Analysis
-
max time kernel
102s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
24-06-2022 14:38
Static task
static1
Behavioral task
behavioral1
Sample
5F0798CDB628B90FA0507427CFAD23AC606C781D63052.exe
Resource
win7-20220414-en
General
-
Target
5F0798CDB628B90FA0507427CFAD23AC606C781D63052.exe
-
Size
218KB
-
MD5
eb6009f8d970345d2bda321bda243b06
-
SHA1
0d77001fd776db124b2e01abfef61720d3708763
-
SHA256
5f0798cdb628b90fa0507427cfad23ac606c781d630526e15c20e0150a9ece04
-
SHA512
01fac880e92ead6fe3127a680549b4ecae013a0bab95c086b4c1399cfc892deee16af6dddf2edd8d20f8b62891dfae3a909023b4940ef010e07fadcc7b2f4059
Malware Config
Extracted
pony
http://dinom.spb.ru/api/index.php
Signatures
-
CrypVault
Ransomware family which makes encrypted files look like they have been quarantined by AV.
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3016 724 cmd.exe 26 -
suricata: ET MALWARE Fareit/Pony Downloader Checkin 2
suricata: ET MALWARE Fareit/Pony Downloader Checkin 2
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid Process 4272 bcdedit.exe 4064 bcdedit.exe -
Executes dropped EXE 2 IoCs
pid Process 400 0150CEAF8E32.exe 1608 0150CEAF8E32.exe -
resource yara_rule behavioral2/memory/1608-142-0x0000000000400000-0x0000000000E28000-memory.dmp upx behavioral2/memory/1608-148-0x0000000000400000-0x0000000000E28000-memory.dmp upx behavioral2/memory/1608-149-0x0000000000400000-0x0000000000E28000-memory.dmp upx behavioral2/memory/1608-153-0x0000000000400000-0x000000000041A000-memory.dmp upx behavioral2/memory/1608-167-0x0000000000400000-0x000000000041A000-memory.dmp upx -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation 5F0798CDB628B90FA0507427CFAD23AC606C781D63052.exe Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation 0150CEAF8E32.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VAULT.hta 0150CEAF8E32.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VAULT.hta 0150CEAF8E32.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts 0150CEAF8E32.exe -
Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook 0150CEAF8E32.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 400 set thread context of 1608 400 0150CEAF8E32.exe 93 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 1296 vssadmin.exe -
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings 5F0798CDB628B90FA0507427CFAD23AC606C781D63052.exe Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings 0150CEAF8E32.exe -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 1720 WINWORD.EXE 1720 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 400 0150CEAF8E32.exe 400 0150CEAF8E32.exe 1608 0150CEAF8E32.exe 1608 0150CEAF8E32.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeImpersonatePrivilege 1608 0150CEAF8E32.exe Token: SeTcbPrivilege 1608 0150CEAF8E32.exe Token: SeChangeNotifyPrivilege 1608 0150CEAF8E32.exe Token: SeCreateTokenPrivilege 1608 0150CEAF8E32.exe Token: SeBackupPrivilege 1608 0150CEAF8E32.exe Token: SeRestorePrivilege 1608 0150CEAF8E32.exe Token: SeIncreaseQuotaPrivilege 1608 0150CEAF8E32.exe Token: SeAssignPrimaryTokenPrivilege 1608 0150CEAF8E32.exe Token: SeIncreaseQuotaPrivilege 4484 WMIC.exe Token: SeSecurityPrivilege 4484 WMIC.exe Token: SeTakeOwnershipPrivilege 4484 WMIC.exe Token: SeLoadDriverPrivilege 4484 WMIC.exe Token: SeSystemProfilePrivilege 