Analysis
max time kernel: 98s
max time network: 130s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 14-05-2022 15:12
Static task: static1
Behavioral task: behavioral1
Sample: 11d89ad526b17037587b7f48f84b90f7.exe
Resource: win7-20220414-en
General
Target: 11d89ad526b17037587b7f48f84b90f7.exe
Size: 496KB
MD5: 11d89ad526b17037587b7f48f84b90f7
SHA1: 9905ee159e8884f4e33585621d7ddad6afdb2bdd
SHA256: 4368229ecac528a7352f2eafaaf193efeb725c6c6d40c75af82c635cb6f1e8ef
SHA512: dbdd87cb5e8abc1579a6039efdda32f10059ada0fcffbf9b40f11211f80749a95ee1fdc5a19a927e3629209e2bc392e6638027e01e0440d48fb62d391ca536c9
Malware Config
Extracted: pony
https://goodservices.co.vu/netpro/panel/gate.php
payload_url: https://goodservices.co.vu/shit.exe
Signatures
- suricata: ET MALWARE Fareit/Pony Downloader Checkin 3
- suricata: ET MALWARE Pony Downloader HTTP Library MSIE 5 Win98
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: 11d89ad526b17037587b7f48f84b90f7.exe, 11d89ad526b17037587b7f48f84b90f7.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | 11d89ad526b17037587b7f48f84b90f7.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | 11d89ad526b17037587b7f48f84b90f7.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook accounts (1 TTP, 1 IoC)
  Processes: 11d89ad526b17037587b7f48f84b90f7.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | 11d89ad526b17037587b7f48f84b90f7.exe
- Accesses Microsoft Outlook profiles (1 TTP, 1 IoC)
  Processes: 11d89ad526b17037587b7f48f84b90f7.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | 11d89ad526b17037587b7f48f84b90f7.exe
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of SetThreadContext (1 IoC)
  Processes: 11d89ad526b17037587b7f48f84b90f7.exe
  description | pid | process | target process
  PID 4300 set thread context of 4460 | 4300 | 11d89ad526b17037587b7f48f84b90f7.exe | 11d89ad526b17037587b7f48f84b90f7.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes: 11d89ad526b17037587b7f48f84b90f7.exe
  pid | process
  4300 | 11d89ad526b17037587b7f48f84b90f7.exe
  4300 | 11d89ad526b17037587b7f48f84b90f7.exe
  4300 | 11d89ad526b17037587b7f48f84b90f7.exe
  4300 | 11d89ad526b17037587b7f48f84b90f7.exe
  4300 | 11d89ad526b17037587b7f48f84b90f7.exe
- Suspicious use of AdjustPrivilegeToken (49 IoCs)
  Processes: 11d89ad526b17037587b7f48f84b90f7.exe, 11d89ad526b17037587b7f48f84b90f7.exe
  description | pid | process
  Token: SeDebugPrivilege | 4300 | 11d89ad526b17037587b7f48f84b90f7.exe
  Token: SeImpersonatePrivilege | 4460 | 11d89ad526b17037587b7f48f84b90f7.exe
  Token: SeTcbPrivilege | 4460 | 11d89ad526b17037587b7f48f84b90f7.exe
  Token: SeChangeNotifyPrivilege | 4460 | 11d89ad526b17037587b7f48f84b90f7.exe
  Token: SeCreateTokenPrivilege | 4460 | 11d89ad526b17037587b7f48f84b90f7.exe
  Token: SeBackupPrivilege | 4460 | 11d89ad526b17037587b7f48f84b90f7.exe
  Token: SeRestorePrivilege | 4460 | 11d89ad526b17037587b7f48f84b90f7.exe
  Token: SeIncreaseQuotaPrivilege | 4460 | 11d89ad526b17037587b7f48f84b90f7.exe
  Token: SeAssignPrimaryTokenPrivilege | 4460 | 11d89ad526b17037587b7f48f84b90f7.exe
  (The eight PID 4460 rows above appear six times in the report, 48 IoCs; with the SeDebugPrivilege row for PID 4300 this gives the 49 IoCs.)
- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes: 11d89ad526b17037587b7f48f84b90f7.exe, 11d89ad526b17037587b7f48f84b90f7.exe
  description | pid | process | target process
  PID 4300 wrote to memory of 3180 | 4300 | 11d89ad526b17037587b7f48f84b90f7.exe | schtasks.exe (3 rows)
  PID 4300 wrote to memory of 4792 | 4300 | 11d89ad526b17037587b7f48f84b90f7.exe | 11d89ad526b17037587b7f48f84b90f7.exe (3 rows)
  PID 4300 wrote to memory of 2852 | 4300 | 11d89ad526b17037587b7f48f84b90f7.exe | 11d89ad526b17037587b7f48f84b90f7.exe (3 rows)
  PID 4300 wrote to memory of 4460 | 4300 | 11d89ad526b17037587b7f48f84b90f7.exe | 11d89ad526b17037587b7f48f84b90f7.exe (8 rows)
  PID 4460 wrote to memory of 1680 | 4460 | 11d89ad526b17037587b7f48f84b90f7.exe | cmd.exe (3 rows)
- outlook_win_path (1 IoC)
  Processes: 11d89ad526b17037587b7f48f84b90f7.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | 11d89ad526b17037587b7f48f84b90f7.exe
Processes
[1] C:\Users\Admin\AppData\Local\Temp\11d89ad526b17037587b7f48f84b90f7.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\11d89ad526b17037587b7f48f84b90f7.exe"
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\schtasks.exe
        Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kRptwxFrOyJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2971.tmp"
        - Creates scheduled task(s)
    [2] C:\Users\Admin\AppData\Local\Temp\11d89ad526b17037587b7f48f84b90f7.exe
        Command line: "{path}"
    [2] C:\Users\Admin\AppData\Local\Temp\11d89ad526b17037587b7f48f84b90f7.exe
        Command line: "{path}"
    [2] C:\Users\Admin\AppData\Local\Temp\11d89ad526b17037587b7f48f84b90f7.exe
        Command line: "{path}"
        - Checks computer location settings
        - Accesses Microsoft Outlook accounts
        - Accesses Microsoft Outlook profiles
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - outlook_win_path
        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240595687.bat" "C:\Users\Admin\AppData\Local\Temp\11d89ad526b17037587b7f48f84b90f7.exe" "
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\240595687.bat
  Filesize: 94B
  MD5: 3880eeb1c736d853eb13b44898b718ab
  SHA1: 4eec9d50360cd815211e3c4e6bdd08271b6ec8e6
  SHA256: 936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7
  SHA512: 3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b
C:\Users\Admin\AppData\Local\Temp\tmp2971.tmp
  Filesize: 1KB
  MD5: 431522c045a23c36d7a33d2d438187d1
  SHA1: b42c59610c6919f2794e37bdae57374d4a4dff55
  SHA256: 0be26770471f3a198aea1bef944ad80c2fe9d73c0241d62e96f9fddb45bf284a
  SHA512: 2d2eedd25c54a1eb1908defe6499afe975ec9f99b639a872a22947edc06d006504cb448ba98bd241f0a9629a7ec4dddc0d9364dec42583e38ed957f3a4fdaa1f
memory/1680-144-0x0000000000000000-mapping.dmp
memory/2852-138-0x0000000000000000-mapping.dmp
memory/3180-135-0x0000000000000000-mapping.dmp
memory/4300-133-0x0000000004FA0000-0x000000000503C000-memory.dmp
  Filesize: 624KB
memory/4300-134-0x0000000004EB0000-0x0000000004EBA000-memory.dmp
  Filesize: 40KB
memory/4300-130-0x00000000005D0000-0x0000000000652000-memory.dmp
  Filesize: 520KB
memory/4300-132-0x0000000004F00000-0x0000000004F92000-memory.dmp
  Filesize: 584KB
memory/4300-131-0x0000000005600000-0x0000000005BA4000-memory.dmp
  Filesize: 5.6MB
memory/4460-139-0x0000000000000000-mapping.dmp
memory/4460-140-0x0000000000400000-0x0000000000419000-memory.dmp
  Filesize: 100KB
memory/4460-142-0x0000000000400000-0x0000000000419000-memory.dmp
  Filesize: 100KB
memory/4460-143-0x0000000000400000-0x0000000000419000-memory.dmp
  Filesize: 100KB
memory/4792-137-0x0000000000000000-mapping.dmp