Analysis

- max time kernel: 91s
- max time network: 107s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 02-10-2022 13:48

Static task: static1

Behavioral task: behavioral1
- Sample: 38994ecc32b9ed7ea6e3356a14249321f3d8d1d919eaa880d7303b5bb15433e2.exe
- Resource: win7-20220812-en
General

- Target: 38994ecc32b9ed7ea6e3356a14249321f3d8d1d919eaa880d7303b5bb15433e2.exe
- Size: 95KB
- MD5: 668b7123b479230533fc39c947d3e940
- SHA1: 40dd96f1c9060ab3a40ffcb836fabeaec8efd6b2
- SHA256: 38994ecc32b9ed7ea6e3356a14249321f3d8d1d919eaa880d7303b5bb15433e2
- SHA512: 2f35c817252370889770a2e6a48bd88fa98ac40203163577ec0f8a1780d68a93ad016f44c9cbf91c6d213613a9d2ab430265ce2ebc2c146b86c236552392468b
- SSDEEP: 1536:mbx0UXVZOXROVG5KW1mcjtNyyLJTMrh811ya4ErxAznQg3UhHV99ZtauyG+:kNOXR4G5H3NjTMC1NBgEjfxyG
Malware Config

Extracted: pony
- http://kdsogeu.pw:4915/way/like.php
- http://mgfdkfy.pw:4915/way/like.php
Signatures

Drops file in Drivers directory (3 IoCs)
Processes: 38994ecc32b9ed7ea6e3356a14249321f3d8d1d919eaa880d7303b5bb15433e2.exe, cmd.exe
description | ioc | process
File created | C:\Windows\system32\drivers\etc\tmp.tmp | 38994ecc32b9ed7ea6e3356a14249321f3d8d1d919eaa880d7303b5bb15433e2.exe
File created | C:\Windows\system32\drivers\etc\hosts.sam | cmd.exe
File opened for modification | C:\Windows\system32\drivers\etc\hosts.sam | cmd.exe

Processes:
resource | yara_rule
behavioral1/memory/876-55-0x0000000000400000-0x0000000000424000-memory.dmp | upx
behavioral1/memory/876-57-0x0000000000400000-0x0000000000424000-memory.dmp | upx
behavioral1/memory/876-59-0x0000000000400000-0x0000000000424000-memory.dmp | upx

Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook accounts (1 TTPs, 1 IoCs)
Processes: 38994ecc32b9ed7ea6e3356a14249321f3d8d1d919eaa880d7303b5bb15433e2.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | 38994ecc32b9ed7ea6e3356a14249321f3d8d1d919eaa880d7303b5bb15433e2.exe

Accesses Microsoft Outlook profiles (1 TTPs, 1 IoCs)
Processes: 38994ecc32b9ed7ea6e3356a14249321f3d8d1d919eaa880d7303b5bb15433e2.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | 38994ecc32b9ed7ea6e3356a14249321f3d8d1d919eaa880d7303b5bb15433e2.exe

