Analysis Overview
SHA256
5d7131836dab826351fa724a97f3d1c73c6a891b55a7caa4127089fb83b551ea
Threat Level: Known bad
The file 5d7131836dab826351fa724a97f3d1c73c6a891b55a7caa4127089fb83b551ea was found to be: Known bad.
Malicious Activity Summary
Pony,Fareit
UPX packed file
Executes dropped EXE
Drops startup file
Loads dropped DLL
Checks computer location settings
Reads user/profile data of web browsers
Reads data files stored by FTP clients
Accesses Microsoft Outlook profiles
Checks installed software on the system
Accesses Microsoft Outlook accounts
Suspicious use of SetThreadContext
Enumerates physical storage devices
outlook_win_path
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-11-19 03:38
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-11-19 03:38
Reported
2022-11-19 03:41
Platform
win7-20220812-en
Max time kernel
63s
Max time network
83s
Command Line
Signatures
Pony,Fareit
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Sleep bottom\Length Tell.exe | N/A |
| N/A | N/A | C:\ProgramData\Sleep bottom\Length Tell.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Who early.lnk | C:\Users\Admin\AppData\Local\Temp\5d7131836dab826351fa724a97f3d1c73c6a891b55a7caa4127089fb83b551ea.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5d7131836dab826351fa724a97f3d1c73c6a891b55a7caa4127089fb83b551ea.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5d7131836dab826351fa724a97f3d1c73c6a891b55a7caa4127089fb83b551ea.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\ProgramData\Sleep bottom\Length Tell.exe | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\ProgramData\Sleep bottom\Length Tell.exe | N/A |
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1052 set thread context of 1724 | N/A | C:\ProgramData\Sleep bottom\Length Tell.exe | C:\ProgramData\Sleep bottom\Length Tell.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Sleep bottom\Length Tell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\ProgramData\Sleep bottom\Length Tell.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\5d7131836dab826351fa724a97f3d1c73c6a891b55a7caa4127089fb83b551ea.exe
"C:\Users\Admin\AppData\Local\Temp\5d7131836dab826351fa724a97f3d1c73c6a891b55a7caa4127089fb83b551ea.exe"
C:\ProgramData\Sleep bottom\Length Tell.exe
"C:\ProgramData\Sleep bottom\Length Tell.exe"
C:\ProgramData\Sleep bottom\Length Tell.exe
"C:\ProgramData\Sleep bottom\Length Tell.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\7162302.bat" "C:\ProgramData\Sleep bottom\Length Tell.exe" "
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | 3z3muor0045.site11.com | udp |
| N/A | 153.92.0.100:80 | 3z3muor0045.site11.com | tcp |
| N/A | 153.92.0.100:80 | 3z3muor0045.site11.com | tcp |
| N/A | 153.92.0.100:80 | 3z3muor0045.site11.com | tcp |
| N/A | 153.92.0.100:80 | 3z3muor0045.site11.com | tcp |
| N/A | 8.8.8.8:53 | www.000webhost.com | udp |
| N/A | 104.19.184.120:443 | www.000webhost.com | tcp |
Files
memory/1188-54-0x0000000075091000-0x0000000075093000-memory.dmp
memory/1188-55-0x0000000074110000-0x00000000746BB000-memory.dmp
\ProgramData\Sleep bottom\Length Tell.exe
| MD5 | 1af6c84bb171f0d91cacfc9882967d10 |
| SHA1 | 7e42072c65d5fffdff4500f7aebc2916f33268d1 |
| SHA256 | 5d7131836dab826351fa724a97f3d1c73c6a891b55a7caa4127089fb83b551ea |
| SHA512 | ea7ff9772cb948284855737f0a4daae8583b663d425016af37f9e1675b2384a72748360602a6f545d5406b19a4f15364487d5e8129ef1fef01f070e8c1e5aade |
\ProgramData\Sleep bottom\Length Tell.exe
| MD5 | 1af6c84bb171f0d91cacfc9882967d10 |
| SHA1 | 7e42072c65d5fffdff4500f7aebc2916f33268d1 |
| SHA256 | 5d7131836dab826351fa724a97f3d1c73c6a891b55a7caa4127089fb83b551ea |
| SHA512 | ea7ff9772cb948284855737f0a4daae8583b663d425016af37f9e1675b2384a72748360602a6f545d5406b19a4f15364487d5e8129ef1fef01f070e8c1e5aade |
memory/1052-58-0x0000000000000000-mapping.dmp
C:\ProgramData\Sleep bottom\Length Tell.exe
| MD5 | 1af6c84bb171f0d91cacfc9882967d10 |
