pony | 60b8de3f10b1dcbc38598e6d1d04ef201715d13b3ccfe26c60f9a6862f4e9f5f

Analysis

max time kernel
60s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03-10-2024 19:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

60b8de3f10b1dcbc38598e6d1d04ef201715d13b3ccfe26c60f9a6862f4e9f5f.exe
Size

2.2MB
MD5

faa41e9bb60d2b1f71ccb77fcb3e27a7
SHA1

a60d03db4eac4e3d5cacd9eabc286714bba6ef39
SHA256

60b8de3f10b1dcbc38598e6d1d04ef201715d13b3ccfe26c60f9a6862f4e9f5f
SHA512

acabd423e74cd5911f9675dc6f7765e337c8eec99f142ad47fe5ad241438779b4175705f7aaf82c5e12ce7ef8e54f08fb22ecb6317efca87231d692f1012b737
SSDEEP

24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZf:0UzeyQMS4DqodCnoe+iitjWwwD

Score

10^/10

pony discovery evasion persistence rat spyware stealer

Malware Config

Extracted

Family

pony

http://don.service-master.eu/gate.php

Attributes

payload_url
http://don.service-master.eu/shit.exe

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\60b8de3f10b1dcbc38598e6d1d04ef201715d13b3ccfe26c60f9a6862f4e9f5f.exe	60b8de3f10b1dcbc38598e6d1d04ef201715d13b3ccfe26c60f9a6862f4e9f5f.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\60b8de3f10b1dcbc38598e6d1d04ef201715d13b3ccfe26c60f9a6862f4e9f5f.exe	60b8de3f10b1dcbc38598e6d1d04ef201715d13b3ccfe26c60f9a6862f4e9f5f.exe

Executes dropped EXE 38 IoCs

pid	Process
1916	explorer.exe
1548	explorer.exe
1856	spoolsv.exe
2808	spoolsv.exe
2100	spoolsv.exe
2900	spoolsv.exe
2248	spoolsv.exe
1888	spoolsv.exe
1672	spoolsv.exe
2940	spoolsv.exe
2168	spoolsv.exe
1476	spoolsv.exe
468	spoolsv.exe
2112	spoolsv.exe
784	spoolsv.exe
644	spoolsv.exe
2832	spoolsv.exe
3016	spoolsv.exe
2800	spoolsv.exe
2776	spoolsv.exe
2128	spoolsv.exe
1184	spoolsv.exe
2268	spoolsv.exe
1536	spoolsv.exe
2148	spoolsv.exe
272	spoolsv.exe
856	spoolsv.exe
1716	spoolsv.exe
1692	spoolsv.exe
2252	spoolsv.exe
2656	spoolsv.exe
264	spoolsv.exe
1540	spoolsv.exe
2436	spoolsv.exe
976	spoolsv.exe
1432	spoolsv.exe
2912	spoolsv.exe
2992	spoolsv.exe

Loads dropped DLL 64 IoCs

pid	Process
2624	60b8de3f10b1dcbc38598e6d1d04ef201715d13b3ccfe26c60f9a6862f4e9f5f.exe
2624	60b8de3f10b1dcbc38598e6d1d04ef201715d13b3ccfe26c60f9a6862f4e9f5f.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3068 set thread context of 2624	3068	60b8de3f10b1dcbc38598e6d1d04ef201715d13b3ccfe26c60f9a6862f4e9f5f.exe	29
PID 1916 set thread context of 1548	1916	explorer.exe	33

