6d8735c93f0741f67cba50073f2afaa4bfdee115faf2c24f
SSDEEP

24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZf:0UzeyQMS4DqodCnoe+iitjWwwb

Score

10^/10

pony discovery evasion persistence rat spyware stealer

Malware Config

Extracted

Family

pony

http://don.service-master.eu/gate.php

Attributes

payload_url
http://don.service-master.eu/shit.exe

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\12af9fdb89868aad7b06da794d3c1c3e6dc730dfbad5848057c952e449093137.exe	12af9fdb89868aad7b06da794d3c1c3e6dc730dfbad5848057c952e449093137.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\12af9fdb89868aad7b06da794d3c1c3e6dc730dfbad5848057c952e449093137.exe	12af9fdb89868aad7b06da794d3c1c3e6dc730dfbad5848057c952e449093137.exe

Executes dropped EXE 26 IoCs

pid	Process
2908	explorer.exe
2948	explorer.exe
1604	spoolsv.exe
2352	spoolsv.exe
860	spoolsv.exe
1868	spoolsv.exe
2324	spoolsv.exe
2232	spoolsv.exe
2736	spoolsv.exe
1060	spoolsv.exe
624	spoolsv.exe
3064	spoolsv.exe
1076	spoolsv.exe
1512	spoolsv.exe
1620	spoolsv.exe
2544	spoolsv.exe
2744	spoolsv.exe
2492	spoolsv.exe
2816	spoolsv.exe
2644	spoolsv.exe
1864	spoolsv.exe
2476	spoolsv.exe
2408	spoolsv.exe
2464	spoolsv.exe
2224	spoolsv.exe
1084	spoolsv.exe

Loads dropped DLL 50 IoCs

pid	Process
2892	12af9fdb89868aad7b06da794d3c1c3e6dc730dfbad5848057c952e449093137.exe
2892	12af9fdb89868aad7b06da794d3c1c3e6dc730dfbad5848057c952e449093137.exe
2948	explorer.exe
2948	explorer.exe
2948	explorer.exe
2948	explorer.exe
2948	explorer.exe
2948	explorer.exe
2948	explorer.exe
2948	explorer.exe
2948	explorer.exe
2948	explorer.exe
2948	explorer.exe
2948	explorer.exe
2948	explorer.exe
2948	explorer.exe
2948	explorer.exe
2948	explorer.exe
2948	explorer.exe
2948	explorer.exe
2948	explorer.exe
2948	explorer.exe
2948	explorer.exe
2948	explorer.exe
2948	explorer.exe
2948	explorer.exe
2948	explorer.exe
2948	explorer.exe
2948	explorer.exe
2948	explorer.exe
2948	explorer.exe
2948	explorer.exe
2948	explorer.exe
2948	explorer.exe
2948	explorer.exe
2948	explorer.exe
2948	explorer.exe
2948	explorer.exe
2948	explorer.exe
2948	explorer.exe
2948	explorer.exe
2948	explorer.exe
2948	explorer.exe
2948	explorer.exe
2948	explorer.exe
2948	explorer.exe
2948	explorer.exe
2948	explorer.exe
2948	explorer.exe
2948	explorer.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1232 set thread context of 2892	1232	12af9fdb89868aad7b06da794d3c1c3e6dc730dfbad5848057c952e449093137.exe	32
PID 2908 set thread context of 2948	2908	explorer.exe	34

