Analysis Overview
SHA256
d7430680c994bc488209aa05c2e72de9ffe5d858111404a2ffb7715bae4f0758
Threat Level: Known bad
The file D7430680C994BC488209AA05C2E72DE9FFE5D85811140.exe was found to be: Known bad.
Malicious Activity Summary
CrypVault
Pony,Fareit
suricata: ET MALWARE Fareit/Pony Downloader Checkin 2
Process spawned unexpected child process
Modifies boot configuration data using bcdedit
Deletes shadow copies
UPX packed file
Drops startup file
Reads user/profile data of web browsers
Checks computer location settings
Checks installed software on the system
Accesses Microsoft Outlook profiles
Accesses Microsoft Outlook accounts
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Interacts with shadow copies
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Modifies Internet Explorer settings
outlook_win_path
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-06-24 04:43
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-06-24 04:43
Reported
2022-06-24 04:45
Platform
win7-20220414-en
Max time kernel
42s
Max time network
45s
Command Line
Signatures
CrypVault
Pony,Fareit
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\cmd.exe |
suricata: ET MALWARE Fareit/Pony Downloader Checkin 2
Deletes shadow copies
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VAULT.hta | C:\Users\Admin\AppData\Local\Temp\D7430680C994BC488209AA05C2E72DE9FFE5D85811140.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VAULT.hta | C:\Users\Admin\AppData\Local\Temp\D7430680C994BC488209AA05C2E72DE9FFE5D85811140.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\D7430680C994BC488209AA05C2E72DE9FFE5D85811140.exe | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\D7430680C994BC488209AA05C2E72DE9FFE5D85811140.exe | N/A |
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 880 set thread context of 1496 | N/A | C:\Users\Admin\AppData\Local\Temp\D7430680C994BC488209AA05C2E72DE9FFE5D85811140.exe | C:\Users\Admin\AppData\Local\Temp\D7430680C994BC488209AA05C2E72DE9FFE5D85811140.exe |
Enumerates physical storage devices
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\D7430680C994BC488209AA05C2E72DE9FFE5D85811140.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\D7430680C994BC488209AA05C2E72DE9FFE5D85811140.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\D7430680C994BC488209AA05C2E72DE9FFE5D85811140.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\D7430680C994BC488209AA05C2E72DE9FFE5D85811140.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\D7430680C994BC488209AA05C2E72DE9FFE5D85811140.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\D7430680C994BC488209AA05C2E72DE9FFE5D85811140.exe
"C:\Users\Admin\AppData\Local\Temp\D7430680C994BC488209AA05C2E72DE9FFE5D85811140.exe"
C:\Users\Admin\AppData\Local\Temp\D7430680C994BC488209AA05C2E72DE9FFE5D85811140.exe
C:\Users\Admin\AppData\Local\Temp\D7430680C994BC488209AA05C2E72DE9FFE5D85811140.exe
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\VAULT.hta"
C:\Windows\SysWOW64\wbem\WMIC.exe
"C:\Windows\System32\wbem\WMIC.exe" process call create "cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"
C:\Windows\system32\cmd.exe
cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} recoveryenabled no
C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | dinom.spb.ru | udp |
| RU | 193.164.150.217:80 | dinom.spb.ru | tcp |
| RU | 193.164.150.217:80 | dinom.spb.ru | tcp |
| RU | 193.164.150.217:80 | dinom.spb.ru | tcp |
| RU | 193.164.150.217:80 | dinom.spb.ru | tcp |
Files
memory/880-54-0x0000000075711000-0x0000000075713000-memory.dmp
memory/1496-55-0x0000000000300000-0x0000000000400000-memory.dmp
memory/1496-56-0x0000000000400000-0x0000000000E28000-memory.dmp
memory/1496-57-0x0000000000400000-0x0000000000E28000-memory.dmp
memory/1496-59-0x0000000000400000-0x0000000000E28000-memory.dmp
memory/1496-60-0x0000000000400000-0x0000000000E28000-memory.dmp
memory/1496-62-0x0000000000400000-0x0000000000E28000-memory.dmp
memory/1496-64-0x0000000000418A40-mapping.dmp
memory/880-65-0x0000000000350000-0x0000000000355000-memory.dmp
memory/1496-63-0x0000000000400000-0x0000000000E28000-memory.dmp
memory/1496-67-0x0000000000400000-0x0000000000E28000-memory.dmp
memory/1496-69-0x0000000000400000-0x000000000041A000-memory.dmp
memory/1496-68-0x0000000000400000-0x0000000000E28000-memory.dmp
memory/1496-71-0x00000000002B0000-0x00000000002BF000-memory.dmp
memory/1272-73-0x0000000000000000-mapping.dmp
C:\Users\Admin\Desktop\VAULT.hta
| MD5 | b71751d104ed8f256ae64a7d02821be0 |
| SHA1 | bc3e6ac19bf1431a5872597684b2982b8ba07d87 |
| SHA256 | 6a37244fbabb6238f178c7b769b3d0f15c93d70fece941b416c8e71140538004 |
