pony | 4c3eb1c67531d16013dd0d55a30403945e5649367b0be7473764aa1998245993

Analysis

max time kernel
142s
max time network
124s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27-09-2024 23:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fb1b32c15b3ad5034efbe479e210076d_JaffaCakes118.exe
Size

1.2MB
MD5

fb1b32c15b3ad5034efbe479e210076d
SHA1

04c12f504481c36754277c593e80fcc43be69eb3
SHA256

4c3eb1c67531d16013dd0d55a30403945e5649367b0be7473764aa1998245993
SHA512

9e6cbee35909468698df7bd561b33b845d9b6f13f79bf1b39b07004afad0a5ebd622fc7259befbcb442d046eb431c18ec950b211a471ea64a67ca83ae95df975
SSDEEP

24576:VWPKPd38f8LJDCePQPhSbcxjtxplwW2HOoWK5vnUYlIF/3tUHDFhbQMZ:gvOJDHQPhSgRtxpFBQlolUHDFhbQMZ

Score

10^/10

pony credential_access defense_evasion discovery evasion persistence rat spyware stealer upx

Malware Config

Signatures

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3"	3R2R.exe

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Disables taskbar notifications via registry modification
evasion

Executes dropped EXE 9 IoCs

pid	Process
2796	Wolfe, Gene - Book of the New Sun 02 - Sword and Citadel.exe
2708	ic5.exe
2612	2 Gansta.exe
908	4tbp.exe
2816	3R2R.exe
336	csrss.exe
1640	3R2R.exe
2636	3R2R.exe
1956	756E.tmp

Loads dropped DLL 46 IoCs

pid	Process
2648	fb1b32c15b3ad5034efbe479e210076d_JaffaCakes118.exe
2796	Wolfe, Gene - Book of the New Sun 02 - Sword and Citadel.exe
2796	Wolfe, Gene - Book of the New Sun 02 - Sword and Citadel.exe
2648	fb1b32c15b3ad5034efbe479e210076d_JaffaCakes118.exe
2648	fb1b32c15b3ad5034efbe479e210076d_JaffaCakes118.exe
2708	ic5.exe
2708	ic5.exe
2708	ic5.exe
2648	fb1b32c15b3ad5034efbe479e210076d_JaffaCakes118.exe
2648	fb1b32c15b3ad5034efbe479e210076d_JaffaCakes118.exe
2648	fb1b32c15b3ad5034efbe479e210076d_JaffaCakes118.exe
2648	fb1b32c15b3ad5034efbe479e210076d_JaffaCakes118.exe
2648	fb1b32c15b3ad5034efbe479e210076d_JaffaCakes118.exe
2648	fb1b32c15b3ad5034efbe479e210076d_JaffaCakes118.exe
2612	2 Gansta.exe
2612	2 Gansta.exe
2612	2 Gansta.exe
908	4tbp.exe
908	4tbp.exe
908	4tbp.exe
2816	3R2R.exe
2816	3R2R.exe
2816	3R2R.exe
2600	rundll32.exe
2600	rundll32.exe
2600	rundll32.exe
2600	rundll32.exe
1008	Process not Found
2816	3R2R.exe
2816	3R2R.exe
1640	3R2R.exe
1640	3R2R.exe
1640	3R2R.exe
1908	DllHost.exe
2816	3R2R.exe
2636	3R2R.exe
2636	3R2R.exe
2636	3R2R.exe
900	rundll32.exe
900	rundll32.exe
900	rundll32.exe
900	rundll32.exe
2816	3R2R.exe
2816	3R2R.exe
1956	756E.tmp
900	rundll32.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Tpazucamunumatoy = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\APINlg.dll\",Startup"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\82B.exe = "C:\\Program Files (x86)\\LP\\AF02\\82B.exe"	3R2R.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	\systemroot\assembly\GAC_64\Desktop.ini	csrss.exe
File created	\systemroot\assembly\GAC_32\Desktop.ini	csrss.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000015fa6-62.dat	upx
behavioral1/memory/2612-63-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/memory/1640-153-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral1/memory/2612-188-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/memory/2816-193-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral1/memory/2636-260-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral1/memory/2816-262-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral1/memory/2816-357-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral1/memory/2816-386-0x0000000000400000-0x000000000046D000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\LP\AF02\82B.exe	3R2R.exe
File opened for modification	C:\Program Files (x86)\LP\AF02\756E.tmp	3R2R.exe
File opened for modification	C:\Program Files (x86)\LP\AF02\82B.exe	3R2R.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3R2R.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3R2R.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3R2R.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ic5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wolfe, Gene - Book of the New Sun 02 - Sword and Citadel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2 Gansta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4tbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	756E.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fb1b32c15b3ad5034efbe479e210076d_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	Wolfe, Gene - Book of the New Sun 02 - Sword and Citadel.exe