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of AdjustPrivilegeToken (32 IoCs)
Processes: 38994ecc32b9ed7ea6e3356a14249321f3d8d1d919eaa880d7303b5bb15433e2.exe
description | pid | process
Token: SeImpersonatePrivilege | 876 | 38994ecc32b9ed7ea6e3356a14249321f3d8d1d919eaa880d7303b5bb15433e2.exe
Token: SeTcbPrivilege | 876 | 38994ecc32b9ed7ea6e3356a14249321f3d8d1d919eaa880d7303b5bb15433e2.exe
Token: SeChangeNotifyPrivilege | 876 | 38994ecc32b9ed7ea6e3356a14249321f3d8d1d919eaa880d7303b5bb15433e2.exe
Token: SeCreateTokenPrivilege | 876 | 38994ecc32b9ed7ea6e3356a14249321f3d8d1d919eaa880d7303b5bb15433e2.exe
Token: SeBackupPrivilege | 876 | 38994ecc32b9ed7ea6e3356a14249321f3d8d1d919eaa880d7303b5bb15433e2.exe
Token: SeRestorePrivilege | 876 | 38994ecc32b9ed7ea6e3356a14249321f3d8d1d919eaa880d7303b5bb15433e2.exe
Token: SeIncreaseQuotaPrivilege | 876 | 38994ecc32b9ed7ea6e3356a14249321f3d8d1d919eaa880d7303b5bb15433e2.exe
Token: SeAssignPrimaryTokenPrivilege | 876 | 38994ecc32b9ed7ea6e3356a14249321f3d8d1d919eaa880d7303b5bb15433e2.exe
Token: SeImpersonatePrivilege | 876 | 38994ecc32b9ed7ea6e3356a14249321f3d8d1d919eaa880d7303b5bb15433e2.exe
Token: SeTcbPrivilege | 876 | 38994ecc32b9ed7ea6e3356a14249321f3d8d1d919eaa880d7303b5bb15433e2.exe
Token: SeChangeNotifyPrivilege | 876 | 38994ecc32b9ed7ea6e3356a14249321f3d8d1d919eaa880d7303b5bb15433e2.exe
Token: SeCreateTokenPrivilege | 876 | 38994ecc32b9ed7ea6e3356a14249321f3d8d1d919eaa880d7303b5bb15433e2.exe
Token: SeBackupPrivilege | 876 | 38994ecc32b9ed7ea6e3356a14249321f3d8d1d919eaa880d7303b5bb15433e2.exe
Token: SeRestorePrivilege | 876 | 38994ecc32b9ed7ea6e3356a14249321f3d8d1d919eaa880d7303b5bb15433e2.exe
Token: SeIncreaseQuotaPrivilege | 876 | 38994ecc32b9ed7ea6e3356a14249321f3d8d1d919eaa880d7303b5bb15433e2.exe
Token: SeAssignPrimaryTokenPrivilege | 876 | 38994ecc32b9ed7ea6e3356a14249321f3d8d1d919eaa880d7303b5bb15433e2.exe
Token: SeImpersonatePrivilege | 876 | 38994ecc32b9ed7ea6e3356a14249321f3d8d1d919eaa880d7303b5bb15433e2.exe
Token: SeTcbPrivilege | 876 | 38994ecc32b9ed7ea6e3356a14249321f3d8d1d919eaa880d7303b5bb15433e2.exe
Token: SeChangeNotifyPrivilege | 876 | 38994ecc32b9ed7ea6e3356a14249321f3d8d1d919eaa880d7303b5bb15433e2.exe
Token: SeCreateTokenPrivilege | 876 | 38994ecc32b9ed7ea6e3356a14249321f3d8d1d919eaa880d7303b5bb15433e2.exe
Token: SeBackupPrivilege | 876 | 38994ecc32b9ed7ea6e3356a14249321f3d8d1d919eaa880d7303b5bb15433e2.exe
Token: SeRestorePrivilege | 876 | 38994ecc32b9ed7ea6e3356a14249321f3d8d1d919eaa880d7303b5bb15433e2.exe
Token: SeIncreaseQuotaPrivilege | 876 | 38994ecc32b9ed7ea6e3356a14249321f3d8d1d919eaa880d7303b5bb15433e2.exe
Token: SeAssignPrimaryTokenPrivilege | 876 | 38994ecc32b9ed7ea6e3356a14249321f3d8d1d919eaa880d7303b5bb15433e2.exe
Token: SeImpersonatePrivilege | 876 | 38994ecc32b9ed7ea6e3356a14249321f3d8d1d919eaa880d7303b5bb15433e2.exe
Token: SeTcbPrivilege | 876 | 38994ecc32b9ed7ea6e3356a14249321f3d8d1d919eaa880d7303b5bb15433e2.exe
Token: SeChangeNotifyPrivilege | 876 | 38994ecc32b9ed7ea6e3356a14249321f3d8d1d919eaa880d7303b5bb15433e2.exe
Token: SeCreateTokenPrivilege | 876 | 38994ecc32b9ed7ea6e3356a14249321f3d8d1d919eaa880d7303b5bb15433e2.exe
Token: SeBackupPrivilege | 876 | 38994ecc32b9ed7ea6e3356a14249321f3d8d1d919eaa880d7303b5bb15433e2.exe
Token: SeRestorePrivilege | 876 | 38994ecc32b9ed7ea6e3356a14249321f3d8d1d919eaa880d7303b5bb15433e2.exe
Token: SeIncreaseQuotaPrivilege | 876 | 38994ecc32b9ed7ea6e3356a14249321f3d8d1d919eaa880d7303b5bb15433e2.exe
Token: SeAssignPrimaryTokenPrivilege | 876 | 38994ecc32b9ed7ea6e3356a14249321f3d8d1d919eaa880d7303b5bb15433e2.exe

