Analysis
-
max time kernel
63s -
max time network
83s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
19/11/2022, 03:38
Static task
static1
Behavioral task
behavioral1
Sample
5d7131836dab826351fa724a97f3d1c73c6a891b55a7caa4127089fb83b551ea.exe
Resource
win7-20220812-en
General
-
Target
5d7131836dab826351fa724a97f3d1c73c6a891b55a7caa4127089fb83b551ea.exe
-
Size
139KB
-
MD5
1af6c84bb171f0d91cacfc9882967d10
-
SHA1
7e42072c65d5fffdff4500f7aebc2916f33268d1
-
SHA256
5d7131836dab826351fa724a97f3d1c73c6a891b55a7caa4127089fb83b551ea
-
SHA512
ea7ff9772cb948284855737f0a4daae8583b663d425016af37f9e1675b2384a72748360602a6f545d5406b19a4f15364487d5e8129ef1fef01f070e8c1e5aade
-
SSDEEP
3072:7TETqaBpCYfXOTTL08sAuuSsyvSZWk/7dPKgaa9+Inm6xmImvWwePWGAerHTnHWE:E9OTTL08sSSshWkxPTaqz
Malware Config
Extracted
pony
http://3z3muor0045.site11.com/Panel/gate.php
-
payload_url
http://3z3muor0045.site11.com/Panel/po.exe
Signatures
-
Executes dropped EXE 2 IoCs
pid Process 1052 Length Tell.exe 1724 Length Tell.exe -
resource yara_rule behavioral1/memory/1724-66-0x0000000000400000-0x000000000041C000-memory.dmp upx behavioral1/memory/1724-73-0x0000000000400000-0x000000000041C000-memory.dmp upx behavioral1/memory/1724-74-0x0000000000400000-0x000000000041C000-memory.dmp upx behavioral1/memory/1724-75-0x0000000000400000-0x000000000041C000-memory.dmp upx behavioral1/memory/1724-76-0x0000000000400000-0x000000000041C000-memory.dmp upx behavioral1/memory/1724-78-0x0000000000400000-0x000000000041C000-memory.dmp upx -
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Who early.lnk 5d7131836dab826351fa724a97f3d1c73c6a891b55a7caa4127089fb83b551ea.exe -
Loads dropped DLL 2 IoCs
pid Process 1188 5d7131836dab826351fa724a97f3d1c73c6a891b55a7caa4127089fb83b551ea.exe 1188 5d7131836dab826351fa724a97f3d1c73c6a891b55a7caa4127089fb83b551ea.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts Length Tell.exe -
Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook Length Tell.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1052 set thread context of 1724 1052 Length Tell.exe 28 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 1052 Length Tell.exe -
Suspicious use of AdjustPrivilegeToken 33 IoCs
description pid Process Token: SeDebugPrivilege 1052 Length Tell.exe Token: SeImpersonatePrivilege 1724 Length Tell.exe Token: SeTcbPrivilege 1724 Length Tell.exe Token: SeChangeNotifyPrivilege 1724 Length Tell.exe Token: SeCreateTokenPrivilege 1724 Length Tell.exe Token: SeBackupPrivilege 1724 Length Tell.exe Token: SeRestorePrivilege 1724 Length Tell.exe Token: SeIncreaseQuotaPrivilege 1724 Length Tell.exe Token: SeAssignPrimaryTokenPrivilege 1724 Length Tell.exe Token: SeImpersonatePrivilege 1724 Length Tell.exe Token: SeTcbPrivilege 1724 Length Tell.exe Token: SeChangeNotifyPrivilege 1724 Length Tell.exe Token: SeCreateTokenPrivilege 1724 Length Tell.exe Token: SeBackupPrivilege 1724 Length Tell.exe Token: SeRestorePrivilege 1724 Length Tell.exe Token: SeIncreaseQuotaPrivilege 1724 Length Tell.exe Token: SeAssignPrimaryTokenPrivilege 1724 Length Tell.exe Token: SeImpersonatePrivilege 1724 Length Tell.exe Token: SeTcbPrivilege 1724 Length Tell.exe Token: SeChangeNotifyPrivilege 1724 Length Tell.exe Token: SeCreateTokenPrivilege 1724 Length Tell.exe Token: SeBackupPrivilege 1724 Length Tell.exe Token: SeRestorePrivilege 1724 Length Tell.exe Token: SeIncreaseQuotaPrivilege 1724 Length Tell.exe Token: SeAssignPrimaryTokenPrivilege 1724 Length Tell.exe Token: SeImpersonatePrivilege 1724 Length Tell.exe Token: SeTcbPrivilege 1724 Length Tell.exe Token: SeChangeNotifyPrivilege 1724 Length Tell.exe Token: SeCreateTokenPrivilege 1724 Length Tell.exe Token: SeBackupPrivilege 1724 Length Tell.exe Token: SeRestorePrivilege 1724 Length Tell.exe Token: SeIncreaseQuotaPrivilege 1724 Length Tell.exe Token: SeAssignPrimaryTokenPrivilege 1724 Length Tell.exe -
Suspicious use of WriteProcessMemory 14 IoCs