Modifies registry class 8 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\registry\machine\Software\Classes\Interface\{1694bb7d-3d49-8c91-f5a4-cbcd3994eab3}	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1694bb7d-3d49-8c91-f5a4-cbcd3994eab3}\u = "860049491"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1694bb7d-3d49-8c91-f5a4-cbcd3994eab3}\cid = "2734013986588452879"	explorer.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2816	3R2R.exe
2816	3R2R.exe
2816	3R2R.exe
2816	3R2R.exe
2816	3R2R.exe
2816	3R2R.exe
1404	explorer.exe
1404	explorer.exe
1404	explorer.exe
2600	rundll32.exe
2816	3R2R.exe
2816	3R2R.exe
2816	3R2R.exe
2816	3R2R.exe
2816	3R2R.exe
2816	3R2R.exe
2816	3R2R.exe
2816	3R2R.exe
2600	rundll32.exe
336	csrss.exe
2600	rundll32.exe
2600	rundll32.exe
2600	rundll32.exe
2600	rundll32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	1464	msiexec.exe
Token: SeTakeOwnershipPrivilege	1464	msiexec.exe
Token: SeSecurityPrivilege	1464	msiexec.exe
Token: SeDebugPrivilege	1404	explorer.exe
Token: SeIncBasePriorityPrivilege	2612	2 Gansta.exe
Token: SeShutdownPrivilege	1692	explorer.exe
Token: SeShutdownPrivilege	1692	explorer.exe
Token: SeShutdownPrivilege	1692	explorer.exe
Token: SeShutdownPrivilege	1692	explorer.exe
Token: SeShutdownPrivilege	1692	explorer.exe
Token: SeShutdownPrivilege	1692	explorer.exe
Token: SeShutdownPrivilege	1692	explorer.exe
Token: SeShutdownPrivilege	1692	explorer.exe
Token: SeShutdownPrivilege	1692	explorer.exe
Token: SeShutdownPrivilege	1692	explorer.exe
Token: SeShutdownPrivilege	1692	explorer.exe
Token: SeShutdownPrivilege	1692	explorer.exe
Token: SeAssignPrimaryTokenPrivilege	852	svchost.exe
Token: SeIncreaseQuotaPrivilege	852	svchost.exe
Token: SeSecurityPrivilege	852	svchost.exe
Token: SeTakeOwnershipPrivilege	852	svchost.exe
Token: SeLoadDriverPrivilege	852	svchost.exe
Token: SeSystemtimePrivilege	852	svchost.exe
Token: SeBackupPrivilege	852	svchost.exe
Token: SeRestorePrivilege	852	svchost.exe
Token: SeShutdownPrivilege	852	svchost.exe
Token: SeSystemEnvironmentPrivilege	852	svchost.exe
Token: SeUndockPrivilege	852	svchost.exe
Token: SeManageVolumePrivilege	852	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	852	svchost.exe
Token: SeIncreaseQuotaPrivilege	852	svchost.exe
Token: SeSecurityPrivilege	852	svchost.exe
Token: SeTakeOwnershipPrivilege	852	svchost.exe
Token: SeLoadDriverPrivilege	852	svchost.exe
Token: SeSystemtimePrivilege	852	svchost.exe
Token: SeBackupPrivilege	852	svchost.exe
Token: SeRestorePrivilege	852	svchost.exe
Token: SeShutdownPrivilege	852	svchost.exe
Token: SeSystemEnvironmentPrivilege	852	svchost.exe
Token: SeUndockPrivilege	852	svchost.exe
Token: SeManageVolumePrivilege	852	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	852	svchost.exe
Token: SeIncreaseQuotaPrivilege	852	svchost.exe
Token: SeSecurityPrivilege	852	svchost.exe
Token: SeTakeOwnershipPrivilege	852	svchost.exe
Token: SeLoadDriverPrivilege	852	svchost.exe
Token: SeSystemtimePrivilege	852	svchost.exe
Token: SeBackupPrivilege	852	svchost.exe
Token: SeRestorePrivilege	852	svchost.exe
Token: SeShutdownPrivilege	852	svchost.exe
Token: SeSystemEnvironmentPrivilege	852	svchost.exe
Token: SeUndockPrivilege	852	svchost.exe
Token: SeManageVolumePrivilege	852	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	852	svchost.exe
Token: SeIncreaseQuotaPrivilege	852	svchost.exe
Token: SeSecurityPrivilege	852	svchost.exe
Token: SeTakeOwnershipPrivilege	852	svchost.exe
Token: SeLoadDriverPrivilege	852	svchost.exe
Token: SeSystemtimePrivilege	852	svchost.exe
Token: SeBackupPrivilege	852	svchost.exe
Token: SeRestorePrivilege	852	svchost.exe
Token: SeShutdownPrivilege	852	svchost.exe
Token: SeSystemEnvironmentPrivilege	852	svchost.exe
Token: SeUndockPrivilege	852	svchost.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
1692	explorer.exe
1692	explorer.exe
1692	explorer.exe
1692	explorer.exe
1692	explorer.exe
1692	explorer.exe
1692	explorer.exe
1692	explorer.exe
1692	explorer.exe
1692	explorer.exe
1692	explorer.exe
1692	explorer.exe
1692	explorer.exe
1692	explorer.exe
1692	explorer.exe
1692	explorer.exe
1692	explorer.exe
1692	explorer.exe
1692	explorer.exe
1692	explorer.exe
1692	explorer.exe
1692	explorer.exe
1692	explorer.exe
1692	explorer.exe
1692	explorer.exe
1692	explorer.exe
1692	explorer.exe
1692	explorer.exe

