pony | cb1c37b8d1e441cfdb5c026488a9b6bc2e1ce365a22ed4c2189dc3436bcaa9f7

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-09-2024 07:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ef5af683c8dda88d48ee3497b56c61ba_JaffaCakes118.exe
Size

2.8MB
MD5

ef5af683c8dda88d48ee3497b56c61ba
SHA1

693b34cf74e25234de5358cc335dab83745bfdc8
SHA256

cb1c37b8d1e441cfdb5c026488a9b6bc2e1ce365a22ed4c2189dc3436bcaa9f7
SHA512

83824a52df3d6175137cdc47b8d2c133537dc294ebca6ba425d74867ec9aeabb811f86fcabb721e6b5ef07657bf3203408df76774cf68f547f64e08805eb75b1
SSDEEP

49152:ZQTBALttl2+FrMiwx3CWrCnsR6NWQNlVKWLqNw5zu7T9N4es4Q:ZQoPhEt0NBlVxbzuH9NlQ

Score

10^/10

pony credential_access discovery evasion persistence rat spyware stealer upx

Malware Config

Signatures

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3"	dwme.exe

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Disables taskbar notifications via registry modification
evasion

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	AV Protection 2011v121.exe

Executes dropped EXE 7 IoCs

pid	Process
2636	dwme.exe
2672	dwme.exe
2876	AV Protection 2011v121.exe
2632	AV Protection 2011v121.exe
1312	dwme.exe
2060	dwme.exe
2992	8EA9.tmp

Loads dropped DLL 14 IoCs

pid	Process
3064	ef5af683c8dda88d48ee3497b56c61ba_JaffaCakes118.exe
3064	ef5af683c8dda88d48ee3497b56c61ba_JaffaCakes118.exe
3064	ef5af683c8dda88d48ee3497b56c61ba_JaffaCakes118.exe
3064	ef5af683c8dda88d48ee3497b56c61ba_JaffaCakes118.exe
3064	ef5af683c8dda88d48ee3497b56c61ba_JaffaCakes118.exe
3064	ef5af683c8dda88d48ee3497b56c61ba_JaffaCakes118.exe
2876	AV Protection 2011v121.exe
2876	AV Protection 2011v121.exe
2632	AV Protection 2011v121.exe
2632	AV Protection 2011v121.exe
2636	dwme.exe
2636	dwme.exe
2636	dwme.exe
2636	dwme.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3064-10-0x0000000000400000-0x00000000008E9800-memory.dmp	upx
behavioral1/memory/3064-43-0x0000000000400000-0x00000000008E9800-memory.dmp	upx
behavioral1/memory/3064-42-0x0000000000400000-0x00000000008E4000-memory.dmp	upx
behavioral1/memory/2876-54-0x0000000000400000-0x00000000008E9800-memory.dmp	upx
behavioral1/memory/2672-64-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2636-103-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/1312-105-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2632-110-0x0000000000400000-0x00000000008E9800-memory.dmp	upx
behavioral1/memory/2636-170-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2632-175-0x0000000000400000-0x00000000008E9800-memory.dmp	upx
behavioral1/memory/2060-177-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2632-256-0x0000000000400000-0x00000000008E9800-memory.dmp	upx
behavioral1/memory/2636-278-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2632-283-0x0000000000400000-0x00000000008E9800-memory.dmp	upx
behavioral1/memory/2632-297-0x0000000000400000-0x00000000008E9800-memory.dmp	upx
behavioral1/memory/2636-345-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2636-357-0x0000000000400000-0x000000000046B000-memory.dmp	upx