Drops file in Windows directory 41 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	60b8de3f10b1dcbc38598e6d1d04ef201715d13b3ccfe26c60f9a6862f4e9f5f.exe
File opened for modification	\??\c:\windows\system\explorer.exe	60b8de3f10b1dcbc38598e6d1d04ef201715d13b3ccfe26c60f9a6862f4e9f5f.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 40 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	60b8de3f10b1dcbc38598e6d1d04ef201715d13b3ccfe26c60f9a6862f4e9f5f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	60b8de3f10b1dcbc38598e6d1d04ef201715d13b3ccfe26c60f9a6862f4e9f5f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
2624	60b8de3f10b1dcbc38598e6d1d04ef201715d13b3ccfe26c60f9a6862f4e9f5f.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2624	60b8de3f10b1dcbc38598e6d1d04ef201715d13b3ccfe26c60f9a6862f4e9f5f.exe
2624	60b8de3f10b1dcbc38598e6d1d04ef201715d13b3ccfe26c60f9a6862f4e9f5f.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 3064	3068	60b8de3f10b1dcbc38598e6d1d04ef201715d13b3ccfe26c60f9a6862f4e9f5f.exe	28
PID 3068 wrote to memory of 3064	3068	60b8de3f10b1dcbc38598e6d1d04ef201715d13b3ccfe26c60f9a6862f4e9f5f.exe	28
PID 3068 wrote to memory of 3064	3068	60b8de3f10b1dcbc38598e6d1d04ef201715d13b3ccfe26c60f9a6862f4e9f5f.exe	28
PID 3068 wrote to memory of 3064	3068	60b8de3f10b1dcbc38598e6d1d04ef201715d13b3ccfe26c60f9a6862f4e9f5f.exe	28
PID 3068 wrote to memory of 2624	3068	60b8de3f10b1dcbc38598e6d1d04ef201715d13b3ccfe26c60f9a6862f4e9f5f.exe	29
PID 3068 wrote to memory of 2624	3068	60b8de3f10b1dcbc38598e6d1d04ef201715d13b3ccfe26c60f9a6862f4e9f5f.exe	29
PID 3068 wrote to memory of 2624	3068	60b8de3f10b1dcbc38598e6d1d04ef201715d13b3ccfe26c60f9a6862f4e9f5f.exe	29
PID 3068 wrote to memory of 2624	3068	60b8de3f10b1dcbc38598e6d1d04ef201715d13b3ccfe26c60f9a6862f4e9f5f.exe	29
PID 3068 wrote to memory of 2624	3068	60b8de3f10b1dcbc38598e6d1d04ef201715d13b3ccfe26c60f9a6862f4e9f5f.exe	29
PID 3068 wrote to memory of 2624	3068	60b8de3f10b1dcbc38598e6d1d04ef201715d13b3ccfe26c60f9a6862f4e9f5f.exe	29
PID 2624 wrote to memory of 1916	2624	60b8de3f10b1dcbc38598e6d1d04ef201715d13b3ccfe26c60f9a6862f4e9f5f.exe	30
PID 2624 wrote to memory of 1916	2624	60b8de3f10b1dcbc38598e6d1d04ef201715d13b3ccfe26c60f9a6862f4e9f5f.exe	30
PID 2624 wrote to memory of 1916	2624	60b8de3f10b1dcbc38598e6d1d04ef201715d13b3ccfe26c60f9a6862f4e9f5f.exe	30
PID 2624 wrote to memory of 1916	2624	60b8de3f10b1dcbc38598e6d1d04ef201715d13b3ccfe26c60f9a6862f4e9f5f.exe	30
PID 1916 wrote to memory of 1548	1916	explorer.exe	33
PID 1916 wrote to memory of 1548	1916	explorer.exe	33
PID 1916 wrote to memory of 1548	1916	explorer.exe	33
PID 1916 wrote to memory of 1548	1916	explorer.exe	33
PID 1916 wrote to memory of 1548	1916	explorer.exe	33
PID 1916 wrote to memory of 1548	1916	explorer.exe	33
PID 1548 wrote to memory of 1856	1548	explorer.exe	34
PID 1548 wrote to memory of 1856	1548	explorer.exe	34
PID 1548 wrote to memory of 1856	1548	explorer.exe	34
PID 1548 wrote to memory of 1856	1548	explorer.exe	34
PID 1548 wrote to memory of 2808	1548	explorer.exe	35
PID 1548 wrote to memory of 2808	1548	explorer.exe	35
PID 1548 wrote to memory of 2808	1548	explorer.exe	35
PID 1548 wrote to memory of 2808	1548	explorer.exe	35
PID 1548 wrote to memory of 2100	1548	explorer.exe	36
PID 1548 wrote to memory of 2100	1548	explorer.exe	36
PID 1548 wrote to memory of 2100	1548	explorer.exe	36
PID 1548 wrote to memory of 2100	1548	explorer.exe	36
PID 1548 wrote to memory of 2900	1548	explorer.exe	37
PID 1548 wrote to memory of 2900	1548	explorer.exe	37
PID 1548 wrote to memory of 2900	1548	explorer.exe	37
PID 1548 wrote to memory of 2900	1548	explorer.exe	37
PID 1548 wrote to memory of 2248	1548	explorer.exe	38
PID 1548 wrote to memory of 2248	1548	explorer.exe	38
PID 1548 wrote to memory of 2248	1548	explorer.exe	38
PID 1548 wrote to memory of 2248	1548	explorer.exe	38
PID 1548 wrote to memory of 1888	1548	explorer.exe	39
PID 1548 wrote to memory of 1888	1548	explorer.exe	39
PID 1548 wrote to memory of 1888	1548	explorer.exe	39
PID 1548 wrote to memory of 1888	1548	explorer.exe	39
PID 1548 wrote to memory of 1672	1548	explorer.exe	40
PID 1548 wrote to memory of 1672	1548	explorer.exe	40
PID 1548 wrote to memory of 1672	1548	explorer.exe	40
PID 1548 wrote to memory of 1672	1548	explorer.exe	40
PID 1548 wrote to memory of 2940	1548	explorer.exe	41
PID 1548 wrote to memory of 2940	1548	explorer.exe	41
PID 1548 wrote to memory of 2940	1548	explorer.exe	41
PID 1548 wrote to memory of 2940	1548	explorer.exe	41
PID 1548 wrote to memory of 2168	1548	explorer.exe	42
PID 1548 wrote to memory of 2168	1548	explorer.exe	42
PID 1548 wrote to memory of 2168	1548	explorer.exe	42
PID 1548 wrote to memory of 2168	1548	explorer.exe	42
PID 1548 wrote to memory of 1476	1548	explorer.exe	43
PID 1548 wrote to memory of 1476	1548	explorer.exe	43
PID 1548 wrote to memory of 1476	1548	explorer.exe	43
PID 1548 wrote to memory of 1476	1548	explorer.exe	43
PID 1548 wrote to memory of 468	1548	explorer.exe	44
PID 1548 wrote to memory of 468	1548	explorer.exe	44
PID 1548 wrote to memory of 468	1548	explorer.exe	44
PID 1548 wrote to memory of 468	1548	explorer.exe	44

