Analysis Overview
SHA256
0967c346478c030f1d86fc9e0df38138e4bde97f0cb20463b8a06528375b3d1a
Threat Level: Known bad
The file 0967c346478c030f1d86fc9e0df38138e4bde97f0cb20463b8a06528375b3d1a was found to be: Known bad.
Malicious Activity Summary
Pony,Fareit
UPX packed file
Checks computer location settings
Reads user/profile data of web browsers
Deletes itself
Reads data files stored by FTP clients
Checks installed software on the system
Accesses Microsoft Outlook accounts
Accesses Microsoft Outlook profiles
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_win_path
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-11-19 03:38
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-11-19 03:38
Reported
2022-11-19 03:41
Platform
win7-20221111-en
Max time kernel
18s
Max time network
40s
Command Line
Signatures
Pony,Fareit
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\0967c346478c030f1d86fc9e0df38138e4bde97f0cb20463b8a06528375b3d1a.exe | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\0967c346478c030f1d86fc9e0df38138e4bde97f0cb20463b8a06528375b3d1a.exe | N/A |
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1388 set thread context of 1480 | N/A | C:\Users\Admin\AppData\Local\Temp\0967c346478c030f1d86fc9e0df38138e4bde97f0cb20463b8a06528375b3d1a.exe | C:\Users\Admin\AppData\Local\Temp\0967c346478c030f1d86fc9e0df38138e4bde97f0cb20463b8a06528375b3d1a.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0967c346478c030f1d86fc9e0df38138e4bde97f0cb20463b8a06528375b3d1a.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\0967c346478c030f1d86fc9e0df38138e4bde97f0cb20463b8a06528375b3d1a.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\0967c346478c030f1d86fc9e0df38138e4bde97f0cb20463b8a06528375b3d1a.exe
"C:\Users\Admin\AppData\Local\Temp\0967c346478c030f1d86fc9e0df38138e4bde97f0cb20463b8a06528375b3d1a.exe"
C:\Users\Admin\AppData\Local\Temp\0967c346478c030f1d86fc9e0df38138e4bde97f0cb20463b8a06528375b3d1a.exe
"C:\Users\Admin\AppData\Local\Temp\0967c346478c030f1d86fc9e0df38138e4bde97f0cb20463b8a06528375b3d1a.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Update\security" /XML "C:\Users\Admin\AppData\Roaming\pqktz.xml"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\7119339.bat" "C:\Users\Admin\AppData\Local\Temp\0967c346478c030f1d86fc9e0df38138e4bde97f0cb20463b8a06528375b3d1a.exe" "
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | sandwichbes.site90.com | udp |
| N/A | 153.92.0.100:80 | sandwichbes.site90.com | tcp |
| N/A | 8.8.8.8:53 | www.000webhost.com | udp |
| N/A | 104.19.185.120:443 | www.000webhost.com | tcp |
Files
memory/1388-54-0x0000000075C31000-0x0000000075C33000-memory.dmp
memory/1388-55-0x0000000074870000-0x0000000074E1B000-memory.dmp
memory/1480-56-0x0000000000400000-0x000000000041C000-memory.dmp
memory/1480-57-0x0000000000400000-0x000000000041C000-memory.dmp
memory/1480-60-0x0000000000400000-0x000000000041C000-memory.dmp
memory/1480-59-0x0000000000400000-0x000000000041C000-memory.dmp
memory/1480-61-0x000000000041A200-mapping.dmp
memory/1480-64-0x0000000000400000-0x000000000041C000-memory.dmp
memory/1480-65-0x0000000000400000-0x000000000041C000-memory.dmp
memory/656-66-0x0000000000000000-mapping.dmp
memory/1480-67-0x0000000000400000-0x000000000041C000-memory.dmp
