Analysis

max time kernel: 122s
max time network: 123s
platform: windows7_x64
resource: win7v20210408
submitted: 16-07-2021 22:32

Static task: static1
Behavioral task: behavioral1
Sample: 4bf9e15f2936e1201a46a45bb182711c.exe
Resource: win7v20210408
General

Target: 4bf9e15f2936e1201a46a45bb182711c.exe
Size: 195KB
MD5: 4bf9e15f2936e1201a46a45bb182711c
SHA1: 42957d62a81b5765cf23bb266a1f08d50fa8bdb0
SHA256: b218ed444bb65e5b46205b77d875a4cf3029be704b0109d58e3dd20e774c1b93
SHA512: 2b25a9d13a9c46c4d21aca6ec2677b121ad00a7bda966e27e560733e026c76cba60c3658275a43b39cf7498a9ad55d0c6ed91e7d191118b42436a6c2bad15060
Malware Config

Extracted
Family: pony
C2:
http://209.59.216.85/pony/gate.php
http://66.175.218.106/pony/gate.php
payload_url: http://ssquarehospitality.com/to04gp5h/ewR7.exe
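As an added example (not part of this report or of the sandbox's tooling), the following Python turns the extracted Pony configuration into indicators and scans proxy log lines for contact with them. The log layout ("timestamp client_ip method url status"), the client addresses and the timestamps are constructed for the example; only the URLs come from the report above. An exact host-and-path match is reported at high confidence, any other request to one of the same hosts at medium confidence, and a POST to gate.php is additionally marked as exfiltration, since that is how Pony submits the credentials it has collected.

```python
from urllib.parse import urlparse

# Indicators copied from the extracted Pony configuration above.
PONY_GATES = [
    "http://209.59.216.85/pony/gate.php",
    "http://66.175.218.106/pony/gate.php",
]
PAYLOAD_URL = "http://ssquarehospitality.com/to04gp5h/ewR7.exe"

# Constructed proxy log lines for the example (Squid-like layout:
# "timestamp client_ip method url status"). Clients and times are assumptions.
SAMPLE_LOG = """\
1626475000.123 10.0.0.15 POST http://209.59.216.85/pony/gate.php 200
1626475001.456 10.0.0.15 GET http://ssquarehospitality.com/to04gp5h/ewR7.exe 200
1626475002.789 10.0.0.22 GET http://example.org/index.html 200
1626475003.000 10.0.0.15 GET http://66.175.218.106/favicon.ico 404
"""


def build_indicators(gates, payload_url):
    """Return two lookup tables: exact (host, path) -> label and host -> label."""
    exact, hosts = {}, {}
    for url in gates:
        p = urlparse(url)
        exact[(p.hostname, p.path)] = "pony_c2_gate"
        hosts[p.hostname] = "pony_c2_host"
    p = urlparse(payload_url)
    exact[(p.hostname, p.path)] = "pony_payload_url"
    hosts[p.hostname] = "pony_payload_host"
    return exact, hosts


def scan_proxy_log(lines, exact, hosts):
    """Match each log line against the indicators and return alert dicts.

    An exact host+path hit is high confidence. Any other request to one of
    the indicator hosts is a medium-confidence alert: a Pony gate is a plain
    PHP script and the same server is often reused under other paths.
    """
    alerts = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue  # skip malformed lines rather than abort the scan
        ts, client, method, url, status = parts[:5]
        p = urlparse(url)
        label = exact.get((p.hostname, p.path))
        confidence = "high"
        if label is None:
            label = hosts.get(p.hostname)
            confidence = "medium"
        if label is None:
            continue
        alerts.append({
            "ts": ts,
            "client": client,
            "method": method,
            "host": p.hostname,
            "path": p.path,
            "status": status,
            "label": label,
            "confidence": confidence,
            # Pony delivers the stolen credential blob in the body of a POST
            # to gate.php, so a POST there is exfiltration, not just contact.
            "exfil": label == "pony_c2_gate" and method.upper() == "POST",
        })
    return alerts


if __name__ == "__main__":
    exact, hosts = build_indicators(PONY_GATES, PAYLOAD_URL)
    for alert in scan_proxy_log(SAMPLE_LOG.splitlines(), exact, hosts):
        print(alert)
```

The IP addresses were live in July 2021 when the sample was submitted; confirm they still resolve to attacker infrastructure before turning the medium-confidence host match into a block rule, since shared hosting gets reassigned.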
Signatures

- Deletes itself (1 IoC)
  Processes:
  pid 812  cmd.exe
  The sample (pid 736) launches cmd.exe to run a batch file from its own Temp directory with the sample's path as the argument; the full command line is in the Processes section below. The batch file's contents are not included in this report, only its hashes.
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.

- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's stock description for this signature is "Likely ransomware behaviour", but that reading does not fit this sample: the extracted configuration identifies it as Pony, a credential stealer, and the report shows no file encryption or ransom note activity. Read the drive enumeration alongside the FTP and browser credential access above rather than as a ransomware indicator.
- Suspicious use of AdjustPrivilegeToken (32 IoCs)
  Processes:
  4bf9e15f2936e1201a46a45bb182711c.exe (pid 736) requested the following eight privileges, each four times (32 entries in total):
  Token: SeImpersonatePrivilege
  Token: SeTcbPrivilege
  Token: SeChangeNotifyPrivilege
  Token: SeCreateTokenPrivilege
  Token: SeBackupPrivilege
  Token: SeRestorePrivilege
  Token: SeIncreaseQuotaPrivilege
  Token: SeAssignPrimaryTokenPrivilege
  Several of these (SeTcbPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeBackupPrivilege, SeRestorePrivilege) are not present in a standard user's token, so AdjustTokenPrivileges can only enable them when the sample runs under an elevated token. The signature records the request, not whether it succeeded.
- Suspicious use of UnmapMainImage (1 IoC)
  Processes:
  pid 736  4bf9e15f2936e1201a46a45bb182711c.exe
  A process unmapping its own main image is commonly seen when a packed sample unpacks in place or replaces its own image with the decoded payload.
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
  PID 736 (4bf9e15f2936e1201a46a45bb182711c.exe) wrote to the memory of PID 812 (cmd.exe), 4 times.
  Writes from a parent into a child it has just created are normally CreateProcess populating the child's process parameters; the sandbox logs them all the same, so on their own these four writes do not show code being injected into cmd.exe.
Processes

1. C:\Users\Admin\AppData\Local\Temp\4bf9e15f2936e1201a46a45bb182711c.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\4bf9e15f2936e1201a46a45bb182711c.exe"
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of UnmapMainImage
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe (child of 1)
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\abcd.bat" "C:\Users\Admin\AppData\Local\Temp\4bf9e15f2936e1201a46a45bb182711c.exe" "
      - Deletes itself
      (cmd.exe is loaded from SysWOW64 because the 32-bit sample is subject to file system redirection on the x64 guest.)
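The process tree above shows the usual self-deletion pattern: the sample spawns cmd.exe to run a throw-away .bat from its Temp directory and passes its own path as the argument, because a running executable cannot unlink itself. As an added example (not part of this report or of the sandbox), the following Python applies that pattern to process-creation records of the kind Sysmon Event ID 1 provides. The records are constructed for the example: the first two reproduce the tree from this report, while the explorer.exe parent, its PID, and the benign third cmd.exe are assumptions.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation record (the fields Sysmon Event ID 1 carries)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# A .bat inside the user's Temp directory, quoted or not (case-insensitive).
TEMP_BAT = re.compile(
    r'([a-z]:\\users\\[^"\s]+\\appdata\\local\\temp\\[^"\s]+\.bat)', re.I)

# Constructed events for the example. pid 736 and pid 812 reproduce this
# report's process tree; explorer.exe (pid 1234, assumed) and the benign
# cmd.exe (pid 2000, assumed) exist only to show a non-matching case.
SAMPLE_EVENTS = [
    ProcEvent(1234, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(736, 1234,
              r"C:\Users\Admin\AppData\Local\Temp\4bf9e15f2936e1201a46a45bb182711c.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\4bf9e15f2936e1201a46a45bb182711c.exe"'),
    ProcEvent(812, 736,
              r"C:\Windows\SysWOW64\cmd.exe",
              r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\abcd.bat" '
              r'"C:\Users\Admin\AppData\Local\Temp\4bf9e15f2936e1201a46a45bb182711c.exe" "'),
    ProcEvent(2000, 1234,
              r"C:\Windows\System32\cmd.exe",
              r'cmd /c "C:\Users\Admin\AppData\Local\Temp\build.bat"'),
]


def find_self_delete(events):
    """Return (cmd_pid, parent_pid, bat_path, parent_image) for every cmd.exe
    that runs a Temp .bat and was handed its own parent's image path.

    Running a batch file from Temp is common on its own; the tell is the
    parent's executable path appearing as an argument to that batch file.
    """
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if not e.image.lower().endswith("\\cmd.exe"):
            continue
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue  # parent not in this batch of events; cannot correlate
        m = TEMP_BAT.search(e.cmdline)
        if m is None:
            continue
        if parent.image.lower() in e.cmdline.lower():
            hits.append((e.pid, parent.pid, m.group(1), parent.image))
    return hits


if __name__ == "__main__":
    for cmd_pid, parent_pid, bat, parent_image in find_self_delete(SAMPLE_EVENTS):
        print(f"self-delete: cmd.exe pid {cmd_pid} runs {bat} "
              f"against parent pid {parent_pid} ({parent_image})")
```

The parent's image path is taken from the creation record rather than from disk, since by the time an analyst looks the file may already be gone; that is the point of the technique.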
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\abcd.bat
MD5: 0849cfe65b98ba5fcd9a9ec61a671d09
SHA1: 9d0ccb383c32b1bc07fd9064b9324a18e1276902
SHA256: 44f6a1e48081deccfb61075e585bcb36c6d8e8feeb6ebae50bab41677822c643
SHA512: afdeda8122b4cefcf7549018c40d3142985e88a6d8f13eb58e9a59aa312b73608123de5f9feebc2ce25b6ec215d23c324b9f3a9a0e97041d67d863a25e15e57a
memory/736-60-0x0000000075891000-0x0000000075893000-memory.dmp  Filesize: 8KB
memory/736-61-0x0000000000230000-0x0000000000249000-memory.dmp  Filesize: 100KB
memory/736-63-0x0000000000400000-0x0000000000437000-memory.dmp  Filesize: 220KB
memory/736-62-0x0000000000250000-0x0000000000287000-memory.dmp  Filesize: 220KB
memory/812-64-0x0000000000000000-mapping.dmp

The region at 0x250000 has the same size (0x37000 bytes) as the mapped image at 0x400000, consistent with the sample copying its own image to a second region, which fits the UnmapMainImage signature above. The 0x250000 and 0x230000 dumps are the ones to start from when looking for the unpacked Pony code, since the on-disk image is packed.