description pid Process procid_target PID 1188 wrote to memory of 1052 1188 5d7131836dab826351fa724a97f3d1c73c6a891b55a7caa4127089fb83b551ea.exe 27 PID 1188 wrote to memory of 1052 1188 5d7131836dab826351fa724a97f3d1c73c6a891b55a7caa4127089fb83b551ea.exe 27 PID 1188 wrote to memory of 1052 1188 5d7131836dab826351fa724a97f3d1c73c6a891b55a7caa4127089fb83b551ea.exe 27 PID 1188 wrote to memory of 1052 1188 5d7131836dab826351fa724a97f3d1c73c6a891b55a7caa4127089fb83b551ea.exe 27 PID 1052 wrote to memory of 1724 1052 Length Tell.exe 28 PID 1052 wrote to memory of 1724 1052 Length Tell.exe 28 PID 1052 wrote to memory of 1724 1052 Length Tell.exe 28 PID 1052 wrote to memory of 1724 1052 Length Tell.exe 28 PID 1052 wrote to memory of 1724 1052 Length Tell.exe 28 PID 1052 wrote to memory of 1724 1052 Length Tell.exe 28 PID 1724 wrote to memory of 1936 1724 Length Tell.exe 30 PID 1724 wrote to memory of 1936 1724 Length Tell.exe 30 PID 1724 wrote to memory of 1936 1724 Length Tell.exe 30 PID 1724 wrote to memory of 1936 1724 Length Tell.exe 30 -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook Length Tell.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\5d7131836dab826351fa724a97f3d1c73c6a891b55a7caa4127089fb83b551ea.exe"C:\Users\Admin\AppData\Local\Temp\5d7131836dab826351fa724a97f3d1c73c6a891b55a7caa4127089fb83b551ea.exe"1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1188 -
C:\ProgramData\Sleep bottom\Length Tell.exe"C:\ProgramData\Sleep bottom\Length Tell.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1052 -
C:\ProgramData\Sleep bottom\Length Tell.exe"C:\ProgramData\Sleep bottom\Length Tell.exe"3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_win_path
PID:1724 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\7162302.bat" "C:\ProgramData\Sleep bottom\Length Tell.exe" "4⤵PID:1936
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
139KB
MD51af6c84bb171f0d91cacfc9882967d10
SHA17e42072c65d5fffdff4500f7aebc2916f33268d1
SHA2565d7131836dab826351fa724a97f3d1c73c6a891b55a7caa4127089fb83b551ea
SHA512ea7ff9772cb948284855737f0a4daae8583b663d425016af37f9e1675b2384a72748360602a6f545d5406b19a4f15364487d5e8129ef1fef01f070e8c1e5aade
-
Filesize
139KB
MD51af6c84bb171f0d91cacfc9882967d10
SHA17e42072c65d5fffdff4500f7aebc2916f33268d1
SHA2565d7131836dab826351fa724a97f3d1c73c6a891b55a7caa4127089fb83b551ea
SHA512ea7ff9772cb948284855737f0a4daae8583b663d425016af37f9e1675b2384a72748360602a6f545d5406b19a4f15364487d5e8129ef1fef01f070e8c1e5aade
-
Filesize
139KB
MD51af6c84bb171f0d91cacfc9882967d10
SHA17e42072c65d5fffdff4500f7aebc2916f33268d1
SHA2565d7131836dab826351fa724a97f3d1c73c6a891b55a7caa4127089fb83b551ea
SHA512ea7ff9772cb948284855737f0a4daae8583b663d425016af37f9e1675b2384a72748360602a6f545d5406b19a4f15364487d5e8129ef1fef01f070e8c1e5aade
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize340B
MD5f7a842324131e27d7555de0184233ffe
SHA1392d4d55f15a39ff8e0fa903fedb74c90ea3e26a
SHA256da54e3efba02270b4ea988d0c1341255bd5feb14007d7055997e0f39cfb30895
SHA512a3b313ab212155cec747304e962ca96257c2c59ecffaf3b585456426eb331a969195edadb97477317b04beb3bbd73913d4621cd3b6c443fea69944c6c7917c98
-
Filesize
94B
MD53880eeb1c736d853eb13b44898b718ab
SHA14eec9d50360cd815211e3c4e6bdd08271b6ec8e6
SHA256936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7
SHA5123eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b
-
Filesize
929B
MD5042c92e278612a58d332157462b1e8ab
SHA163f6fd7595b635f3081de9cb23e82e4673acbfaa
SHA2564cda7f6015666598511ef97511caa5d57e723e5c40865553b18337d6f9e1d023
SHA5121efee632674dd4cc8de4cc06d8236a1b2cc30f63d7d0303a58aa32944ba70abc5a8a50fa4f486c707fc1910d4bd9b03f74a3bb496ebb889a95ef8af2d68e2079
-
Filesize
139KB
MD51af6c84bb171f0d91cacfc9882967d10
SHA17e42072c65d5fffdff4500f7aebc2916f33268d1
SHA2565d7131836dab826351fa724a97f3d1c73c6a891b55a7caa4127089fb83b551ea
SHA512ea7ff9772cb948284855737f0a4daae8583b663d425016af37f9e1675b2384a72748360602a6f545d5406b19a4f15364487d5e8129ef1fef01f070e8c1e5aade
-
Filesize
139KB
MD51af6c84bb171f0d91cacfc9882967d10
SHA17e42072c65d5fffdff4500f7aebc2916f33268d1
SHA2565d7131836dab826351fa724a97f3d1c73c6a891b55a7caa4127089fb83b551ea
SHA512ea7ff9772cb948284855737f0a4daae8583b663d425016af37f9e1675b2384a72748360602a6f545d5406b19a4f15364487d5e8129ef1fef01f070e8c1e5aade