Analysis Overview
SHA256
3bf8155bd051945bf2e017311392ce5a03f5deef4cd02ef1521907d3c1607444
Threat Level: Known bad
The file 3bf8155bd051945bf2e017311392ce5a03f5deef4cd02ef1521907d3c1607444 was found to be: Known bad.
Malicious Activity Summary
Pony,Fareit
UPX packed file
Deletes itself
Unexpected DNS network traffic destination
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Accesses Microsoft Outlook accounts
Accesses Microsoft Outlook profiles
Suspicious use of SetThreadContext
outlook_win_path
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-11-19 01:41
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-11-19 01:41
Reported
2022-11-19 01:44
Platform
win7-20220812-en
Max time kernel
150s
Max time network
90s
Command Line
Signatures
Pony,Fareit
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
| Destination IP | 37.10.116.208 | N/A | N/A |
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Windows\SysWOW64\svchost.exe | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Windows\SysWOW64\svchost.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsMonitorConfigs32 = "\"C:\\Users\\Admin\\AppData\\Roaming\\SystemDriversReserved\\vemypywa.exe\"" | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1604 set thread context of 688 | N/A | C:\Users\Admin\AppData\Local\Temp\3bf8155bd051945bf2e017311392ce5a03f5deef4cd02ef1521907d3c1607444.exe | C:\Users\Admin\AppData\Local\Temp\3bf8155bd051945bf2e017311392ce5a03f5deef4cd02ef1521907d3c1607444.exe |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3bf8155bd051945bf2e017311392ce5a03f5deef4cd02ef1521907d3c1607444.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3bf8155bd051945bf2e017311392ce5a03f5deef4cd02ef1521907d3c1607444.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Windows\SysWOW64\svchost.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\3bf8155bd051945bf2e017311392ce5a03f5deef4cd02ef1521907d3c1607444.exe
"C:\Users\Admin\AppData\Local\Temp\3bf8155bd051945bf2e017311392ce5a03f5deef4cd02ef1521907d3c1607444.exe"
C:\Users\Admin\AppData\Local\Temp\3bf8155bd051945bf2e017311392ce5a03f5deef4cd02ef1521907d3c1607444.exe
"C:\Users\Admin\AppData\Local\Temp\3bf8155bd051945bf2e017311392ce5a03f5deef4cd02ef1521907d3c1607444.exe"
C:\Windows\SysWOW64\svchost.exe
svchost.exe
C:\Windows\SysWOW64\wbem\WMIC.exe
"C:\Windows\System32\wbem\WMIC.exe" nicconfig where IPEnabled=true call SetDNSServerSearchOrder (37.10.116.208,8.8.4.4)
Network
| Country | Destination | Domain | Proto |
| N/A | 37.10.116.208:53 | cleasexig.pw | udp |
| N/A | 8.8.4.4:53 | cleasexig.pw | udp |
| N/A | 8.8.4.4:53 | medalixe.pw | udp |
Files
memory/1604-54-0x0000000076DC1000-0x0000000076DC3000-memory.dmp
memory/688-55-0x0000000000400000-0x000000000040F000-memory.dmp
memory/688-58-0x0000000000400000-0x000000000040F000-memory.dmp
memory/688-59-0x0000000000400000-0x000000000040F000-memory.dmp
memory/688-60-0x0000000000400000-0x000000000040F000-memory.dmp
memory/688-61-0x0000000000400000-0x000000000040F000-memory.dmp
memory/688-63-0x0000000000400000-0x000000000040F000-memory.dmp
memory/688-64-0x00000000004014B9-mapping.dmp
memory/2028-66-0x0000000000000000-mapping.dmp
memory/688-67-0x0000000000400000-0x000000000040F000-memory.dmp
memory/2028-69-0x0000000000C60000-0x0000000000C68000-memory.dmp
memory/2028-70-0x00000000000C0000-0x00000000000CF000-memory.dmp
memory/1988-71-0x0000000000000000-mapping.dmp
memory/2028-72-0x00000000003B0000-0x00000000003D0000-memory.dmp
memory/2028-73-0x00000000003B0000-0x00000000003D0000-memory.dmp
memory/2028-74-0x00000000003B0000-0x00000000003D0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-11-19 01:41
Reported
2022-11-19 01:44
Platform
win10v2004-20221111-en
Max time kernel
174s
Max time network
183s
Command Line
Signatures
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3044 set thread context of 4124 | N/A | C:\Users\Admin\AppData\Local\Temp\3bf8155bd051945bf2e017311392ce5a03f5deef4cd02ef1521907d3c1607444.exe | C:\Users\Admin\AppData\Local\Temp\3bf8155bd051945bf2e017311392ce5a03f5deef4cd02ef1521907d3c1607444.exe |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3bf8155bd051945bf2e017311392ce5a03f5deef4cd02ef1521907d3c1607444.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3bf8155bd051945bf2e017311392ce5a03f5deef4cd02ef1521907d3c1607444.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3bf8155bd051945bf2e017311392ce5a03f5deef4cd02ef1521907d3c1607444.exe
"C:\Users\Admin\AppData\Local\Temp\3bf8155bd051945bf2e017311392ce5a03f5deef4cd02ef1521907d3c1607444.exe"
C:\Users\Admin\AppData\Local\Temp\3bf8155bd051945bf2e017311392ce5a03f5deef4cd02ef1521907d3c1607444.exe
"C:\Users\Admin\AppData\Local\Temp\3bf8155bd051945bf2e017311392ce5a03f5deef4cd02ef1521907d3c1607444.exe"
C:\Windows\SysWOW64\svchost.exe
svchost.exe
Network
| Country | Destination | Domain | Proto |
| N/A | 20.82.228.9:443 | | tcp |
| N/A | 52.109.8.86:443 | | tcp |
| N/A | 8.238.24.126:80 | | tcp |
| N/A | 93.184.220.29:80 | | tcp |
| N/A | 104.46.162.224:443 | | tcp |
| N/A | 104.80.225.205:443 | | tcp |
| N/A | 8.238.24.126:80 | | tcp |
| N/A | 8.238.24.126:80 | | tcp |
| N/A | 8.238.24.126:80 | | tcp |
| N/A | 8.238.24.126:80 | | tcp |
Files
memory/4124-132-0x0000000000000000-mapping.dmp
memory/4124-133-0x0000000000400000-0x000000000040F000-memory.dmp
memory/1580-134-0x0000000000000000-mapping.dmp
memory/4124-135-0x0000000000400000-0x000000000040F000-memory.dmp