pony | 4f81092552663aaf57c5c961ca378193dca0ff0e8d6981899a201e26e22e18fd

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-09-2024 08:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f5914258c41db889e402903ac67ed4f6_JaffaCakes118.exe
Size

2.8MB
MD5

f5914258c41db889e402903ac67ed4f6
SHA1

83e793ac1f9035755fa51bc49a0714343a317156
SHA256

4f81092552663aaf57c5c961ca378193dca0ff0e8d6981899a201e26e22e18fd
SHA512

6a9b995e337c2d9007c01973e6c90befd25e9df97f4e9374c93d3226536c70b5b4a0819aaf6affa79879bca8aa3b1d2a85d201730b9f51b89959279962677137
SSDEEP

49152:EDmsKRJj/P7GP/LqXUTeCLdkt0wbZLHmWUlrvJYW/zPU2+kIqNB:E6sKRF/zGP+XHCLdcb1HNUlL6oPUVS

Score

10^/10

pony credential_access discovery evasion persistence rat spyware stealer upx

Malware Config

Signatures

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3"	dwme.exe

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Disables taskbar notifications via registry modification
evasion

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	AV Protection 2011v121.exe
File created	C:\Windows\system32\drivers\etc\hosts	AV Protection 2011v121.exe

Executes dropped EXE 7 IoCs

pid	Process
1468	dwme.exe
2396	dwme.exe
2800	AV Protection 2011v121.exe
2724	AV Protection 2011v121.exe
1356	dwme.exe
2088	dwme.exe
2860	2B16.tmp

