Analysis
max time kernel: 113s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-10-2022 09:45
Static task: static1
Behavioral task: behavioral1
  Sample: 2587f394c485ab31f8f04fd627da20884019980055de1a949147a6af28b13170.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 2587f394c485ab31f8f04fd627da20884019980055de1a949147a6af28b13170.exe
  Resource: win10v2004-20220812-en
General
Target: 2587f394c485ab31f8f04fd627da20884019980055de1a949147a6af28b13170.exe
Size: 88KB
MD5: 65cac1988793cbffda3ad67b065cade0
SHA1: b5711cad13bd7d22444a74e78ff5d05d363d2d97
SHA256: 2587f394c485ab31f8f04fd627da20884019980055de1a949147a6af28b13170
SHA512: 7172495113c311a55cae793de701baa345d627705db9a797fbb576b05cbb519d368413d65a8220aea6fc536a7f3315c48b39b746e707f97d69339f812d9f3797
SSDEEP: 1536:29aTff+Vt58Nir18lhGm8BuMyZTPjvcVuL1AzrSMVx55ZS+G8USRlE4O3zzmOEC1:2gf+8iZCGWMejLcVmYrSexTjr1RK3nmy
Malware Config
Extracted: pony
http://podaro-vk.esy.es/gate.php
Signatures

YARA rule matches (rule: upx)
Processes:
  resource: behavioral2/memory/3984-138-0x0000000000400000-0x0000000000421000-memory.dmp  yara_rule: upx
  resource: behavioral2/memory/3984-141-0x0000000000400000-0x0000000000421000-memory.dmp  yara_rule: upx
  resource: behavioral2/memory/3984-142-0x0000000000400000-0x0000000000421000-memory.dmp  yara_rule: upx
  resource: behavioral2/memory/3984-144-0x0000000000400000-0x0000000000421000-memory.dmp  yara_rule: upx
  resource: behavioral2/memory/3984-146-0x0000000000400000-0x0000000000421000-memory.dmp  yara_rule: upx

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: 2587f394c485ab31f8f04fd627da20884019980055de1a949147a6af28b13170.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation
  process: 2587f394c485ab31f8f04fd627da20884019980055de1a949147a6af28b13170.exe

Uses the VBS compiler for execution (1 TTP)

Accesses Microsoft Outlook accounts (1 TTP, 1 IoC)
Processes: vbc.exe
  Key opened: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
  process: vbc.exe

Accesses Microsoft Outlook profiles (1 TTP, 1 IoC)
Processes: vbc.exe
  Key opened: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
  process: vbc.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Processes: 2587f394c485ab31f8f04fd627da20884019980055de1a949147a6af28b13170.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Local\\Temp\\File.exe"
  process: 2587f394c485ab31f8f04fd627da20884019980055de1a949147a6af28b13170.exe

Suspicious use of SetThreadContext (1 IoC)
Processes: 2587f394c485ab31f8f04fd627da20884019980055de1a949147a6af28b13170.exe
  PID 4204 set thread context of PID 3984
  process: 2587f394c485ab31f8f04fd627da20884019980055de1a949147a6af28b13170.exe
  target process: vbc.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry class (1 IoC)
Processes: 2587f394c485ab31f8f04fd627da20884019980055de1a949147a6af28b13170.exe
  Key created: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings
  process: 2587f394c485ab31f8f04fd627da20884019980055de1a949147a6af28b13170.exe