C:\Users\Admin\AppData\Roaming\pqktz.xml
| MD5 | 1c7ba1c7b9878685df5416a5a8bfc843 |
| SHA1 | aa7c6f97e4dee4b49452e40814475b1408648a7d |
| SHA256 | 682502d781fa22192b7340d6d274794d5c0e6fb90b2c190e61e9fd011a8e74bf |
| SHA512 | 42cf25bf963ab859c62101e5d3a73e585cbe9ae1ddcee0ec82c76cd9aa80c72fda3ab23bcbe8b5e550658cbf3e1fd7ae2fe367aa9640a56998e34c80bb5f0126 |
memory/1388-69-0x0000000074870000-0x0000000074E1B000-memory.dmp
memory/1964-70-0x0000000000000000-mapping.dmp
memory/1480-71-0x0000000000400000-0x000000000041C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7119339.bat
| MD5 | 3880eeb1c736d853eb13b44898b718ab |
| SHA1 | 4eec9d50360cd815211e3c4e6bdd08271b6ec8e6 |
| SHA256 | 936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7 |
| SHA512 | 3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b |
Analysis: behavioral2
Detonation Overview
Submitted
2022-11-19 03:38
Reported
2022-11-19 03:42
Platform
win10v2004-20221111-en
Max time kernel
197s
Max time network
205s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\0967c346478c030f1d86fc9e0df38138e4bde97f0cb20463b8a06528375b3d1a.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1068 set thread context of 4952 | N/A | C:\Users\Admin\AppData\Local\Temp\0967c346478c030f1d86fc9e0df38138e4bde97f0cb20463b8a06528375b3d1a.exe | C:\Users\Admin\AppData\Local\Temp\0967c346478c030f1d86fc9e0df38138e4bde97f0cb20463b8a06528375b3d1a.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0967c346478c030f1d86fc9e0df38138e4bde97f0cb20463b8a06528375b3d1a.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0967c346478c030f1d86fc9e0df38138e4bde97f0cb20463b8a06528375b3d1a.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0967c346478c030f1d86fc9e0df38138e4bde97f0cb20463b8a06528375b3d1a.exe
"C:\Users\Admin\AppData\Local\Temp\0967c346478c030f1d86fc9e0df38138e4bde97f0cb20463b8a06528375b3d1a.exe"
C:\Users\Admin\AppData\Local\Temp\0967c346478c030f1d86fc9e0df38138e4bde97f0cb20463b8a06528375b3d1a.exe
"C:\Users\Admin\AppData\Local\Temp\0967c346478c030f1d86fc9e0df38138e4bde97f0cb20463b8a06528375b3d1a.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Update\security" /XML "C:\Users\Admin\AppData\Roaming\qtwtd.xml"
Network
| Country | Destination | Domain | Proto |
| N/A | 93.184.221.240:80 | tcp | |
| N/A | 104.80.225.205:443 | tcp | |
| N/A | 52.182.143.211:443 | tcp | |
| N/A | 87.248.202.1:80 | tcp | |
| N/A | 87.248.202.1:80 | tcp | |
| N/A | 8.8.8.8:53 | 151.122.125.40.in-addr.arpa | udp |
| N/A | 8.8.8.8:53 | 2.8.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.4.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa | udp |
Files
memory/1068-133-0x0000000075420000-0x00000000759D1000-memory.dmp
memory/4952-134-0x0000000000000000-mapping.dmp
memory/1068-136-0x0000000075420000-0x00000000759D1000-memory.dmp
memory/1800-137-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\qtwtd.xml
| MD5 | e7b5f574994722fb172d5b85e9ac7343 |
| SHA1 | 0983299b0dfbb2bc475b393420af5f4a7ab73290 |
| SHA256 | f190aa1150503ba6f360970fe7c6448999ea1a412c036011c6b80f1d4c68bea0 |
| SHA512 | 1d1e6ed23a15fee2c2d81dfbadc967ee1a7ea16dda0743ff910c5147ba31c5c71f51f9afdf427aa77af68ffb14130469c086a97fa9908a0005f1291ea91e5da7 |
memory/1068-139-0x0000000075420000-0x00000000759D1000-memory.dmp