Analysis

max time kernel: 150s
max time network: 32s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 19/11/2022, 01:48

Static task: static1
Behavioral task: behavioral1
Sample: 09b3f6ca7f1d00d42d1c3020cbfebc9170e33a171215180393e5a473452f373b.exe
Resource: win7-20221111-en
General

Target: 09b3f6ca7f1d00d42d1c3020cbfebc9170e33a171215180393e5a473452f373b.exe
Size: 252KB
MD5: 1730848cbc6b8b2c6b0316cfea0f8ec0
SHA1: b6c7cba640fc566e217b4dda9d8e02ed23e9bfe8
SHA256: 09b3f6ca7f1d00d42d1c3020cbfebc9170e33a171215180393e5a473452f373b
SHA512: 93d83077b849959b260d362ccf61d2bbb83078c5f84b61c8a4f923c0b66cdd8163d03fc735834cedbf33341e79bdda839a57a3a70398d0364be314ecadd5245f
SSDEEP: 3072:nGvgFhJM4uIo7Lox3DeeNK4VJauRGT7/gNc/TMS/CroSSW5j2Cr0QJovLpuIo1Pw:nIgFDM4u0xaeNhceiPoJkDCjxXsLU
Malware Config

Extracted family: pony
Extracted URLs:
- http://www.khalilmotors.com/cvme/gate.php
- http://khalilmotors.com/cv/cv1/gate.php
Signatures

Executes dropped EXE (3 IoCs)
  pid   Process
  1988  mypony.exe
  480   09b3f6ca7f1d00d42d1c3020cbfebc9170e33a171215180393e5a473452f373b.exe
  1332  csrss.exe

Loads dropped DLL (5 IoCs)
  pid   Process
  2032  09b3f6ca7f1d00d42d1c3020cbfebc9170e33a171215180393e5a473452f373b.exe  (5 identical entries)

Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook accounts (1 TTPs, 2 IoCs)
  description  Process                                                                Key (ioc)
  Key opened   09b3f6ca7f1d00d42d1c3020cbfebc9170e33a171215180393e5a473452f373b.exe  \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
  Key opened   mypony.exe                                                             \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts

Accesses Microsoft Outlook profiles (1 TTPs, 2 IoCs)
  description  Process                                                                Key (ioc)
  Key opened   09b3f6ca7f1d00d42d1c3020cbfebc9170e33a171215180393e5a473452f373b.exe  \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
  Key opened   mypony.exe                                                             \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook

Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of SetThreadContext (1 IoCs)
  description                         pid   Process                                                                procid_target
  PID 2032 set thread context of 480  2032  09b3f6ca7f1d00d42d1c3020cbfebc9170e33a171215180393e5a473452f373b.exe  29

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  1332  csrss.exe  (64 identical entries)

Suspicious use of AdjustPrivilegeToken (64 IoCs; distinct token/process pairs shown)
  description                           pid   Process
  Token: SeImpersonatePrivilege         1988  mypony.exe
  Token: SeTcbPrivilege                 1988  mypony.exe
  Token: SeChangeNotifyPrivilege        1988  mypony.exe
  Token: SeCreateTokenPrivilege         1988  mypony.exe
  Token: SeBackupPrivilege              1988  mypony.exe
  Token: SeRestorePrivilege             1988  mypony.exe
  Token: SeIncreaseQuotaPrivilege       1988  mypony.exe
  Token: SeAssignPrimaryTokenPrivilege  1988  mypony.exe
  Token: SeImpersonatePrivilege         480   09b3f6ca7f1d00d42d1c3020cbfebc9170e33a171215180393e5a473452f373b.exe
  Token: SeTcbPrivilege                 480   09b3f6ca7f1d00d42d1c3020cbfebc9170e33a171215180393e5a473452f373b.exe
  Token: SeChangeNotifyPrivilege        480   09b3f6ca7f1d00d42d1c3020cbfebc9170e33a171215180393e5a473452f373b.exe
  Token: SeCreateTokenPrivilege         480   09b3f6ca7f1d00d42d1c3020cbfebc9170e33a171215180393e5a473452f373b.exe
  Token: SeBackupPrivilege              480   09b3f6ca7f1d00d42d1c3020cbfebc9170e33a171215180393e5a473452f373b.exe
  Token: SeRestorePrivilege             480   09b3f6ca7f1d00d42d1c3020cbfebc9170e33a171215180393e5a473452f373b.exe
  Token: SeIncreaseQuotaPrivilege       480   09b3f6ca7f1d00d42d1c3020cbfebc9170e33a171215180393e5a473452f373b.exe
  Token: SeAssignPrimaryTokenPrivilege  480   09b3f6ca7f1d00d42d1c3020cbfebc9170e33a171215180393e5a473452f373b.exe
  Token: SeDebugPrivilege               1332  csrss.exe