| SHA1 | 7e42072c65d5fffdff4500f7aebc2916f33268d1 |
| SHA256 | 5d7131836dab826351fa724a97f3d1c73c6a891b55a7caa4127089fb83b551ea |
| SHA512 | ea7ff9772cb948284855737f0a4daae8583b663d425016af37f9e1675b2384a72748360602a6f545d5406b19a4f15364487d5e8129ef1fef01f070e8c1e5aade |
C:\ProgramData\Sleep bottom\Length Tell.exe
| MD5 | 1af6c84bb171f0d91cacfc9882967d10 |
| SHA1 | 7e42072c65d5fffdff4500f7aebc2916f33268d1 |
| SHA256 | 5d7131836dab826351fa724a97f3d1c73c6a891b55a7caa4127089fb83b551ea |
| SHA512 | ea7ff9772cb948284855737f0a4daae8583b663d425016af37f9e1675b2384a72748360602a6f545d5406b19a4f15364487d5e8129ef1fef01f070e8c1e5aade |
memory/1188-62-0x0000000074110000-0x00000000746BB000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f7a842324131e27d7555de0184233ffe |
| SHA1 | 392d4d55f15a39ff8e0fa903fedb74c90ea3e26a |
| SHA256 | da54e3efba02270b4ea988d0c1341255bd5feb14007d7055997e0f39cfb30895 |
| SHA512 | a3b313ab212155cec747304e962ca96257c2c59ecffaf3b585456426eb331a969195edadb97477317b04beb3bbd73913d4621cd3b6c443fea69944c6c7917c98 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Who early.lnk
| MD5 | 042c92e278612a58d332157462b1e8ab |
| SHA1 | 63f6fd7595b635f3081de9cb23e82e4673acbfaa |
| SHA256 | 4cda7f6015666598511ef97511caa5d57e723e5c40865553b18337d6f9e1d023 |
| SHA512 | 1efee632674dd4cc8de4cc06d8236a1b2cc30f63d7d0303a58aa32944ba70abc5a8a50fa4f486c707fc1910d4bd9b03f74a3bb496ebb889a95ef8af2d68e2079 |
memory/1052-64-0x0000000074110000-0x00000000746BB000-memory.dmp
memory/1724-66-0x0000000000400000-0x000000000041C000-memory.dmp
C:\ProgramData\Sleep bottom\Length Tell.exe
| MD5 | 1af6c84bb171f0d91cacfc9882967d10 |
| SHA1 | 7e42072c65d5fffdff4500f7aebc2916f33268d1 |
| SHA256 | 5d7131836dab826351fa724a97f3d1c73c6a891b55a7caa4127089fb83b551ea |
| SHA512 | ea7ff9772cb948284855737f0a4daae8583b663d425016af37f9e1675b2384a72748360602a6f545d5406b19a4f15364487d5e8129ef1fef01f070e8c1e5aade |
memory/1052-71-0x0000000074110000-0x00000000746BB000-memory.dmp
memory/1724-73-0x0000000000400000-0x000000000041C000-memory.dmp
memory/1724-74-0x0000000000400000-0x000000000041C000-memory.dmp
memory/1724-75-0x0000000000400000-0x000000000041C000-memory.dmp
memory/1724-76-0x0000000000400000-0x000000000041C000-memory.dmp
memory/1724-78-0x0000000000400000-0x000000000041C000-memory.dmp
memory/1936-77-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\7162302.bat
| MD5 | 3880eeb1c736d853eb13b44898b718ab |
| SHA1 | 4eec9d50360cd815211e3c4e6bdd08271b6ec8e6 |
| SHA256 | 936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7 |
| SHA512 | 3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b |
Analysis: behavioral2
Detonation Overview
Submitted
2022-11-19 03:38
Reported
2022-11-19 03:41
Platform
win10v2004-20220812-en
Max time kernel
116s
Max time network
144s
Command Line
Signatures
Pony,Fareit
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Sleep bottom\Length Tell.exe | N/A |
| N/A | N/A | C:\ProgramData\Sleep bottom\Length Tell.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\ProgramData\Sleep bottom\Length Tell.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\5d7131836dab826351fa724a97f3d1c73c6a891b55a7caa4127089fb83b551ea.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Who early.lnk | C:\Users\Admin\AppData\Local\Temp\5d7131836dab826351fa724a97f3d1c73c6a891b55a7caa4127089fb83b551ea.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\ProgramData\Sleep bottom\Length Tell.exe | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\ProgramData\Sleep bottom\Length Tell.exe | N/A |
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4824 set thread context of 3064 | N/A | C:\ProgramData\Sleep bottom\Length Tell.exe | C:\ProgramData\Sleep bottom\Length Tell.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Sleep bottom\Length Tell.exe | N/A |
| N/A | N/A | C:\ProgramData\Sleep bottom\Length Tell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\ProgramData\Sleep bottom\Length Tell.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\5d7131836dab826351fa724a97f3d1c73c6a891b55a7caa4127089fb83b551ea.exe