C:\Users\Admin\AppData\Local\Temp\60b8de3f10b1dcbc38598e6d1d04ef201715d13b3ccfe26c60f9a6862f4e9f5f.exe
"C:\Users\Admin\AppData\Local\Temp\60b8de3f10b1dcbc38598e6d1d04ef201715d13b3ccfe26c60f9a6862f4e9f5f.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:3064
- C:\Users\Admin\AppData\Local\Temp\60b8de3f10b1dcbc38598e6d1d04ef201715d13b3ccfe26c60f9a6862f4e9f5f.exe
  "C:\Users\Admin\AppData\Local\Temp\60b8de3f10b1dcbc38598e6d1d04ef201715d13b3ccfe26c60f9a6862f4e9f5f.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2624
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1916
  - - \??\c:\windows\system\explorer.exe
      "c:\windows\system\explorer.exe"
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1548
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1856
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2808
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2100
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2900
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2248
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1888
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1672
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2940
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2168
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1476
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:468
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2112
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:784
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:644
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2832
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3016
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2800
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2776
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2128
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1184
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2268
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1536
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2148
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:272
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:856
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1716
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1692
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2252
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2656
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:264
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1540
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2436
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:976
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1432
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2912
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Parameters.ini

Filesize
74B

MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
\Windows\system\explorer.exe

Filesize
2.2MB

MD5
39cf147d0fd1aad21c1a63d75f9780bb

SHA1
dbcfe04f8a6760ff2433d046a1977ba9a280769d

SHA256
cae4b000795f558b1129829771962f8b5f3aabce07742aea4576b15c15fb1d6e

SHA512
8a5ba992f0144a1c0f764d4af159f8f931b833b1f2acdf009e10c80357a301ee9b3b4a1c375b8c268a92007cec09e9c9d1b6008d37ee090157bf1e91734a75e2

Download Submit
\Windows\system\spoolsv.exe

Filesize
2.2MB

MD5
fe7a181b33fc85dee3189f59e8f06aa5

SHA1
bfd68bac1699aff44bf6bd9de75fa2cd254aa34f

SHA256
79ece53eb93cab270db71df2fe9f8e3ca6ebd424356492a6a016cc56473e43d1

SHA512
e24c6df88d4e468d1940e03562593cb646af58dbc5ab4101186da53875f1ee5ce673141811f4c636b0dbdae0abefd6ed127e335ad219145e69c6778e86432e9f

Download Submit
memory/1916-70-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1916-61-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1916-42-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2624-29-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2624-27-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2624-49-0x0000000000440000-0x00000000004A7000-memory.dmp

Filesize
412KB

Download
memory/2624-50-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2624-20-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2624-22-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3068-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/3068-28-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3068-17-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3068-18-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download