Analysis
max time kernel: 71s
max time network: 59s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64 arch:x86 image:win7-20220901-en locale:en-us os:windows7-x64 system
submitted: 19/11/2022, 03:28
Static task: static1
Behavioral task: behavioral1
  Sample: 63c7adeeaeee43416ae5543990b7c1eaa4582a24579ceccba85d2011c3ed726a.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: 63c7adeeaeee43416ae5543990b7c1eaa4582a24579ceccba85d2011c3ed726a.exe
  Resource: win10v2004-20221111-en
General
Target: 63c7adeeaeee43416ae5543990b7c1eaa4582a24579ceccba85d2011c3ed726a.exe
Size: 83KB
MD5: 0226201961c2c41ffd9190b1c4831a70
SHA1: 8c6fa2d662c2a26c3b50b46913d52eae1fa4ca7a
SHA256: 63c7adeeaeee43416ae5543990b7c1eaa4582a24579ceccba85d2011c3ed726a
SHA512: 6f32944602f740fb0fca1cdcfd6c97ad4c46ee7ef22cc889c47dc95e46b932a8ea63a6eb103267d645cd0db5907f41377b3d436d752b66bc06eb76c79ce4b10b
SSDEEP: 1536:s2Vw8puOGyDWS+N0QTDgFil5qBmId5sPNe9vMtupnaH:sEwbFyDWKQs+qBmId5sFe9EtupnG
Malware Config
Extracted: pony
  http://selaqty.pw:681/fix/update.php
  http://kdotojk.pw:681/fix/update.php
  payload_url: http://vodiklas.pw:681/fix/update.exe
Signatures

resource | yara_rule
behavioral1/memory/1284-54-0x0000000000400000-0x000000000041C000-memory.dmp | upx
behavioral1/memory/1284-55-0x0000000000400000-0x000000000041C000-memory.dmp | upx
behavioral1/memory/1284-56-0x0000000000400000-0x000000000041C000-memory.dmp | upx
behavioral1/memory/1284-61-0x0000000000400000-0x000000000041C000-memory.dmp | upx
behavioral1/memory/1284-62-0x0000000000400000-0x000000000041C000-memory.dmp | upx
behavioral1/memory/1284-63-0x0000000000400000-0x000000000041C000-memory.dmp | upx
behavioral1/memory/1284-68-0x0000000000400000-0x000000000041C000-memory.dmp | upx
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\International\Geo\Nation | 63c7adeeaeee43416ae5543990b7c1eaa4582a24579ceccba85d2011c3ed726a.exe

Deletes itself (1 IoC)
pid | Process
520 | cmd.exe
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 1768 set thread context of 1284 | 1768 | 63c7adeeaeee43416ae5543990b7c1eaa4582a24579ceccba85d2011c3ed726a.exe | 27