Suspicious use of SendNotifyMessage 18 IoCs

pid	Process
1692	explorer.exe
1692	explorer.exe
1692	explorer.exe
1692	explorer.exe
1692	explorer.exe
1692	explorer.exe
1692	explorer.exe
1692	explorer.exe
1692	explorer.exe
1692	explorer.exe
1692	explorer.exe
1692	explorer.exe
1692	explorer.exe
1692	explorer.exe
1692	explorer.exe
1692	explorer.exe
1692	explorer.exe
1692	explorer.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2796	Wolfe, Gene - Book of the New Sun 02 - Sword and Citadel.exe
2796	Wolfe, Gene - Book of the New Sun 02 - Sword and Citadel.exe
908	4tbp.exe
2600	rundll32.exe
900	rundll32.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
336	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2648 wrote to memory of 2796	2648	fb1b32c15b3ad5034efbe479e210076d_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2796	2648	fb1b32c15b3ad5034efbe479e210076d_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2796	2648	fb1b32c15b3ad5034efbe479e210076d_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2796	2648	fb1b32c15b3ad5034efbe479e210076d_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2796	2648	fb1b32c15b3ad5034efbe479e210076d_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2796	2648	fb1b32c15b3ad5034efbe479e210076d_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2796	2648	fb1b32c15b3ad5034efbe479e210076d_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2708	2648	fb1b32c15b3ad5034efbe479e210076d_JaffaCakes118.exe	31
PID 2648 wrote to memory of 2708	2648	fb1b32c15b3ad5034efbe479e210076d_JaffaCakes118.exe	31
PID 2648 wrote to memory of 2708	2648	fb1b32c15b3ad5034efbe479e210076d_JaffaCakes118.exe	31
PID 2648 wrote to memory of 2708	2648	fb1b32c15b3ad5034efbe479e210076d_JaffaCakes118.exe	31
PID 2648 wrote to memory of 2708	2648	fb1b32c15b3ad5034efbe479e210076d_JaffaCakes118.exe	31
PID 2648 wrote to memory of 2708	2648	fb1b32c15b3ad5034efbe479e210076d_JaffaCakes118.exe	31
PID 2648 wrote to memory of 2708	2648	fb1b32c15b3ad5034efbe479e210076d_JaffaCakes118.exe	31
PID 2648 wrote to memory of 2612	2648	fb1b32c15b3ad5034efbe479e210076d_JaffaCakes118.exe	32
PID 2648 wrote to memory of 2612	2648	fb1b32c15b3ad5034efbe479e210076d_JaffaCakes118.exe	32
PID 2648 wrote to memory of 2612	2648	fb1b32c15b3ad5034efbe479e210076d_JaffaCakes118.exe	32
PID 2648 wrote to memory of 2612	2648	fb1b32c15b3ad5034efbe479e210076d_JaffaCakes118.exe	32
PID 2648 wrote to memory of 2612	2648	fb1b32c15b3ad5034efbe479e210076d_JaffaCakes118.exe	32
PID 2648 wrote to memory of 2612	2648	fb1b32c15b3ad5034efbe479e210076d_JaffaCakes118.exe	32
PID 2648 wrote to memory of 2612	2648	fb1b32c15b3ad5034efbe479e210076d_JaffaCakes118.exe	32
