Analysis

Max time kernel: 130s
Max time network: 146s
Platform: windows7_x64
Resource: win7-20220812-en
Resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
Submitted: 03-10-2022 01:33
Static task: static1

Behavioral task: behavioral1
Sample: 1aa37a184693a2c59561f2415ade1c10f679d38d7a56e5db3de9aba4fc0983e7.exe
Resource: win7-20220812-en

Behavioral task: behavioral2
Sample: 1aa37a184693a2c59561f2415ade1c10f679d38d7a56e5db3de9aba4fc0983e7.exe
Resource: win10v2004-20220901-en
General

Target: 1aa37a184693a2c59561f2415ade1c10f679d38d7a56e5db3de9aba4fc0983e7.exe
Size: 134KB
MD5: 4dd9280fcb66e30c3a4c18f1d1b7f0ca
SHA1: 33c5e9a4ff30fbc4b6ae7a09b59d83a6694b4960
SHA256: 1aa37a184693a2c59561f2415ade1c10f679d38d7a56e5db3de9aba4fc0983e7
SHA512: 32213a0b67110bfe265a0bc357cc16535a41bfcce20c885227e60cfd1c471e7a7b68d8b7ea3948ab9d6ce874b8c77494f7f4e5f7c313efcfaaefb835ae026086
SSDEEP: 3072:MkblZSkc5IPC2K7ma7/4tKqD3boLUaUPfePgY:xbbSYPC2Xa7/4tbci3yg
Malware Config

Extracted family: pony

C2 URLs:
- http://116.122.158.195:8080/forum/viewtopic.php
- http://talentos.clicken1.com:81/forum/viewtopic.php
- http://panama.clicken1.com:81/forum/viewtopic.php
- http://monteazul.clicken1.com:81/forum/viewtopic.php

payload_url:
- http://ftp.abssolute.net/G1MeG8Rc.exe
- http://bhairavijaikishan.com/Ns89C.exe
- http://unarazonmasparasonreir.com.mx/vJh.exe
Signatures

- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Accesses Microsoft Outlook accounts (1 TTP, 1 IoC)
  Processes:
  description: Key opened
  ioc: \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
  process: 1aa37a184693a2c59561f2415ade1c10f679d38d7a56e5db3de9aba4fc0983e7.exe

- Accesses Microsoft Outlook profiles (1 TTP, 1 IoC)
  Processes:
  description: Key opened
  ioc: \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
  process: 1aa37a184693a2c59561f2415ade1c10f679d38d7a56e5db3de9aba4fc0983e7.exe

- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

- Suspicious use of AdjustPrivilegeToken (8 IoCs)
  Processes (pid 1884, 1aa37a184693a2c59561f2415ade1c10f679d38d7a56e5db3de9aba4fc0983e7.exe):
  Token: SeImpersonatePrivilege
  Token: SeTcbPrivilege
  Token: SeChangeNotifyPrivilege
  Token: SeCreateTokenPrivilege
  Token: SeBackupPrivilege
  Token: SeRestorePrivilege
  Token: SeIncreaseQuotaPrivilege
  Token: SeAssignPrimaryTokenPrivilege

- outlook_win_path (1 IoC)
  Processes:
  description: Key opened
  ioc: \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
  process: 1aa37a184693a2c59561f2415ade1c10f679d38d7a56e5db3de9aba4fc0983e7.exe
Processes

Path: C:\Users\Admin\AppData\Local\Temp\1aa37a184693a2c59561f2415ade1c10f679d38d7a56e5db3de9aba4fc0983e7.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1aa37a184693a2c59561f2415ade1c10f679d38d7a56e5db3de9aba4fc0983e7.exe"
Signatures:
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_win_path