Loads dropped DLL 14 IoCs

pid	Process
2032	f5914258c41db889e402903ac67ed4f6_JaffaCakes118.exe
2032	f5914258c41db889e402903ac67ed4f6_JaffaCakes118.exe
2032	f5914258c41db889e402903ac67ed4f6_JaffaCakes118.exe
2032	f5914258c41db889e402903ac67ed4f6_JaffaCakes118.exe
2032	f5914258c41db889e402903ac67ed4f6_JaffaCakes118.exe
2032	f5914258c41db889e402903ac67ed4f6_JaffaCakes118.exe
2800	AV Protection 2011v121.exe
2800	AV Protection 2011v121.exe
2724	AV Protection 2011v121.exe
2724	AV Protection 2011v121.exe
1468	dwme.exe
1468	dwme.exe
1468	dwme.exe
1468	dwme.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WTXqjUCekBzNx0v8234A = "C:\\Windows\\system32\\AV Protection 2011v121.exe"	f5914258c41db889e402903ac67ed4f6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WekIVrzONx0c2b3 = "C:\\Users\\Admin\\AppData\\Roaming\\dwme.exe"	f5914258c41db889e402903ac67ed4f6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vjUVelIBtPyAu8234A = "C:\\Users\\Admin\\AppData\\Roaming\\TUVelOBtz0c1v2n\\AV Protection 2011v121.exe"	AV Protection 2011v121.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\9F7.exe = "C:\\Program Files (x86)\\LP\\24F5\\9F7.exe"	dwme.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\AV Protection 2011v121.exe	f5914258c41db889e402903ac67ed4f6_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\AV Protection 2011v121.exe	AV Protection 2011v121.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2032-10-0x0000000000400000-0x00000000008EC800-memory.dmp	upx
behavioral1/memory/2032-35-0x0000000000400000-0x00000000008EC800-memory.dmp	upx
behavioral1/memory/2032-42-0x0000000000400000-0x00000000008E4000-memory.dmp	upx
behavioral1/memory/2800-53-0x0000000000400000-0x00000000008EC800-memory.dmp	upx
behavioral1/memory/2396-63-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/1468-101-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/1356-103-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2724-108-0x0000000000400000-0x00000000008EC800-memory.dmp	upx
behavioral1/memory/1468-174-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2088-180-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2724-181-0x0000000000400000-0x00000000008EC800-memory.dmp	upx
behavioral1/memory/2724-262-0x0000000000400000-0x00000000008EC800-memory.dmp	upx
behavioral1/memory/1468-284-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2724-289-0x0000000000400000-0x00000000008EC800-memory.dmp	upx
behavioral1/memory/2724-303-0x0000000000400000-0x00000000008EC800-memory.dmp	upx
behavioral1/memory/1468-357-0x0000000000400000-0x000000000046B000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\LP\24F5\9F7.exe	dwme.exe
File opened for modification	C:\Program Files (x86)\LP\24F5\9F7.exe	dwme.exe
File opened for modification	C:\Program Files (x86)\LP\24F5\2B16.tmp	dwme.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwme.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2B16.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5914258c41db889e402903ac67ed4f6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwme.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwme.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AV Protection 2011v121.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AV Protection 2011v121.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwme.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2800	AV Protection 2011v121.exe
2800	AV Protection 2011v121.exe
2800	AV Protection 2011v121.exe
2800	AV Protection 2011v121.exe
2800	AV Protection 2011v121.exe
2800	AV Protection 2011v121.exe
1468	dwme.exe
1468	dwme.exe
1468	dwme.exe
1468	dwme.exe
1468	dwme.exe
1468	dwme.exe
2724	AV Protection 2011v121.exe
2724	AV Protection 2011v121.exe
2724	AV Protection 2011v121.exe
2724	AV Protection 2011v121.exe
2724	AV Protection 2011v121.exe
2724	AV Protection 2011v121.exe
2724	AV Protection 2011v121.exe
2724	AV Protection 2011v121.exe
2724	AV Protection 2011v121.exe
2724	AV Protection 2011v121.exe
2724	AV Protection 2011v121.exe
2724	AV Protection 2011v121.exe
2724	AV Protection 2011v121.exe
2724	AV Protection 2011v121.exe
2724	AV Protection 2011v121.exe
2724	AV Protection 2011v121.exe
2724	AV Protection 2011v121.exe
2724	AV Protection 2011v121.exe
2724	AV Protection 2011v121.exe
2724	AV Protection 2011v121.exe
1468	dwme.exe
1468	dwme.exe
1468	dwme.exe
1468	dwme.exe
1468	dwme.exe
1468	dwme.exe
1468	dwme.exe
1468	dwme.exe
2724	AV Protection 2011v121.exe
2724	AV Protection 2011v121.exe
2724	AV Protection 2011v121.exe
2724	AV Protection 2011v121.exe
2724	AV Protection 2011v121.exe
2724	AV Protection 2011v121.exe
2724	AV Protection 2011v121.exe
2724	AV Protection 2011v121.exe
2724	AV Protection 2011v121.exe
2724	AV Protection 2011v121.exe
2724	AV Protection 2011v121.exe
2724	AV Protection 2011v121.exe
2724	AV Protection 2011v121.exe
2724	AV Protection 2011v121.exe
2724	AV Protection 2011v121.exe
2724	AV Protection 2011v121.exe
2724	AV Protection 2011v121.exe
2724	AV Protection 2011v121.exe
2724	AV Protection 2011v121.exe
2724	AV Protection 2011v121.exe
2724	AV Protection 2011v121.exe
2724	AV Protection 2011v121.exe
2724	AV Protection 2011v121.exe
2724	AV Protection 2011v121.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2724	AV Protection 2011v121.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeRestorePrivilege	2812	msiexec.exe
Token: SeTakeOwnershipPrivilege	2812	msiexec.exe
Token: SeSecurityPrivilege	2812	msiexec.exe
Token: SeShutdownPrivilege	2268	explorer.exe
Token: SeShutdownPrivilege	2268	explorer.exe
Token: SeShutdownPrivilege	2268	explorer.exe
Token: SeShutdownPrivilege	2268	explorer.exe
Token: SeShutdownPrivilege	2268	explorer.exe
Token: SeShutdownPrivilege	2268	explorer.exe
Token: SeShutdownPrivilege	2268	explorer.exe
Token: SeShutdownPrivilege	2268	explorer.exe
Token: SeShutdownPrivilege	2268	explorer.exe
Token: SeShutdownPrivilege	2268	explorer.exe
Token: SeShutdownPrivilege	2268	explorer.exe
Token: SeShutdownPrivilege	2268	explorer.exe
Token: SeShutdownPrivilege	2268	explorer.exe
Token: SeShutdownPrivilege	2268	explorer.exe
Token: SeShutdownPrivilege	2268	explorer.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
2724	AV Protection 2011v121.exe
2724	AV Protection 2011v121.exe
2724	AV Protection 2011v121.exe
2724	AV Protection 2011v121.exe
2268	explorer.exe
2268	explorer.exe
2268	explorer.exe
2268	explorer.exe
2268	explorer.exe
2268	explorer.exe
2268	explorer.exe
2268	explorer.exe
2268	explorer.exe
2268	explorer.exe
2268	explorer.exe
2268	explorer.exe
2268	explorer.exe
2268	explorer.exe
2268	explorer.exe
2268	explorer.exe
2268	explorer.exe
2268	explorer.exe
2268	explorer.exe
2268	explorer.exe
2268	explorer.exe
2268	explorer.exe
2268	explorer.exe
2268	explorer.exe
2268	explorer.exe
2268	explorer.exe
2268	explorer.exe
2268	explorer.exe
2724	AV Protection 2011v121.exe
2724	AV Protection 2011v121.exe