| SHA512 | b3bee8dd51f874f5677dbb37989077776d0169d97760395d38ab52ac422ce3a9db78df3970a6c1ac6e18538d8e014fc72f3481964976a5f26b2c7e63efe0ffdf |
memory/692-75-0x0000000000000000-mapping.dmp
memory/1596-76-0x0000000000000000-mapping.dmp
memory/1608-77-0x0000000000000000-mapping.dmp
memory/1752-78-0x0000000000000000-mapping.dmp
memory/1496-79-0x0000000000400000-0x000000000041A000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-06-24 04:43
Reported
2022-06-24 04:45
Platform
win10v2004-20220414-en
Max time kernel
91s
Max time network
129s
Command Line
Signatures
CrypVault
Pony,Fareit
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\cmd.exe |
suricata: ET MALWARE Fareit/Pony Downloader Checkin 2
Deletes shadow copies
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\D7430680C994BC488209AA05C2E72DE9FFE5D85811140.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VAULT.hta | C:\Users\Admin\AppData\Local\Temp\D7430680C994BC488209AA05C2E72DE9FFE5D85811140.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VAULT.hta | C:\Users\Admin\AppData\Local\Temp\D7430680C994BC488209AA05C2E72DE9FFE5D85811140.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\D7430680C994BC488209AA05C2E72DE9FFE5D85811140.exe | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\D7430680C994BC488209AA05C2E72DE9FFE5D85811140.exe | N/A |
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 5024 set thread context of 1428 | N/A | C:\Users\Admin\AppData\Local\Temp\D7430680C994BC488209AA05C2E72DE9FFE5D85811140.exe | C:\Users\Admin\AppData\Local\Temp\D7430680C994BC488209AA05C2E72DE9FFE5D85811140.exe |
Enumerates physical storage devices
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\D7430680C994BC488209AA05C2E72DE9FFE5D85811140.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\D7430680C994BC488209AA05C2E72DE9FFE5D85811140.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\D7430680C994BC488209AA05C2E72DE9FFE5D85811140.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\D7430680C994BC488209AA05C2E72DE9FFE5D85811140.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\D7430680C994BC488209AA05C2E72DE9FFE5D85811140.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\D7430680C994BC488209AA05C2E72DE9FFE5D85811140.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\D7430680C994BC488209AA05C2E72DE9FFE5D85811140.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\D7430680C994BC488209AA05C2E72DE9FFE5D85811140.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\D7430680C994BC488209AA05C2E72DE9FFE5D85811140.exe
"C:\Users\Admin\AppData\Local\Temp\D7430680C994BC488209AA05C2E72DE9FFE5D85811140.exe"
C:\Users\Admin\AppData\Local\Temp\D7430680C994BC488209AA05C2E72DE9FFE5D85811140.exe
C:\Users\Admin\AppData\Local\Temp\D7430680C994BC488209AA05C2E72DE9FFE5D85811140.exe
C:\Windows\SysWOW64\wbem\WMIC.exe
"C:\Windows\System32\wbem\WMIC.exe" process call create "cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\VAULT.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
C:\Windows\system32\cmd.exe
cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} recoveryenabled no
C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | dinom.spb.ru | udp |
| RU | 193.164.150.217:80 | dinom.spb.ru | tcp |
| RU | 193.164.150.217:80 | dinom.spb.ru | tcp |
| FR | 2.18.109.224:443 | tcp | |
| US | 104.18.24.243:80 | tcp | |
| RU | 193.164.150.217:80 | dinom.spb.ru | tcp |
| RU | 193.164.150.217:80 | dinom.spb.ru | tcp |
| AU | 104.46.162.226:443 | tcp | |
| US | 93.184.221.240:80 | tcp | |
| US | 93.184.221.240:80 | tcp | |
| US | 93.184.221.240:80 | tcp |
Files
memory/1428-130-0x0000000000000000-mapping.dmp
memory/1428-131-0x0000000000400000-0x0000000000E28000-memory.dmp
memory/5024-133-0x0000000002250000-0x0000000002255000-memory.dmp
memory/1428-134-0x0000000000400000-0x0000000000E28000-memory.dmp
memory/1428-135-0x0000000000400000-0x0000000000E28000-memory.dmp
memory/1428-136-0x0000000000400000-0x000000000041A000-memory.dmp
memory/1428-137-0x0000000000400000-0x000000000041A000-memory.dmp
memory/1428-138-0x0000000001000000-0x000000000100F000-memory.dmp
memory/4120-140-0x0000000000000000-mapping.dmp
memory/2284-141-0x0000000000000000-mapping.dmp
C:\Users\Admin\Desktop\VAULT.hta
| MD5 | b71751d104ed8f256ae64a7d02821be0 |
| SHA1 | bc3e6ac19bf1431a5872597684b2982b8ba07d87 |
| SHA256 | 6a37244fbabb6238f178c7b769b3d0f15c93d70fece941b416c8e71140538004 |
| SHA512 | b3bee8dd51f874f5677dbb37989077776d0169d97760395d38ab52ac422ce3a9db78df3970a6c1ac6e18538d8e014fc72f3481964976a5f26b2c7e63efe0ffdf |
memory/3136-143-0x0000000000000000-mapping.dmp
memory/2380-144-0x0000000000000000-mapping.dmp
memory/2776-145-0x0000000000000000-mapping.dmp
memory/1428-146-0x0000000000400000-0x000000000041A000-memory.dmp