Analysis
- max time kernel: 38s
- max time network: 47s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 02-10-2022 09:45
Static task: static1
Behavioral task: behavioral1
  Sample: 2587f394c485ab31f8f04fd627da20884019980055de1a949147a6af28b13170.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 2587f394c485ab31f8f04fd627da20884019980055de1a949147a6af28b13170.exe
  Resource: win10v2004-20220812-en
(the signatures, process tree and memory dumps below come from behavioral1, the Windows 7 x64 run)
General
- Target: 2587f394c485ab31f8f04fd627da20884019980055de1a949147a6af28b13170.exe
- Size: 88KB
- MD5: 65cac1988793cbffda3ad67b065cade0
- SHA1: b5711cad13bd7d22444a74e78ff5d05d363d2d97
- SHA256: 2587f394c485ab31f8f04fd627da20884019980055de1a949147a6af28b13170
- SHA512: 7172495113c311a55cae793de701baa345d627705db9a797fbb576b05cbb519d368413d65a8220aea6fc536a7f3315c48b39b746e707f97d69339f812d9f3797
- SSDEEP: 1536:29aTff+Vt58Nir18lhGm8BuMyZTPjvcVuL1AzrSMVx55ZS+G8USRlE4O3zzmOEC1:2gf+8iZCGWMejLcVmYrSexTjr1RK3nmy
Malware Config
- Extracted family: pony
- C2: http://podaro-vk.esy.es/gate.php
Signatures
-
YARA rule matches on memory dumps
resource                                                                      yara_rule
behavioral1/memory/1724-58-0x0000000000400000-0x0000000000421000-memory.dmp   upx
behavioral1/memory/1724-61-0x0000000000400000-0x0000000000421000-memory.dmp   upx
behavioral1/memory/1724-64-0x0000000000400000-0x0000000000421000-memory.dmp   upx
behavioral1/memory/1724-67-0x0000000000400000-0x0000000000421000-memory.dmp   upx
behavioral1/memory/1724-68-0x0000000000400000-0x0000000000421000-memory.dmp   upx
behavioral1/memory/1724-71-0x0000000000400000-0x0000000000421000-memory.dmp   upx
behavioral1/memory/1724-73-0x0000000000400000-0x0000000000421000-memory.dmp   upx
All seven hits are successive dumps of the same 0x400000-0x421000 region of PID 1724 (vbc.exe), i.e. the image base of the hollowed host process. What matched is the UPX-packed payload written into vbc.exe, not anything on disk; the on-disk sample is 88KB and a packed stealer in a 132KB region is the expected shape for Pony.
-
Uses the VBS compiler for execution (1 TTP)
The process this refers to is C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, the Visual Basic .NET command-line compiler, not a VBScript engine (the VBScript stage is the separate WScript.exe child). vbc.exe is a legitimate Microsoft binary that is started here with no source file to compile; it exists only to be hollowed (see the SetThreadContext and WriteProcessMemory entries below and the upx hits on its 0x400000 region above).
-
Accesses Microsoft Outlook accounts (1 TTP, 1 IoC)
process   description   ioc
vbc.exe   Key opened    \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
-
Accesses Microsoft Outlook profiles (1 TTP, 1 IoC)
process   description   ioc
vbc.exe   Key opened    \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
These reads are the mail-credential harvesting of the Pony payload running inside the hollowed vbc.exe; attribute them to the sample, not to the compiler binary.
-
Adds Run key to start application (2 TTPs, 1 IoC)
process                                                                   description       ioc
2587f394c485ab31f8f04fd627da20884019980055de1a949147a6af28b13170.exe   Set value (str)   \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Key = "C:\Users\Admin\AppData\Local\Temp\File.exe"
The value name is literally "Key" and it points at File.exe in the user's Temp directory; that file is not among the dropped files listed under Downloads in this report. For hunting, an HKCU Run value whose data resolves into %LOCALAPPDATA%\Temp is the indicator, independent of the value name.
-
Suspicious use of SetThreadContext (1 IoC)
process                                                                   description                          pid   target process
2587f394c485ab31f8f04fd627da20884019980055de1a949147a6af28b13170.exe   PID 756 set thread context of 1724   756   vbc.exe
Taken together with the eight writes into PID 1724 and the upx matches at its image base, this is process hollowing: the sample writes its unpacked stage over vbc.exe's image and redirects the host's initial thread into it.
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's canned description for this signature reads "Likely ransomware behaviour"; with a Pony configuration extracted from this sample and no encryption or mass file-write activity anywhere in the report, read it as drive enumeration by a credential stealer, not as evidence of ransomware.
-
Suspicious use of AdjustPrivilegeToken (33 IoCs)
process                                                                   pid    privileges requested
2587f394c485ab31f8f04fd627da20884019980055de1a949147a6af28b13170.exe   756    SeDebugPrivilege
vbc.exe                                                                   1724   SeImpersonatePrivilege, SeTcbPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeIncreaseQuotaPrivilege, SeAssignPrimaryTokenPrivilege (this set of eight requested four times, 32 entries)
AdjustTokenPrivileges can only enable privileges the token already holds; SeTcbPrivilege, SeCreateTokenPrivilege and SeAssignPrimaryTokenPrivilege are not granted even to members of Administrators by default, so those requests come back with ERROR_NOT_ALL_ASSIGNED. The wholesale request pattern from the hollowed host, repeated on each pass, is the indicator, not the outcome.
-
Suspicious use of WriteProcessMemory (16 IoCs)
process                                                                   pid    target process   target pid   count
2587f394c485ab31f8f04fd627da20884019980055de1a949147a6af28b13170.exe   756    WScript.exe      960          4
2587f394c485ab31f8f04fd627da20884019980055de1a949147a6af28b13170.exe   756    vbc.exe          1724         8
vbc.exe                                                                   1724   cmd.exe          1196         4
A handful of writes into a freshly created child is normal (CreateProcess writes the process parameters into every new child, which is what the WScript.exe and cmd.exe rows show). The eight writes into vbc.exe, paired with the SetThreadContext call above, are the payload being written over the host image.
-
outlook_win_path (1 IoC)
process   description   ioc
vbc.exe   Key opened    \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
(the same registry access as "Accesses Microsoft Outlook profiles" above, matched by a second rule)
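The signature tables above are flattened rows, and read one at a time they invite the wrong conclusions ("vbc.exe reads Outlook accounts", "WriteProcessMemory is suspicious"). The following is an added example, not part of the sandbox report or its tooling, that parses those row formats into events and derives the chain a responder cares about: which process was hollowed by which binary, what YARA says about the injected image, where persistence was written, and which binary the Outlook registry reads should be attributed to. The sample rows and the two YARA rows are a constructed subset of this report's data; the row formats are taken from this page; using the 0x400000 region as the image base of the injected payload is an assumption taken from the YARA table above.

```python
"""Structured triage of a Triage-style sandbox report.

Parses the flattened signature rows (SetThreadContext, WriteProcessMemory,
AdjustPrivilegeToken, registry Set value / Key opened) and the YARA-on-dump
table into events, then derives what a responder actually wants from them:
which process was hollowed and with what, where persistence was written, and
which binary the Outlook registry reads should really be attributed to.
"""
import re
from collections import defaultdict

SID = "S-1-5-21-2292972927-2705560509-2768824231-1000"
HKCU = "\\REGISTRY\\USER\\" + SID
SAMPLE = "2587f394c485ab31f8f04fd627da20884019980055de1a949147a6af28b13170.exe"

# Constructed sample input: a subset of this report's event rows, one per
# line (the rendered page runs them together into a single line).
EVENT_LINES = [
    "PID 756 set thread context of 1724 756 " + SAMPLE + " vbc.exe",
    "PID 756 wrote to memory of 960 756 " + SAMPLE + " WScript.exe",
    "PID 756 wrote to memory of 1724 756 " + SAMPLE + " vbc.exe",
    "PID 756 wrote to memory of 1724 756 " + SAMPLE + " vbc.exe",
    "PID 1724 wrote to memory of 1196 1724 vbc.exe cmd.exe",
    "Token: SeDebugPrivilege 756 " + SAMPLE,
    "Token: SeImpersonatePrivilege 1724 vbc.exe",
    "Token: SeBackupPrivilege 1724 vbc.exe",
    "Set value (str) " + HKCU + "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Key"
    + ' = "C:\\Users\\Admin\\AppData\\Local\\Temp\\File.exe" ' + SAMPLE,
    "Key opened " + HKCU
    + "\\Software\\Microsoft\\Office\\Outlook\\OMI Account Manager\\Accounts vbc.exe",
]
YARA_HITS = [
    "behavioral1/memory/1724-58-0x0000000000400000-0x0000000000421000-memory.dmp upx",
    "behavioral1/memory/1724-61-0x0000000000400000-0x0000000000421000-memory.dmp upx",
]

RE_CTX = re.compile(r"^PID (\d+) set thread context of (\d+) \d+ (\S+) (\S+)$")
RE_WPM = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)$")
RE_TOK = re.compile(r"^Token: (Se\w+) (\d+) (\S+)$")
RE_SET = re.compile(r'^Set value \(\w+\) (.+?) = "(.*)" (\S+)$')
RE_OPEN = re.compile(r"^Key opened (.+) (\S+)$")
RE_DMP = re.compile(r"memory/(\d+)-\d+-0x([0-9a-f]+)-0x([0-9a-f]+)-memory\.dmp (\w+)$", re.I)

# Registry paths holding Outlook account/profile data (from the report).
OUTLOOK_KEYS = ("\\Office\\Outlook\\OMI Account Manager\\Accounts",
                "\\Windows Messaging Subsystem\\Profiles\\Outlook")


def parse_events(lines):
    """Group each row by event type, keeping only the fields a rule needs."""
    ev = defaultdict(list)
    for line in lines:
        if m := RE_CTX.match(line):
            ev["ctx"].append((m[1], m[2], m[3], m[4]))  # src pid, dst pid, src img, dst img
        elif m := RE_WPM.match(line):
            ev["wpm"].append((m[1], m[2], m[3], m[4]))
        elif m := RE_TOK.match(line):
            ev["token"].append((m[2], m[1]))             # pid, privilege
        elif m := RE_SET.match(line):
            ev["setval"].append((m[1], m[2], m[3]))      # key path, data, process
        elif m := RE_OPEN.match(line):
            ev["keyopen"].append((m[1], m[2]))           # key path, process
    return ev


def parse_dumps(lines):
    """Map (pid, region start) -> set of YARA rules that fired on that dump."""
    hits = defaultdict(set)
    for line in lines:
        if m := RE_DMP.search(line):
            hits[(m[1], int(m[2], 16))].add(m[4].lower())
    return hits


def analyze(event_lines, dump_lines):
    ev, dumps = parse_events(event_lines), parse_dumps(dump_lines)
    writes = defaultdict(int)
    for src, dst, _, _ in ev["wpm"]:
        writes[(src, dst)] += 1
    # CreateProcess itself writes into every new child, so WriteProcessMemory
    # alone is noise. SetThreadContext on a child the parent also wrote into is
    # the hollowing pattern; YARA on the child's 0x400000 region (assumed image
    # base, as in the report's dump table) says what was written over the host.
    hollowing = []
    for src, dst, src_img, dst_img in ev["ctx"]:
        if writes[(src, dst)]:
            hollowing.append({"parent": src_img, "host": dst_img, "host_pid": dst,
                              "writes": writes[(src, dst)],
                              "payload_rules": sorted(dumps.get((dst, 0x400000), ()))})
    host_owner = {h["host"]: h["parent"] for h in hollowing}
    persistence = [{"value": path.rsplit("\\", 1)[1], "target": data, "by": proc}
                   for path, data, proc in ev["setval"]
                   if "\\CurrentVersion\\Run\\" in path]
    # Outlook reads made by a hollowed host belong to the binary that hollowed it.
    credential_access = [{"key": path, "process": proc,
                          "attributed_to": host_owner.get(proc, proc)}
                         for path, proc in ev["keyopen"]
                         if any(path.endswith(k) for k in OUTLOOK_KEYS)]
    privileges = defaultdict(set)
    for pid, priv in ev["token"]:
        privileges[pid].add(priv)
    return {"hollowing": hollowing, "persistence": persistence,
            "credential_access": credential_access,
            "privileges": {pid: sorted(p) for pid, p in privileges.items()}}


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(EVENT_LINES, YARA_HITS), indent=2))
```

The hollowing rule deliberately requires both primitives: a parent that only calls WriteProcessMemory on a child it just spawned (the WScript.exe and cmd.exe rows here) is not flagged, while the parent that also set the child's thread context is, and the YARA result on the child's image base is attached so the finding names the packed payload rather than the host.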
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\2587f394c485ab31f8f04fd627da20884019980055de1a949147a6af28b13170.exe (PID 756)
   command line: "C:\Users\Admin\AppData\Local\Temp\2587f394c485ab31f8f04fd627da20884019980055de1a949147a6af28b13170.exe"
   - Adds Run key to start application
   - Suspicious use of SetThreadContext
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   -
   2. C:\Windows\SysWOW64\WScript.exe (PID 960)
      command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\FUCKING_USG_ME.vbs"
      (the parent asked for System32\WScript.exe and WoW64 file-system redirection resolved it to SysWOW64, which confirms the sample is a 32-bit process on this x64 VM)
   -
   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 1724)
      command line: \Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      (started with a drive-less path and no compiler arguments: a host for the injected payload, not a compile job)
      - Accesses Microsoft Outlook accounts
      - Accesses Microsoft Outlook profiles
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - outlook_win_path
      -
      3. C:\Windows\SysWOW64\cmd.exe (PID 1196)
         command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\7101149.bat" "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" "
         (the dropped 94-byte batch file is run with the vbc.exe path as its only argument; its contents are not shown in this report)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\7101149.bat
  Filesize: 94B
  MD5: 3880eeb1c736d853eb13b44898b718ab
  SHA1: 4eec9d50360cd815211e3c4e6bdd08271b6ec8e6
  SHA256: 936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7
  SHA512: 3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b
-
C:\Users\Admin\AppData\Roaming\FUCKING_USG_ME.vbs
  Filesize: 515B
  MD5: 543de9b9f119a1a93dc1ce0cce74b78a
  SHA1: 76cadc4d3b8235b67df5d9ef4157605a4c1f8854
  SHA256: dcd90f682d770f6e03ff468a31391bca12891759284be7f791697933207b7b48
  SHA512: 2ee6de9c7a81c9947e75ba414afaaf1171a4dccaf66b9299b3e8338ffa33ea6cdae1e58131e6565030a2b9ccd03a8259cc5fe928f3452095658512de73f81869
-
Memory dumps, PID 756 (the sample):
  memory/756-54-0x0000000075ED1000-0x0000000075ED3000-memory.dmp   Filesize: 8KB
  memory/756-55-0x0000000074DC0000-0x000000007536B000-memory.dmp   Filesize: 5.7MB
  memory/756-69-0x0000000074DC0000-0x000000007536B000-memory.dmp   Filesize: 5.7MB
-
Memory dumps, PID 960 (WScript.exe) and PID 1196 (cmd.exe):
  memory/960-56-0x0000000000000000-mapping.dmp
  memory/1196-72-0x0000000000000000-mapping.dmp
-
Memory dumps, PID 1724 (vbc.exe): eight dumps of the same 0x0000000000400000-0x0000000000421000 region (132KB each, the injected image at the host's image base) plus one mapping dump at 0x41D060, an address inside that region
  memory/1724-57-0x0000000000400000-0x0000000000421000-memory.dmp   Filesize: 132KB
  memory/1724-58-0x0000000000400000-0x0000000000421000-memory.dmp   Filesize: 132KB
  memory/1724-61-0x0000000000400000-0x0000000000421000-memory.dmp   Filesize: 132KB
  memory/1724-64-0x0000000000400000-0x0000000000421000-memory.dmp   Filesize: 132KB
  memory/1724-65-0x000000000041D060-mapping.dmp
  memory/1724-67-0x0000000000400000-0x0000000000421000-memory.dmp   Filesize: 132KB
  memory/1724-68-0x0000000000400000-0x0000000000421000-memory.dmp   Filesize: 132KB
  memory/1724-71-0x0000000000400000-0x0000000000421000-memory.dmp   Filesize: 132KB
  memory/1724-73-0x0000000000400000-0x0000000000421000-memory.dmp   Filesize: 132KB