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\u3onG4amHsJfLgZ = "C:\\Users\\Admin\\AppData\\Roaming\\dwme.exe"	ef5af683c8dda88d48ee3497b56c61ba_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\zjUCekIBrOyAuSi8234A = "C:\\Users\\Admin\\AppData\\Roaming\\WUCelIBrzNx1v2b\\AV Protection 2011v121.exe"	AV Protection 2011v121.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AC3.exe = "C:\\Program Files (x86)\\LP\\1A99\\AC3.exe"	dwme.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vS2ibD3pn4Q6W7E8234A = "C:\\Windows\\system32\\AV Protection 2011v121.exe"	ef5af683c8dda88d48ee3497b56c61ba_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\AV Protection 2011v121.exe	ef5af683c8dda88d48ee3497b56c61ba_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\AV Protection 2011v121.exe	AV Protection 2011v121.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\LP\1A99\AC3.exe	dwme.exe
File opened for modification	C:\Program Files (x86)\LP\1A99\AC3.exe	dwme.exe
File opened for modification	C:\Program Files (x86)\LP\1A99\8EA9.tmp	dwme.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwme.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AV Protection 2011v121.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AV Protection 2011v121.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwme.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwme.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8EA9.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ef5af683c8dda88d48ee3497b56c61ba_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwme.exe

Modifies registry class 5 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2876	AV Protection 2011v121.exe
2876	AV Protection 2011v121.exe
2876	AV Protection 2011v121.exe
2876	AV Protection 2011v121.exe
2876	AV Protection 2011v121.exe
2876	AV Protection 2011v121.exe
2876	AV Protection 2011v121.exe
2876	AV Protection 2011v121.exe
2636	dwme.exe
2636	dwme.exe
2636	dwme.exe
2636	dwme.exe
2636	dwme.exe
2636	dwme.exe
2632	AV Protection 2011v121.exe
2632	AV Protection 2011v121.exe
2632	AV Protection 2011v121.exe
2632	AV Protection 2011v121.exe
2632	AV Protection 2011v121.exe
2632	AV Protection 2011v121.exe
2632	AV Protection 2011v121.exe
2632	AV Protection 2011v121.exe
2632	AV Protection 2011v121.exe
2632	AV Protection 2011v121.exe
2632	AV Protection 2011v121.exe
2632	AV Protection 2011v121.exe
2632	AV Protection 2011v121.exe
2632	AV Protection 2011v121.exe
2632	AV Protection 2011v121.exe
2632	AV Protection 2011v121.exe
2632	AV Protection 2011v121.exe
2632	AV Protection 2011v121.exe
2636	dwme.exe
2636	dwme.exe
2636	dwme.exe
2636	dwme.exe
2636	dwme.exe
2636	dwme.exe
2636	dwme.exe
2636	dwme.exe
2632	AV Protection 2011v121.exe
2632	AV Protection 2011v121.exe
2632	AV Protection 2011v121.exe
2632	AV Protection 2011v121.exe
2632	AV Protection 2011v121.exe
2632	AV Protection 2011v121.exe
2632	AV Protection 2011v121.exe
2632	AV Protection 2011v121.exe
2632	AV Protection 2011v121.exe
2632	AV Protection 2011v121.exe
2632	AV Protection 2011v121.exe
2632	AV Protection 2011v121.exe
2632	AV Protection 2011v121.exe
2632	AV Protection 2011v121.exe
2632	AV Protection 2011v121.exe
2632	AV Protection 2011v121.exe
2632	AV Protection 2011v121.exe
2632	AV Protection 2011v121.exe
2632	AV Protection 2011v121.exe
2632	AV Protection 2011v121.exe
2632	AV Protection 2011v121.exe
2632	AV Protection 2011v121.exe
2632	AV Protection 2011v121.exe
2632	AV Protection 2011v121.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2632	AV Protection 2011v121.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeRestorePrivilege	2340	msiexec.exe
Token: SeTakeOwnershipPrivilege	2340	msiexec.exe
Token: SeSecurityPrivilege	2340	msiexec.exe
Token: SeShutdownPrivilege	1748	explorer.exe
Token: SeShutdownPrivilege	1748	explorer.exe
Token: SeShutdownPrivilege	1748	explorer.exe
Token: SeShutdownPrivilege	1748	explorer.exe
Token: SeShutdownPrivilege	1748	explorer.exe
Token: SeShutdownPrivilege	1748	explorer.exe
Token: SeShutdownPrivilege	1748	explorer.exe
Token: SeShutdownPrivilege	1748	explorer.exe
Token: SeShutdownPrivilege	1748	explorer.exe
Token: SeShutdownPrivilege	1748	explorer.exe
Token: SeShutdownPrivilege	1748	explorer.exe
Token: SeShutdownPrivilege	1748	explorer.exe
Token: SeShutdownPrivilege	1748	explorer.exe
Token: SeShutdownPrivilege	1748	explorer.exe
Token: SeShutdownPrivilege	1748	explorer.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
2632	AV Protection 2011v121.exe
2632	AV Protection 2011v121.exe
2632	AV Protection 2011v121.exe
2632	AV Protection 2011v121.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
2632	AV Protection 2011v121.exe
2632	AV Protection 2011v121.exe