Suspicious use of WriteProcessMemory (17 IoCs)
  description                        pid   Process                                                                procid_target  entries
  PID 2032 wrote to memory of 1988   2032  09b3f6ca7f1d00d42d1c3020cbfebc9170e33a171215180393e5a473452f373b.exe  28             4
  PID 2032 wrote to memory of 480    2032  09b3f6ca7f1d00d42d1c3020cbfebc9170e33a171215180393e5a473452f373b.exe  29             9
  PID 2032 wrote to memory of 1332   2032  09b3f6ca7f1d00d42d1c3020cbfebc9170e33a171215180393e5a473452f373b.exe  30             4

outlook_win_path (1 IoCs)
  description  Process     Key (ioc)
  Key opened   mypony.exe  \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Processes

C:\Users\Admin\AppData\Local\Temp\09b3f6ca7f1d00d42d1c3020cbfebc9170e33a171215180393e5a473452f373b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\09b3f6ca7f1d00d42d1c3020cbfebc9170e33a171215180393e5a473452f373b.exe"
  PID: 2032
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\mypony.exe
    Command line: "C:\Users\Admin\AppData\Roaming\mypony.exe"
    PID: 1988
    - Executes dropped EXE
    - Accesses Microsoft Outlook accounts
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_win_path

  C:\Users\Admin\AppData\Local\Temp\09b3f6ca7f1d00d42d1c3020cbfebc9170e33a171215180393e5a473452f373b.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\09b3f6ca7f1d00d42d1c3020cbfebc9170e33a171215180393e5a473452f373b.exe"
    PID: 480
    - Executes dropped EXE
    - Accesses Microsoft Outlook accounts
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\csrss.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\csrss.exe" -keyhide -prochide 480
    PID: 1332
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\09b3f6ca7f1d00d42d1c3020cbfebc9170e33a171215180393e5a473452f373b.exe
(also listed as \Users\Admin\AppData\Local\Temp\09b3f6ca7f1d00d42d1c3020cbfebc9170e33a171215180393e5a473452f373b.exe)
  Filesize: 252KB
  MD5: 1730848cbc6b8b2c6b0316cfea0f8ec0
  SHA1: b6c7cba640fc566e217b4dda9d8e02ed23e9bfe8
  SHA256: 09b3f6ca7f1d00d42d1c3020cbfebc9170e33a171215180393e5a473452f373b
  SHA512: 93d83077b849959b260d362ccf61d2bbb83078c5f84b61c8a4f923c0b66cdd8163d03fc735834cedbf33341e79bdda839a57a3a70398d0364be314ecadd5245f

Dropped file (path not recorded in the report)
  Filesize: 88KB
  MD5: 005a5a5c1d197452682062dcd52c2a65
  SHA1: 6779cc31ddbc33e91df04b2b52642aa030785008
  SHA256: a34d64e799ba45df27156ec97e9437e9d67341af02d0169bac15a966383195fc
  SHA512: 6af29eaceea0c1ff1a2d75c75888e874d0663cf11959de4dec2fbd6832790a63465f9b5838fcd7687907633596b9b0f1dece75d99066e49377a2daa20a652876