Suspicious use of AdjustPrivilegeToken (49 IoCs)
Processes: 2587f394c485ab31f8f04fd627da20884019980055de1a949147a6af28b13170.exe, vbc.exe
  Token: SeDebugPrivilege  PID 4204  2587f394c485ab31f8f04fd627da20884019980055de1a949147a6af28b13170.exe
  The following eight token adjustments by PID 3984 (vbc.exe) are each recorded six times in the report, for 48 entries:
  Token: SeImpersonatePrivilege  PID 3984  vbc.exe
  Token: SeTcbPrivilege  PID 3984  vbc.exe
  Token: SeChangeNotifyPrivilege  PID 3984  vbc.exe
  Token: SeCreateTokenPrivilege  PID 3984  vbc.exe
  Token: SeBackupPrivilege  PID 3984  vbc.exe
  Token: SeRestorePrivilege  PID 3984  vbc.exe
  Token: SeIncreaseQuotaPrivilege  PID 3984  vbc.exe
  Token: SeAssignPrimaryTokenPrivilege  PID 3984  vbc.exe

Suspicious use of WriteProcessMemory (14 IoCs)
Processes: 2587f394c485ab31f8f04fd627da20884019980055de1a949147a6af28b13170.exe, vbc.exe
  PID 4204 wrote to memory of PID 2552  (2587f394c485ab31f8f04fd627da20884019980055de1a949147a6af28b13170.exe -> WScript.exe), recorded 3 times
  PID 4204 wrote to memory of PID 3984  (2587f394c485ab31f8f04fd627da20884019980055de1a949147a6af28b13170.exe -> vbc.exe), recorded 8 times
  PID 3984 wrote to memory of PID 4912  (vbc.exe -> cmd.exe), recorded 3 times

outlook_win_path (1 IoC)
Processes: vbc.exe
  Key opened: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
  process: vbc.exe
Processes
[1] C:\Users\Admin\AppData\Local\Temp\2587f394c485ab31f8f04fd627da20884019980055de1a949147a6af28b13170.exe (PID 4204)
    command line: "C:\Users\Admin\AppData\Local\Temp\2587f394c485ab31f8f04fd627da20884019980055de1a949147a6af28b13170.exe"
    - Checks computer location settings
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\WScript.exe (PID 2552)
        command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\FUCKING_USG_ME.vbs"
    [2] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 3984)
        command line: \Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        - Accesses Microsoft Outlook accounts
        - Accesses Microsoft Outlook profiles
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - outlook_win_path
        [3] C:\Windows\SysWOW64\cmd.exe (PID 4912)
            command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240567921.bat" "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" "
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\240567921.bat
  Filesize: 94B
  MD5: 3880eeb1c736d853eb13b44898b718ab
  SHA1: 4eec9d50360cd815211e3c4e6bdd08271b6ec8e6
  SHA256: 936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7
  SHA512: 3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b
C:\Users\Admin\AppData\Roaming\FUCKING_USG_ME.vbs
  Filesize: 515B
  MD5: 543de9b9f119a1a93dc1ce0cce74b78a
  SHA1: 76cadc4d3b8235b67df5d9ef4157605a4c1f8854
  SHA256: dcd90f682d770f6e03ff468a31391bca12891759284be7f791697933207b7b48
  SHA512: 2ee6de9c7a81c9947e75ba414afaaf1171a4dccaf66b9299b3e8338ffa33ea6cdae1e58131e6565030a2b9ccd03a8259cc5fe928f3452095658512de73f81869
memory/2552-136-0x0000000000000000-mapping.dmp
memory/3984-137-0x0000000000000000-mapping.dmp
memory/3984-138-0x0000000000400000-0x0000000000421000-memory.dmp
  Filesize: 132KB
memory/3984-141-0x0000000000400000-0x0000000000421000-memory.dmp
  Filesize: 132KB
memory/3984-142-0x0000000000400000-0x0000000000421000-memory.dmp
  Filesize: 132KB
memory/3984-144-0x0000000000400000-0x0000000000421000-memory.dmp
  Filesize: 132KB
memory/3984-146-0x0000000000400000-0x0000000000421000-memory.dmp
  Filesize: 132KB
memory/4204-135-0x0000000074E50000-0x0000000075401000-memory.dmp
  Filesize: 5.7MB
memory/4204-143-0x0000000074E50000-0x0000000075401000-memory.dmp
  Filesize: 5.7MB
memory/4912-145-0x0000000000000000-mapping.dmp