Analysis
-
max time kernel
147s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system -
submitted
01-10-2022 22:15
Static task
static1
Behavioral task
behavioral1
Sample
c5a48a8322d05e088c6f64872d87a02108e739497dd70176ab2fc4e894842910.exe
Resource
win7-20220812-en
General
-
Target
c5a48a8322d05e088c6f64872d87a02108e739497dd70176ab2fc4e894842910.exe
-
Size
235KB
-
MD5
782bf83934e23b701fe82e2758bd3270
-
SHA1
a12f64aef769958101bda0370a8fb7065ee46a06
-
SHA256
c5a48a8322d05e088c6f64872d87a02108e739497dd70176ab2fc4e894842910
-
SHA512
3524622fe8e7ee606d7638efdfc6b8d9ffce3c56d16fafb84586fe710a52f2ed99b06d8e360d1bd1222489a18e991f0528fb5e6409a1bb5c9d279f15604d76d0
-
SSDEEP
3072:CeNVOhiPoML3O07vuzaeVYPQaXhQB07Uxri+4/7u5BChYiABdVLZrWMXDDu5ofKj:nOhWLluOeweBxW+4/7uyhYpXp3hK
Malware Config
Extracted
pony
http://www.retetethermomix.ro/wp-includes/fonts/fonts.php
http://www.sumterswebdesign.com/wp-content/themes/throttle.php
http://www.schenkdirgesundheit.com/wp-content/plugins/plugins.php
http://youngswanky.com/wp-includes/pomo/com_jumi.php
http://www.savingmummy.com.au/wp-content/upgrade/upgrade.php
http://alejandropawliszyn.com//apweb/wp-adminshortcut.php
http://ankaraotodoseme.org/wp-includes/fonts/fonts.php
http://arabicgermany.com/wp-includes/certificates/88nicholasroberts.php
http://artemis.isolutiontank.com/wp-includes/pomo/i.php
http://beatcancerinms.com//yahoo_site_admin/credentialspierwsza-pomoc.php
http://canyonsdelmaresme.cat/wp-content/languages/languages.php
http://campoflor.com/wp-includes/pomo/Circolari.php
http://cekharga.ariefew.com/wp-includes/certificates/boredbreak.php
http://cekharga.ariefew.com/wp-admin/js/arealsoft2.0.php
http://castleconifer.com/wp-admin/includes/payment.php
http://christcommunitycogic.org/pwksfmaw/klsjdvbss/th-TH.php
http://cinema175.com/ecupidthemovie/contact/contact.php
Signatures
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
c5a48a8322d05e088c6f64872d87a02108e739497dd70176ab2fc4e894842910.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts c5a48a8322d05e088c6f64872d87a02108e739497dd70176ab2fc4e894842910.exe -
Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
Processes:
c5a48a8322d05e088c6f64872d87a02108e739497dd70176ab2fc4e894842910.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook c5a48a8322d05e088c6f64872d87a02108e739497dd70176ab2fc4e894842910.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
c5a48a8322d05e088c6f64872d87a02108e739497dd70176ab2fc4e894842910.exedescription pid process target process PID 1208 set thread context of 1676 1208 c5a48a8322d05e088c6f64872d87a02108e739497dd70176ab2fc4e894842910.exe c5a48a8322d05e088c6f64872d87a02108e739497dd70176ab2fc4e894842910.exe -
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes:
c5a48a8322d05e088c6f64872d87a02108e739497dd70176ab2fc4e894842910.exedescription pid process Token: SeImpersonatePrivilege 1676 c5a48a8322d05e088c6f64872d87a02108e739497dd70176ab2fc4e894842910.exe Token: SeTcbPrivilege 1676 c5a48a8322d05e088c6f64872d87a02108e739497dd70176ab2fc4e894842910.exe Token: SeChangeNotifyPrivilege 1676 c5a48a8322d05e088c6f64872d87a02108e739497dd70176ab2fc4e894842910.exe Token: SeCreateTokenPrivilege 1676 c5a48a8322d05e088c6f64872d87a02108e739497dd70176ab2fc4e894842910.exe Token: SeBackupPrivilege 1676 c5a48a8322d05e088c6f64872d87a02108e739497dd70176ab2fc4e894842910.exe Token: SeRestorePrivilege 1676 c5a48a8322d05e088c6f64872d87a02108e739497dd70176ab2fc4e894842910.exe Token: SeIncreaseQuotaPrivilege 1676 c5a48a8322d05e088c6f64872d87a02108e739497dd70176ab2fc4e894842910.exe Token: SeAssignPrimaryTokenPrivilege 1676 c5a48a8322d05e088c6f64872d87a02108e739497dd70176ab2fc4e894842910.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
