Analysis
max time kernel: 43s
max time network: 47s
platform: windows7_x64
resource: win7-20220414-en
submitted: 21-05-2022 19:47
Static task: static1
Behavioral task: behavioral1
Sample: e7c97423a3df41c9ca79bf2800c1c68c6e9efa0da200f609abbeb045520a08f4.exe
Resource: win7-20220414-en
General
Target: e7c97423a3df41c9ca79bf2800c1c68c6e9efa0da200f609abbeb045520a08f4.exe
Size: 1.0MB
MD5: 90b551346b0b7a6a24960e7254c7d8c3
SHA1: 615383e32cdea90c89fc858f023c1b21078fe504
SHA256: e7c97423a3df41c9ca79bf2800c1c68c6e9efa0da200f609abbeb045520a08f4
SHA512: 6ff55086a1fb9f5734d3831f50490edefea45827c3bcb7cae8b1d7761c7e3a1d4c81add1ab897c6e425cc667e14028a079b2246b4adc57da44a3478423dfaf80
Malware Config
Extracted
pony
http://minhaslaw.co.uk/new/ladi/gate.php
Signatures
- Drops startup file (1 IoCs)
  Processes:
    description: File created
    ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\filename.vbe
    process: e7c97423a3df41c9ca79bf2800c1c68c6e9efa0da200f609abbeb045520a08f4.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook accounts (1 TTPs, 1 IoCs)
  Processes:
    description: Key opened
    ioc: \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
    process: e7c97423a3df41c9ca79bf2800c1c68c6e9efa0da200f609abbeb045520a08f4.exe
- Accesses Microsoft Outlook profiles (1 TTPs, 1 IoCs)
  Processes:
    description: Key opened
    ioc: \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
    process: e7c97423a3df41c9ca79bf2800c1c68c6e9efa0da200f609abbeb045520a08f4.exe
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    description: PID 1096 set thread context of 1252
    pid: 1096
    process: e7c97423a3df41c9ca79bf2800c1c68c6e9efa0da200f609abbeb045520a08f4.exe
    target process: e7c97423a3df41c9ca79bf2800c1c68c6e9efa0da200f609abbeb045520a08f4.exe
- Suspicious use of AdjustPrivilegeToken (32 IoCs)
  Processes:
    pid: 1252
    process: e7c97423a3df41c9ca79bf2800c1c68c6e9efa0da200f609abbeb045520a08f4.exe
    description: the following eight token entries are recorded in this order four times each (32 IoCs in total):
      Token: SeImpersonatePrivilege
      Token: SeTcbPrivilege
      Token: SeChangeNotifyPrivilege
      Token: SeCreateTokenPrivilege
      Token: SeBackupPrivilege
      Token: SeRestorePrivilege
      Token: SeIncreaseQuotaPrivilege
      Token: SeAssignPrimaryTokenPrivilege
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes:
    pid: 1096
    process: e7c97423a3df41c9ca79bf2800c1c68c6e9efa0da200f609abbeb045520a08f4.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
    description: PID 1096 wrote to memory of 1252 (recorded 11 times)
    pid: 1096
    process: e7c97423a3df41c9ca79bf2800c1c68c6e9efa0da200f609abbeb045520a08f4.exe
    target process: e7c97423a3df41c9ca79bf2800c1c68c6e9efa0da200f609abbeb045520a08f4.exe
- outlook_win_path (1 IoCs)
  Processes:
    description: Key opened
    ioc: \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
    process: e7c97423a3df41c9ca79bf2800c1c68c6e9efa0da200f609abbeb045520a08f4.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\e7c97423a3df41c9ca79bf2800c1c68c6e9efa0da200f609abbeb045520a08f4.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\e7c97423a3df41c9ca79bf2800c1c68c6e9efa0da200f609abbeb045520a08f4.exe"
  - Drops startup file
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\e7c97423a3df41c9ca79bf2800c1c68c6e9efa0da200f609abbeb045520a08f4.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\e7c97423a3df41c9ca79bf2800c1c68c6e9efa0da200f609abbeb045520a08f4.exe"
    - Accesses Microsoft Outlook accounts
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1096-56-0x0000000000270000-0x0000000000277000-memory.dmp (Filesize 28KB)
- memory/1096-57-0x0000000075B71000-0x0000000075B73000-memory.dmp (Filesize 8KB)
- memory/1252-59-0x0000000000410CF2-mapping.dmp
- memory/1252-58-0x0000000000400000-0x000000000041C000-memory.dmp (Filesize 112KB)
- memory/1252-61-0x0000000000400000-0x000000000041C000-memory.dmp (Filesize 112KB)
- memory/1252-63-0x0000000000400000-0x000000000041C000-memory.dmp (Filesize 112KB)