Drops file in Windows directory (1 IoC)
description | ioc | Process
File created | C:\Windows\calc2.exe | 63c7adeeaeee43416ae5543990b7c1eaa4582a24579ceccba85d2011c3ed726a.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)
pid | Process
1512 | PING.EXE
Suspicious use of AdjustPrivilegeToken (32 IoCs)
description | pid | Process
Token: SeImpersonatePrivilege | 1284 | 63c7adeeaeee43416ae5543990b7c1eaa4582a24579ceccba85d2011c3ed726a.exe
Token: SeTcbPrivilege | 1284 | 63c7adeeaeee43416ae5543990b7c1eaa4582a24579ceccba85d2011c3ed726a.exe
Token: SeChangeNotifyPrivilege | 1284 | 63c7adeeaeee43416ae5543990b7c1eaa4582a24579ceccba85d2011c3ed726a.exe
Token: SeCreateTokenPrivilege | 1284 | 63c7adeeaeee43416ae5543990b7c1eaa4582a24579ceccba85d2011c3ed726a.exe
Token: SeBackupPrivilege | 1284 | 63c7adeeaeee43416ae5543990b7c1eaa4582a24579ceccba85d2011c3ed726a.exe
Token: SeRestorePrivilege | 1284 | 63c7adeeaeee43416ae5543990b7c1eaa4582a24579ceccba85d2011c3ed726a.exe
Token: SeIncreaseQuotaPrivilege | 1284 | 63c7adeeaeee43416ae5543990b7c1eaa4582a24579ceccba85d2011c3ed726a.exe
Token: SeAssignPrimaryTokenPrivilege | 1284 | 63c7adeeaeee43416ae5543990b7c1eaa4582a24579ceccba85d2011c3ed726a.exe
Token: SeImpersonatePrivilege | 1284 | 63c7adeeaeee43416ae5543990b7c1eaa4582a24579ceccba85d2011c3ed726a.exe
Token: SeTcbPrivilege | 1284 | 63c7adeeaeee43416ae5543990b7c1eaa4582a24579ceccba85d2011c3ed726a.exe
Token: SeChangeNotifyPrivilege | 1284 | 63c7adeeaeee43416ae5543990b7c1eaa4582a24579ceccba85d2011c3ed726a.exe
Token: SeCreateTokenPrivilege | 1284 | 63c7adeeaeee43416ae5543990b7c1eaa4582a24579ceccba85d2011c3ed726a.exe
Token: SeBackupPrivilege | 1284 | 63c7adeeaeee43416ae5543990b7c1eaa4582a24579ceccba85d2011c3ed726a.exe
Token: SeRestorePrivilege | 1284 | 63c7adeeaeee43416ae5543990b7c1eaa4582a24579ceccba85d2011c3ed726a.exe
Token: SeIncreaseQuotaPrivilege | 1284 | 63c7adeeaeee43416ae5543990b7c1eaa4582a24579ceccba85d2011c3ed726a.exe
Token: SeAssignPrimaryTokenPrivilege | 1284 | 63c7adeeaeee43416ae5543990b7c1eaa4582a24579ceccba85d2011c3ed726a.exe
Token: SeImpersonatePrivilege | 1284 | 63c7adeeaeee43416ae5543990b7c1eaa4582a24579ceccba85d2011c3ed726a.exe
Token: SeTcbPrivilege | 1284 | 63c7adeeaeee43416ae5543990b7c1eaa4582a24579ceccba85d2011c3ed726a.exe
Token: SeChangeNotifyPrivilege | 1284 | 63c7adeeaeee43416ae5543990b7c1eaa4582a24579ceccba85d2011c3ed726a.exe
Token: SeCreateTokenPrivilege | 1284 | 63c7adeeaeee43416ae5543990b7c1eaa4582a24579ceccba85d2011c3ed726a.exe
Token: SeBackupPrivilege | 1284 | 63c7adeeaeee43416ae5543990b7c1eaa4582a24579ceccba85d2011c3ed726a.exe
Token: SeRestorePrivilege | 1284 | 63c7adeeaeee43416ae5543990b7c1eaa4582a24579ceccba85d2011c3ed726a.exe
Token: SeIncreaseQuotaPrivilege | 1284 | 63c7adeeaeee43416ae5543990b7c1eaa4582a24579ceccba85d2011c3ed726a.exe
Token: SeAssignPrimaryTokenPrivilege | 1284 | 63c7adeeaeee43416ae5543990b7c1eaa4582a24579ceccba85d2011c3ed726a.exe
Token: SeImpersonatePrivilege | 1284 | 63c7adeeaeee43416ae5543990b7c1eaa4582a24579ceccba85d2011c3ed726a.exe
Token: SeTcbPrivilege | 1284 | 63c7adeeaeee43416ae5543990b7c1eaa4582a24579ceccba85d2011c3ed726a.exe
Token: SeChangeNotifyPrivilege | 1284 | 63c7adeeaeee43416ae5543990b7c1eaa4582a24579ceccba85d2011c3ed726a.exe
Token: SeCreateTokenPrivilege | 1284 | 63c7adeeaeee43416ae5543990b7c1eaa4582a24579ceccba85d2011c3ed726a.exe
Token: SeBackupPrivilege | 1284 | 63c7adeeaeee43416ae5543990b7c1eaa4582a24579ceccba85d2011c3ed726a.exe
Token: SeRestorePrivilege | 1284 | 63c7adeeaeee43416ae5543990b7c1eaa4582a24579ceccba85d2011c3ed726a.exe
Token: SeIncreaseQuotaPrivilege | 1284 | 63c7adeeaeee43416ae5543990b7c1eaa4582a24579ceccba85d2011c3ed726a.exe
Token: SeAssignPrimaryTokenPrivilege | 1284 | 63c7adeeaeee43416ae5543990b7c1eaa4582a24579ceccba85d2011c3ed726a.exe
Suspicious use of WriteProcessMemory (25 IoCs)
description | pid | Process | procid_target
PID 1768 wrote to memory of 1284 | 1768 | 63c7adeeaeee43416ae5543990b7c1eaa4582a24579ceccba85d2011c3ed726a.exe | 27
PID 1768 wrote to memory of 1284 | 1768 | 63c7adeeaeee43416ae5543990b7c1eaa4582a24579ceccba85d2011c3ed726a.exe | 27
PID 1768 wrote to memory of 1284 | 1768 | 63c7adeeaeee43416ae5543990b7c1eaa4582a24579ceccba85d2011c3ed726a.exe | 27
PID 1768 wrote to memory of 1284 | 1768 | 63c7adeeaeee43416ae5543990b7c1eaa4582a24579ceccba85d2011c3ed726a.exe | 27
PID 1768 wrote to memory of 1284 | 1768 | 63c7adeeaeee43416ae5543990b7c1eaa4582a24579ceccba85d2011c3ed726a.exe | 27
PID 1768 wrote to memory of 1284 | 1768 | 63c7adeeaeee43416ae5543990b7c1eaa4582a24579ceccba85d2011c3ed726a.exe | 27
PID 1768 wrote to memory of 1284 | 1768 | 63c7adeeaeee43416ae5543990b7c1eaa4582a24579ceccba85d2011c3ed726a.exe | 27
PID 1768 wrote to memory of 1284 | 1768 | 63c7adeeaeee43416ae5543990b7c1eaa4582a24579ceccba85d2011c3ed726a.exe | 27
PID 1768 wrote to memory of 1284 | 1768 | 63c7adeeaeee43416ae5543990b7c1eaa4582a24579ceccba85d2011c3ed726a.exe | 27
PID 1284 wrote to memory of 584 | 1284 | 63c7adeeaeee43416ae5543990b7c1eaa4582a24579ceccba85d2011c3ed726a.exe | 28
PID 1284 wrote to memory of 584 | 1284 | 63c7adeeaeee43416ae5543990b7c1eaa4582a24579ceccba85d2011c3ed726a.exe | 28
PID 1284 wrote to memory of 584 | 1284 | 63c7adeeaeee43416ae5543990b7c1eaa4582a24579ceccba85d2011c3ed726a.exe | 28
PID 1284 wrote to memory of 584 | 1284 | 63c7adeeaeee43416ae5543990b7c1eaa4582a24579ceccba85d2011c3ed726a.exe | 28
PID 584 wrote to memory of 1428 | 584 | cmd.exe | 30
PID 584 wrote to memory of 1428 | 584 | cmd.exe | 30
PID 584 wrote to memory of 1428 | 584 | cmd.exe | 30
PID 584 wrote to memory of 1428 | 584 | cmd.exe | 30
PID 1284 wrote to memory of 520 | 1284 | 63c7adeeaeee43416ae5543990b7c1eaa4582a24579ceccba85d2011c3ed726a.exe | 31
PID 1284 wrote to memory of 520 | 1284 | 63c7adeeaeee43416ae5543990b7c1eaa4582a24579ceccba85d2011c3ed726a.exe | 31
PID 1284 wrote to memory of 520 | 1284 | 63c7adeeaeee43416ae5543990b7c1eaa4582a24579ceccba85d2011c3ed726a.exe | 31
PID 1284 wrote to memory of 520 | 1284 | 63c7adeeaeee43416ae5543990b7c1eaa4582a24579ceccba85d2011c3ed726a.exe | 31
PID 520 wrote to memory of 1512 | 520 | cmd.exe | 33
PID 520 wrote to memory of 1512 | 520 | cmd.exe | 33
PID 520 wrote to memory of 1512 | 520 | cmd.exe | 33
PID 520 wrote to memory of 1512 | 520 | cmd.exe | 33
Processes

