Analysis
max time kernel: 113s
max time network: 139s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-10-2022 00:47
Static task: static1
Behavioral task: behavioral1
Sample: b350e381f7e0f41b2d941a9d59096b769ff1a46067fcfa5fcc3577026a0a8c9e.exe
Resource: win7-20220901-en
General
Target: b350e381f7e0f41b2d941a9d59096b769ff1a46067fcfa5fcc3577026a0a8c9e.exe
Size: 106KB
MD5: 34edb846d0d38edd94dfc20caad8bdb6
SHA1: 09d3e2adc6d084bccad6471e5f31d619f1b1f364
SHA256: b350e381f7e0f41b2d941a9d59096b769ff1a46067fcfa5fcc3577026a0a8c9e
SHA512: 40f54840015434dde4a8e74294871de80f293b78dfcfff06bc821224f6f3a8fc76fc3934813890b6ce2fd8351f51e1efdd7892d46c0686a9a99ffe86adba52db
SSDEEP: 1536:nHNyobUKPbS8tEMdZqC4L8zCSI97QUDq4ldsVpSzCzGwt57VJnb:nH0obUkS8tEMdZqCU+Cf97/zsjS+trnb
Malware Config
Extracted: pony
  http://ledosadik.pw:719/way/open.php
  http://virmataje.pw:719/way/open.php
Signatures
Processes:
  resource                                                                       yara_rule
  behavioral2/memory/2240-134-0x0000000000400000-0x000000000041D000-memory.dmp  upx
  behavioral2/memory/2240-136-0x0000000000400000-0x000000000041D000-memory.dmp  upx
  behavioral2/memory/2240-137-0x0000000000400000-0x000000000041D000-memory.dmp  upx
  behavioral2/memory/2240-138-0x0000000000400000-0x000000000041D000-memory.dmp  upx
  behavioral2/memory/2240-139-0x0000000000400000-0x000000000041D000-memory.dmp  upx
  behavioral2/memory/2240-144-0x0000000000400000-0x000000000041D000-memory.dmp  upx
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: b350e381f7e0f41b2d941a9d59096b769ff1a46067fcfa5fcc3577026a0a8c9e.exe
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation
  process: b350e381f7e0f41b2d941a9d59096b769ff1a46067fcfa5fcc3577026a0a8c9e.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes: b350e381f7e0f41b2d941a9d59096b769ff1a46067fcfa5fcc3577026a0a8c9e.exe
  description: Key opened
  ioc: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
  process: b350e381f7e0f41b2d941a9d59096b769ff1a46067fcfa5fcc3577026a0a8c9e.exe
Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
Processes: b350e381f7e0f41b2d941a9d59096b769ff1a46067fcfa5fcc3577026a0a8c9e.exe
  description: Key opened
  ioc: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
  process: b350e381f7e0f41b2d941a9d59096b769ff1a46067fcfa5fcc3577026a0a8c9e.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
Processes: b350e381f7e0f41b2d941a9d59096b769ff1a46067fcfa5fcc3577026a0a8c9e.exe
  description: PID 3888 set thread context of 2240
  pid: 3888
  process: b350e381f7e0f41b2d941a9d59096b769ff1a46067fcfa5fcc3577026a0a8c9e.exe
  target process: b350e381f7e0f41b2d941a9d59096b769ff1a46067fcfa5fcc3577026a0a8c9e.exe
Drops file in Windows directory 2 IoCs
Processes: b350e381f7e0f41b2d941a9d59096b769ff1a46067fcfa5fcc3577026a0a8c9e.exe
  description                   ioc                         process
  File created                  C:\Windows\SelfNotepad.exe  b350e381f7e0f41b2d941a9d59096b769ff1a46067fcfa5fcc3577026a0a8c9e.exe
  File opened for modification  C:\Windows\SelfNotepad.exe  b350e381f7e0f41b2d941a9d59096b769ff1a46067fcfa5fcc3577026a0a8c9e.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes: WerFault.exe
  pid: 3396
  pid_target: 3888
  process: WerFault.exe
  target process: b350e381f7e0f41b2d941a9d59096b769ff1a46067fcfa5fcc3577026a0a8c9e.exe
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes: b350e381f7e0f41b2d941a9d59096b769ff1a46067fcfa5fcc3577026a0a8c9e.exe
  pid   process
  3888  b350e381f7e0f41b2d941a9d59096b769ff1a46067fcfa5fcc3577026a0a8c9e.exe
  3888  b350e381f7e0f41b2d941a9d59096b769ff1a46067fcfa5fcc3577026a0a8c9e.exe
  3888  b350e381f7e0f41b2d941a9d59096b769ff1a46067fcfa5fcc3577026a0a8c9e.exe
  3888  b350e381f7e0f41b2d941a9d59096b769ff1a46067fcfa5fcc3577026a0a8c9e.exe
Suspicious use of AdjustPrivilegeToken 48 IoCs
Processes:
Suspicious use of SetWindowsHookEx 1 IoCs
Processes: b350e381f7e0f41b2d941a9d59096b769ff1a46067fcfa5fcc3577026a0a8c9e.exe
  pid: 3888
  process: b350e381f7e0f41b2d941a9d59096b769ff1a46067fcfa5fcc3577026a0a8c9e.exe
Suspicious use of WriteProcessMemory 20 IoCs
