Analysis
max time kernel: 116s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/11/2022, 03:38
Static task: static1
Behavioral task: behavioral1
Sample: 5d7131836dab826351fa724a97f3d1c73c6a891b55a7caa4127089fb83b551ea.exe
Resource: win7-20220812-en
General
Target: 5d7131836dab826351fa724a97f3d1c73c6a891b55a7caa4127089fb83b551ea.exe
Size: 139KB
MD5: 1af6c84bb171f0d91cacfc9882967d10
SHA1: 7e42072c65d5fffdff4500f7aebc2916f33268d1
SHA256: 5d7131836dab826351fa724a97f3d1c73c6a891b55a7caa4127089fb83b551ea
SHA512: ea7ff9772cb948284855737f0a4daae8583b663d425016af37f9e1675b2384a72748360602a6f545d5406b19a4f15364487d5e8129ef1fef01f070e8c1e5aade
SSDEEP: 3072:7TETqaBpCYfXOTTL08sAuuSsyvSZWk/7dPKgaa9+Inm6xmImvWwePWGAerHTnHWE:E9OTTL08sSSshWkxPTaqz
Malware Config
Extracted
pony
http://3z3muor0045.site11.com/Panel/gate.php
payload_url: http://3z3muor0045.site11.com/Panel/po.exe
Signatures
Executes dropped EXE (2 IoCs)
pid | Process
4824 | Length Tell.exe
3064 | Length Tell.exe

resource | yara_rule
behavioral2/memory/3064-140-0x0000000000400000-0x000000000041C000-memory.dmp | upx
behavioral2/memory/3064-146-0x0000000000400000-0x000000000041C000-memory.dmp | upx
behavioral2/memory/3064-148-0x0000000000400000-0x000000000041C000-memory.dmp | upx
behavioral2/memory/3064-149-0x0000000000400000-0x000000000041C000-memory.dmp | upx
behavioral2/memory/3064-150-0x0000000000400000-0x000000000041C000-memory.dmp | upx
behavioral2/memory/3064-152-0x0000000000400000-0x000000000041C000-memory.dmp | upx

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | Length Tell.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | 5d7131836dab826351fa724a97f3d1c73c6a891b55a7caa4127089fb83b551ea.exe

Drops startup file (1 IoCs)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Who early.lnk | 5d7131836dab826351fa724a97f3d1c73c6a891b55a7caa4127089fb83b551ea.exe

Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook accounts (1 TTPs, 1 IoCs)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | Length Tell.exe

Accesses Microsoft Outlook profiles (1 TTPs, 1 IoCs)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | Length Tell.exe

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of SetThreadContext (1 IoCs)
description | pid | Process | procid_target
PID 4824 set thread context of 3064 | 4824 | Length Tell.exe | 84

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
4824 | Length Tell.exe
4824 | Length Tell.exe

Suspicious use of AdjustPrivilegeToken (49 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4824 | Length Tell.exe
Token: SeImpersonatePrivilege | 3064 | Length Tell.exe
Token: SeTcbPrivilege | 3064 | Length Tell.exe
Token: SeChangeNotifyPrivilege | 3064 | Length Tell.exe
Token: SeCreateTokenPrivilege | 3064 | Length Tell.exe
Token: SeBackupPrivilege | 3064 | Length Tell.exe
Token: SeRestorePrivilege | 3064 | Length Tell.exe
Token: SeIncreaseQuotaPrivilege | 3064 | Length Tell.exe
Token: SeAssignPrimaryTokenPrivilege | 3064 | Length Tell.exe
Token: SeImpersonatePrivilege | 3064 | Length Tell.exe
Token: SeTcbPrivilege | 3064 | Length Tell.exe
Token: SeChangeNotifyPrivilege | 3064 | Length Tell.exe
Token: SeCreateTokenPrivilege | 3064 | Length Tell.exe
Token: SeBackupPrivilege | 3064 | Length Tell.exe
Token: SeRestorePrivilege | 3064 | Length Tell.exe
Token: SeIncreaseQuotaPrivilege | 3064 | Length Tell.exe
Token: SeAssignPrimaryTokenPrivilege | 3064 | Length Tell.exe
Token: SeImpersonatePrivilege | 3064 | Length Tell.exe
Token: SeTcbPrivilege | 3064 | Length Tell.exe
Token: SeChangeNotifyPrivilege | 3064 | Length Tell.exe
Token: SeCreateTokenPrivilege | 3064 | Length Tell.exe
Token: SeBackupPrivilege | 3064 | Length Tell.exe
Token: SeRestorePrivilege | 3064 | Length Tell.exe
Token: SeIncreaseQuotaPrivilege | 3064 | Length Tell.exe
Token: SeAssignPrimaryTokenPrivilege | 3064 | Length Tell.exe
Token: SeImpersonatePrivilege | 3064 | Length Tell.exe
Token: SeTcbPrivilege | 3064 | Length Tell.exe
Token: SeChangeNotifyPrivilege | 3064 | Length Tell.exe
Token: SeCreateTokenPrivilege | 3064 | Length Tell.exe
Token: SeBackupPrivilege | 3064 | Length Tell.exe
Token: SeRestorePrivilege | 3064 | Length Tell.exe
Token: SeIncreaseQuotaPrivilege | 3064 | Length Tell.exe
Token: SeAssignPrimaryTokenPrivilege | 3064 | Length Tell.exe
Token: SeImpersonatePrivilege | 3064 | Length Tell.exe
Token: SeTcbPrivilege | 3064 | Length Tell.exe
Token: SeChangeNotifyPrivilege | 3064 | Length Tell.exe
Token: SeCreateTokenPrivilege | 3064 | Length Tell.exe
Token: SeBackupPrivilege | 3064 | Length Tell.exe
Token: SeRestorePrivilege | 3064 | Length Tell.exe
Token: SeIncreaseQuotaPrivilege | 3064 | Length Tell.exe
Token: SeAssignPrimaryTokenPrivilege | 3064 | Length Tell.exe
Token: SeImpersonatePrivilege | 3064 | Length Tell.exe
Token: SeTcbPrivilege | 3064 | Length Tell.exe
Token: SeChangeNotifyPrivilege | 3064 | Length Tell.exe
Token: SeCreateTokenPrivilege | 3064 | Length Tell.exe
Token: SeBackupPrivilege | 3064 | Length Tell.exe
Token: SeRestorePrivilege | 3064 | Length Tell.exe
Token: SeIncreaseQuotaPrivilege | 3064 | Length Tell.exe
Token: SeAssignPrimaryTokenPrivilege | 3064 | Length Tell.exe