4484 WMIC.exe Token: SeSystemtimePrivilege 4484 WMIC.exe Token: SeProfSingleProcessPrivilege 4484 WMIC.exe Token: SeIncBasePriorityPrivilege 4484 WMIC.exe Token: SeCreatePagefilePrivilege 4484 WMIC.exe Token: SeBackupPrivilege 4484 WMIC.exe Token: SeRestorePrivilege 4484 WMIC.exe Token: SeShutdownPrivilege 4484 WMIC.exe Token: SeDebugPrivilege 4484 WMIC.exe Token: SeSystemEnvironmentPrivilege 4484 WMIC.exe Token: SeRemoteShutdownPrivilege 4484 WMIC.exe Token: SeUndockPrivilege 4484 WMIC.exe Token: SeManageVolumePrivilege 4484 WMIC.exe Token: 33 4484 WMIC.exe Token: 34 4484 WMIC.exe Token: 35 4484 WMIC.exe Token: 36 4484 WMIC.exe Token: SeIncreaseQuotaPrivilege 4484 WMIC.exe Token: SeSecurityPrivilege 4484 WMIC.exe Token: SeTakeOwnershipPrivilege 4484 WMIC.exe Token: SeLoadDriverPrivilege 4484 WMIC.exe Token: SeSystemProfilePrivilege 4484 WMIC.exe Token: SeSystemtimePrivilege 4484 WMIC.exe Token: SeProfSingleProcessPrivilege 4484 WMIC.exe Token: SeIncBasePriorityPrivilege 4484 WMIC.exe Token: SeCreatePagefilePrivilege 4484 WMIC.exe Token: SeBackupPrivilege 4484 WMIC.exe Token: SeRestorePrivilege 4484 WMIC.exe Token: SeShutdownPrivilege 4484 WMIC.exe Token: SeDebugPrivilege 4484 WMIC.exe Token: SeSystemEnvironmentPrivilege 4484 WMIC.exe Token: SeRemoteShutdownPrivilege 4484 WMIC.exe Token: SeUndockPrivilege 4484 WMIC.exe Token: SeManageVolumePrivilege 4484 WMIC.exe Token: 33 4484 WMIC.exe Token: 34 4484 WMIC.exe Token: 35 4484 WMIC.exe Token: 36 4484 WMIC.exe Token: SeBackupPrivilege 2672 vssvc.exe Token: SeRestorePrivilege 2672 vssvc.exe Token: SeAuditPrivilege 2672 vssvc.exe Token: SeImpersonatePrivilege 1608 0150CEAF8E32.exe Token: SeTcbPrivilege 1608 0150CEAF8E32.exe Token: SeChangeNotifyPrivilege 1608 0150CEAF8E32.exe Token: SeCreateTokenPrivilege 1608 0150CEAF8E32.exe Token: SeBackupPrivilege 1608 0150CEAF8E32.exe Token: SeRestorePrivilege 1608 0150CEAF8E32.exe Token: SeIncreaseQuotaPrivilege 1608 0150CEAF8E32.exe Token: SeAssignPrimaryTokenPrivilege 1608 0150CEAF8E32.exe Token: SeImpersonatePrivilege 1608 0150CEAF8E32.exe Token: SeTcbPrivilege 1608 0150CEAF8E32.exe Token: SeChangeNotifyPrivilege 1608 0150CEAF8E32.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 400 0150CEAF8E32.exe 400 0150CEAF8E32.exe 1720 WINWORD.EXE 1720 WINWORD.EXE 1720 WINWORD.EXE 1720 WINWORD.EXE -
Suspicious use of WriteProcessMemory 49 IoCs
description pid Process procid_target PID 4780 wrote to memory of 5104 4780 5F0798CDB628B90FA0507427CFAD23AC606C781D63052.exe 80 PID 4780 wrote to memory of 5104 4780 5F0798CDB628B90FA0507427CFAD23AC606C781D63052.exe 80 PID 4780 wrote to memory of 5104 4780 5F0798CDB628B90FA0507427CFAD23AC606C781D63052.exe 80 PID 4780 wrote to memory of 4936 4780 5F0798CDB628B90FA0507427CFAD23AC606C781D63052.exe 84 PID 4780 wrote to memory of 4936 4780 5F0798CDB628B90FA0507427CFAD23AC606C781D63052.exe 84 PID 4780 wrote to memory of 4936 4780 5F0798CDB628B90FA0507427CFAD23AC606C781D63052.exe 84 PID 4780 wrote to memory of 5112 4780 5F0798CDB628B90FA0507427CFAD23AC606C781D63052.exe 83 PID 4780 wrote to memory of 5112 4780 5F0798CDB628B90FA0507427CFAD23AC606C781D63052.exe 83 PID 4780 wrote to memory of 5112 4780 5F0798CDB628B90FA0507427CFAD23AC606C781D63052.exe 83 PID 4780 wrote to memory of 4504 4780 5F0798CDB628B90FA0507427CFAD23AC606C781D63052.exe 