Analysis
- max time kernel: 120s
- max time network: 123s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 25-10-2021 21:36
Static task
static1
Behavioral task
behavioral1
Sample
F39EF7CE3A2843B13F216E0BBDD89DEDDAC251095040B.exe
Resource
win7-en-20210920
Behavioral task
behavioral2
Sample
F39EF7CE3A2843B13F216E0BBDD89DEDDAC251095040B.exe
Resource
win10-en-20211014
General
- Target: F39EF7CE3A2843B13F216E0BBDD89DEDDAC251095040B.exe
- Size: 484KB
- MD5: 7914aaf5bf0c50822416aec74e15a0f5
- SHA1: 711de8acdebb6e0fd3829890fe69d61fc2aa0730
- SHA256: f39ef7ce3a2843b13f216e0bbdd89deddac251095040bcb9c6a898f35764c31a
- SHA512: f954b39568f0c23d6e93f4522ae59044269b45c7687c705c4a31fb21e901c9c0bb8d64a4d96d356a88417b8dd54af050e37575c1a55a34a809fa400289606370
Malware Config
Extracted
pony
http://www.divypower.com/dhl3/pony/gate.php
-
payload_url
http://www.divypower.com/dhl3/pony/shit.exe
Signatures
-
suricata: ET MALWARE Fareit/Pony Downloader Checkin 3
-
suricata: ET MALWARE Pony Downloader HTTP Library MSIE 5 Win98
-
Executes dropped EXE 2 IoCs
Processes:
  pid   process
  1972  filename.exe
  108   filename.exe
-
Loads dropped DLL 3 IoCs
Processes:
  pid   process
  816   WScript.exe
  816   WScript.exe
  1972  filename.exe
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
  description: Key opened
  ioc: \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
  process: filename.exe
-
Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
Processes:
  description: Key opened
  ioc: \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
  process: filename.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Registry Key Name = "C:\\Users\\Admin\\AppData\\Local\\Temp\\subfolder\\filename.vbs"
  process: WScript.exe

  description: Key created
  ioc: \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce
  process: WScript.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
  description: PID 1972 set thread context of 108
  pid: 1972
  process: filename.exe
  target process: filename.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 32 IoCs
Processes:
  description                           pid  process
  Token: SeImpersonatePrivilege         108  filename.exe
  Token: SeTcbPrivilege                 108  filename.exe
  Token: SeChangeNotifyPrivilege        108  filename.exe
  Token: SeCreateTokenPrivilege         108  filename.exe
  Token: SeBackupPrivilege              108  filename.exe
  Token: SeRestorePrivilege             108  filename.exe
  Token: SeIncreaseQuotaPrivilege       108  filename.exe
  Token: SeAssignPrimaryTokenPrivilege  108  filename.exe
  Token: SeImpersonatePrivilege         108  filename.exe
  Token: SeTcbPrivilege                 108  filename.exe
  Token: SeChangeNotifyPrivilege        108  filename.exe
  Token: SeCreateTokenPrivilege         108  filename.exe
  Token: SeBackupPrivilege              108  filename.exe
  Token: SeRestorePrivilege             108  filename.exe
  Token: SeIncreaseQuotaPrivilege       108  filename.exe
  Token: SeAssignPrimaryTokenPrivilege  108  filename.exe
  Token: SeImpersonatePrivilege         108  filename.exe
  Token: SeTcbPrivilege                 108  filename.exe
  Token: SeChangeNotifyPrivilege        108  filename.exe
  Token: SeCreateTokenPrivilege         108  filename.exe
  Token: SeBackupPrivilege              108  filename.exe
  Token: SeRestorePrivilege             108  filename.exe
  Token: SeIncreaseQuotaPrivilege       108  filename.exe
  Token: SeAssignPrimaryTokenPrivilege  108  filename.exe
  Token: SeImpersonatePrivilege         108  filename.exe
  Token: SeTcbPrivilege                 108  filename.exe
  Token: SeChangeNotifyPrivilege        108  filename.exe
  Token: SeCreateTokenPrivilege         108  filename.exe
  Token: SeBackupPrivilege              108  filename.exe
  Token: SeRestorePrivilege             108  filename.exe
  Token: SeIncreaseQuotaPrivilege       108  filename.exe
  Token: SeAssignPrimaryTokenPrivilege  108  filename.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
  pid   process
  612   F39EF7CE3A2843B13F216E0BBDD89DEDDAC251095040B.exe
  1972  filename.exe
-
Suspicious use of WriteProcessMemory 22 IoCs
Processes:
  description                       pid   process                                             target process
  PID 612 wrote to memory of 816    612   F39EF7CE3A2843B13F216E0BBDD89DEDDAC251095040B.exe  WScript.exe
  PID 612 wrote to memory of 816    612   F39EF7CE3A2843B13F216E0BBDD89DEDDAC251095040B.exe  WScript.exe
  PID 612 wrote to memory of 816    612   F39EF7CE3A2843B13F216E0BBDD89DEDDAC251095040B.exe  WScript.exe
  PID 612 wrote to memory of 816    612   F39EF7CE3A2843B13F216E0BBDD89DEDDAC251095040B.exe  WScript.exe
  PID 816 wrote to memory of 1972   816   WScript.exe                                         filename.exe
  PID 816 wrote to memory of 1972   816   WScript.exe                                         filename.exe
  PID 816 wrote to memory of 1972   816   WScript.exe                                         filename.exe
  PID 816 wrote to memory of 1972   816   WScript.exe                                         filename.exe
