Analysis

max time kernel: 150s
max time network: 171s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-10-2022 00:50

Static task: static1
Behavioral task: behavioral1
Sample: accc8baa3c71a966f8b597ab43b7968ca8ed85976d963fe6f4cb9bff4e583bad.exe
Resource: win7-20220812-en

Note that the signature hits and memory dumps on this page are labelled behavioral2 and come from the Windows 10 2004 x64 run described by the platform fields above; the behavioral1 task listed here ran on the win7-20220812-en image and its results are not shown on this page.
General

Target: accc8baa3c71a966f8b597ab43b7968ca8ed85976d963fe6f4cb9bff4e583bad.exe
Size: 98KB
MD5: 6e45317a01df8ec402c4f7d7567d0882
SHA1: 2a0128427684e525847c9a34722811382cddbb21
SHA256: accc8baa3c71a966f8b597ab43b7968ca8ed85976d963fe6f4cb9bff4e583bad
SHA512: 8e3eaa4b3645263a8610dec8e410f20cdcb01401f7b421976329237c117e6c9154bd85ac2cb8a2f02b4c6e8ac547215aa999c275617e190b410c289964aae821
SSDEEP: 1536:U8DteyFl41q1dlor984L5028c/GYJ+n6pQjqMgliW92d9veKxjUWoy3JBX7:xDUyF5lor984Lv/XmdgoWsvX13L
Malware Config

Extracted family: pony
  http://laketys.pw:719/way/open.php
  http://voleddak.pw:719/way/open.php
  http://vopedala.pw:719/way/upd

Three C2 hosts, all on the non-standard TCP port 719. In Pony configurations the open.php-style URLs are the gates the stealer POSTs its harvested-credential report to, and a separate URL such as /way/upd is typically a download location for follow-on payloads (Pony is a loader as well as a stealer). The domains are the obvious blocklist entries; any outbound connection to port 719 is itself worth alerting on.
Signatures

YARA rule match: upx  5 IoCs
  The region 0x0000000000400000-0x000000000041D000 of PID 3604 (0x1D000 = 116KB, the standard image base of a 32-bit PE) matches the upx rule in all five dumps taken of it, so whatever is mapped there, the sample's own image or the payload the parent wrote into it, carries UPX markers. Work from one of these in-memory dumps rather than the 98KB file on disk for static analysis.
  resource: behavioral2/memory/3604-133-0x0000000000400000-0x000000000041D000-memory.dmp  yara_rule: upx
  resource: behavioral2/memory/3604-136-0x0000000000400000-0x000000000041D000-memory.dmp  yara_rule: upx
  resource: behavioral2/memory/3604-137-0x0000000000400000-0x000000000041D000-memory.dmp  yara_rule: upx
  resource: behavioral2/memory/3604-138-0x0000000000400000-0x000000000041D000-memory.dmp  yara_rule: upx
  resource: behavioral2/memory/3604-142-0x0000000000400000-0x000000000041D000-memory.dmp  yara_rule: upx
Checks computer location settings  2 TTPs  1 IoC
Looks up the country code configured in the registry, likely for geofencing.
  Key value queried: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation  (process: accc8baa3c71a966f8b597ab43b7968ca8ed85976d963fe6f4cb9bff4e583bad.exe)
Reads data files stored by FTP clients  2 TTPs
Tries to access configuration files associated with programs like FileZilla, which keep saved site credentials in XML files such as sitemanager.xml and recentservers.xml.

Reads user/profile data of web browsers  2 TTPs
Infostealers target stored browser data, which can include saved credentials.

Neither of these two signatures carries IoC rows on this page, so the specific files touched are not recorded here; on a live host, look for reads of the browser profile directories and of the FileZilla files above by either instance of the sample.
Accesses Microsoft Outlook accounts  1 TTPs  1 IoC
  Key opened: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts  (process: accc8baa3c71a966f8b597ab43b7968ca8ed85976d963fe6f4cb9bff4e583bad.exe)

Accesses Microsoft Outlook profiles  1 TTPs  1 IoC
  Key opened: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  (process: accc8baa3c71a966f8b597ab43b7968ca8ed85976d963fe6f4cb9bff4e583bad.exe)

Both keys hold Outlook's stored mail-account configuration, which is where saved mail passwords live (protected with DPAPI for the current user, so a process running as that user can read and decrypt them).
Checks installed software on the system  1 TTPs
Looks up Uninstall key entries in the registry to enumerate the software installed on the system.
Suspicious use of SetThreadContext  1 IoC
  PID 4204 set thread context of 3604  (accc8baa3c71a966f8b597ab43b7968ca8ed85976d963fe6f4cb9bff4e583bad.exe -> accc8baa3c71a966f8b597ab43b7968ca8ed85976d963fe6f4cb9bff4e583bad.exe)

Together with the eight WriteProcessMemory calls from 4204 into 3604 listed further down, this is the process-hollowing (RunPE) pattern: the first instance starts a second copy of itself, overwrites the child's image, and points the child's main thread at the new entry point with SetThreadContext. The registry, file and privilege IoCs below that name a PID all come from the child, 3604.
Drops file in Windows directory  2 IoCs
  File created: C:\Windows\SelfNotepad.exe  (process: accc8baa3c71a966f8b597ab43b7968ca8ed85976d963fe6f4cb9bff4e583bad.exe)
  File opened for modification: C:\Windows\SelfNotepad.exe  (process: accc8baa3c71a966f8b597ab43b7968ca8ed85976d963fe6f4cb9bff4e583bad.exe)

Creating a file directly under C:\Windows needs administrator rights; it succeeded here because the sandbox runs the sample as the Admin user (see the C:\Users\Admin paths). Under a standard user account this write fails, so on a hardened host the artefact may be absent even though the sample ran.
Enumerates physical storage devices  1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic note for this signature reads "likely ransomware behaviour", but nothing else in this report (no mass file writes, no encryption, no ransom note) supports that for this sample; treat it as reconnaissance of attached volumes rather than evidence of encryption.
Runs ping.exe  1 TTPs  1 IoC
  The IoC row is missing from this page; per the process tree below it is PID 3228, C:\Windows\SysWOW64\PING.EXE, "ping -n 10 localhost", used as a sleep before the sample overwrites its own file.
Suspicious behavior: EnumeratesProcesses  4 IoCs
  PID 4204 accc8baa3c71a966f8b597ab43b7968ca8ed85976d963fe6f4cb9bff4e583bad.exe  x4
Suspicious use of AdjustPrivilegeToken  48 IoCs
  PID 3604 (accc8baa3c71a966f8b597ab43b7968ca8ed85976d963fe6f4cb9bff4e583bad.exe) requested the same eight privileges six times over, 48 Token: entries in total, always in this order:
    SeImpersonatePrivilege
    SeTcbPrivilege
    SeChangeNotifyPrivilege
    SeCreateTokenPrivilege
    SeBackupPrivilege
    SeRestorePrivilege
    SeIncreaseQuotaPrivilege
    SeAssignPrimaryTokenPrivilege

AdjustTokenPrivileges can only enable privileges the token already holds, so these calls escalate nothing by themselves; they show intent. SeBackupPrivilege and SeRestorePrivilege bypass file and registry ACLs for reading and writing, which is what a stealer wants when copying other users' credential stores. SeTcbPrivilege, SeCreateTokenPrivilege and SeAssignPrimaryTokenPrivilege are not in the token of any interactive user, administrators included, so a process in a user profile asking for them is a usable detection on its own.
Suspicious use of SetWindowsHookEx  2 IoCs
  PID 4204 accc8baa3c71a966f8b597ab43b7968ca8ed85976d963fe6f4cb9bff4e583bad.exe  x2
Suspicious use of WriteProcessMemory  20 IoCs
  PID 4204 wrote to memory of 3604  x8  (accc8baa3c71a966f8b597ab43b7968ca8ed85976d963fe6f4cb9bff4e583bad.exe -> second instance of itself)
  PID 3604 wrote to memory of 2840  x3  (-> cmd.exe)
  PID 2840 wrote to memory of 1500  x3  (cmd.exe -> at.exe)
  PID 3604 wrote to memory of 3880  x3  (-> cmd.exe)
  PID 3880 wrote to memory of 3228  x3  (cmd.exe -> PING.EXE)

Only the first row is injection. The groups of three accompany ordinary process creation in these reports (the parent writes startup data into the child it has just created), so cmd.exe, at.exe and ping.exe are normal children of the processes that launched them, not injection targets.
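The injection chain and the cmd.exe command lines in this report translate directly into host-based detections. The Python below is an added example, not part of the Tria.ge report or of any vendor product: it reconstructs the report's events as a hand-built list (PIDs, images and command lines copied from this page; the record layout and the placeholder parent PID 1000 are assumptions, not a real EDR or Sysmon schema) and runs four detectors over them: self-hollowing (same image spawned as a child, written into, then SetThreadContext), hosts-file tampering scheduled through at.exe or schtasks, the ping-then-overwrite self-wipe, and a user-profile process requesting SYSTEM-only privileges.

```python
"""Host-based detections for the behaviours in this report.

Added example, not part of the sandbox report. EVENTS is constructed by hand to
mirror the report's process tree and signature IoCs (PIDs 4204, 3604, 2840,
1500, 3880, 3228); its record layout is an assumption, not a real EDR schema.
"""
import ntpath
import re
from collections import defaultdict

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\accc8baa3c71a966f8b597ab43b7968ca8ed85976d963fe6f4cb9bff4e583bad.exe")
HOSTS = r"C:\Windows\system32\drivers\etc\hosts"
# The eight privileges PID 3604 requested, six times over, per the report.
PRIVS = ["SeImpersonatePrivilege", "SeTcbPrivilege", "SeChangeNotifyPrivilege",
         "SeCreateTokenPrivilege", "SeBackupPrivilege", "SeRestorePrivilege",
         "SeIncreaseQuotaPrivilege", "SeAssignPrimaryTokenPrivilege"]
# Not present in any interactive user's token, administrators included.
SENSITIVE = {"SeTcbPrivilege", "SeCreateTokenPrivilege", "SeAssignPrimaryTokenPrivilege"}

AT_ARGS = (r'at 07:48:00 /every:T,M,F,W,Th,S,Su cmd.exe "/c attrib -H ' + HOSTS
           + r' && copy C:\Users\Admin\AppData\Local\Temp\240590093 ' + HOSTS
           + r' /Y && attrib +H ' + HOSTS + '"')
AT_CMD = (r'"C:\Windows\System32\cmd.exe" /c ' + AT_ARGS
          + r' && copy %WINDIR%\system32\drivers\etc\hosts %WINDIR%\system32\drivers\etc\hosts.sam /Y')
PING_CMD = r'"C:\Windows\System32\cmd.exe" /c ping -n 10 localhost && echo deleted>"' + SAMPLE + '"'
CMD, AT, PING = r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\at.exe", r"C:\Windows\SysWOW64\PING.EXE"

def _p(pid, ppid, image, cmdline):  # constructed process_create record
    return {"type": "process_create", "pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline}

EVENTS = [
    _p(4204, 1000, SAMPLE, f'"{SAMPLE}"'),          # ppid 1000 is a placeholder
    _p(3604, 4204, SAMPLE, SAMPLE),                  # second instance of itself
    *({"type": "write_process_memory", "pid": 4204, "target": 3604} for _ in range(8)),
    {"type": "set_thread_context", "pid": 4204, "target": 3604},
    *({"type": "adjust_privilege", "pid": 3604, "privilege": p} for p in PRIVS * 6),
    _p(2840, 3604, CMD, AT_CMD),
    _p(1500, 2840, AT, AT_ARGS),
    _p(3880, 3604, CMD, PING_CMD),
    _p(3228, 3880, PING, "ping -n 10 localhost"),
]

def _norm(path):
    return ntpath.normcase(path)  # lower-case, backslashes; works off-Windows too

HOSTS_RE = re.compile(r"drivers\\etc\\hosts\b", re.I)
EDIT_RE = re.compile(r"\b(copy|echo|attrib|move|del)\b", re.I)
SCHED_RE = re.compile(r"\b(at(\.exe)?\s+\d{1,2}:\d{2}|schtasks(\.exe)?\s+/create)\b", re.I)
# "ping -n N localhost" used as a sleep, then del or "echo x>" aimed at a path.
WIPE_RE = re.compile(r'ping\s+-n\s+\d+\s+(?:localhost|127\.0\.0\.1).*?&&?\s*'
                     r'(?:del\s+(?:/\w+\s+)*|echo\s+\S+\s*>)\s*"?([^"&]+?)"?\s*$', re.I)

def detect(events):
    """Return a list of (rule, pid, detail) findings."""
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    wrote = {(e["pid"], e["target"]) for e in events if e["type"] == "write_process_memory"}
    findings = []
    # 1. Self-hollowing: parent starts its own image, writes into it, then
    #    SetThreadContext retargets the child's thread (report: 4204 -> 3604).
    for e in events:
        if e["type"] != "set_thread_context":
            continue
        child, parent = procs.get(e["target"]), procs.get(e["pid"])
        if child and parent and child["ppid"] == e["pid"] and (e["pid"], e["target"]) in wrote \
                and _norm(child["image"]) == _norm(parent["image"]):
            findings.append(("process_hollowing_self", e["pid"], e["target"]))
    for p in procs.values():
        cl = p["cmdline"]
        # 2. hosts file rewritten, directly or through a scheduled job.
        if HOSTS_RE.search(cl) and EDIT_RE.search(cl):
            findings.append(("hosts_file_tamper", p["pid"],
                             "scheduled" if SCHED_RE.search(cl) else "direct"))
        # 3. Delayed self-wipe: the overwritten/deleted path is the parent's own image.
        m = WIPE_RE.search(cl)
        parent = procs.get(p["ppid"])
        if m and parent and _norm(m.group(1).strip()) == _norm(parent["image"]):
            findings.append(("delayed_self_wipe", p["pid"], parent["pid"]))
    # 4. A process outside System32 enabling SYSTEM-only privileges.
    asked = defaultdict(list)
    for e in events:
        if e["type"] == "adjust_privilege":
            asked[e["pid"]].append(e["privilege"])
    for pid, privs in asked.items():
        image = _norm(procs[pid]["image"]) if pid in procs else ""
        if SENSITIVE & set(privs) and not image.startswith("c:\\windows\\system32\\"):
            findings.append(("sensitive_privilege_request", pid, len(privs)))
    return findings

if __name__ == "__main__":
    for f in detect(EVENTS):
        print(*f)
```

Run against the reconstructed events this yields one finding per behaviour: the hollowing of 3604 by 4204, a scheduled hosts-file rewrite for both the cmd.exe (2840) and at.exe (1500) command lines, the self-wipe by 3880 aimed at its parent 3604's image, and 48 privilege requests from 3604. The self-wipe rule deliberately requires the target path to equal the parent's own image so that a build script sleeping with ping before deleting a temp file does not fire.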
outlook_win_path  1 IoC
  Key opened: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  (process: accc8baa3c71a966f8b597ab43b7968ca8ed85976d963fe6f4cb9bff4e583bad.exe)
Processes

C:\Users\Admin\AppData\Local\Temp\accc8baa3c71a966f8b597ab43b7968ca8ed85976d963fe6f4cb9bff4e583bad.exe  (PID 4204)
  "C:\Users\Admin\AppData\Local\Temp\accc8baa3c71a966f8b597ab43b7968ca8ed85976d963fe6f4cb9bff4e583bad.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\accc8baa3c71a966f8b597ab43b7968ca8ed85976d963fe6f4cb9bff4e583bad.exe  (PID 3604, hollowed second instance)
    C:\Users\Admin\AppData\Local\Temp\accc8baa3c71a966f8b597ab43b7968ca8ed85976d963fe6f4cb9bff4e583bad.exe
    - Checks computer location settings
    - Accesses Microsoft Outlook accounts
    - Accesses Microsoft Outlook profiles
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - outlook_win_path

    C:\Windows\SysWOW64\cmd.exe  (PID 2840)
      "C:\Windows\System32\cmd.exe" /c at 07:48:00 /every:T,M,F,W,Th,S,Su cmd.exe "/c attrib -H C:\Windows\system32\drivers\etc\hosts && copy C:\Users\Admin\AppData\Local\Temp\240590093 C:\Windows\system32\drivers\etc\hosts /Y && attrib +H C:\Windows\system32\drivers\etc\hosts" && copy %WINDIR%\system32\drivers\etc\hosts %WINDIR%\system32\drivers\etc\hosts.sam /Y
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\at.exe  (PID 1500)
        at 07:48:00 /every:T,M,F,W,Th,S,Su cmd.exe "/c attrib -H C:\Windows\system32\drivers\etc\hosts && copy C:\Users\Admin\AppData\Local\Temp\240590093 C:\Windows\system32\drivers\etc\hosts /Y && attrib +H C:\Windows\system32\drivers\etc\hosts"

    C:\Windows\SysWOW64\cmd.exe  (PID 3880)
      "C:\Windows\System32\cmd.exe" /c ping -n 10 localhost && echo deleted>"C:\Users\Admin\AppData\Local\Temp\accc8baa3c71a966f8b597ab43b7968ca8ed85976d963fe6f4cb9bff4e583bad.exe"
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\PING.EXE  (PID 3228)
        ping -n 10 localhost
        - Runs ping.exe

What the two cmd.exe chains do:

- Hosts-file hijack with persistence. The first chain asks the Task Scheduler's legacy at.exe interface to run, every day of the week at 07:48, a command that unhides C:\Windows\system32\drivers\etc\hosts, overwrites it with the dropped file C:\Users\Admin\AppData\Local\Temp\240590093 and hides it again; because the at command is chained with &&, the following copy of the current hosts file to hosts.sam only runs if at.exe succeeded. The contents of 240590093 are not shown on this page, but replacing hosts is how a stealer redirects or blocks chosen domains system-wide, and the hidden attribute keeps casual inspection from noticing. Two caveats: at.exe needs administrator rights (it talks to the Schedule service), and on Windows 8 and later it is deprecated and only prints a message pointing to schtasks.exe without creating the job, so on this Windows 10 2004 image the scheduled job would not have been created. Where it did run, the malware's own hosts.sam copy is a pre-replacement backup an incident responder can diff against and restore from.

- Delayed self-removal. The second chain uses ping -n 10 localhost as a roughly nine-second sleep so the parent can exit and release its file lock, then overwrites the sample on disk with the text "deleted" rather than deleting it. A file with the original name survives but holds only that string, so when collecting the binary from an infected host, recover it from the memory dumps listed below or from the sandbox rather than from the on-disk path.

Both chains run from C:\Windows\SysWOW64 even though the command lines name System32, confirming the sample is a 32-bit image (arch:x86 in the resource tags) running under WOW64 on the x64 host.
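The hosts-file replacement above leaves an incident responder two files to compare: the live hosts file and the hosts.sam copy the sample made before scheduling the rewrite. The Python below is an added example, not code from the report or from Tria.ge: it parses the Windows hosts format (comments, tabs, several names per line), reports every entry that is new or changed relative to the backup, and classifies each as a block (0.0.0.0 or loopback sinkhole) or a redirect. The report does not show the contents of the dropped file 240590093, so BACKUP and LIVE are constructed sample input using documentation-range addresses and example domains, not the real data.

```python
"""Diff a live Windows hosts file against a backup and classify hijacked entries.

Added example, not part of the sandbox report. It targets the chain above: the
sample copies hosts to hosts.sam, then schedules a job that overwrites hosts
with a dropped file and hides it. The report does not show that file's
contents, so LIVE and BACKUP below are constructed sample input with
documentation-range addresses, not the real dropped data.
"""
import ipaddress

# Constructed: what hosts.sam (the pre-infection copy) might hold.
BACKUP = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# 127.0.0.1       localhost
# ::1             localhost
10.0.0.5\tintranet.example   # legitimate local override
"""

# Constructed: a hosts file after replacement (same legit entry plus hijacks).
LIVE = BACKUP + """\
198.51.100.7  www.example-bank.test online.example-bank.test
0.0.0.0       updates.example-av.test
127.0.0.1     download.example-av.test
"""

def parse_hosts(text):
    """Return {hostname: ip} for every active entry; comments and junk are skipped.
    The first mapping seen for a name is kept; later duplicates are ignored."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # first column is not an address: ignore the line
        for name in parts[1:]:
            table.setdefault(name.lower(), str(ip))
    return table

def classify(ip):
    """'block' for sinkhole targets (0.0.0.0, loopback), otherwise 'redirect'."""
    a = ipaddress.ip_address(ip)
    return "block" if a.is_loopback or a.is_unspecified else "redirect"

def diff_hosts(live_text, backup_text):
    """Entries in the live file that are new or changed relative to the backup,
    as {hostname: (ip, kind)}. Unchanged entries are not reported."""
    live, backup = parse_hosts(live_text), parse_hosts(backup_text)
    return {name: (ip, classify(ip))
            for name, ip in live.items() if backup.get(name) != ip}

def removed_entries(live_text, backup_text):
    """Names that were in the backup but are gone from the live file."""
    return sorted(set(parse_hosts(backup_text)) - set(parse_hosts(live_text)))

if __name__ == "__main__":
    for name, (ip, kind) in sorted(diff_hosts(LIVE, BACKUP).items()):
        print(f"{kind:8} {name} -> {ip}")
```

Read the live file with the hidden attribute in mind: tools that skip hidden files will miss it, so open the path directly. Redirect entries (a bank domain sent to an attacker address) are the phishing/pharming case; block entries pointed at 0.0.0.0 or loopback are typically security-vendor update domains being sinkholed, and both classes should be reported separately because the remediation differs.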
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

memory/1500-140-0x0000000000000000-mapping.dmp
memory/2840-139-0x0000000000000000-mapping.dmp
memory/3228-143-0x0000000000000000-mapping.dmp
memory/3604-132-0x0000000000000000-mapping.dmp
memory/3604-133-0x0000000000400000-0x000000000041D000-memory.dmp  (116KB)
memory/3604-136-0x0000000000400000-0x000000000041D000-memory.dmp  (116KB)
memory/3604-137-0x0000000000400000-0x000000000041D000-memory.dmp  (116KB)
memory/3604-138-0x0000000000400000-0x000000000041D000-memory.dmp  (116KB)
memory/3604-142-0x0000000000400000-0x000000000041D000-memory.dmp  (116KB)
memory/3880-141-0x0000000000000000-mapping.dmp
memory/4204-135-0x0000000000A20000-0x0000000000A24000-memory.dmp  (16KB)

The five 116KB dumps are successive snapshots of the hollowed child's image (PID 3604, 0x400000-0x41D000) and are the ones to unpack and analyse; the 16KB dump from the parent (PID 4204) is a small region outside its image at 0xA20000. The mapping.dmp entries are process mapping records, not memory contents.