Analysis
max time kernel: 150s
max time network: 90s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 19/11/2022, 01:41
Static task: static1
Behavioral task: behavioral1
  Sample: 3bf8155bd051945bf2e017311392ce5a03f5deef4cd02ef1521907d3c1607444.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 3bf8155bd051945bf2e017311392ce5a03f5deef4cd02ef1521907d3c1607444.exe
  Resource: win10v2004-20221111-en
General
Target: 3bf8155bd051945bf2e017311392ce5a03f5deef4cd02ef1521907d3c1607444.exe
Size: 121KB
MD5: 35798c129c35ad80e44e8b206ccf3250
SHA1: d27f5850cd5f497d9d67185c0b88c7ec28d40f39
SHA256: 3bf8155bd051945bf2e017311392ce5a03f5deef4cd02ef1521907d3c1607444
SHA512: 19dc093ed92d7e58c40e4c65c8437efbc013c912ce7fa79017f830f862372b48a10d710b9867101a089f03c1ee283f607e766a7e7fb461cf040e89f03c3391e0
SSDEEP: 3072:53K1Pot8QcrD1W6c+5s7d2a+e874/MHiswK:53K1BXs7ca+e5UCsZ
Malware Config
Extracted: pony
  http://cleasexig.pw:65/in/pay.php
  http://medalixe.pw:65/in/buy.php
Signatures
YARA rule matches (resource / yara_rule)
  behavioral1/memory/2028-72-0x00000000003B0000-0x00000000003D0000-memory.dmp  upx
  behavioral1/memory/2028-73-0x00000000003B0000-0x00000000003D0000-memory.dmp  upx
  behavioral1/memory/2028-74-0x00000000003B0000-0x00000000003D0000-memory.dmp  upx
Deletes itself (1 IoC)
  pid 2028  svchost.exe
Unexpected DNS network traffic destination (1 IoC)
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
  Destination IP: 37.10.116.208
Accesses Microsoft Outlook accounts (1 TTP, 1 IoC)
  Key opened: \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts  (svchost.exe)
Accesses Microsoft Outlook profiles (1 TTP, 1 IoC)
  Key opened: \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  (svchost.exe)
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsMonitorConfigs32 = "\"C:\\Users\\Admin\\AppData\\Roaming\\SystemDriversReserved\\vemypywa.exe\""  (svchost.exe)
Suspicious use of SetThreadContext (1 IoC)
  PID 1604 (3bf8155bd051945bf2e017311392ce5a03f5deef4cd02ef1521907d3c1607444.exe) set thread context of 688; procid_target 28
Suspicious behavior: MapViewOfSection (2 IoCs)
  pid 688  3bf8155bd051945bf2e017311392ce5a03f5deef4cd02ef1521907d3c1607444.exe
  pid 688  3bf8155bd051945bf2e017311392ce5a03f5deef4cd02ef1521907d3c1607444.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of WriteProcessMemory (19 IoCs)
outlook_win_path (1 IoC)
  Key opened: \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  (svchost.exe)
Processes
1. C:\Users\Admin\AppData\Local\Temp\3bf8155bd051945bf2e017311392ce5a03f5deef4cd02ef1521907d3c1607444.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\3bf8155bd051945bf2e017311392ce5a03f5deef4cd02ef1521907d3c1607444.exe"
   PID: 1604
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\3bf8155bd051945bf2e017311392ce5a03f5deef4cd02ef1521907d3c1607444.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\3bf8155bd051945bf2e017311392ce5a03f5deef4cd02ef1521907d3c1607444.exe"
      PID: 688
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\svchost.exe
         Command line: svchost.exe
         PID: 2028
         - Deletes itself
         - Accesses Microsoft Outlook accounts
         - Accesses Microsoft Outlook profiles
         - Adds Run key to start application
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
         - outlook_win_path
         4. C:\Windows\SysWOW64\wbem\WMIC.exe
            Command line: "C:\Windows\System32\wbem\WMIC.exe" nicconfig where IPEnabled=true call SetDNSServerSearchOrder (37.10.116.208,8.8.4.4)
            PID: 1988
            - Suspicious use of AdjustPrivilegeToken