Analysis
- max time kernel: 10s
- max time network: 56s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 15-07-2021 17:41
- Static task: static1
- Behavioral task: behavioral1
  Sample: 57933BC5C60DE83FDDBC7A2C6522E6481C9E684E342FE.exe
  Resource: win7v20210410
General
- Target: 57933BC5C60DE83FDDBC7A2C6522E6481C9E684E342FE.exe
- Size: 1.2MB
- MD5: 63533e07c471cf29ce6fc5887e933494
- SHA1: 01eea47a0f55b7df7d8275110fa159e5b82be64e
- SHA256: 57933bc5c60de83fddbc7a2c6522e6481c9e684e342fed86a4c38bf08c4a6b0f
- SHA512: a3ad09374b933b11a26864d931fd5324443f68b15492767c44ad1da826e80f391796e8aeecc210bfd2c7d1facc72462fd3b96aa3a541eacf2a23e44026b820ec
Malware Config
Extracted
- Family: pony
- C2 (gate): http://www.ptsinar.co/ymg/apisiylo/gate.php
- payload_url: http://www.ptsinar.co/ymg/apisiylo/shit.exe
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)
- Executes dropped EXE (2 IoCs)
  Processes:
    pid 1608  Resm1.exe
    pid 1104  Resm1.exe
- Checks BIOS information in registry (2 TTPs, 1 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  (Resm1.exe)
- Identifies Wine through registry keys (2 TTPs, 1 IoCs)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Processes:
    Key opened: \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Wine  (Resm1.exe)
- Loads dropped DLL (6 IoCs)
  Processes:
    pid 1932  57933BC5C60DE83FDDBC7A2C6522E6481C9E684E342FE.exe  (5 entries)
    pid 1608  Resm1.exe  (1 entry)
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Checks whether UAC is enabled
  Processes:
    Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  (Resm1.exe)
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    PID 1608 (Resm1.exe) set thread context of PID 1104 (Resm1.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (32 IoCs)
  Processes: pid 1104 Resm1.exe, each of the following tokens adjusted 4 times:
    SeImpersonatePrivilege
    SeTcbPrivilege
    SeChangeNotifyPrivilege
    SeCreateTokenPrivilege
    SeBackupPrivilege
    SeRestorePrivilege
    SeIncreaseQuotaPrivilege
    SeAssignPrimaryTokenPrivilege
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes:
    pid 1608  Resm1.exe
- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes:
    PID 1932 (57933BC5C60DE83FDDBC7A2C6522E6481C9E684E342FE.exe) wrote to memory of PID 1608 (Resm1.exe)  (4 entries)
    PID 1608 (Resm1.exe) wrote to memory of PID 1104 (Resm1.exe)  (9 entries)
    PID 1104 (Resm1.exe) wrote to memory of PID 1720 (cmd.exe)  (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\57933BC5C60DE83FDDBC7A2C6522E6481C9E684E342FE.exe (PID 1932, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\57933BC5C60DE83FDDBC7A2C6522E6481C9E684E342FE.exe"
  Signatures:
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
  Child:
  - C:\Users\Admin\AppData\Local\Temp\Resm1.exe (PID 1608, depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Resm1.exe"
    Signatures:
      - Executes dropped EXE
      - Checks BIOS information in registry
      - Identifies Wine through registry keys
      - Loads dropped DLL
      - Checks whether UAC is enabled
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
    Child:
    - C:\Users\Admin\AppData\Local\Temp\Resm1.exe (PID 1104, depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Resm1.exe"
      Signatures:
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      Child:
      - C:\Windows\SysWOW64\cmd.exe (PID 1720, depth 4)
        Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\259317638.bat" "C:\Users\Admin\AppData\Local\Temp\Resm1.exe" "
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\259317638.bat
  MD5: 3880eeb1c736d853eb13b44898b718ab
  SHA1: 4eec9d50360cd815211e3c4e6bdd08271b6ec8e6
  SHA256: 936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7
  SHA512: 3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b
- C:\Users\Admin\AppData\Local\Temp\Resm1.exe (also recorded as \Users\Admin\AppData\Local\Temp\Resm1.exe, same hashes)
  MD5: d8e14a9ccc62c5521cc0185e70a4b3ac
  SHA1: dee2d62258264afe66e20434658b66bc8bbcc317
  SHA256: 2f481a7ba5a0016e2cdcc9ba3ac91cf9fe00f00bd5726aba3b0d0cf3d155d357
  SHA512: 8e47a49f4b19b2ec36ea6897accaa10a2c331c59eecc8dcd56d45f16aca003ad8d544ec32f8694e8e6de68cad1a33194e9ff72f50b214fbc6294680604692920
- C:\Users\Admin\AppData\Local\Temp\Resm2.jpg
  MD5: cd7dab4af922c2e5c7d03a0e0d973b37
  SHA1: 0bce45fe7d0eb0b5da797fac00d5fc639c3570d2
  SHA256: 11e58d94f929782e1267df6d8bde5dc781320fb6082acaefda6352880fda7674
  SHA512: 0868a97478b73ad78d9c43365f92ccffdfb999bef4d0293de57cba138db3cfccce1de6e6422d50ec0bd03ca9acbcd64082254860bec0d1a7241d34f135ecaf9d