Drops file in Windows directory 29 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	12af9fdb89868aad7b06da794d3c1c3e6dc730dfbad5848057c952e449093137.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	12af9fdb89868aad7b06da794d3c1c3e6dc730dfbad5848057c952e449093137.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 28 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	12af9fdb89868aad7b06da794d3c1c3e6dc730dfbad5848057c952e449093137.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	12af9fdb89868aad7b06da794d3c1c3e6dc730dfbad5848057c952e449093137.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
2892	12af9fdb89868aad7b06da794d3c1c3e6dc730dfbad5848057c952e449093137.exe
2948	explorer.exe
2948	explorer.exe
2948	explorer.exe
2948	explorer.exe
2948	explorer.exe
2948	explorer.exe
2948	explorer.exe
2948	explorer.exe
2948	explorer.exe
2948	explorer.exe
2948	explorer.exe
2948	explorer.exe
2948	explorer.exe
2948	explorer.exe
2948	explorer.exe
2948	explorer.exe
2948	explorer.exe
2948	explorer.exe
2948	explorer.exe
2948	explorer.exe
2948	explorer.exe
2948	explorer.exe
2948	explorer.exe
2948	explorer.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2892	12af9fdb89868aad7b06da794d3c1c3e6dc730dfbad5848057c952e449093137.exe
2892	12af9fdb89868aad7b06da794d3c1c3e6dc730dfbad5848057c952e449093137.exe
2948	explorer.exe
2948	explorer.exe
2948	explorer.exe
2948	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1232 wrote to memory of 1960	1232	12af9fdb89868aad7b06da794d3c1c3e6dc730dfbad5848057c952e449093137.exe	30
PID 1232 wrote to memory of 1960	1232	12af9fdb89868aad7b06da794d3c1c3e6dc730dfbad5848057c952e449093137.exe	30
PID 1232 wrote to memory of 1960	1232	12af9fdb89868aad7b06da794d3c1c3e6dc730dfbad5848057c952e449093137.exe	30
PID 1232 wrote to memory of 1960	1232	12af9fdb89868aad7b06da794d3c1c3e6dc730dfbad5848057c952e449093137.exe	30
PID 1232 wrote to memory of 2892	1232	12af9fdb89868aad7b06da794d3c1c3e6dc730dfbad5848057c952e449093137.exe	32
PID 1232 wrote to memory of 2892	1232	12af9fdb89868aad7b06da794d3c1c3e6dc730dfbad5848057c952e449093137.exe	32
PID 1232 wrote to memory of 2892	1232	12af9fdb89868aad7b06da794d3c1c3e6dc730dfbad5848057c952e449093137.exe	32
PID 1232 wrote to memory of 2892	1232	12af9fdb89868aad7b06da794d3c1c3e6dc730dfbad5848057c952e449093137.exe	32
PID 1232 wrote to memory of 2892	1232	12af9fdb89868aad7b06da794d3c1c3e6dc730dfbad5848057c952e449093137.exe	32
PID 1232 wrote to memory of 2892	1232	12af9fdb89868aad7b06da794d3c1c3e6dc730dfbad5848057c952e449093137.exe	32
PID 2892 wrote to memory of 2908	2892	12af9fdb89868aad7b06da794d3c1c3e6dc730dfbad5848057c952e449093137.exe	33
PID 2892 wrote to memory of 2908	2892	12af9fdb89868aad7b06da794d3c1c3e6dc730dfbad5848057c952e449093137.exe	33
PID 2892 wrote to memory of 2908	2892	12af9fdb89868aad7b06da794d3c1c3e6dc730dfbad5848057c952e449093137.exe	33
PID 2892 wrote to memory of 2908	2892	12af9fdb89868aad7b06da794d3c1c3e6dc730dfbad5848057c952e449093137.exe	33
PID 2908 wrote to memory of 2948	2908	explorer.exe	34
PID 2908 wrote to memory of 2948	2908	explorer.exe	34
PID 2908 wrote to memory of 2948	2908	explorer.exe	34
PID 2908 wrote to memory of 2948	2908	explorer.exe	34
PID 2908 wrote to memory of 2948	2908	explorer.exe	34
PID 2908 wrote to memory of 2948	2908	explorer.exe	34
PID 2948 wrote to memory of 1604	2948	explorer.exe	35
PID 2948 wrote to memory of 1604	2948	explorer.exe	35
PID 2948 wrote to memory of 1604	2948	explorer.exe	35
PID 2948 wrote to memory of 1604	2948	explorer.exe	35
PID 2948 wrote to memory of 2352	2948	explorer.exe	36
PID 2948 wrote to memory of 2352	2948	explorer.exe	36
PID 2948 wrote to memory of 2352	2948	explorer.exe	36
PID 2948 wrote to memory of 2352	2948	explorer.exe	36
PID 2948 wrote to memory of 860	2948	explorer.exe	37
PID 2948 wrote to memory of 860	2948	explorer.exe	37
PID 2948 wrote to memory of 860	2948	explorer.exe	37
PID 2948 wrote to memory of 860	2948	explorer.exe	37
PID 2948 wrote to memory of 1868	2948	explorer.exe	38
PID 2948 wrote to memory of 1868	2948	explorer.exe	38
PID 2948 wrote to memory of 1868	2948	explorer.exe	38
PID 2948 wrote to memory of 1868	2948	explorer.exe	38
PID 2948 wrote to memory of 2324	2948	explorer.exe	39
PID 2948 wrote to memory of 2324	2948	explorer.exe	39
PID 2948 wrote to memory of 2324	2948	explorer.exe	39
PID 2948 wrote to memory of 2324	2948	explorer.exe	39
PID 2948 wrote to memory of 2232	2948	explorer.exe	40
PID 2948 wrote to memory of 2232	2948	explorer.exe	40
PID 2948 wrote to memory of 2232	2948	explorer.exe	40
PID 2948 wrote to memory of 2232	2948	explorer.exe	40
PID 2948 wrote to memory of 2736	2948	explorer.exe	41
PID 2948 wrote to memory of 2736	2948	explorer.exe	41
PID 2948 wrote to memory of 2736	2948	explorer.exe	41
PID 2948 wrote to memory of 2736	2948	explorer.exe	41
PID 2948 wrote to memory of 1060	2948	explorer.exe	42
PID 2948 wrote to memory of 1060	2948	explorer.exe	42
PID 2948 wrote to memory of 1060	2948	explorer.exe	42
PID 2948 wrote to memory of 1060	2948	explorer.exe	42
PID 2948 wrote to memory of 624	2948	explorer.exe	43
PID 2948 wrote to memory of 624	2948	explorer.exe	43
PID 2948 wrote to memory of 624	2948	explorer.exe	43
PID 2948 wrote to memory of 624	2948	explorer.exe	43
PID 2948 wrote to memory of 3064	2948	explorer.exe	44
PID 2948 wrote to memory of 3064	2948	explorer.exe	44
PID 2948 wrote to memory of 3064	2948	explorer.exe	44
PID 2948 wrote to memory of 3064	2948	explorer.exe	44
PID 2948 wrote to memory of 1076	2948	explorer.exe	45
PID 2948 wrote to memory of 1076	2948	explorer.exe	45
PID 2948 wrote to memory of 1076	2948	explorer.exe	45
PID 2948 wrote to memory of 1076	2948	explorer.exe	45