Suspicious use of WriteProcessMemory (8 IoCs)
Processes: 38994ecc32b9ed7ea6e3356a14249321f3d8d1d919eaa880d7303b5bb15433e2.exe, cmd.exe
description | pid | process | target process
PID 876 wrote to memory of 1800 | 876 | 38994ecc32b9ed7ea6e3356a14249321f3d8d1d919eaa880d7303b5bb15433e2.exe | cmd.exe
PID 876 wrote to memory of 1800 | 876 | 38994ecc32b9ed7ea6e3356a14249321f3d8d1d919eaa880d7303b5bb15433e2.exe | cmd.exe
PID 876 wrote to memory of 1800 | 876 | 38994ecc32b9ed7ea6e3356a14249321f3d8d1d919eaa880d7303b5bb15433e2.exe | cmd.exe
PID 876 wrote to memory of 1800 | 876 | 38994ecc32b9ed7ea6e3356a14249321f3d8d1d919eaa880d7303b5bb15433e2.exe | cmd.exe
PID 1800 wrote to memory of 1428 | 1800 | cmd.exe | at.exe
PID 1800 wrote to memory of 1428 | 1800 | cmd.exe | at.exe
PID 1800 wrote to memory of 1428 | 1800 | cmd.exe | at.exe
PID 1800 wrote to memory of 1428 | 1800 | cmd.exe | at.exe

outlook_win_path (1 IoCs)
Processes: 38994ecc32b9ed7ea6e3356a14249321f3d8d1d919eaa880d7303b5bb15433e2.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | 38994ecc32b9ed7ea6e3356a14249321f3d8d1d919eaa880d7303b5bb15433e2.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\38994ecc32b9ed7ea6e3356a14249321f3d8d1d919eaa880d7303b5bb15433e2.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\38994ecc32b9ed7ea6e3356a14249321f3d8d1d919eaa880d7303b5bb15433e2.exe"
   - Drops file in Drivers directory
   - Accesses Microsoft Outlook accounts
   - Accesses Microsoft Outlook profiles
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   - outlook_win_path

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c copy C:\Windows\system32\drivers\etc\hosts C:\Windows\system32\drivers\etc\hosts.sam /Y && at 20:13:00 /every:M,T,W,Th,F,S,Su cmd.exe "/c attrib -H C:\Windows\system32\drivers\etc\hosts && copy C:\Users\Admin\AppData\Local\Temp\7172769aq C:\Windows\system32\drivers\etc\hosts /Y && attrib +H C:\Windows\system32\drivers\etc\hosts"
      - Drops file in Drivers directory
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\at.exe
         Command line: at 20:13:00 /every:M,T,W,Th,F,S,Su cmd.exe "/c attrib -H C:\Windows\system32\drivers\etc\hosts && copy C:\Users\Admin\AppData\Local\Temp\7172769aq C:\Windows\system32\drivers\etc\hosts /Y && attrib +H C:\Windows\system32\drivers\etc\hosts"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- memory/876-54-0x0000000075B11000-0x0000000075B13000-memory.dmp (filesize: 8KB)
- memory/876-55-0x0000000000400000-0x0000000000424000-memory.dmp (filesize: 144KB)
- memory/876-56-0x0000000000430000-0x0000000000454000-memory.dmp (filesize: 144KB)
- memory/876-57-0x0000000000400000-0x0000000000424000-memory.dmp (filesize: 144KB)
- memory/876-59-0x0000000000400000-0x0000000000424000-memory.dmp (filesize: 144KB)
- memory/1428-60-0x0000000000000000-mapping.dmp
- memory/1800-58-0x0000000000000000-mapping.dmp