Analysis
-
max time kernel
137s -
max time network
157s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
02-10-2022 13:27
Static task
static1
Behavioral task
behavioral1
Sample
58850268bff9639579bec2bf0b3671a8abc41182706a6f1608fb3f7213db8072.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
58850268bff9639579bec2bf0b3671a8abc41182706a6f1608fb3f7213db8072.exe
Resource
win10v2004-20220901-en
General
-
Target
58850268bff9639579bec2bf0b3671a8abc41182706a6f1608fb3f7213db8072.exe
-
Size
123KB
-
MD5
66a00999048400d6cad08a727289c750
-
SHA1
2e97827e51f577d85d7faffc6267d1fceff18b39
-
SHA256
58850268bff9639579bec2bf0b3671a8abc41182706a6f1608fb3f7213db8072
-
SHA512
39ce77953de167355cb04f7cb43965cb465225e03dd7f7a3f664c25ad33318fae7c6483776980a5940649ba03ace23fbd697a713e7d513540647b0ed87fd235f
-
SSDEEP
3072:XhaVOOlL1N9NEBCnqw8BPpFD/bMQhdcR2eVTnvFbTr:RZ8BNLXtyJMQhoVh
Malware Config
Extracted
pony
http://94.32.66.114/forum/viewtopic.php
http://116.122.158.195:8080/forum/viewtopic.php
http://sunspf.com/forum/viewtopic.php
http://therapygels.com/forum/viewtopic.php
-
payload_url
http://marklawllc.com/1WJisq18/i9xnd1s.exe
http://roseoptik.de/8K7Tk3bV/ZBRgQ.exe
http://aletharadio.com/yD4r4Y1h/88hJ.exe
Signatures
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
58850268bff9639579bec2bf0b3671a8abc41182706a6f1608fb3f7213db8072.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts 58850268bff9639579bec2bf0b3671a8abc41182706a6f1608fb3f7213db8072.exe -
Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
Processes:
58850268bff9639579bec2bf0b3671a8abc41182706a6f1608fb3f7213db8072.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook 58850268bff9639579bec2bf0b3671a8abc41182706a6f1608fb3f7213db8072.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes:
58850268bff9639579bec2bf0b3671a8abc41182706a6f1608fb3f7213db8072.exedescription pid process Token: SeImpersonatePrivilege 1992 58850268bff9639579bec2bf0b3671a8abc41182706a6f1608fb3f7213db8072.exe Token: SeTcbPrivilege 1992 58850268bff9639579bec2bf0b3671a8abc41182706a6f1608fb3f7213db8072.exe Token: SeChangeNotifyPrivilege 1992 58850268bff9639579bec2bf0b3671a8abc41182706a6f1608fb3f7213db8072.exe Token: SeCreateTokenPrivilege 1992 58850268bff9639579bec2bf0b3671a8abc41182706a6f1608fb3f7213db8072.exe Token: SeBackupPrivilege 1992 58850268bff9639579bec2bf0b3671a8abc41182706a6f1608fb3f7213db8072.exe Token: SeRestorePrivilege 1992 58850268bff9639579bec2bf0b3671a8abc41182706a6f1608fb3f7213db8072.exe Token: SeIncreaseQuotaPrivilege 1992 58850268bff9639579bec2bf0b3671a8abc41182706a6f1608fb3f7213db8072.exe Token: SeAssignPrimaryTokenPrivilege 1992 58850268bff9639579bec2bf0b3671a8abc41182706a6f1608fb3f7213db8072.exe -
outlook_win_path 1 IoCs
Processes:
58850268bff9639579bec2bf0b3671a8abc41182706a6f1608fb3f7213db8072.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook 58850268bff9639579bec2bf0b3671a8abc41182706a6f1608fb3f7213db8072.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\58850268bff9639579bec2bf0b3671a8abc41182706a6f1608fb3f7213db8072.exe"C:\Users\Admin\AppData\Local\Temp\58850268bff9639579bec2bf0b3671a8abc41182706a6f1608fb3f7213db8072.exe"1⤵
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_win_path