PID 2648 wrote to memory of 2816	2648	fb1b32c15b3ad5034efbe479e210076d_JaffaCakes118.exe	33
PID 2648 wrote to memory of 2816	2648	fb1b32c15b3ad5034efbe479e210076d_JaffaCakes118.exe	33
PID 2648 wrote to memory of 2816	2648	fb1b32c15b3ad5034efbe479e210076d_JaffaCakes118.exe	33
PID 2648 wrote to memory of 2816	2648	fb1b32c15b3ad5034efbe479e210076d_JaffaCakes118.exe	33
PID 2648 wrote to memory of 2816	2648	fb1b32c15b3ad5034efbe479e210076d_JaffaCakes118.exe	33
PID 2648 wrote to memory of 2816	2648	fb1b32c15b3ad5034efbe479e210076d_JaffaCakes118.exe	33
PID 2648 wrote to memory of 2816	2648	fb1b32c15b3ad5034efbe479e210076d_JaffaCakes118.exe	33
PID 2648 wrote to memory of 908	2648	fb1b32c15b3ad5034efbe479e210076d_JaffaCakes118.exe	34
PID 2648 wrote to memory of 908	2648	fb1b32c15b3ad5034efbe479e210076d_JaffaCakes118.exe	34
PID 2648 wrote to memory of 908	2648	fb1b32c15b3ad5034efbe479e210076d_JaffaCakes118.exe	34
PID 2648 wrote to memory of 908	2648	fb1b32c15b3ad5034efbe479e210076d_JaffaCakes118.exe	34
PID 2648 wrote to memory of 908	2648	fb1b32c15b3ad5034efbe479e210076d_JaffaCakes118.exe	34
PID 2648 wrote to memory of 908	2648	fb1b32c15b3ad5034efbe479e210076d_JaffaCakes118.exe	34
PID 2648 wrote to memory of 908	2648	fb1b32c15b3ad5034efbe479e210076d_JaffaCakes118.exe	34
PID 908 wrote to memory of 2600	908	4tbp.exe	35
PID 908 wrote to memory of 2600	908	4tbp.exe	35
PID 908 wrote to memory of 2600	908	4tbp.exe	35
PID 908 wrote to memory of 2600	908	4tbp.exe	35
PID 908 wrote to memory of 2600	908	4tbp.exe	35
PID 908 wrote to memory of 2600	908	4tbp.exe	35
PID 908 wrote to memory of 2600	908	4tbp.exe	35
PID 2708 wrote to memory of 1404	2708	ic5.exe	36
PID 2708 wrote to memory of 1404	2708	ic5.exe	36
PID 2708 wrote to memory of 1404	2708	ic5.exe	36
PID 2708 wrote to memory of 1404	2708	ic5.exe	36
PID 2708 wrote to memory of 1404	2708	ic5.exe	36
PID 2708 wrote to memory of 1404	2708	ic5.exe	36
PID 1404 wrote to memory of 336	1404	explorer.exe	2
PID 2816 wrote to memory of 1640	2816	3R2R.exe	38
PID 2816 wrote to memory of 1640	2816	3R2R.exe	38
PID 2816 wrote to memory of 1640	2816	3R2R.exe	38
PID 2816 wrote to memory of 1640	2816	3R2R.exe	38
PID 2816 wrote to memory of 1640	2816	3R2R.exe	38
PID 2816 wrote to memory of 1640	2816	3R2R.exe	38
PID 2816 wrote to memory of 1640	2816	3R2R.exe	38
PID 336 wrote to memory of 1908	336	csrss.exe	39
PID 2816 wrote to memory of 2636	2816	3R2R.exe	40
PID 2816 wrote to memory of 2636	2816	3R2R.exe	40
PID 2816 wrote to memory of 2636	2816	3R2R.exe	40
PID 2816 wrote to memory of 2636	2816	3R2R.exe	40
PID 2816 wrote to memory of 2636	2816	3R2R.exe	40
PID 2816 wrote to memory of 2636	2816	3R2R.exe	40
PID 2816 wrote to memory of 2636	2816	3R2R.exe	40