Suspicious use of SendNotifyMessage 25 IoCs

pid	Process
2632	AV Protection 2011v121.exe
2632	AV Protection 2011v121.exe
2632	AV Protection 2011v121.exe
2632	AV Protection 2011v121.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
2632	AV Protection 2011v121.exe
2632	AV Protection 2011v121.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
3064	ef5af683c8dda88d48ee3497b56c61ba_JaffaCakes118.exe
2876	AV Protection 2011v121.exe
2876	AV Protection 2011v121.exe
2632	AV Protection 2011v121.exe
2632	AV Protection 2011v121.exe
2632	AV Protection 2011v121.exe
2632	AV Protection 2011v121.exe
2632	AV Protection 2011v121.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 3064 wrote to memory of 2636	3064	ef5af683c8dda88d48ee3497b56c61ba_JaffaCakes118.exe	30
PID 3064 wrote to memory of 2636	3064	ef5af683c8dda88d48ee3497b56c61ba_JaffaCakes118.exe	30
PID 3064 wrote to memory of 2636	3064	ef5af683c8dda88d48ee3497b56c61ba_JaffaCakes118.exe	30
PID 3064 wrote to memory of 2636	3064	ef5af683c8dda88d48ee3497b56c61ba_JaffaCakes118.exe	30
PID 3064 wrote to memory of 2672	3064	ef5af683c8dda88d48ee3497b56c61ba_JaffaCakes118.exe	31
PID 3064 wrote to memory of 2672	3064	ef5af683c8dda88d48ee3497b56c61ba_JaffaCakes118.exe	31
PID 3064 wrote to memory of 2672	3064	ef5af683c8dda88d48ee3497b56c61ba_JaffaCakes118.exe	31
PID 3064 wrote to memory of 2672	3064	ef5af683c8dda88d48ee3497b56c61ba_JaffaCakes118.exe	31
PID 3064 wrote to memory of 2876	3064	ef5af683c8dda88d48ee3497b56c61ba_JaffaCakes118.exe	32
PID 3064 wrote to memory of 2876	3064	ef5af683c8dda88d48ee3497b56c61ba_JaffaCakes118.exe	32
PID 3064 wrote to memory of 2876	3064	ef5af683c8dda88d48ee3497b56c61ba_JaffaCakes118.exe	32
PID 3064 wrote to memory of 2876	3064	ef5af683c8dda88d48ee3497b56c61ba_JaffaCakes118.exe	32
PID 2876 wrote to memory of 2632	2876	AV Protection 2011v121.exe	33
PID 2876 wrote to memory of 2632	2876	AV Protection 2011v121.exe	33
PID 2876 wrote to memory of 2632	2876	AV Protection 2011v121.exe	33
PID 2876 wrote to memory of 2632	2876	AV Protection 2011v121.exe	33
PID 2636 wrote to memory of 1312	2636	dwme.exe	36
PID 2636 wrote to memory of 1312	2636	dwme.exe	36
PID 2636 wrote to memory of 1312	2636	dwme.exe	36
PID 2636 wrote to memory of 1312	2636	dwme.exe	36
PID 2636 wrote to memory of 2060	2636	dwme.exe	37
PID 2636 wrote to memory of 2060	2636	dwme.exe	37
PID 2636 wrote to memory of 2060	2636	dwme.exe	37
PID 2636 wrote to memory of 2060	2636	dwme.exe	37
PID 2636 wrote to memory of 2992	2636	dwme.exe	40
PID 2636 wrote to memory of 2992	2636	dwme.exe	40
PID 2636 wrote to memory of 2992	2636	dwme.exe	40
PID 2636 wrote to memory of 2992	2636	dwme.exe	40