Suspicious use of SendNotifyMessage 25 IoCs

pid	Process
2724	AV Protection 2011v121.exe
2724	AV Protection 2011v121.exe
2724	AV Protection 2011v121.exe
2724	AV Protection 2011v121.exe
2268	explorer.exe
2268	explorer.exe
2268	explorer.exe
2268	explorer.exe
2268	explorer.exe
2268	explorer.exe
2268	explorer.exe
2268	explorer.exe
2268	explorer.exe
2268	explorer.exe
2268	explorer.exe
2268	explorer.exe
2268	explorer.exe
2268	explorer.exe
2268	explorer.exe
2268	explorer.exe
2268	explorer.exe
2268	explorer.exe
2268	explorer.exe
2724	AV Protection 2011v121.exe
2724	AV Protection 2011v121.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2032	f5914258c41db889e402903ac67ed4f6_JaffaCakes118.exe
2800	AV Protection 2011v121.exe
2800	AV Protection 2011v121.exe
2724	AV Protection 2011v121.exe
2724	AV Protection 2011v121.exe
2724	AV Protection 2011v121.exe
2724	AV Protection 2011v121.exe
2724	AV Protection 2011v121.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 1468	2032	f5914258c41db889e402903ac67ed4f6_JaffaCakes118.exe	30
PID 2032 wrote to memory of 1468	2032	f5914258c41db889e402903ac67ed4f6_JaffaCakes118.exe	30
PID 2032 wrote to memory of 1468	2032	f5914258c41db889e402903ac67ed4f6_JaffaCakes118.exe	30
PID 2032 wrote to memory of 1468	2032	f5914258c41db889e402903ac67ed4f6_JaffaCakes118.exe	30
PID 2032 wrote to memory of 2396	2032	f5914258c41db889e402903ac67ed4f6_JaffaCakes118.exe	31
PID 2032 wrote to memory of 2396	2032	f5914258c41db889e402903ac67ed4f6_JaffaCakes118.exe	31
PID 2032 wrote to memory of 2396	2032	f5914258c41db889e402903ac67ed4f6_JaffaCakes118.exe	31
PID 2032 wrote to memory of 2396	2032	f5914258c41db889e402903ac67ed4f6_JaffaCakes118.exe	31
PID 2032 wrote to memory of 2800	2032	f5914258c41db889e402903ac67ed4f6_JaffaCakes118.exe	32
PID 2032 wrote to memory of 2800	2032	f5914258c41db889e402903ac67ed4f6_JaffaCakes118.exe	32
PID 2032 wrote to memory of 2800	2032	f5914258c41db889e402903ac67ed4f6_JaffaCakes118.exe	32
PID 2032 wrote to memory of 2800	2032	f5914258c41db889e402903ac67ed4f6_JaffaCakes118.exe	32
PID 2800 wrote to memory of 2724	2800	AV Protection 2011v121.exe	33
PID 2800 wrote to memory of 2724	2800	AV Protection 2011v121.exe	33
PID 2800 wrote to memory of 2724	2800	AV Protection 2011v121.exe	33
PID 2800 wrote to memory of 2724	2800	AV Protection 2011v121.exe	33
PID 1468 wrote to memory of 1356	1468	dwme.exe	36
PID 1468 wrote to memory of 1356	1468	dwme.exe	36
PID 1468 wrote to memory of 1356	1468	dwme.exe	36
PID 1468 wrote to memory of 1356	1468	dwme.exe	36
PID 1468 wrote to memory of 2088	1468	dwme.exe	38
PID 1468 wrote to memory of 2088	1468	dwme.exe	38
PID 1468 wrote to memory of 2088	1468	dwme.exe	38
PID 1468 wrote to memory of 2088	1468	dwme.exe	38
PID 1468 wrote to memory of 2860	1468	dwme.exe	41
PID 1468 wrote to memory of 2860	1468	dwme.exe	41
PID 1468 wrote to memory of 2860	1468	dwme.exe	41
PID 1468 wrote to memory of 2860	1468	dwme.exe	41