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	3R2R.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	3R2R.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:336

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:852

C:\Users\Admin\AppData\Local\Temp\fb1b32c15b3ad5034efbe479e210076d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fb1b32c15b3ad5034efbe479e210076d_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Users\Admin\AppData\Local\Temp\nsjF94F.tmp\Wolfe, Gene - Book of the New Sun 02 - Sword and Citadel.exe
  "C:\Users\Admin\AppData\Local\Temp\nsjF94F.tmp\Wolfe, Gene - Book of the New Sun 02 - Sword and Citadel.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2796
- C:\Users\Admin\AppData\Local\Temp\nsjF94F.tmp\ic5.exe
  "C:\Users\Admin\AppData\Local\Temp\nsjF94F.tmp\ic5.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Windows\explorer.exe
    00000110*
    3⤵
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1404
- C:\Users\Admin\AppData\Local\Temp\nsjF94F.tmp\2 Gansta.exe
  "C:\Users\Admin\AppData\Local\Temp\nsjF94F.tmp\2 Gansta.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2612
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\nsjF94F.tmp\2GANST~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2096
- C:\Users\Admin\AppData\Local\Temp\nsjF94F.tmp\3R2R.exe
  "C:\Users\Admin\AppData\Local\Temp\nsjF94F.tmp\3R2R.exe"
  2⤵
  - Modifies security service
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2816
- - C:\Users\Admin\AppData\Local\Temp\nsjF94F.tmp\3R2R.exe
    C:\Users\Admin\AppData\Local\Temp\nsjF94F.tmp\3R2R.exe startC:\Users\Admin\AppData\Roaming\2371C\EC9AF.exe%C:\Users\Admin\AppData\Roaming\2371C
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1640
- - C:\Users\Admin\AppData\Local\Temp\nsjF94F.tmp\3R2R.exe
    C:\Users\Admin\AppData\Local\Temp\nsjF94F.tmp\3R2R.exe startC:\Program Files (x86)\1C32E\lvvm.exe%C:\Program Files (x86)\1C32E
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2636
- - C:\Program Files (x86)\LP\AF02\756E.tmp
    "C:\Program Files (x86)\LP\AF02\756E.tmp"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1956
- C:\Users\Admin\AppData\Local\Temp\nsjF94F.tmp\4tbp.exe
  "C:\Users\Admin\AppData\Local\Temp\nsjF94F.tmp\4tbp.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:908
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\APINlg.dll",Startup
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2600
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe "C:\Users\Admin\AppData\Local\APINlg.dll",iep
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:900

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1464

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
- Loads dropped DLL
PID:1908

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1692

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:2464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsjF94F.tmp\2 Gansta.exe

Filesize
6KB

MD5
bee76c79e2e63e198038e01f0d571038

SHA1
fcffdd6bb030f516a46e9d303ebae2ab33af222e

SHA256
50a3c7134460bfe5f2840bd8dc957edfaa76da5beaaff70f8da5e0fef80ae876

SHA512
dd2e9488ad365c02722e1a2466acffb8beaf4dbb68d7093e01c50cd915418ca0642cb6bdd43f2f2b014455803f3c69dec24ca9dfee11bdf7790379181cd2f6f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjF94F.tmp\3R2R.exe

Filesize
281KB

MD5
f25c5ce835570548f56fb76d200e5a85

SHA1
4546ff42a0124ddce6fba8c741f243a13ea62070

SHA256
c2e7735af27176afe00cf5b13b8340517fd01299691a54427ce5fd7591db9759

SHA512
2cc92b646241f3bdcd5d9ffd546574c3d2bf36fff08a54b4dc29284f855c3b47928f7bc40bc174bc3b68d0805fe8a6f4739a17aef07b7e0af4903a19133b59a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjF94F.tmp\4tbp.exe

Filesize
108KB

MD5
03b927c7c418bb244c2080e40bc7c20e

SHA1
f8abf451378cbc13ec4c336456d0ba096ed64459

SHA256
317d95ad3f8b58b6e7d7623e4ead965aea9eff10934280ca3cfa104f3d176f48

SHA512
329102dee848ed482c07e3d7cd528088a7526179382d72cf9c5a8325519fe40a5adbb1f8bb560ccd4a8e876f4ca3f0e893f8983195ad775249844dcdf4e39747