Suspicious use of WriteProcessMemory (11 IoCs)
description | pid | Process | procid_target
PID 2252 wrote to memory of 4824 | 2252 | 5d7131836dab826351fa724a97f3d1c73c6a891b55a7caa4127089fb83b551ea.exe | 83
PID 2252 wrote to memory of 4824 | 2252 | 5d7131836dab826351fa724a97f3d1c73c6a891b55a7caa4127089fb83b551ea.exe | 83
PID 2252 wrote to memory of 4824 | 2252 | 5d7131836dab826351fa724a97f3d1c73c6a891b55a7caa4127089fb83b551ea.exe | 83
PID 4824 wrote to memory of 3064 | 4824 | Length Tell.exe | 84
PID 4824 wrote to memory of 3064 | 4824 | Length Tell.exe | 84
PID 4824 wrote to memory of 3064 | 4824 | Length Tell.exe | 84
PID 4824 wrote to memory of 3064 | 4824 | Length Tell.exe | 84
PID 4824 wrote to memory of 3064 | 4824 | Length Tell.exe | 84
PID 3064 wrote to memory of 852 | 3064 | Length Tell.exe | 89
PID 3064 wrote to memory of 852 | 3064 | Length Tell.exe | 89
PID 3064 wrote to memory of 852 | 3064 | Length Tell.exe | 89

outlook_win_path (1 IoCs)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | Length Tell.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\5d7131836dab826351fa724a97f3d1c73c6a891b55a7caa4127089fb83b551ea.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\5d7131836dab826351fa724a97f3d1c73c6a891b55a7caa4127089fb83b551ea.exe"
  PID: 2252
  signatures:
  - Checks computer location settings
  - Drops startup file
  - Suspicious use of WriteProcessMemory
  child process:
  - C:\ProgramData\Sleep bottom\Length Tell.exe
    command line: "C:\ProgramData\Sleep bottom\Length Tell.exe"
    PID: 4824
    signatures:
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    child process:
    - C:\ProgramData\Sleep bottom\Length Tell.exe
      command line: "C:\ProgramData\Sleep bottom\Length Tell.exe"
      PID: 3064
      signatures:
      - Executes dropped EXE
      - Checks computer location settings
      - Accesses Microsoft Outlook accounts
      - Accesses Microsoft Outlook profiles
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - outlook_win_path
      child process:
      - C:\Windows\SysWOW64\cmd.exe
        command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240648031.bat" "C:\ProgramData\Sleep bottom\Length Tell.exe" "
        PID: 852
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 139KB
MD5: 1af6c84bb171f0d91cacfc9882967d10
SHA1: 7e42072c65d5fffdff4500f7aebc2916f33268d1
SHA256: 5d7131836dab826351fa724a97f3d1c73c6a891b55a7caa4127089fb83b551ea
SHA512: ea7ff9772cb948284855737f0a4daae8583b663d425016af37f9e1675b2384a72748360602a6f545d5406b19a4f15364487d5e8129ef1fef01f070e8c1e5aade

Filesize: 94B
MD5: 3880eeb1c736d853eb13b44898b718ab
SHA1: 4eec9d50360cd815211e3c4e6bdd08271b6ec8e6
SHA256: 936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7
SHA512: 3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

Filesize: 905B
MD5: fba1c6dcea2573ca97df19aabb41d754
SHA1: 79e4def8c6e4ee035d7537d0ae4295d07199a8c1
SHA256: 768b11b71d788ab52276c0996593004a1234865f7724cc814868dc4f4d88c746
SHA512: 243b1fbb85434a0e5aeab2976b159b9ab57ca7c605a26a56e12fe260010f7d6a560cfbb9483e20f14bd618b2e63c050e5d7626fa8a6c8bcddadec7e6ffac8203