1. C:\Users\Admin\AppData\Local\Temp\63c7adeeaeee43416ae5543990b7c1eaa4582a24579ceccba85d2011c3ed726a.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\63c7adeeaeee43416ae5543990b7c1eaa4582a24579ceccba85d2011c3ed726a.exe"
   - Checks computer location settings
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   PID: 1768

   2. C:\Users\Admin\AppData\Local\Temp\63c7adeeaeee43416ae5543990b7c1eaa4582a24579ceccba85d2011c3ed726a.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\63c7adeeaeee43416ae5543990b7c1eaa4582a24579ceccba85d2011c3ed726a.exe"
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 1284

      3. C:\Windows\SysWOW64\cmd.exe
         Command line: "C:\Windows\System32\cmd.exe" /c at 03:32:00 /every:T,M,Th,F,W,S,Su wmic.exe nicconfig where "IPEnabled=true" call SetDNSServerSearchOrder ("37.10.116.201", "8.8.8.8")
         - Suspicious use of WriteProcessMemory
         PID: 584

         4. C:\Windows\SysWOW64\at.exe
            Command line: at 03:32:00 /every:T,M,Th,F,W,S,Su wmic.exe nicconfig where "IPEnabled=true" call SetDNSServerSearchOrder ("37.10.116.201", "8.8.8.8")
            PID: 1428

      3. C:\Windows\SysWOW64\cmd.exe
         Command line: "C:\Windows\System32\cmd.exe" /c ping -n 10 localhost && erase "C:\Users\Admin\AppData\Local\Temp\63c7adeeaeee43416ae5543990b7c1eaa4582a24579ceccba85d2011c3ed726a.exe"
         - Deletes itself
         - Suspicious use of WriteProcessMemory
         PID: 520

         4. C:\Windows\SysWOW64\PING.EXE
            Command line: ping -n 10 localhost
            - Runs ping.exe
            PID: 1512