87 PID 4780 wrote to memory of 4504 4780 5F0798CDB628B90FA0507427CFAD23AC606C781D63052.exe 87 PID 4780 wrote to memory of 4504 4780 5F0798CDB628B90FA0507427CFAD23AC606C781D63052.exe 87 PID 4780 wrote to memory of 400 4780 5F0798CDB628B90FA0507427CFAD23AC606C781D63052.exe 88 PID 4780 wrote to memory of 400 4780 5F0798CDB628B90FA0507427CFAD23AC606C781D63052.exe 88 PID 4780 wrote to memory of 400 4780 5F0798CDB628B90FA0507427CFAD23AC606C781D63052.exe 88 PID 4780 wrote to memory of 2116 4780 5F0798CDB628B90FA0507427CFAD23AC606C781D63052.exe 89 PID 4780 wrote to memory of 2116 4780 5F0798CDB628B90FA0507427CFAD23AC606C781D63052.exe 89 PID 4780 wrote to memory of 2116 4780 5F0798CDB628B90FA0507427CFAD23AC606C781D63052.exe 89 PID 4780 wrote to memory of 384 4780 5F0798CDB628B90FA0507427CFAD23AC606C781D63052.exe 92 PID 4780 wrote to memory of 384 4780 5F0798CDB628B90FA0507427CFAD23AC606C781D63052.exe 92 PID 4780 wrote to memory of 384 4780 5F0798CDB628B90FA0507427CFAD23AC606C781D63052.exe 92 PID 400 wrote to memory of 1608 400 0150CEAF8E32.exe 93 PID 400 wrote to memory of 1608 400 0150CEAF8E32.exe 93 PID 400 wrote to memory of 1608 400 0150CEAF8E32.exe 93 PID 400 wrote to memory of 1608 400 0150CEAF8E32.exe 93 PID 400 wrote to memory of 1608 400 0150CEAF8E32.exe 93 PID 400 wrote to memory of 1608 400 0150CEAF8E32.exe 93 PID 400 wrote to memory of 1608 400 0150CEAF8E32.exe 93 PID 400 wrote to memory of 1608 400 0150CEAF8E32.exe 93 PID 400 wrote to memory of 1608 400 0150CEAF8E32.exe 93 PID 400 wrote to memory of 1608 400 0150CEAF8E32.exe 93 PID 400 wrote to memory of 1608 400 0150CEAF8E32.exe 93 PID 4780 wrote to memory of 1720 4780 5F0798CDB628B90FA0507427CFAD23AC606C781D63052.exe 94 PID 4780 wrote to memory of 1720 4780 5F0798CDB628B90FA0507427CFAD23AC606C781D63052.exe 94 PID 4780 wrote to memory of 1124 4780 5F0798CDB628B90FA0507427CFAD23AC606C781D63052.exe 95 PID 4780 wrote to memory of 1124 4780 5F0798CDB628B90FA0507427CFAD23AC606C781D63052.exe 95 PID 4780 wrote to memory of 1124 4780 5F0798CDB628B90FA0507427CFAD23AC606C781D63052.exe 95 PID 1608 wrote to memory of 4484 1608 0150CEAF8E32.exe 97 PID 1608 wrote to memory of 4484 1608 0150CEAF8E32.exe 97 PID 1608 wrote to memory of 4484 1608 0150CEAF8E32.exe 97 PID 1608 wrote to memory of 208 1608 0150CEAF8E32.exe 100 PID 1608 wrote to memory of 208 1608 0150CEAF8E32.exe 100 PID 1608 wrote to memory of 208 1608 0150CEAF8E32.exe 100 PID 3016 wrote to memory of 1296 3016 cmd.exe 103 PID 3016 wrote to memory of 1296 3016 cmd.exe 103 PID 3016 wrote to memory of 4272 3016 cmd.exe 107 PID 3016 wrote to memory of 4272 3016 cmd.exe 107 PID 3016 wrote to memory of 4064 3016 cmd.exe 108 PID 3016 wrote to memory of 4064 3016 cmd.exe 108 -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook 0150CEAF8E32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\5F0798CDB628B90FA0507427CFAD23AC606C781D63052.exe"C:\Users\Admin\AppData\Local\Temp\5F0798CDB628B90FA0507427CFAD23AC606C781D63052.exe"1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4780 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c echo 0150CEAF8E322⤵PID:5104
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Temp\0150CEAF8E32" 0150CEAF8E32.exe2⤵PID:5112
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c echo 3319E073582⤵PID:4936