C:\Users\Admin\AppData\Local\Temp\12af9fdb89868aad7b06da794d3c1c3e6dc730dfbad5848057c952e449093137.exe
"C:\Users\Admin\AppData\Local\Temp\12af9fdb89868aad7b06da794d3c1c3e6dc730dfbad5848057c952e449093137.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1232
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1960
- C:\Users\Admin\AppData\Local\Temp\12af9fdb89868aad7b06da794d3c1c3e6dc730dfbad5848057c952e449093137.exe
  "C:\Users\Admin\AppData\Local\Temp\12af9fdb89868aad7b06da794d3c1c3e6dc730dfbad5848057c952e449093137.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2892
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2908
  - - \??\c:\windows\system\explorer.exe
      "c:\windows\system\explorer.exe"
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2948
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1604
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2352
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:860
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1868
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2324
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2232
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2736
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1060
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:624
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3064
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1076
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1512
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1620
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2544
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2744
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2492
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2816
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2644
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1864
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2476
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2408
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2464
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2224
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Parameters.ini

Filesize
74B

MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
\Windows\system\explorer.exe

Filesize
2.2MB

MD5
de05651db8db7f2b0afca1039174a7a2

SHA1
6f954e9543372bacfb657579414aea0bf2c254d0

SHA256
803430a4f92aa922368777f664e6e6dadf49acee888f5fc4b4b1137612b2af56

SHA512
e17352de310fadbf379e3f82b7366792fadf2672acf32a8fc31270cd54f76e20970199aab0749fc2a019019a86a9dfab2b9ff84a6470d7070e686fb2a610cecd

Download Submit
\Windows\system\spoolsv.exe

Filesize
2.2MB

MD5
56eee4a93523b67a553cf0f276c2524a

SHA1
dbaae9afebe9a98c5edb8f205065760b725ed257

SHA256
c2b0b7e08d9082c33a550f2abed5d4e2ca7c9c88ca541a2d1d82ebf4c4a48ac5

SHA512
77a8b52ac4babe7268f12b5c936570c45f412bb4338f0c0c3a7614bc8cc3c22a004e9fea2f4e6d5706f2b651488fb441d8ecfa9064d8976ad5cd01982dd7456b

Download Submit
memory/1232-0-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/1232-17-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/1232-16-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1232-27-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2892-21-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2892-25-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2892-48-0x0000000000440000-0x00000000004A7000-memory.dmp

Filesize
412KB

Download
memory/2892-49-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2892-28-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2892-19-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2908-41-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2908-60-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2908-71-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download