Analysis
- max time kernel: 43s
- max time network: 45s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 14-05-2022 15:12

Static task: static1
Behavioral task: behavioral1
Sample: 11d89ad526b17037587b7f48f84b90f7.exe
Resource: win7-20220414-en
General
- Target: 11d89ad526b17037587b7f48f84b90f7.exe
- Size: 496KB
- MD5: 11d89ad526b17037587b7f48f84b90f7
- SHA1: 9905ee159e8884f4e33585621d7ddad6afdb2bdd
- SHA256: 4368229ecac528a7352f2eafaaf193efeb725c6c6d40c75af82c635cb6f1e8ef
- SHA512: dbdd87cb5e8abc1579a6039efdda32f10059ada0fcffbf9b40f11211f80749a95ee1fdc5a19a927e3629209e2bc392e6638027e01e0440d48fb62d391ca536c9
Malware Config
Extracted
- family: pony
- https://goodservices.co.vu/netpro/panel/gate.php
- payload_url: https://goodservices.co.vu/shit.exe
Signatures
- suricata: ET MALWARE Fareit/Pony Downloader Checkin 3
- suricata: ET MALWARE Pony Downloader HTTP Library MSIE 5 Win98
-
- Deletes itself (1 IoCs)
  Processes:
    pid | process
    1400 | cmd.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook accounts (1 TTPs, 1 IoCs)
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | 11d89ad526b17037587b7f48f84b90f7.exe
- Accesses Microsoft Outlook profiles (1 TTPs, 1 IoCs)
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | 11d89ad526b17037587b7f48f84b90f7.exe
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    description | pid | process | target process
    PID 1068 set thread context of 1984 | 1068 | 11d89ad526b17037587b7f48f84b90f7.exe | 11d89ad526b17037587b7f48f84b90f7.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes:
    pid | process
    1068 | 11d89ad526b17037587b7f48f84b90f7.exe
- Suspicious use of AdjustPrivilegeToken (33 IoCs)
  Processes:
    description | pid | process
    Token: SeDebugPrivilege | 1068 | 11d89ad526b17037587b7f48f84b90f7.exe
    Token: SeImpersonatePrivilege | 1984 | 11d89ad526b17037587b7f48f84b90f7.exe (4 occurrences)
    Token: SeTcbPrivilege | 1984 | 11d89ad526b17037587b7f48f84b90f7.exe (4 occurrences)
    Token: SeChangeNotifyPrivilege | 1984 | 11d89ad526b17037587b7f48f84b90f7.exe (4 occurrences)
    Token: SeCreateTokenPrivilege | 1984 | 11d89ad526b17037587b7f48f84b90f7.exe (4 occurrences)
    Token: SeBackupPrivilege | 1984 | 11d89ad526b17037587b7f48f84b90f7.exe (4 occurrences)
    Token: SeRestorePrivilege | 1984 | 11d89ad526b17037587b7f48f84b90f7.exe (4 occurrences)
    Token: SeIncreaseQuotaPrivilege | 1984 | 11d89ad526b17037587b7f48f84b90f7.exe (4 occurrences)
    Token: SeAssignPrimaryTokenPrivilege | 1984 | 11d89ad526b17037587b7f48f84b90f7.exe (4 occurrences)
- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes:
    description | pid | process | target process
    PID 1068 wrote to memory of 1744 | 1068 | 11d89ad526b17037587b7f48f84b90f7.exe | schtasks.exe (4 occurrences)
    PID 1068 wrote to memory of 1984 | 1068 | 11d89ad526b17037587b7f48f84b90f7.exe | 11d89ad526b17037587b7f48f84b90f7.exe (9 occurrences)
    PID 1984 wrote to memory of 1400 | 1984 | 11d89ad526b17037587b7f48f84b90f7.exe | cmd.exe (4 occurrences)
- outlook_win_path (1 IoCs)
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | 11d89ad526b17037587b7f48f84b90f7.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\11d89ad526b17037587b7f48f84b90f7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\11d89ad526b17037587b7f48f84b90f7.exe"
  Signatures:
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kRptwxFrOyJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4931.tmp"
    Signatures:
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\11d89ad526b17037587b7f48f84b90f7.exe
    Command line: "{path}"
    Signatures:
    - Accesses Microsoft Outlook accounts
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - outlook_win_path
    Child processes:
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\7104566.bat" "C:\Users\Admin\AppData\Local\Temp\11d89ad526b17037587b7f48f84b90f7.exe" "
      Signatures:
      - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\7104566.bat
  Filesize: 94B
  MD5: 3880eeb1c736d853eb13b44898b718ab
  SHA1: 4eec9d50360cd815211e3c4e6bdd08271b6ec8e6
  SHA256: 936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7
  SHA512: 3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b
- C:\Users\Admin\AppData\Local\Temp\tmp4931.tmp
  Filesize: 1KB
  MD5: 0cff4ac40a5ba15baf20781726c2888b
  SHA1: 774108c3ede77ef3ef4b8e5719ccf9d5cc963816
  SHA256: 031d5282eea5298480e3269b693c0fa3b6f9f4d2fb17957f515318bd806472fe
  SHA512: 8657da498235c5a7ca99559bd7047c7009bb71cd1febd88409b707da32d54248a8d7d2bedef65ccf3cbfa2cdf7b7d0e82e89ee4d36710b16ea810b786b26994a
- memory/1068-55-0x0000000075C51000-0x0000000075C53000-memory.dmp (Filesize: 8KB)
- memory/1068-56-0x00000000003E0000-0x00000000003EA000-memory.dmp (Filesize: 40KB)
- memory/1068-57-0x0000000005000000-0x0000000005070000-memory.dmp (Filesize: 448KB)
- memory/1068-58-0x0000000000560000-0x000000000057E000-memory.dmp (Filesize: 120KB)
- memory/1068-54-0x0000000000F20000-0x0000000000FA2000-memory.dmp (Filesize: 520KB)
- memory/1400-73-0x0000000000000000-mapping.dmp
- memory/1744-59-0x0000000000000000-mapping.dmp
- memory/1984-62-0x0000000000400000-0x0000000000419000-memory.dmp (Filesize: 100KB)
- memory/1984-65-0x0000000000400000-0x0000000000419000-memory.dmp (Filesize: 100KB)
- memory/1984-68-0x0000000000410621-mapping.dmp
- memory/1984-67-0x0000000000400000-0x0000000000419000-memory.dmp (Filesize: 100KB)
- memory/1984-71-0x0000000000400000-0x0000000000419000-memory.dmp (Filesize: 100KB)
- memory/1984-72-0x0000000000400000-0x0000000000419000-memory.dmp (Filesize: 100KB)
- memory/1984-64-0x0000000000400000-0x0000000000419000-memory.dmp (Filesize: 100KB)
- memory/1984-61-0x0000000000400000-0x0000000000419000-memory.dmp (Filesize: 100KB)