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c echo 0150CEAF8E322⤵PID:4504
-
-
C:\Users\Admin\AppData\Local\Temp\0150CEAF8E32.exe"C:\Users\Admin\AppData\Local\Temp\0150CEAF8E32.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:400 -
C:\Users\Admin\AppData\Local\Temp\0150CEAF8E32.exeC:\Users\Admin\AppData\Local\Temp\0150CEAF8E32.exe3⤵
- Executes dropped EXE
- Checks computer location settings
- Drops startup file
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_win_path
PID:1608 -
C:\Windows\SysWOW64\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" process call create "cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4484
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\VAULT.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}4⤵PID:208
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Temp\3319E07358" 3319E07358.doc2⤵PID:2116
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c echo 0150CEAF8E322⤵PID:384
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\3319E07358.doc" /o ""2⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1720
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c echo 0150CEAF8E323319E073582⤵PID:1124
-
-
C:\Windows\system32\cmd.execmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:3016 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet2⤵
- Interacts with shadow copies
PID:1296
-
-
C:\Windows\system32\bcdedit.exebcdedit.exe /set {default} recoveryenabled no2⤵
- Modifies boot configuration data using bcdedit
PID:4272
-
-
C:\Windows\system32\bcdedit.exebcdedit.exe /set {default} bootstatuspolicy ignoreallfailures2⤵
- Modifies boot configuration data using bcdedit
PID:4064
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2672
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
148KB
MD5d1f6d486c4afb6aca38ee45ed8ae4e3c
SHA13343a6203db587c257252d5b493ea16d5ac93e13
SHA256d7430680c994bc488209aa05c2e72de9ffe5d858111404a2ffb7715bae4f0758
SHA512634e77f6dc9ff159742cabb90d9c3ce62c5f392b96f2cb01b93d86989369e374e9a473327ece255fc784348e9c3ac710a9e18192b686fc3b264793470d36208d
-
Filesize
148KB
MD5d1f6d486c4afb6aca38ee45ed8ae4e3c
SHA13343a6203db587c257252d5b493ea16d5ac93e13
SHA256d7430680c994bc488209aa05c2e72de9ffe5d858111404a2ffb7715bae4f0758
SHA512634e77f6dc9ff159742cabb90d9c3ce62c5f392b96f2cb01b93d86989369e374e9a473327ece255fc784348e9c3ac710a9e18192b686fc3b264793470d36208d
-
Filesize
148KB
MD5d1f6d486c4afb6aca38ee45ed8ae4e3c
SHA13343a6203db587c257252d5b493ea16d5ac93e13
SHA256d7430680c994bc488209aa05c2e72de9ffe5d858111404a2ffb7715bae4f0758
SHA512634e77f6dc9ff159742cabb90d9c3ce62c5f392b96f2cb01b93d86989369e374e9a473327ece255fc784348e9c3ac710a9e18192b686fc3b264793470d36208d
-
Filesize
23KB
MD53d495e763086f50096365b14d0037cb0
SHA1bf29341e57e15abf6d3433ebbaf7c3ecda33fa71
SHA256bfe141ce37886121d25e706cc9217d8311e104016162eb23509d178f43fc2a46
SHA512e896016bfbd30fa00ed3ea89062c51a6d490d54c543930d3b655c3270a5240a64c50ad0a42649f8e1621a429d6274f7c9e88aa168ba0178722acb669352da267
-
Filesize
4KB
MD5b71751d104ed8f256ae64a7d02821be0
SHA1bc3e6ac19bf1431a5872597684b2982b8ba07d87
SHA2566a37244fbabb6238f178c7b769b3d0f15c93d70fece941b416c8e71140538004
SHA512b3bee8dd51f874f5677dbb37989077776d0169d97760395d38ab52ac422ce3a9db78df3970a6c1ac6e18538d8e014fc72f3481964976a5f26b2c7e63efe0ffdf