"C:\Users\Admin\AppData\Local\Temp\5d7131836dab826351fa724a97f3d1c73c6a891b55a7caa4127089fb83b551ea.exe"
C:\ProgramData\Sleep bottom\Length Tell.exe
"C:\ProgramData\Sleep bottom\Length Tell.exe"
C:\ProgramData\Sleep bottom\Length Tell.exe
"C:\ProgramData\Sleep bottom\Length Tell.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240648031.bat" "C:\ProgramData\Sleep bottom\Length Tell.exe" "
Network
| Country | Destination | Domain | Proto |
| N/A | 8.238.23.254:80 | tcp | |
| N/A | 8.238.23.254:80 | tcp | |
| N/A | 93.184.221.240:80 | tcp | |
| N/A | 93.184.221.240:80 | tcp | |
| N/A | 93.184.221.240:80 | tcp | |
| N/A | 93.184.221.240:80 | tcp | |
| N/A | 93.184.221.240:80 | tcp | |
| N/A | 51.116.253.170:443 | tcp | |
| N/A | 93.184.220.29:80 | tcp | |
| N/A | 8.8.8.8:53 | 3z3muor0045.site11.com | udp |
| N/A | 153.92.0.100:80 | 3z3muor0045.site11.com | tcp |
| N/A | 93.184.221.240:80 | tcp | |
| N/A | 93.184.221.240:80 | tcp | |
| N/A | 153.92.0.100:80 | 3z3muor0045.site11.com | tcp |
| N/A | 153.92.0.100:80 | 3z3muor0045.site11.com | tcp |
| N/A | 153.92.0.100:80 | 3z3muor0045.site11.com | tcp |
| N/A | 8.8.8.8:53 | www.000webhost.com | udp |
| N/A | 104.19.184.120:443 | www.000webhost.com | tcp |
Files
memory/2252-132-0x0000000074ED0000-0x0000000075481000-memory.dmp
memory/2252-133-0x0000000074ED0000-0x0000000075481000-memory.dmp
memory/4824-134-0x0000000000000000-mapping.dmp
C:\ProgramData\Sleep bottom\Length Tell.exe
| MD5 | 1af6c84bb171f0d91cacfc9882967d10 |
| SHA1 | 7e42072c65d5fffdff4500f7aebc2916f33268d1 |
| SHA256 | 5d7131836dab826351fa724a97f3d1c73c6a891b55a7caa4127089fb83b551ea |
| SHA512 | ea7ff9772cb948284855737f0a4daae8583b663d425016af37f9e1675b2384a72748360602a6f545d5406b19a4f15364487d5e8129ef1fef01f070e8c1e5aade |
C:\ProgramData\Sleep bottom\Length Tell.exe
| MD5 | 1af6c84bb171f0d91cacfc9882967d10 |
| SHA1 | 7e42072c65d5fffdff4500f7aebc2916f33268d1 |
| SHA256 | 5d7131836dab826351fa724a97f3d1c73c6a891b55a7caa4127089fb83b551ea |
| SHA512 | ea7ff9772cb948284855737f0a4daae8583b663d425016af37f9e1675b2384a72748360602a6f545d5406b19a4f15364487d5e8129ef1fef01f070e8c1e5aade |
memory/2252-137-0x0000000074ED0000-0x0000000075481000-memory.dmp
memory/4824-138-0x0000000074ED0000-0x0000000075481000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Who early.lnk
| MD5 | fba1c6dcea2573ca97df19aabb41d754 |
| SHA1 | 79e4def8c6e4ee035d7537d0ae4295d07199a8c1 |
| SHA256 | 768b11b71d788ab52276c0996593004a1234865f7724cc814868dc4f4d88c746 |
| SHA512 | 243b1fbb85434a0e5aeab2976b159b9ab57ca7c605a26a56e12fe260010f7d6a560cfbb9483e20f14bd618b2e63c050e5d7626fa8a6c8bcddadec7e6ffac8203 |
memory/3064-140-0x0000000000400000-0x000000000041C000-memory.dmp
memory/3064-142-0x0000000000000000-mapping.dmp
C:\ProgramData\Sleep bottom\Length Tell.exe
| MD5 | 1af6c84bb171f0d91cacfc9882967d10 |
| SHA1 | 7e42072c65d5fffdff4500f7aebc2916f33268d1 |
| SHA256 | 5d7131836dab826351fa724a97f3d1c73c6a891b55a7caa4127089fb83b551ea |
| SHA512 | ea7ff9772cb948284855737f0a4daae8583b663d425016af37f9e1675b2384a72748360602a6f545d5406b19a4f15364487d5e8129ef1fef01f070e8c1e5aade |
memory/3064-146-0x0000000000400000-0x000000000041C000-memory.dmp
memory/4824-147-0x0000000074ED0000-0x0000000075481000-memory.dmp
memory/3064-148-0x0000000000400000-0x000000000041C000-memory.dmp
memory/3064-149-0x0000000000400000-0x000000000041C000-memory.dmp
memory/3064-150-0x0000000000400000-0x000000000041C000-memory.dmp
memory/852-151-0x0000000000000000-mapping.dmp
memory/3064-152-0x0000000000400000-0x000000000041C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\240648031.bat
| MD5 | 3880eeb1c736d853eb13b44898b718ab |
| SHA1 | 4eec9d50360cd815211e3c4e6bdd08271b6ec8e6 |
| SHA256 | 936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7 |
| SHA512 | 3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b |