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	dwme.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	dwme.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\f5914258c41db889e402903ac67ed4f6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f5914258c41db889e402903ac67ed4f6_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Users\Admin\AppData\Local\Temp\dwme.exe
  "C:\Users\Admin\AppData\Local\Temp\dwme.exe"
  2⤵
  - Modifies security service
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1468
- - C:\Users\Admin\AppData\Local\Temp\dwme.exe
    C:\Users\Admin\AppData\Local\Temp\dwme.exe startC:\Users\Admin\AppData\Roaming\5A2A8\93024.exe%C:\Users\Admin\AppData\Roaming\5A2A8
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1356
- - C:\Users\Admin\AppData\Local\Temp\dwme.exe
    C:\Users\Admin\AppData\Local\Temp\dwme.exe startC:\Program Files (x86)\A8674\lvvm.exe%C:\Program Files (x86)\A8674
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2088
- - C:\Program Files (x86)\LP\24F5\2B16.tmp
    "C:\Program Files (x86)\LP\24F5\2B16.tmp"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2860
- C:\Users\Admin\AppData\Roaming\dwme.exe
  C:\Users\Admin\AppData\Roaming\dwme.exe auto
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2396
- C:\Windows\SysWOW64\AV Protection 2011v121.exe
  C:\Windows\system32\AV Protection 2011v121.exe 5985C:\Users\Admin\AppData\Local\Temp\f5914258c41db889e402903ac67ed4f6_JaffaCakes118.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Users\Admin\AppData\Roaming\TUVelOBtz0c1v2n\AV Protection 2011v121.exe
    C:\Users\Admin\AppData\Roaming\TUVelOBtz0c1v2n\AV Protection 2011v121.exe 5985C:\Windows\SysWOW64\AV Protection 2011v121.exe
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:2724

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2812

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\LP\24F5\2B16.tmp

Filesize
100KB

MD5
de4945aedb66456dc2f3ee1acfba3246

SHA1
1b0bc34168f1735ad4ac66155309102fb566ea63

SHA256
91f6bb5318ef3615012be80cfb8cc4ed8e81b31bf52215c15684d700fb8b8b5b

SHA512
ede90603a8645063d3180e6283f6c12b26d66a0238cc54187090d80e02455c5a0cc68d0a232ce785c55a1fd4a890292f077ceef35141658a0e32849f8576acd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nfbA831.tmp

Filesize
228B

MD5
27b4354e7db4fc75f357cd7d7cdf3c6d

SHA1
6a8f0172da7d8b7937ab0485336fce17b9ba99fc

SHA256
cab01e7d2f99648f5cad4850308f64e8768613551c4b8650ab096b6459bc68da

SHA512
da86ab1091422383c66b3b86c2f721d8964d0417a503c573dfaa5d008ad3a4ad022afe52020a781c8894be9f849ef089a4c4bee614c35e9e5ab88cbdf5de75cf

