Analysis
-
max time kernel
134s -
max time network
148s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
03-10-2022 01:08
Static task
static1
Behavioral task
behavioral1
Sample
6cdcfd97a0955208e5dd00f328610aee1c2c7d3cc3353012de580cdb04d93a03.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
6cdcfd97a0955208e5dd00f328610aee1c2c7d3cc3353012de580cdb04d93a03.exe
Resource
win10v2004-20220812-en
General
-
Target
6cdcfd97a0955208e5dd00f328610aee1c2c7d3cc3353012de580cdb04d93a03.exe
-
Size
108KB
-
MD5
6e65a62804f1bf9ab7ee3a74412639d0
-
SHA1
d8286779b0eff4bf88525a0d74fe2e46a5a739e8
-
SHA256
6cdcfd97a0955208e5dd00f328610aee1c2c7d3cc3353012de580cdb04d93a03
-
SHA512
944f52e7ecd92f36139b34a7269b9d7e4b6412305127dcbe1e508fc95584a7772de9b5054ae6b0d7016f6823d933ba940ee6068368e4bfe2ceed7c3f76628b12
-
SSDEEP
1536:ZhhqTEincoMNbZSpSYi6gLeXxliJKwQJm7tpp7PYBSGV2L5E2fMHxKgwC:LKEincoYSpSY1MeBlMBppsBBIV1Uw
Malware Config
Extracted
pony
http://admin.vojtekracing.hu:8080/forum/viewtopic.php
http://media.vojtekracing.hu:8080/forum/viewtopic.php
http://vojtekracing.hu:8080/forum/viewtopic.php
http://195.5.208.204:8080/forum/viewtopic.php
-
payload_url
http://www.depostduif.com/CgSe7PMo/Wq9YM.exe
http://02b123c.netsolhost.com/2pNzchs3/RtH.exe
http://etaphavacilik.com/D3ppyZsm/BYQ.exe
http://hc121012.smartconfig.net/UqzyfYAz/KXsRz4.exe
http://matrimonialz.com/teT5MwkC/zv9B.exe
http://www.eicher-fenster.de/tWUmLKoB/SPijrE.exe
Signatures
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
6cdcfd97a0955208e5dd00f328610aee1c2c7d3cc3353012de580cdb04d93a03.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts 6cdcfd97a0955208e5dd00f328610aee1c2c7d3cc3353012de580cdb04d93a03.exe -
Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
Processes:
6cdcfd97a0955208e5dd00f328610aee1c2c7d3cc3353012de580cdb04d93a03.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook 6cdcfd97a0955208e5dd00f328610aee1c2c7d3cc3353012de580cdb04d93a03.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes:
6cdcfd97a0955208e5dd00f328610aee1c2c7d3cc3353012de580cdb04d93a03.exedescription pid process Token: SeImpersonatePrivilege 1760 6cdcfd97a0955208e5dd00f328610aee1c2c7d3cc3353012de580cdb04d93a03.exe Token: SeTcbPrivilege 1760 6cdcfd97a0955208e5dd00f328610aee1c2c7d3cc3353012de580cdb04d93a03.exe Token: SeChangeNotifyPrivilege 1760 6cdcfd97a0955208e5dd00f328610aee1c2c7d3cc3353012de580cdb04d93a03.exe Token: SeCreateTokenPrivilege 1760 6cdcfd97a0955208e5dd00f328610aee1c2c7d3cc3353012de580cdb04d93a03.exe Token: SeBackupPrivilege 1760 6cdcfd97a0955208e5dd00f328610aee1c2c7d3cc3353012de580cdb04d93a03.exe Token: SeRestorePrivilege 1760 6cdcfd97a0955208e5dd00f328610aee1c2c7d3cc3353012de580cdb04d93a03.exe Token: SeIncreaseQuotaPrivilege 1760 6cdcfd97a0955208e5dd00f328610aee1c2c7d3cc3353012de580cdb04d93a03.exe Token: SeAssignPrimaryTokenPrivilege 1760 6cdcfd97a0955208e5dd00f328610aee1c2c7d3cc3353012de580cdb04d93a03.exe -
outlook_win_path 1 IoCs
Processes:
6cdcfd97a0955208e5dd00f328610aee1c2c7d3cc3353012de580cdb04d93a03.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook 6cdcfd97a0955208e5dd00f328610aee1c2c7d3cc3353012de580cdb04d93a03.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\6cdcfd97a0955208e5dd00f328610aee1c2c7d3cc3353012de580cdb04d93a03.exe"C:\Users\Admin\AppData\Local\Temp\6cdcfd97a0955208e5dd00f328610aee1c2c7d3cc3353012de580cdb04d93a03.exe"1⤵
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_win_path