Analysis
- max time kernel: 47s
- max time network: 51s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 14-05-2022 15:13
Static task: static1
Behavioral task: behavioral1
- Sample: 11d89ad526b17037587b7f48f84b90f7.exe
- Resource: win7-20220414-en
General
- Target: 11d89ad526b17037587b7f48f84b90f7.exe
- Size: 496KB
- MD5: 11d89ad526b17037587b7f48f84b90f7
- SHA1: 9905ee159e8884f4e33585621d7ddad6afdb2bdd
- SHA256: 4368229ecac528a7352f2eafaaf193efeb725c6c6d40c75af82c635cb6f1e8ef
- SHA512: dbdd87cb5e8abc1579a6039efdda32f10059ada0fcffbf9b40f11211f80749a95ee1fdc5a19a927e3629209e2bc392e6638027e01e0440d48fb62d391ca536c9
Malware Config
Extracted: pony
- C2 (panel gate): https://goodservices.co.vu/netpro/panel/gate.php
- payload_url: https://goodservices.co.vu/shit.exe
Signatures
- suricata: ET MALWARE Fareit/Pony Downloader Checkin 3
- suricata: ET MALWARE Pony Downloader HTTP Library MSIE 5 Win98
Deletes itself (1 IoC)
  Process: cmd.exe (PID 796). The deletion is carried out by the dropped 94-byte batch file 7121976.bat, which cmd.exe runs with the sample's own path as its argument (see the process tree and Downloads below).
Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Accesses Microsoft Outlook accounts (1 TTP, 1 IoC)
  Key opened: \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
  Process: 11d89ad526b17037587b7f48f84b90f7.exe
Accesses Microsoft Outlook profiles (1 TTP, 1 IoC)
  Key opened: \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
  Process: 11d89ad526b17037587b7f48f84b90f7.exe
Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious use of SetThreadContext (1 IoC)
  PID 1528 (11d89ad526b17037587b7f48f84b90f7.exe) set the thread context of PID 1252 (11d89ad526b17037587b7f48f84b90f7.exe).
  Together with the nine WriteProcessMemory events from 1528 into 1252 listed below, this is consistent with the first instance hollowing a second copy of itself: the unpacked Pony payload runs in PID 1252, which is also the process that opens the Outlook keys, requests the token privileges and launches the self-delete stub.
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature calls it likely ransomware behaviour, but nothing else in this report supports that reading: the only files written are the task XML and the self-delete batch script. For a Pony credential stealer, drive enumeration during data collection is the more plausible explanation.
Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution. Here the task "Updates\kRptwxFrOyJ" is registered from an XML definition dropped in the user's Temp directory (tmp8C87.tmp); see the process tree below.
Suspicious behavior: EnumeratesProcesses (1 IoC)
  Process: 11d89ad526b17037587b7f48f84b90f7.exe (PID 1528)
Suspicious use of AdjustPrivilegeToken (33 IoCs)
  PID 1528 (11d89ad526b17037587b7f48f84b90f7.exe): SeDebugPrivilege (1 request)
  PID 1252 (11d89ad526b17037587b7f48f84b90f7.exe), the following set requested four times over (32 requests): SeImpersonatePrivilege, SeTcbPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeIncreaseQuotaPrivilege, SeAssignPrimaryTokenPrivilege
Suspicious use of WriteProcessMemory (17 IoCs)
  PID 1528 (11d89ad526b17037587b7f48f84b90f7.exe) wrote to memory of PID 900 (schtasks.exe): 4 events
  PID 1528 (11d89ad526b17037587b7f48f84b90f7.exe) wrote to memory of PID 1252 (11d89ad526b17037587b7f48f84b90f7.exe): 9 events
  PID 1252 (11d89ad526b17037587b7f48f84b90f7.exe) wrote to memory of PID 796 (cmd.exe): 4 events
outlook_win_path (1 IoC)
  Key opened: \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
  Process: 11d89ad526b17037587b7f48f84b90f7.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\11d89ad526b17037587b7f48f84b90f7.exe (PID 1528)
   Command line: "C:\Users\Admin\AppData\Local\Temp\11d89ad526b17037587b7f48f84b90f7.exe"
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\schtasks.exe (PID 900)
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kRptwxFrOyJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8C87.tmp"
      - Creates scheduled task(s)
   2. C:\Users\Admin\AppData\Local\Temp\11d89ad526b17037587b7f48f84b90f7.exe (PID 1252)
      Command line: "{path}"
      - Accesses Microsoft Outlook accounts
      - Accesses Microsoft Outlook profiles
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - outlook_win_path
      3. C:\Windows\SysWOW64\cmd.exe (PID 796)
         Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\7121976.bat" "C:\Users\Admin\AppData\Local\Temp\11d89ad526b17037587b7f48f84b90f7.exe" "
         - Deletes itself
(The numbers give the depth in the tree. The image paths of schtasks.exe and cmd.exe are under SysWOW64 while their command lines say System32: the sample is a 32-bit process on windows7_x64, so file system redirection applies.)
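Added example (not code from the sandbox report, from Triage, or from the sample): host-side detection logic for the three process-tree patterns above, run over constructed process-creation records with the same fields Sysmon Event ID 1 carries (ProcessId, ParentProcessId, Image, CommandLine). The records mirror this report's tree, with its PIDs, paths and command lines, plus one constructed benign schtasks control; the rule names and the detection thresholds are mine, not the sandbox's.

```python
"""Detect the report's three host patterns (added example, not report code):
  1. a binary in user Temp starting a second copy of itself (the hollowing target);
  2. schtasks /Create whose /XML definition lives in user Temp;
  3. cmd.exe running a .bat from user Temp that is handed the parent's own path
     (self-delete stub).
Input: a list of dicts with pid, ppid, image, cmdline, i.e. Sysmon EID 1 fields.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

# A user-writable staging directory: %LOCALAPPDATA%\Temp.
USER_TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# Absolute Windows paths inside a command line; a match stops at the next
# quote, so quoted paths with spaces survive (unquoted ones with spaces do not).
WIN_PATH_RE = re.compile(r'[A-Za-z]:\\[^"]+')
SCHTASKS_TN_RE = re.compile(r'/TN\s+"([^"]+)"', re.IGNORECASE)
SCHTASKS_XML_RE = re.compile(r'/XML\s+"([^"]+)"', re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _in_user_temp(path: str) -> bool:
    return bool(USER_TEMP_RE.search(path))


def detect(events: List[Dict]) -> List[Finding]:
    """Apply the three rules to every event; parents are resolved by ppid."""
    by_pid = {e["pid"]: e for e in events}
    findings: List[Finding] = []
    for e in events:
        parent: Optional[Dict] = by_pid.get(e["ppid"])
        name = _name(e["image"])
        cmd_paths = WIN_PATH_RE.findall(e["cmdline"])

        # Rule 1: same image as the parent, and that image sits in user Temp.
        # Weak on its own; in the report this child is the SetThreadContext target.
        if (parent is not None and _in_user_temp(e["image"])
                and e["image"].lower() == parent["image"].lower()):
            findings.append(Finding("self_spawn_from_temp", e["pid"], f"parent pid {parent['pid']}"))

        # Rule 2: task registered from an XML file dropped in user Temp.
        if name == "schtasks.exe" and re.search(r"/create\b", e["cmdline"], re.IGNORECASE):
            xml = SCHTASKS_XML_RE.search(e["cmdline"])
            if xml and _in_user_temp(xml.group(1)):
                tn = SCHTASKS_TN_RE.search(e["cmdline"])
                findings.append(Finding("schtasks_xml_from_temp", e["pid"],
                                        tn.group(1) if tn else xml.group(1)))

        # Rule 3: cmd.exe runs a .bat from user Temp and the command line also
        # names the parent's executable, the usual shape of a self-delete stub.
        if name == "cmd.exe" and parent is not None:
            bats = [p for p in cmd_paths if p.lower().endswith(".bat") and _in_user_temp(p)]
            refers_to_parent = any(p.lower() == parent["image"].lower() for p in cmd_paths)
            if bats and refers_to_parent:
                findings.append(Finding("self_delete_via_bat", e["pid"], bats[0]))
    return findings


# Constructed records mirroring the report's tree (PIDs and paths from the
# report; ppid 1000 for the root and the benign control is made up).
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\11d89ad526b17037587b7f48f84b90f7.exe"
EVENTS = [
    {"pid": 1528, "ppid": 1000, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 900, "ppid": 1528, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": (r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kRptwxFrOyJ" '
                 r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp8C87.tmp"')},
    {"pid": 1252, "ppid": 1528, "image": SAMPLE, "cmdline": '"{path}"'},
    {"pid": 796, "ppid": 1252, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": rf'cmd /c ""{TEMP}\7121976.bat" "{SAMPLE}" "'},
    # Benign control (constructed): a vendor task whose XML is not in user Temp.
    {"pid": 2000, "ppid": 1000, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": (r'"C:\Windows\System32\schtasks.exe" /Create /TN "Vendor\Updater" '
                 r'/XML "C:\ProgramData\Vendor\updater.xml"')},
]

if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"{f.rule:24} pid={f.pid} {f.detail}")
```

Rule 2 is the one that transfers best to real telemetry: a task definition read from %LOCALAPPDATA%\Temp by a parent that is itself in a user-writable path is rare in legitimate software. Rule 1 needs the injection context (SetThreadContext/WriteProcessMemory into the child) to be conclusive, which Sysmon does not log directly; rule 3 fires on the self-delete stub regardless of what the batch file is called.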
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\7121976.bat
  Filesize: 94B
  MD5: 3880eeb1c736d853eb13b44898b718ab
  SHA1: 4eec9d50360cd815211e3c4e6bdd08271b6ec8e6
  SHA256: 936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7
  SHA512: 3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b
- C:\Users\Admin\AppData\Local\Temp\tmp8C87.tmp
  Filesize: 1KB
  MD5: 61922d376e482fbb8006bad40fe95f17
  SHA1: a8e697ed9b50611a4df111aa3dd9d2fc39688572
  SHA256: 10fd29ba69af8acb1232b9927aa58876dc462591bdc9b7933b11d145338e386c
  SHA512: 226354f1bcdf908d2b830f09ef43f423b61c3dd8f835eaeb7a62d07315d075dd1071a2b0108d4ec4f3be624c8236cdc6eab4255441b34918cd8a9ba99d95ff5d
- memory/796-73-0x0000000000000000-mapping.dmp
- memory/900-59-0x0000000000000000-mapping.dmp
- memory/1252-68-0x0000000000410621-mapping.dmp
- memory/1252-61-0x0000000000400000-0x0000000000419000-memory.dmp (Filesize: 100KB)
- memory/1252-62-0x0000000000400000-0x0000000000419000-memory.dmp (Filesize: 100KB)
- memory/1252-64-0x0000000000400000-0x0000000000419000-memory.dmp (Filesize: 100KB)
- memory/1252-65-0x0000000000400000-0x0000000000419000-memory.dmp (Filesize: 100KB)
- memory/1252-67-0x0000000000400000-0x0000000000419000-memory.dmp (Filesize: 100KB)
- memory/1252-71-0x0000000000400000-0x0000000000419000-memory.dmp (Filesize: 100KB)
- memory/1252-72-0x0000000000400000-0x0000000000419000-memory.dmp (Filesize: 100KB)
- memory/1528-58-0x0000000000800000-0x000000000081E000-memory.dmp (Filesize: 120KB)
- memory/1528-57-0x0000000005040000-0x00000000050B0000-memory.dmp (Filesize: 448KB)
- memory/1528-54-0x00000000011E0000-0x0000000001262000-memory.dmp (Filesize: 520KB)
- memory/1528-56-0x0000000000600000-0x000000000060A000-memory.dmp (Filesize: 40KB)
- memory/1528-55-0x0000000075391000-0x0000000075393000-memory.dmp (Filesize: 8KB)
(The repeated 0x400000-0x419000 dumps of PID 1252 are successive snapshots of the 100KB image written into the second instance; the mapping at 0x410621 lies inside that region.)