Download Submit
C:\Users\Admin\AppData\Roaming\5A2A8\8674.A2A

Filesize
300B

MD5
082b7e47cfe1335f3fbca8f1e3db0f08

SHA1
dfdef8d0404fcbe5f72587aebe7d8c49e9c1277b

SHA256
4fc6539ee75c7f4e988fca21e4509f314da372f7a5feea3e647385d94007b93e

SHA512
f1bf4af53662b2fb03fcb7f89bef95c6d2feb54326fa8d627015040654363f4b5b53a5e4b6cb89b264065315995aec3fae86e80c536cbf540d9298973b0ecda8

Download Submit
C:\Users\Admin\AppData\Roaming\5A2A8\8674.A2A

Filesize
696B

MD5
ca1a5a31d3ada4ed24fe581d7e5480b3

SHA1
fdee774d691e6700c76de826a5333a37ad7b2f89

SHA256
d20f73755a275f93f2f077b5532b3f43e95165372d173161f5072373aee7de83

SHA512
455f3170ea856cfd3d713646a7c9c134c174c955bfb1624c8fa8d9b9af8a0d7bb6f421abcaa12e79ac0e352dc6f92cb44506ed63bb8a7aa5b39fda142a373756

Download Submit
C:\Users\Admin\AppData\Roaming\5A2A8\8674.A2A

Filesize
1KB

MD5
d3da92166a18571a72a4fef75549f8aa

SHA1
6aabfe6b9af1e0bb98454b07a6c289916ea0a90e

SHA256
fb08871c2410e0ec7e9ec95de8637a0f27ea3597ab9b96206d464b1804866fb2

SHA512
2e485aa70bd262f73ae437a2c8f6b186ba6451be67599549bd5cfc7cc6a385d8be88814eba01a503bef453f2c68a4090d7d8c04c4933a1d4741c6fc03e2cc296

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\AV Protection 2011\AV Protection 2011.lnk

Filesize
1KB

MD5
ff361efbb843a87658cc00f8fb093fde

SHA1
1ca0e44aae64cb4a62410c75112d813f27d9ba04

SHA256
bcb864ac116acfaefb03e1c54efb5d69f54e175c809bf6263c28ebec4ab4d75e

SHA512
c2634e37e0d12565f5090c06d5bf02b6be34ba3e61d2560c7b7f1f539555138e387ee2706ce84299c3734c2d8694d00bfa4d43285bd006d8a28d96bc42f93f01

Download Submit
C:\Users\Admin\AppData\Roaming\ZA0ucS2ib\AV Protection 2011.ico

Filesize
12KB

MD5
bb87f71a6e7f979fcb716926d452b6a8

SHA1
f41e3389760eaea099720e980e599a160f0413b9

SHA256
14c9c49d8ead9ab59a56c328008f59c20b32c3ad22c00e02d34e16ad7086fe84

SHA512
e1d14363274e367ea600afc357d012233fc68f0636e8d05b29992e762d31e9a55b4fa38b08613c2ca528d7fb0f547774a3a3dc79aada32c2c7359c3edcdb549d

Download Submit
C:\Users\Admin\AppData\Roaming\ldr.ini

Filesize
1KB

MD5
2f4b8a0ac8fd3a835684dcd15e5558f3

SHA1
c6eaf564c0e83aecaa2706113fc8e548305bf540

SHA256
9bd3f411905883d6c1fd871244c7e84675bca98ce79dd811b4ee61fef4a4e8ad

SHA512
1f5d35208b8ab0123e7a4180dad27767170336346b8485a9ca731ab54d08b3ac3b1539ff6bbd874f9ddf3e519fc70b07b41f56f512edb4807595d49707148eab

Download Submit
C:\Users\Admin\AppData\Roaming\ldr.ini

Filesize
611B

MD5
d90c0a1619e206c40930f3b95be62f02

SHA1
2dc7c09151548f64f2cf1a74e6eb728396f48326

SHA256
f6985402bd79ed6968d1f3e6da90d1a6b0a95541cf8008b9060d4271ecf6164c

SHA512
c48e0fcf44dc6ef446b48d7ecabbcf87c68ff0e6977d3a157495763308b47af421d4cd64135a0537e22621005a2c42d4a26b82c91cacb55ec13ae83d635fd9cc