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	dwme.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	dwme.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ef5af683c8dda88d48ee3497b56c61ba_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ef5af683c8dda88d48ee3497b56c61ba_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3064
- C:\Users\Admin\AppData\Local\Temp\dwme.exe
  "C:\Users\Admin\AppData\Local\Temp\dwme.exe"
  2⤵
  - Modifies security service
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2636
- - C:\Users\Admin\AppData\Local\Temp\dwme.exe
    C:\Users\Admin\AppData\Local\Temp\dwme.exe startC:\Users\Admin\AppData\Roaming\9E8AC\6041A.exe%C:\Users\Admin\AppData\Roaming\9E8AC
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1312
- - C:\Users\Admin\AppData\Local\Temp\dwme.exe
    C:\Users\Admin\AppData\Local\Temp\dwme.exe startC:\Program Files (x86)\ACE15\lvvm.exe%C:\Program Files (x86)\ACE15
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2060
- - C:\Program Files (x86)\LP\1A99\8EA9.tmp
    "C:\Program Files (x86)\LP\1A99\8EA9.tmp"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2992
- C:\Users\Admin\AppData\Roaming\dwme.exe
  C:\Users\Admin\AppData\Roaming\dwme.exe auto
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2672
- C:\Windows\SysWOW64\AV Protection 2011v121.exe
  C:\Windows\system32\AV Protection 2011v121.exe 5985C:\Users\Admin\AppData\Local\Temp\ef5af683c8dda88d48ee3497b56c61ba_JaffaCakes118.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Users\Admin\AppData\Roaming\WUCelIBrzNx1v2b\AV Protection 2011v121.exe
    C:\Users\Admin\AppData\Roaming\WUCelIBrzNx1v2b\AV Protection 2011v121.exe 5985C:\Windows\SysWOW64\AV Protection 2011v121.exe
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:2632

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2340

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fdcBB4.tmp

Filesize
14B

MD5
6c9a891db06547e1e1cc3c5ff4a22c27

SHA1
4521d38398725460ca939984d423e70573601ef5

SHA256
1c50999f26af623872a4db09d78fc1afe5b13955206cd6d031c78a7dc9592858

SHA512
91b2c8f04001222933d2826e5307a948a509e1517f2268fe3200a5511af6c704bde68132d063e6bcd6e5608b1b144f0d59e61766e00b60ef95e974b20aabfbd6

Download Submit
C:\Users\Admin\AppData\Roaming\9E8AC\CE15.E8A

Filesize
300B

MD5
6262b8e4a3a24124adae6d70f11be906

SHA1
987f412553b0b16641e7e0d16c699b4fa6b27584

SHA256
2d53e46b86beca79f5c96a3551f77993837ead6282256515ff8b0ede40558413

SHA512
453009e647be4fcb7e5f38f3f679ab9e0648b2e161a914a00cb00eac845cf2c0a93e181dd4fd508a523b8e49b0946da1be295c30809396d32ec65710800ebcc4

Download Submit
C:\Users\Admin\AppData\Roaming\9E8AC\CE15.E8A

Filesize
696B

MD5
f7c7bc10a3c9990d89e81facdf3dac24

SHA1
11133a6842136105b0cb58f921551f3ff12dcf91

SHA256
e1ac89839f9ad46f5fc192260975e2bfdeca64b3af3bdc0a95dbde1a462a3379

SHA512
91f11422975091561e8151ecf1dda986353e7ff92988bf97b1fc8b78030abdce9abb9641e9e8e7b599969d2a774b0596ca950b4b2f97fc20962b5373c4418d60