Processes: b350e381f7e0f41b2d941a9d59096b769ff1a46067fcfa5fcc3577026a0a8c9e.exe, b350e381f7e0f41b2d941a9d59096b769ff1a46067fcfa5fcc3577026a0a8c9e.exe, cmd.exe, cmd.exe
  description                          pid   process                                                                   target process
  PID 3888 wrote to memory of 2240     3888  b350e381f7e0f41b2d941a9d59096b769ff1a46067fcfa5fcc3577026a0a8c9e.exe  b350e381f7e0f41b2d941a9d59096b769ff1a46067fcfa5fcc3577026a0a8c9e.exe
  PID 3888 wrote to memory of 2240     3888  b350e381f7e0f41b2d941a9d59096b769ff1a46067fcfa5fcc3577026a0a8c9e.exe  b350e381f7e0f41b2d941a9d59096b769ff1a46067fcfa5fcc3577026a0a8c9e.exe
  PID 3888 wrote to memory of 2240     3888  b350e381f7e0f41b2d941a9d59096b769ff1a46067fcfa5fcc3577026a0a8c9e.exe  b350e381f7e0f41b2d941a9d59096b769ff1a46067fcfa5fcc3577026a0a8c9e.exe
  PID 3888 wrote to memory of 2240     3888  b350e381f7e0f41b2d941a9d59096b769ff1a46067fcfa5fcc3577026a0a8c9e.exe  b350e381f7e0f41b2d941a9d59096b769ff1a46067fcfa5fcc3577026a0a8c9e.exe
  PID 3888 wrote to memory of 2240     3888  b350e381f7e0f41b2d941a9d59096b769ff1a46067fcfa5fcc3577026a0a8c9e.exe  b350e381f7e0f41b2d941a9d59096b769ff1a46067fcfa5fcc3577026a0a8c9e.exe
  PID 3888 wrote to memory of 2240     3888  b350e381f7e0f41b2d941a9d59096b769ff1a46067fcfa5fcc3577026a0a8c9e.exe  b350e381f7e0f41b2d941a9d59096b769ff1a46067fcfa5fcc3577026a0a8c9e.exe
  PID 3888 wrote to memory of 2240     3888  b350e381f7e0f41b2d941a9d59096b769ff1a46067fcfa5fcc3577026a0a8c9e.exe  b350e381f7e0f41b2d941a9d59096b769ff1a46067fcfa5fcc3577026a0a8c9e.exe
  PID 3888 wrote to memory of 2240     3888  b350e381f7e0f41b2d941a9d59096b769ff1a46067fcfa5fcc3577026a0a8c9e.exe  b350e381f7e0f41b2d941a9d59096b769ff1a46067fcfa5fcc3577026a0a8c9e.exe
  PID 2240 wrote to memory of 3640     2240  b350e381f7e0f41b2d941a9d59096b769ff1a46067fcfa5fcc3577026a0a8c9e.exe  cmd.exe
  PID 2240 wrote to memory of 3640     2240  b350e381f7e0f41b2d941a9d59096b769ff1a46067fcfa5fcc3577026a0a8c9e.exe  cmd.exe
  PID 2240 wrote to memory of 3640     2240  b350e381f7e0f41b2d941a9d59096b769ff1a46067fcfa5fcc3577026a0a8c9e.exe  cmd.exe
  PID 3640 wrote to memory of 3796     3640  cmd.exe                                                                   at.exe
  PID 3640 wrote to memory of 3796     3640  cmd.exe                                                                   at.exe
  PID 3640 wrote to memory of 3796     3640  cmd.exe                                                                   at.exe
  PID 2240 wrote to memory of 4348     2240  b350e381f7e0f41b2d941a9d59096b769ff1a46067fcfa5fcc3577026a0a8c9e.exe  cmd.exe
  PID 2240 wrote to memory of 4348     2240  b350e381f7e0f41b2d941a9d59096b769ff1a46067fcfa5fcc3577026a0a8c9e.exe  cmd.exe
  PID 2240 wrote to memory of 4348     2240  b350e381f7e0f41b2d941a9d59096b769ff1a46067fcfa5fcc3577026a0a8c9e.exe  cmd.exe
  PID 4348 wrote to memory of 3320     4348  cmd.exe                                                                   PING.EXE
  PID 4348 wrote to memory of 3320     4348  cmd.exe                                                                   PING.EXE
  PID 4348 wrote to memory of 3320     4348  cmd.exe                                                                   PING.EXE
outlook_win_path 1 IoCs
Processes: b350e381f7e0f41b2d941a9d59096b769ff1a46067fcfa5fcc3577026a0a8c9e.exe
  description: Key opened
  ioc: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
  process: b350e381f7e0f41b2d941a9d59096b769ff1a46067fcfa5fcc3577026a0a8c9e.exe
Processes
depth 1: C:\Users\Admin\AppData\Local\Temp\b350e381f7e0f41b2d941a9d59096b769ff1a46067fcfa5fcc3577026a0a8c9e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b350e381f7e0f41b2d941a9d59096b769ff1a46067fcfa5fcc3577026a0a8c9e.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  depth 2: C:\Users\Admin\AppData\Local\Temp\b350e381f7e0f41b2d941a9d59096b769ff1a46067fcfa5fcc3577026a0a8c9e.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\b350e381f7e0f41b2d941a9d59096b769ff1a46067fcfa5fcc3577026a0a8c9e.exe
    - Checks computer location settings
    - Accesses Microsoft Outlook accounts
    - Accesses Microsoft Outlook profiles
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - outlook_win_path