  PID 1972 wrote to memory of 108   1972  filename.exe                                        filename.exe
  PID 1972 wrote to memory of 108   1972  filename.exe                                        filename.exe
  PID 1972 wrote to memory of 108   1972  filename.exe                                        filename.exe
  PID 1972 wrote to memory of 108   1972  filename.exe                                        filename.exe
  PID 1972 wrote to memory of 108   1972  filename.exe                                        filename.exe
  PID 1972 wrote to memory of 108   1972  filename.exe                                        filename.exe
  PID 1972 wrote to memory of 108   1972  filename.exe                                        filename.exe
  PID 1972 wrote to memory of 108   1972  filename.exe                                        filename.exe
  PID 1972 wrote to memory of 108   1972  filename.exe                                        filename.exe
  PID 1972 wrote to memory of 108   1972  filename.exe                                        filename.exe
  PID 108 wrote to memory of 1584   108   filename.exe                                        cmd.exe
  PID 108 wrote to memory of 1584   108   filename.exe                                        cmd.exe
  PID 108 wrote to memory of 1584   108   filename.exe                                        cmd.exe
  PID 108 wrote to memory of 1584   108   filename.exe                                        cmd.exe
-
outlook_win_path 1 IoCs
Processes:
  description: Key opened
  ioc: \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
  process: filename.exe
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\F39EF7CE3A2843B13F216E0BBDD89DEDDAC251095040B.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\F39EF7CE3A2843B13F216E0BBDD89DEDDAC251095040B.exe"
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
-
   2. C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\subfolder\filename.vbs"
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
-
      3. C:\Users\Admin\AppData\Local\Temp\subfolder\filename.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\subfolder\filename.exe"
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious use of SetThreadContext
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory
-
         4. C:\Users\Admin\AppData\Local\Temp\subfolder\filename.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\subfolder\filename.exe"
            - Executes dropped EXE
            - Accesses Microsoft Outlook accounts
            - Accesses Microsoft Outlook profiles
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            - outlook_win_path
-
            5. C:\Windows\SysWOW64\cmd.exe
               Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\259418836.bat" "C:\Users\Admin\AppData\Local\Temp\subfolder\filename.exe" "
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\259418836.bat
  MD5: 3880eeb1c736d853eb13b44898b718ab
  SHA1: 4eec9d50360cd815211e3c4e6bdd08271b6ec8e6
  SHA256: 936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7
  SHA512: 3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b
-
C:\Users\Admin\AppData\Local\Temp\subfolder\filename.exe
  MD5: 9d06314ebb63a800258613571a93c77b
  SHA1: 91a72acae15e4f65f8eff73ac62b9596254b0a46
  SHA256: d4a82633a4fbc656b7640d45f0df335642e12f225d2b8b1f50f8a4a08d286ccd
  SHA512: fb647b5a5e83e383aa7f5c180ffd06ace8e44c200b2c40812276e6437cd4f2ec50fe516ca36929a48d5c328447f40aeb0a6fab97d48af78b65c63a44c251ecbe
-
C:\Users\Admin\AppData\Local\Temp\subfolder\filename.vbs
  MD5: 61303679134d10e8f1f35236fec661e6
  SHA1: ed31726523d21be75c47e699eec4b76aeaa376d5
  SHA256: 047c78d7dbb5709dc8eee29b69d2a42aebe9249723105a56b8689c4657cb5331
  SHA512: 8fe11c1e624fbbc600f0402514b67f1b61c5123eba826bb50113858b96f283792cc9defdf1aa5c101c64e8ef65c0dd9ed6032debcb6f94dcbf8fcde90f2c3610
-
\Users\Admin\AppData\Local\Temp\subfolder\filename.exe
  MD5: 9d06314ebb63a800258613571a93c77b
  SHA1: 91a72acae15e4f65f8eff73ac62b9596254b0a46
  SHA256: d4a82633a4fbc656b7640d45f0df335642e12f225d2b8b1f50f8a4a08d286ccd
  SHA512: fb647b5a5e83e383aa7f5c180ffd06ace8e44c200b2c40812276e6437cd4f2ec50fe516ca36929a48d5c328447f40aeb0a6fab97d48af78b65c63a44c251ecbe
-
memory/108-74-0x0000000000400000-0x0000000000419000-memory.dmp  Filesize: 100KB
-
memory/108-71-0x0000000000410621-mapping.dmp
-
memory/108-70-0x0000000000400000-0x0000000000419000-memory.dmp  Filesize: 100KB
-
memory/612-54-0x0000000000230000-0x0000000000236000-memory.dmp  Filesize: 24KB
-
memory/612-57-0x0000000075821000-0x0000000075823000-memory.dmp  Filesize: 8KB
-
memory/612-56-0x0000000000270000-0x0000000000276000-memory.dmp  Filesize: 24KB
-
memory/612-55-0x0000000000230000-0x000000000023A000-memory.dmp  Filesize: 40KB
-
memory/816-58-0x0000000000000000-mapping.dmp
-
memory/1584-75-0x0000000000000000-mapping.dmp
-
memory/1972-67-0x00000000002A0000-0x00000000002AA000-memory.dmp  Filesize: 40KB
-
memory/1972-66-0x00000000002A0000-0x00000000002A6000-memory.dmp  Filesize: 24KB
-
memory/1972-64-0x0000000000000000-mapping.dmp