Download Submit
C:\Users\Admin\AppData\Roaming\9E8AC\CE15.E8A

Filesize
1KB

MD5
f780f108db0ac242a175aa2ac9fb7093

SHA1
cb1ebaaacb7be3b7b73d13a46b5108af9cf3a170

SHA256
1a683ac80821818692d644d284637c72a55d194d8c4e505d347e05401ec046bf

SHA512
b16722c051de8dc838df5e62ecdf353cd85d2d6ecd6dc94fa73e8e45917150b1e4c3fca8c4afc9efb65460a5497d90beadf9d6d42cfd5bb3e7bceda7565f92c0

Download Submit
C:\Users\Admin\AppData\Roaming\9E8AC\CE15.E8A

Filesize
1KB

MD5
8236a09010a0cbf3a80e5b9fee2e3597

SHA1
4c740b3ffdc345cd517288b1ce1d615777e8fbbe

SHA256
3b50457a3026f6c94952c181d89a6e53649ce399316606cf5dad1d664ddc4bf9

SHA512
a42e08553b40847568c05ad250c63e9c69fb848b6a0d5ac09f3cb0b73e90068ffd887c09a55240fb79000b3985514f699b271b24155c8e3c5967bad49b4cbcc0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\AV Protection 2011\AV Protection 2011.lnk

Filesize
1KB

MD5
aa1f7fcfc726bcb92c271c559b20d96e

SHA1
9f843c621df0f769d416e27f87309e2964b0fcf0

SHA256
cb7a0448afa849a5e7308dc995fdd369ea4bf6a676cdef06114ccd6614a06151

SHA512
9609fefdd81080b254124f86cc7d29081d3d15a3ecc78be171eedaef9c1139f1d8d4ccb1f4e3dc17df5c1260a8096143cc48d352860040c7622e201b6885205a

Download Submit
C:\Users\Admin\AppData\Roaming\ldr.ini

Filesize
1KB

MD5
fa0e06f76539913b8a870b4b5a581c04

SHA1
9274538aac47665f8da0978db9bfc9664361bedc

SHA256
f2264ef290fcb22899a33a09f81642fc7698f377774fc10f4dfa3dc9d5f1dd81

SHA512
29d4bca203e81097e0abcaec00909585394d28fd282ea04796ded2b6609eeb56b18215360c6ca08450b5a70958903b4951ac06c24ca8a80d50f4a12f105b6956

Download Submit
C:\Users\Admin\AppData\Roaming\ldr.ini

Filesize
909B

MD5
a2128b9ee70bb49e7e3c2b6e655a7ad5

SHA1
c8c3b07af405dd17a84bf696dfcd6b739a14060c

SHA256
944b81191c08f3d7e5304ffc8e2d85b99a545237c0fe585684d93444265a5eb0

SHA512
c9c743947ecc9acdd008992a7936cde61aa5a3c82a9a0df74dc73a21970b05d0552ffe9d090c284fcc8c33e4000c99f3f370862832ad812e7e05d8a0f58b171c

Download Submit
C:\Users\Admin\AppData\Roaming\yamH5sWJ7E8RqYw\AV Protection 2011.ico

Filesize
12KB

MD5
bb87f71a6e7f979fcb716926d452b6a8

SHA1
f41e3389760eaea099720e980e599a160f0413b9

SHA256
14c9c49d8ead9ab59a56c328008f59c20b32c3ad22c00e02d34e16ad7086fe84

SHA512
e1d14363274e367ea600afc357d012233fc68f0636e8d05b29992e762d31e9a55b4fa38b08613c2ca528d7fb0f547774a3a3dc79aada32c2c7359c3edcdb549d