    depth 3: C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c at 07:39:00 /every:T,M,F,W,Th,S,Su cmd.exe "/c attrib -H C:\Windows\system32\drivers\etc\hosts && copy C:\Users\Admin\AppData\Local\Temp\240583046 C:\Windows\system32\drivers\etc\hosts /Y && attrib +H C:\Windows\system32\drivers\etc\hosts" && copy %WINDIR%\system32\drivers\etc\hosts %WINDIR%\system32\drivers\etc\hosts.sam /Y
      - Suspicious use of WriteProcessMemory

      depth 4: C:\Windows\SysWOW64\at.exe
        Command line: at 07:39:00 /every:T,M,F,W,Th,S,Su cmd.exe "/c attrib -H C:\Windows\system32\drivers\etc\hosts && copy C:\Users\Admin\AppData\Local\Temp\240583046 C:\Windows\system32\drivers\etc\hosts /Y && attrib +H C:\Windows\system32\drivers\etc\hosts"

    depth 3: C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping -n 10 localhost && echo deleted>"C:\Users\Admin\AppData\Local\Temp\b350e381f7e0f41b2d941a9d59096b769ff1a46067fcfa5fcc3577026a0a8c9e.exe"
      - Suspicious use of WriteProcessMemory

      depth 4: C:\Windows\SysWOW64\PING.EXE
        Command line: ping -n 10 localhost
        - Runs ping.exe

  depth 2: C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3888 -s 248
    - Program crash

depth 1: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3888 -ip 3888
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/2240-133-0x0000000000000000-mapping.dmp
- memory/2240-134-0x0000000000400000-0x000000000041D000-memory.dmp (Filesize 116KB)
- memory/2240-136-0x0000000000400000-0x000000000041D000-memory.dmp (Filesize 116KB)
- memory/2240-137-0x0000000000400000-0x000000000041D000-memory.dmp (Filesize 116KB)
- memory/2240-138-0x0000000000400000-0x000000000041D000-memory.dmp (Filesize 116KB)
- memory/2240-139-0x0000000000400000-0x000000000041D000-memory.dmp (Filesize 116KB)
- memory/2240-144-0x0000000000400000-0x000000000041D000-memory.dmp (Filesize 116KB)
- memory/3320-143-0x0000000000000000-mapping.dmp
- memory/3640-140-0x0000000000000000-mapping.dmp
- memory/3796-141-0x0000000000000000-mapping.dmp
- memory/3888-132-0x0000000000A70000-0x0000000000A74000-memory.dmp (Filesize 16KB)
- memory/4348-142-0x0000000000000000-mapping.dmp