Download Submit
C:\Users\Admin\AppData\Roaming\2371C\C32E.371

Filesize
300B

MD5
c2d3c08bf2d2f422649f46aeeff7a81e

SHA1
764bafa18f96b463cc516d3db3ceb3aa061c27d9

SHA256
a2b353a75fd73e356ab45de6519b621eb21889f5a204e201175e491d9d331319

SHA512
c054c5429b917e04d283fb0c70e5e0b50404f35cbdc92157b9c49fa701d8c7e22d98ff226e310433faf39dec332c0a3377e910d39b2c7a3ebd1df54b78bfa78d

Download Submit
C:\Users\Admin\AppData\Roaming\2371C\C32E.371

Filesize
600B

MD5
b7cdbcf83299ca5639678263eaea6cbd

SHA1
599d8adb1abd462651107abc0e1e69f75428a59b

SHA256
6eeacafa2e59cea23dddd68aa12b2c9c2412559ac8773fb154c90008c6423e8c

SHA512
86b0083d6abf16f8c3e6d53eddb4fe743879e348bcb9c2a2f0f32a79ec06e6b8fb6b9f463d21ad7c946945dd0f0447b0bda66f0b5d6cd3575ecedf991d16732f

Download Submit
C:\Users\Admin\AppData\Roaming\2371C\C32E.371

Filesize
1KB

MD5
fbae4beccee9dbf436f85c468dd4c01a

SHA1
864a97d108767754f25155307440152fba65ec17

SHA256
38b271eb71f6ae93b98549a3f284d33214ffd2179972c9d0bdc1a3e2983357d6

SHA512
408df97e84b569514b05601a1ad2b20b1cdfd2258f38678f81abf0419b9917e667742fd840e28e3bb594c6f5d82d1ae260b24641425eeb55673fbde5ee42421a

Download Submit
C:\Windows\system32\consrv.DLL

Filesize
52KB

MD5
c7570a7e24b29ee04a48c2c99da2587b

SHA1
b6e3635a8de44b1635e8d362ac131e14281feb24

SHA256
717cd7661c09701ee39c505d8b604ea3dd6c1151ef18e7ed1cab3832552ac34b

SHA512
57479d2f5386ace8cc5e5ed543e6ad2c2b7b58accc849807d804a8cf0d03080f328f7b42442422fa1483a01ad473ca302f9eca97b9eb24e699e22db56641c572

Download Submit
\??\globalroot\systemroot\assembly\temp\@

Filesize
2KB

MD5
55d8e7533a2e5c23a9d0ed9f066e71a2

SHA1
abbaa777c0719da7703ae8b349184a5594262f3d

SHA256
8d677ccf26ba16c86d819b20c9a678ce5639e069626624dbbfe2f10c768c7be3

SHA512
70e88da3938d1cc5a3779e499257c075e429c53aa96560e96b29c82ce12dab521b0f2b58608747c7c595ad637d35e641378f74333b7849833761eb49d36ed263

Download Submit
\Program Files (x86)\LP\AF02\756E.tmp

Filesize
100KB

MD5
bc4366d0a577f23038c4078b9daa6529

SHA1
057b8992c93e8eb027190cddf22b4953b2038418

SHA256
a5b375d932be3fa254012d6a15047dbdde68744fb323cada056bf1056a36a627

SHA512
e29f546c1d978e3663872c8a532ec8f4c05c06b14554f06f6403cd049d202a9c6cdc73f8955ba0e8215e5ef1dbdbf40f61d6ed6ccdfaa70f8033c18c346ca274

Download Submit
\Users\Admin\AppData\Local\APINlg.dll

Filesize
108KB

MD5
7d7679b1493c32da08daae1949e9724c

SHA1
32da402420f912e637f2a54c73d54d31c73d4912

SHA256
5f73756e6fafd121ddff05750d8c21a4d9a29d319b8022591787451af7766aa5

SHA512
6a57805aa0d0df5020b0290d4b0121621a278dc97f31c93dfd64420a597d90212037e7559fe5550d2f68e850714fbfc326a887ec48651e3617725edf5258d15d

Download Submit
\Users\Admin\AppData\Local\Temp\nsjF94F.tmp\Wolfe, Gene - Book of the New Sun 02 - Sword and Citadel.exe

