Analysis
- max time kernel: 161s
- max time network: 183s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 14-05-2022 13:50
- Static task: static1
- Behavioral task: behavioral1
  Sample: 1e56c1313b99673d1b705d9916df0b8e0f9da9f46b3fa59a1f99b64168404100.exe
  Resource: win7-20220414-en
General
- Target: 1e56c1313b99673d1b705d9916df0b8e0f9da9f46b3fa59a1f99b64168404100.exe
- Size: 485KB
- MD5: 6629933020c2ba9ceabd5243ef6a8a5c
- SHA1: d28fe16ecdf545bf3bc25d1ca43a749f4aa54d86
- SHA256: 1e56c1313b99673d1b705d9916df0b8e0f9da9f46b3fa59a1f99b64168404100
- SHA512: 06d1b85bd6c2b8e256ef59b0bd20d9debd203d11248000babe9077213fd24104a312a0c88f3f2cf267ce72d85b5a3c609ef0d2e286d0420004ab01d926fb1a85
Malware Config
Extracted
- Family: pony
- C2 (gate): http://al-shifaa.com/cubby/gate.php
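The extracted gate URL and the two Suricata hits listed under Signatures are the network side of this report. The following is an added example, not part of the sandbox report: a small scorer that runs over constructed HTTP request records and flags Pony/Fareit check-ins. Only the gate URL comes from the report. The User-Agent heuristic (an IE 5.0 / Windows 98 string, consistent with the rule title "HTTP Library MSIE 5 Win98"), the octet-stream body and the "Content-Encoding: binary" header are assumptions drawn from public Pony write-ups, not from this page, and the exact contents of the ET rules are not reproduced here.

```python
"""Score HTTP requests for Pony/Fareit check-in traits.

Added example, not part of the sandbox report. GATE_URL is the report's
extracted C2; every other indicator below is an assumption (see lead-in).
"""
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

GATE_URL = "http://al-shifaa.com/cubby/gate.php"   # from the report's extracted config


def pony_checkin_score(req: Dict, gate_url: str = GATE_URL) -> Tuple[int, List[str]]:
    """Return (score, reasons) for a request dict {method, host, path, headers}."""
    gate = urlsplit(gate_url)
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    ua = headers.get("user-agent", "")
    reasons: List[str] = []

    if req["method"].upper() == "POST":
        reasons.append("POST")
    if req["host"].lower() == gate.hostname and req["path"] == gate.path:
        reasons.append("known gate")            # exact match on the extracted C2
    elif req["path"].lower().endswith("/gate.php"):
        reasons.append("gate.php path")         # same panel layout, different host
    # Assumption: Pony's embedded HTTP client identifies itself as IE 5.0 on Windows 98.
    if "MSIE 5.0" in ua and "Windows 98" in ua:
        reasons.append("MSIE5/Win98 UA")
    # Assumption: the check-in body is raw binary, not a form post.
    if headers.get("content-type", "").lower() == "application/octet-stream":
        reasons.append("octet-stream body")
    if headers.get("content-encoding", "").lower() == "binary":
        reasons.append("Content-Encoding: binary")
    return len(reasons), reasons


def is_pony_checkin(req: Dict) -> bool:
    """A hit on the extracted gate is decisive; otherwise require three traits."""
    score, reasons = pony_checkin_score(req)
    return "known gate" in reasons or score >= 3


# Constructed requests (not captured traffic): one modelled on the extracted gate,
# one to a different host with the same panel path, and one benign form login.
PONY_HEADERS = {
    "User-Agent": "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)",
    "Content-Type": "application/octet-stream",
    "Content-Encoding": "binary",
}
SUSPECT = {"method": "POST", "host": "al-shifaa.com", "path": "/cubby/gate.php",
           "headers": PONY_HEADERS}
RELOCATED = {"method": "POST", "host": "other.example", "path": "/panel/gate.php",
             "headers": PONY_HEADERS}
BENIGN = {"method": "POST", "host": "example.com", "path": "/login",
          "headers": {"User-Agent": "Mozilla/5.0",
                      "Content-Type": "application/x-www-form-urlencoded"}}

if __name__ == "__main__":
    for name, req in (("SUSPECT", SUSPECT), ("RELOCATED", RELOCATED), ("BENIGN", BENIGN)):
        print(name, is_pony_checkin(req), pony_checkin_score(req)[1])
```

The scorer is deliberately split into an exact-match rule (the extracted gate) and generic traits, so a rebuilt panel on a new host still scores on the path and header shape while an ordinary form POST stays at one reason.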
Signatures
- suricata: ET MALWARE Fareit/Pony Downloader Checkin 3
- suricata: ET MALWARE Pony Downloader HTTP Library MSIE 5 Win98
- YARA rule upx matched on four dumps of the image region of RegAsm.exe (PID 3056), 0x0000000000400000-0x000000000041C000:
  resource                                                                      yara_rule
  behavioral2/memory/3056-132-0x0000000000400000-0x000000000041C000-memory.dmp  upx
  behavioral2/memory/3056-134-0x0000000000400000-0x000000000041C000-memory.dmp  upx
  behavioral2/memory/3056-136-0x0000000000400000-0x000000000041C000-memory.dmp  upx
  behavioral2/memory/3056-137-0x0000000000400000-0x000000000041C000-memory.dmp  upx
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
Processes:
- RegAsm.exe: key value queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.
Accesses Microsoft Outlook accounts (1 TTP, 1 IoC)
Processes:
- RegAsm.exe: key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts

Accesses Microsoft Outlook profiles (1 TTP, 1 IoC)
Processes:
- RegAsm.exe: key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious use of SetThreadContext (1 IoC)
Processes:
- PID 3792 (1e56c1313b99673d1b705d9916df0b8e0f9da9f46b3fa59a1f99b64168404100.exe) set the thread context of PID 3056 (RegAsm.exe)

Read together with the seven WriteProcessMemory calls from PID 3792 into PID 3056 and the upx YARA hits on PID 3056's image region, this is the process-hollowing pattern: the sample starts the legitimate .NET utility RegAsm.exe with no arguments, overwrites its image with the unpacked payload and redirects its main thread. Every later IoC in this report (registry lookups, token adjustments, the cmd.exe child) is therefore attributed to RegAsm.exe, not to the original sample.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description labels this "likely ransomware behaviour", but nothing else in this report supports that reading: the extracted configuration is Pony, an information stealer, and the accompanying IoCs are credential lookups (FTP client files, browser profiles, Outlook account keys). Drive enumeration should not be taken as a ransomware indicator on its own here.
Suspicious use of AdjustPrivilegeToken (49 IoCs)
Processes:
- PID 3792 (1e56c1313b99673d1b705d9916df0b8e0f9da9f46b3fa59a1f99b64168404100.exe): Token: SeDebugPrivilege (1 event)
- PID 3056 (RegAsm.exe): the following eight privileges adjusted in order, with the whole sequence repeated six times (48 events):
  SeImpersonatePrivilege, SeTcbPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeIncreaseQuotaPrivilege, SeAssignPrimaryTokenPrivilege
Suspicious use of WriteProcessMemory (10 IoCs)
Processes:
- PID 3792 (1e56c1313b99673d1b705d9916df0b8e0f9da9f46b3fa59a1f99b64168404100.exe) wrote to memory of PID 3056 (RegAsm.exe): 7 events
- PID 3056 (RegAsm.exe) wrote to memory of PID 3548 (cmd.exe): 3 events
outlook_win_path (1 IoC)
Processes:
- RegAsm.exe: key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Processes
1. C:\Users\Admin\AppData\Local\Temp\1e56c1313b99673d1b705d9916df0b8e0f9da9f46b3fa59a1f99b64168404100.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1e56c1313b99673d1b705d9916df0b8e0f9da9f46b3fa59a1f99b64168404100.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe (child of 1)
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
      - Checks computer location settings
      - Accesses Microsoft Outlook accounts
      - Accesses Microsoft Outlook profiles
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - outlook_win_path

      3. C:\Windows\SysWOW64\cmd.exe (child of 2)
         Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240622906.bat" "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "
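The process tree above, read together with the SetThreadContext and WriteProcessMemory IoCs, is what an analyst would turn into detection logic. The following is an added example, not part of the sandbox report: a detector that consumes constructed sandbox-style API events modelled on this report (PID 3792 creates RegAsm.exe as PID 3056 with no arguments, writes into it seven times and replaces its thread context; PID 3056 then launches cmd.exe /c with a temp .bat that is handed RegAsm.exe's own path) and flags both the hollowing chain and the batch launch. The Event field names, the HOLLOW_HOSTS list and the interpretation of the .bat launch as a self-delete stub are this example's assumptions; the batch file's contents are not on the page.

```python
"""Flag a process-hollowing chain and a self-delete batch launch in sandbox-style events.

Added example, not part of the sandbox report. The event stream is constructed
to mirror the report's Signatures and Processes sections.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Signed Microsoft binaries commonly launched suspended and hollowed
# (constructed list; RegAsm.exe is the one seen in this report).
HOLLOW_HOSTS = {"regasm.exe", "regsvcs.exe", "vbc.exe", "csc.exe", "msbuild.exe"}


@dataclass
class Event:
    kind: str          # "create" | "write_memory" | "set_thread_context"
    pid: int           # acting process
    image: str         # acting process image path
    target_pid: int
    target_image: str
    cmdline: str = ""  # command line of the created process (kind == "create")


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\1e56c1313b99673d1b705d9916df0b8e0f9da9f46b3fa59a1f99b64168404100.exe"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
BAT = r"C:\Users\Admin\AppData\Local\Temp\240622906.bat"

# Constructed events modelled on the report: 1 create + 7 writes + 1 SetThreadContext
# into RegAsm.exe, then RegAsm.exe spawns cmd.exe running the temp .bat.
EVENTS: List[Event] = [
    Event("create", 3792, SAMPLE, 3056, REGASM, cmdline=f'"{REGASM}"'),
    *[Event("write_memory", 3792, SAMPLE, 3056, REGASM) for _ in range(7)],
    Event("set_thread_context", 3792, SAMPLE, 3056, REGASM),
    Event("create", 3056, REGASM, 3548, CMD,
          cmdline=f'C:\\Windows\\system32\\cmd.exe /c ""{BAT}" "{REGASM}" "'),
]


def detect_hollowing(events: List[Event]) -> Dict[Tuple[int, int], dict]:
    """Findings keyed by (parent_pid, child_pid) where the same parent created the
    child, wrote into it and replaced a thread context."""
    created: Dict[Tuple[int, int], Event] = {}
    writes: Dict[Tuple[int, int], int] = defaultdict(int)
    ctx_replaced = set()
    for e in events:
        key = (e.pid, e.target_pid)
        if e.kind == "create":
            created[key] = e
        elif e.kind == "write_memory":
            writes[key] += 1
        elif e.kind == "set_thread_context":
            ctx_replaced.add(key)

    findings = {}
    for key, ev in created.items():
        if key not in ctx_replaced or writes[key] == 0:
            continue
        child = ev.target_image.rsplit("\\", 1)[-1].lower()
        findings[key] = {
            "child": child,
            "writes": writes[key],
            # A benign host binary started with no arguments is the classic hollowing target.
            "known_host": child in HOLLOW_HOSTS,
            "no_arguments": ev.cmdline.strip().strip('"') == ev.target_image,
        }
    return findings


# cmd.exe /c "<...>.bat" "<...>.exe", tolerant of the doubled quotes cmd.exe /c produces.
BAT_LAUNCH = re.compile(r'cmd\.exe\s+/c\s+"+(?P<bat>[^"]+\.bat)"\s+"(?P<victim>[^"]+\.exe)"', re.I)


def detect_self_delete_bat(events: List[Event]) -> List[Tuple[int, str, str]]:
    """Flag processes that launch cmd.exe with a .bat that names the launcher's own
    image path (the usual shape of a self-delete stub; assumption, see lead-in)."""
    hits = []
    for e in events:
        if e.kind != "create" or not e.target_image.lower().endswith("cmd.exe"):
            continue
        m = BAT_LAUNCH.search(e.cmdline)
        if m and m.group("victim").lower() == e.image.lower():
            hits.append((e.pid, m.group("bat"), m.group("victim")))
    return hits


if __name__ == "__main__":
    for (parent, child), f in detect_hollowing(EVENTS).items():
        print(f"hollowing: {parent} -> {child} ({f['child']}, {f['writes']} writes, "
              f"known host={f['known_host']}, no args={f['no_arguments']})")
    for pid, bat, victim in detect_self_delete_bat(EVENTS):
        print(f"batch launch: PID {pid} ran {bat} against its own image {victim}")
```

Requiring all three actions from the same parent keeps ordinary parents (debuggers, installers that only write) out of the hollowing findings, and the self-delete check keys on the victim path matching the launcher's own image, which is why the hollowed RegAsm.exe, not the original sample, shows up as the launcher.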
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\240622906.bat (94 bytes)
  MD5: 3880eeb1c736d853eb13b44898b718ab
  SHA1: 4eec9d50360cd815211e3c4e6bdd08271b6ec8e6
  SHA256: 936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7
  SHA512: 3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b
- memory/3056-131-0x0000000000000000-mapping.dmp
- memory/3056-132-0x0000000000400000-0x000000000041C000-memory.dmp (112KB)
- memory/3056-134-0x0000000000400000-0x000000000041C000-memory.dmp (112KB)
- memory/3056-136-0x0000000000400000-0x000000000041C000-memory.dmp (112KB)
- memory/3056-137-0x0000000000400000-0x000000000041C000-memory.dmp (112KB)
- memory/3548-138-0x0000000000000000-mapping.dmp
- memory/3792-130-0x0000000075480000-0x0000000075A31000-memory.dmp (5.7MB)