Analysis Overview
SHA256
cc6c4807522f03e6125df957a6e9f30ff757ac83f991bae215f619bc7b4b1ec5
Threat Level: Known bad
The file cc6c4807522f03e6125df957a6e9f30ff757ac83f991bae215f619bc7b4b1ec5 was found to be: Known bad.
Malicious Activity Summary
Pony,Fareit
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
Accesses Microsoft Outlook profiles
Checks installed software on the system
Drops file in System32 directory
outlook_win_path
Checks processor information in registry
Suspicious use of AdjustPrivilegeToken
Enumerates system info in registry
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-11-20 05:51
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-11-20 05:51
Reported
2022-11-20 05:53
Platform
win7-20221111-en
Max time kernel
148s
Max time network
151s
Command Line
Signatures
Pony,Fareit
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\cc6c4807522f03e6125df957a6e9f30ff757ac83f991bae215f619bc7b4b1ec5.exe | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\cc6c4807522f03e6125df957a6e9f30ff757ac83f991bae215f619bc7b4b1ec5.exe | N/A |
Checks installed software on the system
Suspicious use of AdjustPrivilegeToken
outlook_win_path
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\cc6c4807522f03e6125df957a6e9f30ff757ac83f991bae215f619bc7b4b1ec5.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\cc6c4807522f03e6125df957a6e9f30ff757ac83f991bae215f619bc7b4b1ec5.exe
"C:\Users\Admin\AppData\Local\Temp\cc6c4807522f03e6125df957a6e9f30ff757ac83f991bae215f619bc7b4b1ec5.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 8.8.8.8:53 | customkids.com | udp |
| N/A | 34.102.136.180:80 | customkids.com | tcp |
| N/A | 34.102.136.180:80 | customkids.com | tcp |
| N/A | 34.102.136.180:80 | customkids.com | tcp |
| N/A | 34.102.136.180:80 | customkids.com | tcp |
| N/A | 34.102.136.180:80 | customkids.com | tcp |
| N/A | 34.102.136.180:80 | customkids.com | tcp |
| N/A | 34.102.136.180:80 | customkids.com | tcp |
| N/A | 34.102.136.180:80 | customkids.com | tcp |
| N/A | 34.102.136.180:80 | customkids.com | tcp |
| N/A | 34.102.136.180:80 | customkids.com | tcp |
| N/A | 34.102.136.180:80 | customkids.com | tcp |
| N/A | 8.8.8.8:53 | dharmaking.info | udp |
| N/A | 15.197.142.173:80 | dharmaking.info | tcp |
| N/A | 15.197.142.173:80 | dharmaking.info | tcp |
| N/A | 15.197.142.173:80 | dharmaking.info | tcp |
| N/A | 15.197.142.173:80 | dharmaking.info | tcp |
| N/A | 15.197.142.173:80 | dharmaking.info | tcp |
| N/A | 15.197.142.173:80 | dharmaking.info | tcp |
| N/A | 15.197.142.173:80 | dharmaking.info | tcp |
| N/A | 15.197.142.173:80 | dharmaking.info | tcp |
| N/A | 15.197.142.173:80 | dharmaking.info | tcp |
| N/A | 15.197.142.173:80 | dharmaking.info | tcp |
| N/A | 15.197.142.173:80 | dharmaking.info | tcp |
| N/A | 8.8.8.8:53 | dharmaking.net | udp |
| N/A | 15.197.142.173:80 | dharmaking.net | tcp |
| N/A | 15.197.142.173:80 | dharmaking.net | tcp |
| N/A | 15.197.142.173:80 | dharmaking.net | tcp |
Files
memory/936-55-0x0000000000400000-0x000000000041D000-memory.dmp
memory/936-54-0x0000000000400000-0x000000000041D000-memory.dmp
memory/936-56-0x0000000075DF1000-0x0000000075DF3000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-11-20 05:51
Reported
2022-11-20 05:53
Platform
win10v2004-20220812-en
Max time kernel
151s
Max time network
155s
Command Line
Signatures
Pony,Fareit
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\cc6c4807522f03e6125df957a6e9f30ff757ac83f991bae215f619bc7b4b1ec5.exe | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\cc6c4807522f03e6125df957a6e9f30ff757ac83f991bae215f619bc7b4b1ec5.exe | N/A |
Checks installed software on the system
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{2DD3F04E-B83C-4E4F-952D-FCE02E43C891}.catalogItem | C:\Windows\System32\svchost.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{09DA512E-78C8-4413-9D16-F82D96C1AC52}.catalogItem | C:\Windows\System32\svchost.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\System32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\System32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\System32\svchost.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\System32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\System32\svchost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
outlook_win_path
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\cc6c4807522f03e6125df957a6e9f30ff757ac83f991bae215f619bc7b4b1ec5.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\cc6c4807522f03e6125df957a6e9f30ff757ac83f991bae215f619bc7b4b1ec5.exe
"C:\Users\Admin\AppData\Local\Temp\cc6c4807522f03e6125df957a6e9f30ff757ac83f991bae215f619bc7b4b1ec5.exe"
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 8.8.8.8:53 | customkids.com | udp |
| N/A | 34.102.136.180:80 | customkids.com | tcp |
| N/A | 34.102.136.180:80 | customkids.com | tcp |
| N/A | 34.102.136.180:80 | customkids.com | tcp |
| N/A | 34.102.136.180:80 | customkids.com | tcp |
| N/A | 34.102.136.180:80 | customkids.com | tcp |
| N/A | 34.102.136.180:80 | customkids.com | tcp |
| N/A | 34.102.136.180:80 | customkids.com | tcp |
| N/A | 34.102.136.180:80 | customkids.com | tcp |
| N/A | 34.102.136.180:80 | customkids.com | tcp |
| N/A | 34.102.136.180:80 | customkids.com | tcp |
| N/A | 34.102.136.180:80 | customkids.com | tcp |
| N/A | 8.8.8.8:53 | dharmaking.info | udp |
| N/A | 15.197.142.173:80 | dharmaking.info | tcp |
| N/A | 15.197.142.173:80 | dharmaking.info | tcp |
| N/A | 15.197.142.173:80 | dharmaking.info | tcp |
| N/A | 15.197.142.173:80 | dharmaking.info | tcp |
| N/A | 15.197.142.173:80 | dharmaking.info | tcp |
| N/A | 15.197.142.173:80 | dharmaking.info | tcp |
| N/A | 15.197.142.173:80 | dharmaking.info | tcp |
| N/A | 15.197.142.173:80 | dharmaking.info | tcp |
| N/A | 15.197.142.173:80 | dharmaking.info | tcp |
| N/A | 15.197.142.173:80 | dharmaking.info | tcp |
| N/A | 15.197.142.173:80 | dharmaking.info | tcp |
| N/A | 8.8.8.8:53 | dharmaking.net | udp |
| N/A | 15.197.142.173:80 | dharmaking.net | tcp |
| N/A | 15.197.142.173:80 | dharmaking.net | tcp |
| N/A | 15.197.142.173:80 | dharmaking.net | tcp |
| N/A | 15.197.142.173:80 | dharmaking.net | tcp |
| N/A | 15.197.142.173:80 | dharmaking.net | tcp |
| N/A | 15.197.142.173:80 | dharmaking.net | tcp |
| N/A | 15.197.142.173:80 | dharmaking.net | tcp |
| N/A | 15.197.142.173:80 | dharmaking.net | tcp |
Files
memory/1152-133-0x0000000000400000-0x000000000041D000-memory.dmp
memory/1152-132-0x0000000000400000-0x000000000041D000-memory.dmp