c5a48a8322d05e088c6f64872d87a02108e739497dd70176ab2fc4e894842910.exedescription pid process target process PID 1208 wrote to memory of 1676 1208 c5a48a8322d05e088c6f64872d87a02108e739497dd70176ab2fc4e894842910.exe c5a48a8322d05e088c6f64872d87a02108e739497dd70176ab2fc4e894842910.exe PID 1208 wrote to memory of 1676 1208 c5a48a8322d05e088c6f64872d87a02108e739497dd70176ab2fc4e894842910.exe c5a48a8322d05e088c6f64872d87a02108e739497dd70176ab2fc4e894842910.exe PID 1208 wrote to memory of 1676 1208 c5a48a8322d05e088c6f64872d87a02108e739497dd70176ab2fc4e894842910.exe c5a48a8322d05e088c6f64872d87a02108e739497dd70176ab2fc4e894842910.exe PID 1208 wrote to memory of 1676 1208 c5a48a8322d05e088c6f64872d87a02108e739497dd70176ab2fc4e894842910.exe c5a48a8322d05e088c6f64872d87a02108e739497dd70176ab2fc4e894842910.exe PID 1208 wrote to memory of 1676 1208 c5a48a8322d05e088c6f64872d87a02108e739497dd70176ab2fc4e894842910.exe c5a48a8322d05e088c6f64872d87a02108e739497dd70176ab2fc4e894842910.exe PID 1208 wrote to memory of 1676 1208 c5a48a8322d05e088c6f64872d87a02108e739497dd70176ab2fc4e894842910.exe c5a48a8322d05e088c6f64872d87a02108e739497dd70176ab2fc4e894842910.exe PID 1208 wrote to memory of 1676 1208 c5a48a8322d05e088c6f64872d87a02108e739497dd70176ab2fc4e894842910.exe c5a48a8322d05e088c6f64872d87a02108e739497dd70176ab2fc4e894842910.exe PID 1208 wrote to memory of 1676 1208 c5a48a8322d05e088c6f64872d87a02108e739497dd70176ab2fc4e894842910.exe c5a48a8322d05e088c6f64872d87a02108e739497dd70176ab2fc4e894842910.exe PID 1208 wrote to memory of 1676 1208 c5a48a8322d05e088c6f64872d87a02108e739497dd70176ab2fc4e894842910.exe c5a48a8322d05e088c6f64872d87a02108e739497dd70176ab2fc4e894842910.exe -
outlook_win_path 1 IoCs
Processes:
c5a48a8322d05e088c6f64872d87a02108e739497dd70176ab2fc4e894842910.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook c5a48a8322d05e088c6f64872d87a02108e739497dd70176ab2fc4e894842910.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\c5a48a8322d05e088c6f64872d87a02108e739497dd70176ab2fc4e894842910.exe"C:\Users\Admin\AppData\Local\Temp\c5a48a8322d05e088c6f64872d87a02108e739497dd70176ab2fc4e894842910.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\c5a48a8322d05e088c6f64872d87a02108e739497dd70176ab2fc4e894842910.exe"C:\Users\Admin\AppData\Local\Temp\c5a48a8322d05e088c6f64872d87a02108e739497dd70176ab2fc4e894842910.exe"2⤵
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1208-132-0x0000000075320000-0x00000000758D1000-memory.dmpFilesize
5.7MB
-
memory/1208-136-0x0000000075320000-0x00000000758D1000-memory.dmpFilesize
5.7MB
-
memory/1676-133-0x0000000000000000-mapping.dmp
-
memory/1676-134-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/1676-135-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/1676-137-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/1676-138-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB