Analysis
-
max time kernel: 128s
max time network: 61s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 03-10-2022 00:47
Static task: static1
Behavioral task: behavioral1
Sample: b350e381f7e0f41b2d941a9d59096b769ff1a46067fcfa5fcc3577026a0a8c9e.exe
Resource: win7-20220901-en
General
-
Target: b350e381f7e0f41b2d941a9d59096b769ff1a46067fcfa5fcc3577026a0a8c9e.exe
Size: 106KB
MD5: 34edb846d0d38edd94dfc20caad8bdb6
SHA1: 09d3e2adc6d084bccad6471e5f31d619f1b1f364
SHA256: b350e381f7e0f41b2d941a9d59096b769ff1a46067fcfa5fcc3577026a0a8c9e
SHA512: 40f54840015434dde4a8e74294871de80f293b78dfcfff06bc821224f6f3a8fc76fc3934813890b6ce2fd8351f51e1efdd7892d46c0686a9a99ffe86adba52db
SSDEEP: 1536:nHNyobUKPbS8tEMdZqC4L8zCSI97QUDq4ldsVpSzCzGwt57VJnb:nH0obUkS8tEMdZqCU+Cf97/zsjS+trnb
Malware Config
Extracted
pony
http://ledosadik.pw:719/way/open.php
http://virmataje.pw:719/way/open.php
Signatures
-
Drops file in Drivers directory 4 IoCs
Processes: cmd.exe, attrib.exe, cmd.exe
description | ioc | process
File opened for modification | C:\Windows\system32\drivers\etc\hosts.sam | cmd.exe
File opened for modification | C:\Windows\system32\drivers\etc\hosts | attrib.exe
File opened for modification | C:\Windows\system32\drivers\etc\hosts | cmd.exe
File created | C:\Windows\system32\drivers\etc\hosts.sam | cmd.exe
-
Processes:
resource | yara_rule
behavioral1/memory/976-56-0x0000000000400000-0x000000000041D000-memory.dmp | upx
behavioral1/memory/976-58-0x0000000000400000-0x000000000041D000-memory.dmp | upx
behavioral1/memory/976-59-0x0000000000400000-0x000000000041D000-memory.dmp | upx
behavioral1/memory/976-64-0x0000000000400000-0x000000000041D000-memory.dmp | upx
behavioral1/memory/976-65-0x0000000000400000-0x000000000041D000-memory.dmp | upx
behavioral1/memory/976-66-0x0000000000400000-0x000000000041D000-memory.dmp | upx
behavioral1/memory/976-67-0x0000000000400000-0x000000000041D000-memory.dmp | upx
behavioral1/memory/976-72-0x0000000000400000-0x000000000041D000-memory.dmp | upx
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes: b350e381f7e0f41b2d941a9d59096b769ff1a46067fcfa5fcc3577026a0a8c9e.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | b350e381f7e0f41b2d941a9d59096b769ff1a46067fcfa5fcc3577026a0a8c9e.exe
-
Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
Processes: b350e381f7e0f41b2d941a9d59096b769ff1a46067fcfa5fcc3577026a0a8c9e.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | b350e381f7e0f41b2d941a9d59096b769ff1a46067fcfa5fcc3577026a0a8c9e.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
Processes: b350e381f7e0f41b2d941a9d59096b769ff1a46067fcfa5fcc3577026a0a8c9e.exe
description | pid | process | target process
PID 1600 set thread context of 976 | 1600 | b350e381f7e0f41b2d941a9d59096b769ff1a46067fcfa5fcc3577026a0a8c9e.exe | b350e381f7e0f41b2d941a9d59096b769ff1a46067fcfa5fcc3577026a0a8c9e.exe
-
Drops file in Windows directory 2 IoCs
Processes: b350e381f7e0f41b2d941a9d59096b769ff1a46067fcfa5fcc3577026a0a8c9e.exe
description | ioc | process
File created | C:\Windows\SelfNotepad.exe | b350e381f7e0f41b2d941a9d59096b769ff1a46067fcfa5fcc3577026a0a8c9e.exe
File opened for modification | C:\Windows\SelfNotepad.exe | b350e381f7e0f41b2d941a9d59096b769ff1a46067fcfa5fcc3577026a0a8c9e.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes: b350e381f7e0f41b2d941a9d59096b769ff1a46067fcfa5fcc3577026a0a8c9e.exe
pid | process
1600 | b350e381f7e0f41b2d941a9d59096b769ff1a46067fcfa5fcc3577026a0a8c9e.exe
1600 | b350e381f7e0f41b2d941a9d59096b769ff1a46067fcfa5fcc3577026a0a8c9e.exe
-
Suspicious use of AdjustPrivilegeToken 32 IoCs
Processes: b350e381f7e0f41b2d941a9d59096b769ff1a46067fcfa5fcc3577026a0a8c9e.exe
description | pid | process
Token: SeImpersonatePrivilege | 976 | b350e381f7e0f41b2d941a9d59096b769ff1a46067fcfa5fcc3577026a0a8c9e.exe
Token: SeTcbPrivilege | 976 | b350e381f7e0f41b2d941a9d59096b769ff1a46067fcfa5fcc3577026a0a8c9e.exe
Token: SeChangeNotifyPrivilege | 976 | b350e381f7e0f41b2d941a9d59096b769ff1a46067fcfa5fcc3577026a0a8c9e.exe
Token: SeCreateTokenPrivilege | 976 | b350e381f7e0f41b2d941a9d59096b769ff1a46067fcfa5fcc3577026a0a8c9e.exe
Token: SeBackupPrivilege | 976 | b350e381f7e0f41b2d941a9d59096b769ff1a46067fcfa5fcc3577026a0a8c9e.exe
Token: SeRestorePrivilege | 976 | b350e381f7e0f41b2d941a9d59096b769ff1a46067fcfa5fcc3577026a0a8c9e.exe
Token: SeIncreaseQuotaPrivilege | 976 | b350e381f7e0f41b2d941a9d59096b769ff1a46067fcfa5fcc3577026a0a8c9e.exe
Token: SeAssignPrimaryTokenPrivilege | 976 | b350e381f7e0f41b2d941a9d59096b769ff1a46067fcfa5fcc3577026a0a8c9e.exe
(The above sequence of eight token adjustments by PID 976 is recorded four times in this order, 32 IoCs in total.)
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes: b350e381f7e0f41b2d941a9d59096b769ff1a46067fcfa5fcc3577026a0a8c9e.exe
pid | process
1600 | b350e381f7e0f41b2d941a9d59096b769ff1a46067fcfa5fcc3577026a0a8c9e.exe
-
Suspicious use of WriteProcessMemory 33 IoCs
Processes: b350e381f7e0f41b2d941a9d59096b769ff1a46067fcfa5fcc3577026a0a8c9e.exe, b350e381f7e0f41b2d941a9d59096b769ff1a46067fcfa5fcc3577026a0a8c9e.exe, cmd.exe, cmd.exe, taskeng.exe, cmd.exe
description | pid | process | target process | occurrences
PID 1600 wrote to memory of 976 | 1600 | b350e381f7e0f41b2d941a9d59096b769ff1a46067fcfa5fcc3577026a0a8c9e.exe | b350e381f7e0f41b2d941a9d59096b769ff1a46067fcfa5fcc3577026a0a8c9e.exe | 8
PID 976 wrote to memory of 1508 | 976 | b350e381f7e0f41b2d941a9d59096b769ff1a46067fcfa5fcc3577026a0a8c9e.exe | cmd.exe | 4
PID 1508 wrote to memory of 1836 | 1508 | cmd.exe | at.exe | 4
PID 976 wrote to memory of 1784 | 976 | b350e381f7e0f41b2d941a9d59096b769ff1a46067fcfa5fcc3577026a0a8c9e.exe | cmd.exe | 4
PID 1784 wrote to memory of 1496 | 1784 | cmd.exe | PING.EXE | 4
PID 1380 wrote to memory of 1420 | 1380 | taskeng.exe | cmd.exe | 3
PID 1420 wrote to memory of 2004 | 1420 | cmd.exe | attrib.exe | 3
PID 1420 wrote to memory of 736 | 1420 | cmd.exe | attrib.exe | 3
(33 IoCs in total; identical rows are collapsed into the occurrences column.)
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes: attrib.exe, attrib.exe
pid | process
2004 | attrib.exe
736 | attrib.exe
-
outlook_win_path 1 IoCs
Processes: b350e381f7e0f41b2d941a9d59096b769ff1a46067fcfa5fcc3577026a0a8c9e.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | b350e381f7e0f41b2d941a9d59096b769ff1a46067fcfa5fcc3577026a0a8c9e.exe
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\b350e381f7e0f41b2d941a9d59096b769ff1a46067fcfa5fcc3577026a0a8c9e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b350e381f7e0f41b2d941a9d59096b769ff1a46067fcfa5fcc3577026a0a8c9e.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
-
  Level 2: C:\Users\Admin\AppData\Local\Temp\b350e381f7e0f41b2d941a9d59096b769ff1a46067fcfa5fcc3577026a0a8c9e.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\b350e381f7e0f41b2d941a9d59096b769ff1a46067fcfa5fcc3577026a0a8c9e.exe
    - Accesses Microsoft Outlook accounts
    - Accesses Microsoft Outlook profiles
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - outlook_win_path
-
    Level 3: C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c at 05:39:00 /every:T,M,F,W,Th,S,Su cmd.exe "/c attrib -H C:\Windows\system32\drivers\etc\hosts && copy C:\Users\Admin\AppData\Local\Temp\7137622 C:\Windows\system32\drivers\etc\hosts /Y && attrib +H C:\Windows\system32\drivers\etc\hosts" && copy %WINDIR%\system32\drivers\etc\hosts %WINDIR%\system32\drivers\etc\hosts.sam /Y
      - Drops file in Drivers directory
      - Suspicious use of WriteProcessMemory
-
      Level 4: C:\Windows\SysWOW64\at.exe
        Command line: at 05:39:00 /every:T,M,F,W,Th,S,Su cmd.exe "/c attrib -H C:\Windows\system32\drivers\etc\hosts && copy C:\Users\Admin\AppData\Local\Temp\7137622 C:\Windows\system32\drivers\etc\hosts /Y && attrib +H C:\Windows\system32\drivers\etc\hosts"
-
    Level 3: C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping -n 10 localhost && echo deleted>"C:\Users\Admin\AppData\Local\Temp\b350e381f7e0f41b2d941a9d59096b769ff1a46067fcfa5fcc3577026a0a8c9e.exe"
      - Suspicious use of WriteProcessMemory
-
      Level 4: C:\Windows\SysWOW64\PING.EXE
        Command line: ping -n 10 localhost
        - Runs ping.exe
-
Level 1: C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {6EE280B9-10E3-4B9C-B556-D88EE5A6F380} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory
-
  Level 2: C:\Windows\system32\cmd.exe
    Command line: cmd.exe "/c attrib -H C:\Windows\system32\drivers\etc\hosts && copy C:\Users\Admin\AppData\Local\Temp\7137622 C:\Windows\system32\drivers\etc\hosts /Y && attrib +H C:\Windows\system32\drivers\etc\hosts"
    - Drops file in Drivers directory
    - Suspicious use of WriteProcessMemory
-
    Level 3: C:\Windows\system32\attrib.exe
      Command line: attrib -H C:\Windows\system32\drivers\etc\hosts
      - Drops file in Drivers directory
      - Views/modifies file attributes
-
    Level 3: C:\Windows\system32\attrib.exe
      Command line: attrib +H C:\Windows\system32\drivers\etc\hosts"
      - Views/modifies file attributes
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\7137622
Filesize: 1KB
MD5: c2cf5fb29bf3694e8c28adf170cb9815
SHA1: 5e22a6d76e7a5d3263a8cdbbd1f34e4942dd5571
SHA256: e675d51100cbb2b628d354f0b9f3f8efa255533c80add07226415db49daf5731
SHA512: e4331a2e89bc635be1eaff1a73c15fddd1b80bd4d7cdc2bbda959ef93bb2a74c23553891e4bbffcd9021706b16733c3ed62ee118beb1dd25c04a89c17277a81e
-
memory/736-77-0x0000000000000000-mapping.dmp
-
memory/976-67-0x0000000000400000-0x000000000041D000-memory.dmp
Filesize: 116KB
-
memory/976-72-0x0000000000400000-0x000000000041D000-memory.dmp
Filesize: 116KB
-
memory/976-60-0x000000000041B6D0-mapping.dmp
-
memory/976-59-0x0000000000400000-0x000000000041D000-memory.dmp
Filesize: 116KB
-
memory/976-55-0x0000000000400000-0x000000000041D000-memory.dmp
Filesize: 116KB
-
memory/976-64-0x0000000000400000-0x000000000041D000-memory.dmp
Filesize: 116KB
-
memory/976-65-0x0000000000400000-0x000000000041D000-memory.dmp
Filesize: 116KB
-
memory/976-66-0x0000000000400000-0x000000000041D000-memory.dmp
Filesize: 116KB
-
memory/976-56-0x0000000000400000-0x000000000041D000-memory.dmp
Filesize: 116KB
-
memory/976-58-0x0000000000400000-0x000000000041D000-memory.dmp
Filesize: 116KB
-
memory/1420-74-0x0000000000000000-mapping.dmp
-
memory/1496-73-0x0000000000000000-mapping.dmp
-
memory/1508-68-0x0000000000000000-mapping.dmp
-
memory/1600-54-0x0000000076461000-0x0000000076463000-memory.dmp
Filesize: 8KB
-
memory/1600-61-0x00000000002B0000-0x00000000002B4000-memory.dmp
Filesize: 16KB
-
memory/1784-71-0x0000000000000000-mapping.dmp
-
memory/1836-69-0x0000000000000000-mapping.dmp
-
memory/2004-75-0x0000000000000000-mapping.dmp