Filesize
807KB

MD5
161ec2a78b8fd2b740cab4ccc7ebecaf

SHA1
5d4ae2d0a90314cdf4952848c5206dbc75b13a10

SHA256
8a963016dea52ba8b2190d2ad2f38ea6283dd1394641814e4b9c6ebce32e21d2

SHA512
4a1efc7abbf7875faf67f22ae96e75add70ff74f1f0a017cd7b65c404fcbd3dfd3a6ca2546056a7263ea19347bc71f36fcd094fc0bcbd07d6355825259efd30f

Download Submit
\Users\Admin\AppData\Local\Temp\nsjF94F.tmp\ic5.exe

Filesize
150KB

MD5
58ab20cd01024368a62cc6501c663a89

SHA1
6e156412ab82920aae95bb375a5efc8c82436f54

SHA256
cde043a40ee019077541e722b0d120395997c0bf944444966da691b10dfd8937

SHA512
9feed6407c64afcbd52c59faccbf9d1f51b6447144f5404c2b6a51c3ee07c99896af04c2a309daa3682adf0bd2ff4be0cce5427f6d7e1e7744bc8cf1fe9be19f

Download Submit
\Windows\assembly\GAC_32\Desktop.ini

Filesize
4KB

MD5
80dbc7d15fdf94f16bb4a739cd9c3f98

SHA1
c0f3f20b360ce78cc153fa514e5f62c06f68feb7

SHA256
20b2d1e1b5348ed92f7e2eaedba4348e446970c13c6226f34a816503aa956c91

SHA512
cf8d820104ee3db4a103fb19d38267fe2f5095a29777bf3bcde95d4299360681cedd421251af92038da3f8709e68f101f7326ad9abdd087a59ca83adec87bc48

Download Submit
\Windows\assembly\GAC_64\Desktop.ini

Filesize
5KB

MD5
78ab98fd9228277f2638fd93cd703016

SHA1
1640ee7f500074c155a5af431e9d125a4ec2cea5

SHA256
e0517a9584af6cfd4f1e6d280e086b20fd576b90b32f9ddac916de03a53b766c

SHA512
d98ed49a83d5b50737a674e4421cea4cbe353f80234d2d5a8df82995a0d81e9524f23919ca600afb98bc676a8f93e7c0df73c22cae9b3fc624027800ba9dcc76

Download Submit
memory/336-109-0x0000000002580000-0x0000000002592000-memory.dmp

Filesize
72KB

Download
memory/336-373-0x0000000002580000-0x0000000002592000-memory.dmp

Filesize
72KB

Download
memory/852-383-0x0000000000CC0000-0x0000000000CCB000-memory.dmp

Filesize
44KB

Download
memory/852-384-0x0000000000CD0000-0x0000000000CDB000-memory.dmp

Filesize
44KB

Download
memory/852-379-0x0000000000CC0000-0x0000000000CCB000-memory.dmp

Filesize
44KB

Download
memory/852-375-0x0000000000CC0000-0x0000000000CCB000-memory.dmp

Filesize
44KB

Download
memory/900-366-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/908-78-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/908-88-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/1404-93-0x0000000000300000-0x0000000000319000-memory.dmp

Filesize
100KB

Download
memory/1404-103-0x0000000000300000-0x0000000000319000-memory.dmp

Filesize
100KB

Download
memory/1404-98-0x0000000000300000-0x0000000000319000-memory.dmp

Filesize
100KB

Download
memory/1640-153-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1956-362-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2600-89-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/2600-358-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/2600-365-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/2600-194-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/2612-188-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2612-191-0x0000000000020000-0x000000000002A000-memory.dmp

Filesize
40KB

Download
memory/2612-190-0x0000000000020000-0x000000000002A000-memory.dmp

Filesize
40KB

Download
memory/2612-189-0x0000000000020000-0x000000000002A000-memory.dmp

Filesize
40KB

Download
memory/2612-82-0x0000000000020000-0x000000000002A000-memory.dmp

Filesize
40KB

Download
memory/2612-81-0x0000000000020000-0x000000000002A000-memory.dmp

Filesize
40KB

Download
memory/2612-63-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2636-260-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2648-32-0x0000000002BA0000-0x0000000002BE4000-memory.dmp

Filesize
272KB

Download
memory/2648-31-0x0000000002BA0000-0x0000000002BE4000-memory.dmp

Filesize
272KB

Download
memory/2708-33-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2708-91-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2816-262-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2816-357-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2816-193-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2816-386-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download