Download Submit
C:\Users\Admin\Desktop\AV Protection 2011.lnk

Filesize
1KB

MD5
db616a4d8e626dda8b7e090961c9d153

SHA1
ea225c7324e4868ce9ab0b11fbe42bf4e1f8b0f7

SHA256
a0944130b1a57b62c453ade222680e53c80b4fef73e6bcdf72ca77e9ffc55c0c

SHA512
d7122da1a3396de20d53a2b9ce871aef35d3ccb2ad24cd96fd3104bf2a2e8d1afc6a4642b7867cab242750723c909f2874200dc67dab49d73db5d3df9d75b1f6

Download Submit
C:\Windows\SysWOW64\AV Protection 2011v121.exe

Filesize
2.8MB

MD5
f5914258c41db889e402903ac67ed4f6

SHA1
83e793ac1f9035755fa51bc49a0714343a317156

SHA256
4f81092552663aaf57c5c961ca378193dca0ff0e8d6981899a201e26e22e18fd

SHA512
6a9b995e337c2d9007c01973e6c90befd25e9df97f4e9374c93d3226536c70b5b4a0819aaf6affa79879bca8aa3b1d2a85d201730b9f51b89959279962677137

Download Submit
\Users\Admin\AppData\Local\Temp\dwme.exe

Filesize
283KB

MD5
cc6f0b2fd70c63672de6c1249f0e9cbb

SHA1
72caa65da6f0a4ce78a0c22b5ad64540b87e2912

SHA256
3e4d6fd109879dc3f608f08e0e152b26b93dce0d08e10d4c2308aedf2fbc1177

SHA512
a8b2199357092780aa62db1959bc631cd8138e54fb62312fbc10738fa5543afa3e252e0fc3ec08399e7c80e2cfcfa795262b0060ad4386811219cac94b032db6

Download Submit
memory/1356-103-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1468-357-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1468-284-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1468-174-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1468-101-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2032-8-0x0000000000400000-0x00000000008EC800-memory.dmp

Filesize
4.9MB

Download
memory/2032-9-0x00000000030D0000-0x00000000034C1000-memory.dmp

Filesize
3.9MB

Download
memory/2032-7-0x0000000000400000-0x00000000008E4000-memory.dmp

Filesize
4.9MB

Download
memory/2032-42-0x0000000000400000-0x00000000008E4000-memory.dmp

Filesize
4.9MB

Download
memory/2032-35-0x0000000000400000-0x00000000008EC800-memory.dmp

Filesize
4.9MB

Download
memory/2032-10-0x0000000000400000-0x00000000008EC800-memory.dmp

Filesize
4.9MB

Download
memory/2032-6-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2088-180-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2396-62-0x0000000000560000-0x0000000000660000-memory.dmp

Filesize
1024KB

Download
memory/2396-63-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2724-181-0x0000000000400000-0x00000000008EC800-memory.dmp

Filesize
4.9MB

Download
memory/2724-262-0x0000000000400000-0x00000000008EC800-memory.dmp

Filesize
4.9MB

Download
memory/2724-303-0x0000000000400000-0x00000000008EC800-memory.dmp

Filesize
4.9MB

Download
memory/2724-65-0x0000000003130000-0x0000000003521000-memory.dmp

Filesize
3.9MB

Download
memory/2724-108-0x0000000000400000-0x00000000008EC800-memory.dmp

Filesize
4.9MB

Download
memory/2724-289-0x0000000000400000-0x00000000008EC800-memory.dmp

Filesize
4.9MB

Download
memory/2800-53-0x0000000000400000-0x00000000008EC800-memory.dmp

Filesize
4.9MB

Download
memory/2800-44-0x0000000003190000-0x0000000003581000-memory.dmp

Filesize
3.9MB

Download
memory/2860-291-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2860-290-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download