Analysis

max time kernel: 180s
max time network: 181s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/11/2022, 01:48

Static task: static1
Behavioral task: behavioral1
Sample: 09b3f6ca7f1d00d42d1c3020cbfebc9170e33a171215180393e5a473452f373b.exe
Resource: win7-20221111-en

Note: the task listing names the win7-20221111-en resource while the run metadata above records the win10v2004-20221111-en image; the report itself does not reconcile the two, so the platform line should be read as describing the run whose results follow.
General

Target: 09b3f6ca7f1d00d42d1c3020cbfebc9170e33a171215180393e5a473452f373b.exe
Size: 252KB
MD5: 1730848cbc6b8b2c6b0316cfea0f8ec0
SHA1: b6c7cba640fc566e217b4dda9d8e02ed23e9bfe8
SHA256: 09b3f6ca7f1d00d42d1c3020cbfebc9170e33a171215180393e5a473452f373b
SHA512: 93d83077b849959b260d362ccf61d2bbb83078c5f84b61c8a4f923c0b66cdd8163d03fc735834cedbf33341e79bdda839a57a3a70398d0364be314ecadd5245f
SSDEEP: 3072:nGvgFhJM4uIo7Lox3DeeNK4VJauRGT7/gNc/TMS/CroSSW5j2Cr0QJovLpuIo1Pw:nIgFDM4u0xaeNhceiPoJkDCjxXsLU
Malware Config

Extracted family: pony
C2 gates:
http://www.khalilmotors.com/cvme/gate.php
http://khalilmotors.com/cv/cv1/gate.php

Both gates sit on the same domain (with and without the www label) and use the gate.php endpoint that Pony panels expose for check-ins and credential uploads. Treat the domain as a network IoC and do not fetch it from a non-isolated host. No network activity is listed on this page, so whether the sample actually reached either gate during the run is not shown here.
Signatures

Executes dropped EXE (4 IoCs)
pid    Process
3600   mypony.exe
3632   09b3f6ca7f1d00d42d1c3020cbfebc9170e33a171215180393e5a473452f373b.exe
3516   09b3f6ca7f1d00d42d1c3020cbfebc9170e33a171215180393e5a473452f373b.exe
1768   csrss.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Key value queried: \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation
Process: 09b3f6ca7f1d00d42d1c3020cbfebc9170e33a171215180393e5a473452f373b.exe

The Geo\Nation value is the per-user GeoID set in Region settings, so it reflects the sandbox image's configured locale (en-us here) rather than the machine's actual location. A sample that geofences on this value can be coaxed into running or refusing to run simply by changing that one registry value before detonation, which is worth remembering when a second run on a differently configured image behaves differently.
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.

Neither of these two signatures carries IoC rows on this page, so the specific files touched are not recorded here.
Accesses Microsoft Outlook accounts (1 TTP, 2 IoCs)
Key opened: \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Processes: mypony.exe (PID 3600), 09b3f6ca7f1d00d42d1c3020cbfebc9170e33a171215180393e5a473452f373b.exe (PID 3516)

Accesses Microsoft Outlook profiles (1 TTP, 2 IoCs)
Key opened: \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Processes: mypony.exe (PID 3600), 09b3f6ca7f1d00d42d1c3020cbfebc9170e33a171215180393e5a473452f373b.exe (PID 3516)

The OMI Account Manager key holds Internet-mail account settings (the Outlook Express / Windows Mail lineage) and the Windows Messaging Subsystem profile key holds Outlook's MAPI profiles; both are where a stealer looks for stored mail server addresses and saved credentials. That the same two keys are opened both by the dropped mypony.exe and by the injected copy of the original sample (PID 3516) is consistent with both running the same Pony payload.
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious use of SetThreadContext (1 IoC)
PID 3280 (09b3f6ca7f1d00d42d1c3020cbfebc9170e33a171215180393e5a473452f373b.exe) set the thread context of PID 3516 (same image), procid_target 84.

Read together with the WriteProcessMemory rows below (eight writes from 3280 into 3516, the most of any child), this is the write-payload-then-redirect-thread sequence of process hollowing / RunPE (ATT&CK T1055.012): the packed parent starts a fresh copy of its own image, overwrites it with the unpacked payload and points the child's primary thread at the new entry point. The report does not show whether 3516 was created suspended or which regions were written, so this is a strong indicator rather than a complete trace; the behaviour that follows (Outlook key access, privilege adjustment) appears under 3516, not 3280, which is what hollowing would produce.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

The sandbox's generic description of this signature reads "Likely ransomware behaviour". For this sample, whose extracted configuration is Pony, walking the attached volumes is better explained as an infostealer looking for files and credential stores; no encryption, file renaming or ransom-note activity is recorded anywhere on this page.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
All 64 rows are the same entry: PID 1768, csrss.exe (the IoC table is capped at 64 rows, so the true count is at least that). Repeated enumeration of the process list by the dropped csrss.exe fits its "-prochide 3516" command-line argument (see the process tree): the likely reading is that it polls for the injected process by PID, though the report records only the enumeration, not what is done with the result.
Suspicious use of AdjustPrivilegeToken (64 IoCs)
The 64 rows (table capped) are repeated cycles of the same requests, collapsed here per process:

pid    Process                                                                    Privileges requested
3516   09b3f6ca7f1d00d42d1c3020cbfebc9170e33a171215180393e5a473452f373b.exe    SeImpersonatePrivilege, SeTcbPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeIncreaseQuotaPrivilege, SeAssignPrimaryTokenPrivilege
3600   mypony.exe                                                                 the same eight privileges
1768   csrss.exe                                                                  SeDebugPrivilege

The sandbox logs the AdjustTokenPrivileges call, not its outcome. A privilege can only be enabled if the token already holds it; an unelevated user token holds none of SeTcb, SeCreateToken or SeAssignPrimaryToken, and in that case the call returns TRUE with the last error set to ERROR_NOT_ALL_ASSIGNED and the privilege remains unavailable. The requested set (impersonation, backup/restore, token creation and assignment) is what a stealer needs to read other users' profiles and protected stores should it ever run under a sufficiently privileged token; the dropped csrss.exe asking for SeDebugPrivilege is consistent with it wanting to open other processes.
Suspicious use of WriteProcessMemory (17 IoCs)
Every write originates from PID 3280 (09b3f6ca7f1d00d42d1c3020cbfebc9170e33a171215180393e5a473452f373b.exe):

target pid   target image                                                               procid_target   rows
3600         mypony.exe                                                                 82              3
3632         09b3f6ca7f1d00d42d1c3020cbfebc9170e33a171215180393e5a473452f373b.exe    83              3
3516         09b3f6ca7f1d00d42d1c3020cbfebc9170e33a171215180393e5a473452f373b.exe    84              8
1768         csrss.exe                                                                  85              3

The same small count of three writes appears for each of 3600, 3632 and 1768, which looks like the parent's ordinary process start-up rather than payload delivery; the eight writes into 3516, the only child that also receives a SetThreadContext, are the anomaly to chase.
outlook_win_path (1 IoC)
Key opened: \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Process: 09b3f6ca7f1d00d42d1c3020cbfebc9170e33a171215180393e5a473452f373b.exe
Processes

Level 1: "C:\Users\Admin\AppData\Local\Temp\09b3f6ca7f1d00d42d1c3020cbfebc9170e33a171215180393e5a473452f373b.exe"  PID 3280
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  Level 2: "C:\Users\Admin\AppData\Roaming\mypony.exe"  PID 3600
    - Executes dropped EXE
    - Accesses Microsoft Outlook accounts
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken

  Level 2: "C:\Users\Admin\AppData\Local\Temp\09b3f6ca7f1d00d42d1c3020cbfebc9170e33a171215180393e5a473452f373b.exe"  PID 3632
    - Executes dropped EXE

  Level 2: "C:\Users\Admin\AppData\Local\Temp\09b3f6ca7f1d00d42d1c3020cbfebc9170e33a171215180393e5a473452f373b.exe"  PID 3516
    - Executes dropped EXE
    - Accesses Microsoft Outlook accounts
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_win_path

  Level 2: "C:\Users\Admin\AppData\Local\Temp\csrss.exe" -keyhide -prochide 3516  PID 1768
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

Two points in this tree matter for detection. First, the genuine csrss.exe (Client/Server Runtime Subsystem) is started by smss.exe from C:\Windows\System32 and runs as SYSTEM; a copy in the user's %TEMP%, launched by a Temp-resident executable and handed the PID of the injected child (3516) as an argument, is name masquerading (ATT&CK T1036). The "-keyhide -prochide" flags are reproduced as logged; their names suggest a helper that hides the payload process and a key, but the page records nothing beyond the command line. Second, the original sample re-launches its own image twice from the same path (PIDs 3632 and 3516), and only 3516 goes on to show the credential-access behaviour, which is the child the parent wrote into eight times and whose thread context it reset.
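The SetThreadContext/WriteProcessMemory rows and the csrss.exe entry in the tree above are the two findings a triage script should surface without a human reading 64-row tables. The following is an added example, not code from the sandbox vendor or from this report: it parses the flattened "PID X wrote to memory of Y ..." and "PID X set thread context of Y ..." rows in the format shown above, collapses repeats into counts, pairs writes with thread-context changes to flag process hollowing candidates, and flags core Windows process names running outside System32/SysWOW64. The sample rows and process list are constructed from this report with the SHA256-named image abbreviated to sample.exe and the row counts reduced; the SYSTEM_NAMES and SYSTEM_DIRS allow-lists are the author's own assumptions, not part of the report.

```python
"""Triage helpers for the flattened behaviour rows of a sandbox report.

Added example (not the sandbox's or the report's own code). Parses rows of
the form 'PID <parent> wrote to memory of <child> <parent> <image> <procid>'
and 'PID <parent> set thread context of <child> ...', then:
  * counts cross-process activity per (parent, child, action);
  * flags parents that both wrote into a child and reset a thread context
    in it, the write-then-redirect pattern of process hollowing (T1055.012);
  * flags core Windows process names running outside System32/SysWOW64.
"""
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample rows modelled on this report, with the SHA256-named
# image abbreviated to sample.exe and the row counts reduced.
SAMPLE_ROWS = """\
PID 3280 wrote to memory of 3600 3280 sample.exe 82
PID 3280 wrote to memory of 3600 3280 sample.exe 82
PID 3280 wrote to memory of 3632 3280 sample.exe 83
PID 3280 wrote to memory of 3516 3280 sample.exe 84
PID 3280 wrote to memory of 3516 3280 sample.exe 84
PID 3280 set thread context of 3516 3280 sample.exe 84
PID 3280 wrote to memory of 1768 3280 sample.exe 85
"""

# Constructed process list mirroring the report's tree: (pid, parent pid, command line).
SAMPLE_PROCESSES = [
    (3280, None, r'"C:\Users\Admin\AppData\Local\Temp\sample.exe"'),
    (3600, 3280, r'"C:\Users\Admin\AppData\Roaming\mypony.exe"'),
    (3632, 3280, r'"C:\Users\Admin\AppData\Local\Temp\sample.exe"'),
    (3516, 3280, r'"C:\Users\Admin\AppData\Local\Temp\sample.exe"'),
    (1768, 3280, r'"C:\Users\Admin\AppData\Local\Temp\csrss.exe" -keyhide -prochide 3516'),
]

ROW_RE = re.compile(
    r"PID (?P<parent>\d+) (?P<action>wrote to memory of|set thread context of) "
    r"(?P<child>\d+) \d+ (?P<image>\S+) (?P<target>\d+)"
)

# Assumed allow-lists (author's choice, not from the report): names that only
# the OS should run, and the directories they legitimately live in.
SYSTEM_NAMES = {"csrss.exe", "smss.exe", "wininit.exe", "winlogon.exe",
                "services.exe", "lsass.exe", "svchost.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def parse_rows(text):
    """Turn flattened report rows into dicts; rows of other kinds are skipped."""
    rows = []
    for m in ROW_RE.finditer(text):
        action = "write" if m["action"].startswith("wrote") else "set_context"
        rows.append({"parent": int(m["parent"]), "child": int(m["child"]),
                     "action": action, "image": m["image"]})
    return rows


def cross_process_activity(rows):
    """Collapse repeated rows to counts per (parent, child, action)."""
    return Counter((r["parent"], r["child"], r["action"]) for r in rows)


def hollowing_candidates(rows):
    """(parent, child) pairs with both a memory write and a thread-context change."""
    writes = {(r["parent"], r["child"]) for r in rows if r["action"] == "write"}
    contexts = {(r["parent"], r["child"]) for r in rows if r["action"] == "set_context"}
    return sorted(writes & contexts)


def image_path(cmdline):
    """Executable path from a quoted or unquoted command line."""
    m = re.match(r'"([^"]+)"|(\S+)', cmdline)
    return m.group(1) or m.group(2)


def masquerading_system_binaries(processes):
    """(pid, path) for core system process names outside the system directories."""
    hits = []
    for pid, _parent, cmdline in processes:
        path = PureWindowsPath(image_path(cmdline))
        if path.name.lower() in SYSTEM_NAMES and str(path.parent).lower() not in SYSTEM_DIRS:
            hits.append((pid, str(path)))
    return hits


def triage(rows_text=SAMPLE_ROWS, processes=SAMPLE_PROCESSES):
    """Run all three checks over one report's rows and process list."""
    rows = parse_rows(rows_text)
    return {"activity": cross_process_activity(rows),
            "hollowing": hollowing_candidates(rows),
            "masquerade": masquerading_system_binaries(processes)}


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

On the constructed input this reports one hollowing candidate, (3280, 3516), and one masquerade hit, PID 1768 running csrss.exe from the user's Temp directory. On real endpoint telemetry, add the parent check as well: the genuine csrss.exe is created by smss.exe, never by a user-mode binary in a profile directory, and a path allow-list alone will not catch a copy dropped into a directory you forgot to exclude.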
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\09b3f6ca7f1d00d42d1c3020cbfebc9170e33a171215180393e5a473452f373b.exe
Filesize: 252KB
MD5: 1730848cbc6b8b2c6b0316cfea0f8ec0
SHA1: b6c7cba640fc566e217b4dda9d8e02ed23e9bfe8
SHA256: 09b3f6ca7f1d00d42d1c3020cbfebc9170e33a171215180393e5a473452f373b
SHA512: 93d83077b849959b260d362ccf61d2bbb83078c5f84b61c8a4f923c0b66cdd8163d03fc735834cedbf33341e79bdda839a57a3a70398d0364be314ecadd5245f

(path not recorded on this page)
Filesize: 88KB
MD5: 005a5a5c1d197452682062dcd52c2a65
SHA1: 6779cc31ddbc33e91df04b2b52642aa030785008
SHA256: a34d64e799ba45df27156ec97e9437e9d67341af02d0169bac15a966383195fc
SHA512: 6af29eaceea0c1ff1a2d75c75888e874d0663cf11959de4dec2fbd6832790a63465f9b5838fcd7687907633596b9b0f1dece75d99066e49377a2daa20a652876