Download Submit
C:\Users\Admin\Desktop\AV Protection 2011.lnk

Filesize
1KB

MD5
69bde7053efe3260834e6be8e5fdb4b6

SHA1
f4bcdf315c14c34888df668cbbc8d82fad26c18d

SHA256
43161aaea744dba6532024e41b643feb06d53123f9b9aa2a768eda17b3a09b69

SHA512
8983cadb0faffe7c75245c4fa1c7bd57483ef622e9d2de009ca306dcd0062dbd476ce5e68151bb914851ab9ccf63b064168dc7e29d439fefd2cd07442623ea51

Download Submit
\Program Files (x86)\LP\1A99\8EA9.tmp

Filesize
100KB

MD5
de4945aedb66456dc2f3ee1acfba3246

SHA1
1b0bc34168f1735ad4ac66155309102fb566ea63

SHA256
91f6bb5318ef3615012be80cfb8cc4ed8e81b31bf52215c15684d700fb8b8b5b

SHA512
ede90603a8645063d3180e6283f6c12b26d66a0238cc54187090d80e02455c5a0cc68d0a232ce785c55a1fd4a890292f077ceef35141658a0e32849f8576acd7

Download Submit
\Users\Admin\AppData\Local\Temp\dwme.exe

Filesize
283KB

MD5
cc6f0b2fd70c63672de6c1249f0e9cbb

SHA1
72caa65da6f0a4ce78a0c22b5ad64540b87e2912

SHA256
3e4d6fd109879dc3f608f08e0e152b26b93dce0d08e10d4c2308aedf2fbc1177

SHA512
a8b2199357092780aa62db1959bc631cd8138e54fb62312fbc10738fa5543afa3e252e0fc3ec08399e7c80e2cfcfa795262b0060ad4386811219cac94b032db6

Download Submit
\Windows\SysWOW64\AV Protection 2011v121.exe

Filesize
2.8MB

MD5
ef5af683c8dda88d48ee3497b56c61ba

SHA1
693b34cf74e25234de5358cc335dab83745bfdc8

SHA256
cb1c37b8d1e441cfdb5c026488a9b6bc2e1ce365a22ed4c2189dc3436bcaa9f7

SHA512
83824a52df3d6175137cdc47b8d2c133537dc294ebca6ba425d74867ec9aeabb811f86fcabb721e6b5ef07657bf3203408df76774cf68f547f64e08805eb75b1

Download Submit
memory/1312-105-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2060-177-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2632-110-0x0000000000400000-0x00000000008E9800-memory.dmp

Filesize
4.9MB

Download
memory/2632-283-0x0000000000400000-0x00000000008E9800-memory.dmp

Filesize
4.9MB

Download
memory/2632-66-0x0000000002F90000-0x0000000003381000-memory.dmp

Filesize
3.9MB

Download
memory/2632-175-0x0000000000400000-0x00000000008E9800-memory.dmp

Filesize
4.9MB

Download
memory/2632-256-0x0000000000400000-0x00000000008E9800-memory.dmp

Filesize
4.9MB

Download
memory/2632-297-0x0000000000400000-0x00000000008E9800-memory.dmp

Filesize
4.9MB

Download
memory/2636-357-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2636-278-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2636-170-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2636-103-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2636-345-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2672-64-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2876-45-0x00000000030C0000-0x00000000034B1000-memory.dmp

Filesize
3.9MB

Download
memory/2876-54-0x0000000000400000-0x00000000008E9800-memory.dmp

Filesize
4.9MB

Download
memory/2992-284-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2992-285-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3064-8-0x0000000000400000-0x00000000008E9800-memory.dmp

Filesize
4.9MB

Download
memory/3064-9-0x0000000003000000-0x00000000033F1000-memory.dmp

Filesize
3.9MB

Download
memory/3064-10-0x0000000000400000-0x00000000008E9800-memory.dmp

Filesize
4.9MB

Download
memory/3064-43-0x0000000000400000-0x00000000008E9800-memory.dmp

Filesize
4.9MB

Download
memory/3064-7-0x0000000000400000-0x00000000008E4000-memory.dmp

Filesize
4.9MB

Download
memory/3064-42-0x0000000000400000-0x00000000008E4000-memory.dmp

Filesize
4.9MB

Download
memory/3064-6-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download