Analysis

max time kernel: 132s
max time network: 147s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 20/11/2022, 07:05
Static task: static1

Behavioral task: behavioral1
  Sample: f33ca29027d6921293a118cab8eec15ba9bad918e568f7f1b01a256036472b02.exe
  Resource: win7-20220812-en

Behavioral task: behavioral2
  Sample: f33ca29027d6921293a118cab8eec15ba9bad918e568f7f1b01a256036472b02.exe
  Resource: win10v2004-20220901-en
General

Target: f33ca29027d6921293a118cab8eec15ba9bad918e568f7f1b01a256036472b02.exe
Size: 43KB
MD5: 463c1c8d7a6cb35dfc809528baab94a6
SHA1: 428f4a7974215b2f3a1459789f18b6299e7fb5c5
SHA256: f33ca29027d6921293a118cab8eec15ba9bad918e568f7f1b01a256036472b02
SHA512: c6e883acb1094480b68296d4d8a5764519c1edf126d0a25fc4784275b965a92098c5ad2f73a41cb5847a7e15a71c518ef989bbdcf1e6ad597b7112c062e4a55d
SSDEEP: 768:dX/hVXegqr9jqmDfTPbRdn1PgUrXSobAL8qPP0KOIITYvGwItYdgmDqTCyN:zVXegqr9jqgfTPbR/PgUbSUAZ3LvI0vC
Malware Config

Extracted: pony
  http://149.255.99.32:8080/forum/viewtopic.php
  http://69.163.40.128/forum/viewtopic.php

  payload_url:
    http://atualizacoes.issqn.net/FhPD.exe
    http://rampazzo.com.br/mbhyAkQ.exe
    http://homeringer.com/tWEkgm.exe
Signatures

resource / yara_rule:
  behavioral1/memory/788-57-0x0000000000400000-0x000000000041C000-memory.dmp  upx
  behavioral1/memory/788-58-0x0000000000400000-0x000000000041C000-memory.dmp  upx
  behavioral1/memory/788-55-0x0000000000400000-0x000000000041C000-memory.dmp  upx
  behavioral1/memory/788-62-0x0000000000400000-0x000000000041C000-memory.dmp  upx
  behavioral1/memory/788-63-0x0000000000400000-0x000000000041C000-memory.dmp  upx
  behavioral1/memory/788-64-0x0000000000400000-0x000000000041C000-memory.dmp  upx
  behavioral1/memory/788-65-0x0000000000400000-0x000000000041C000-memory.dmp  upx

Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook accounts (1 TTPs, 1 IoCs)
  description: Key opened
  ioc: \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
  Process: f33ca29027d6921293a118cab8eec15ba9bad918e568f7f1b01a256036472b02.exe

Accesses Microsoft Outlook profiles (1 TTPs, 1 IoCs)
  description: Key opened
  ioc: \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
  Process: f33ca29027d6921293a118cab8eec15ba9bad918e568f7f1b01a256036472b02.exe

Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of SetThreadContext (1 IoCs)
  description: PID 1612 set thread context of 788
  pid: 1612
  Process: f33ca29027d6921293a118cab8eec15ba9bad918e568f7f1b01a256036472b02.exe
  procid_target: 26

Suspicious use of AdjustPrivilegeToken (8 IoCs)
  description / pid / Process:
    Token: SeImpersonatePrivilege        788  f33ca29027d6921293a118cab8eec15ba9bad918e568f7f1b01a256036472b02.exe
    Token: SeTcbPrivilege                788  f33ca29027d6921293a118cab8eec15ba9bad918e568f7f1b01a256036472b02.exe
    Token: SeChangeNotifyPrivilege       788  f33ca29027d6921293a118cab8eec15ba9bad918e568f7f1b01a256036472b02.exe
    Token: SeCreateTokenPrivilege        788  f33ca29027d6921293a118cab8eec15ba9bad918e568f7f1b01a256036472b02.exe
    Token: SeBackupPrivilege             788  f33ca29027d6921293a118cab8eec15ba9bad918e568f7f1b01a256036472b02.exe
    Token: SeRestorePrivilege            788  f33ca29027d6921293a118cab8eec15ba9bad918e568f7f1b01a256036472b02.exe
    Token: SeIncreaseQuotaPrivilege      788  f33ca29027d6921293a118cab8eec15ba9bad918e568f7f1b01a256036472b02.exe
    Token: SeAssignPrimaryTokenPrivilege 788  f33ca29027d6921293a118cab8eec15ba9bad918e568f7f1b01a256036472b02.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  description / pid / Process / procid_target (the same entry is recorded 8 times):
    PID 1612 wrote to memory of 788  1612  f33ca29027d6921293a118cab8eec15ba9bad918e568f7f1b01a256036472b02.exe  26
    PID 1612 wrote to memory of 788  1612  f33ca29027d6921293a118cab8eec15ba9bad918e568f7f1b01a256036472b02.exe  26
    PID 1612 wrote to memory of 788  1612  f33ca29027d6921293a118cab8eec15ba9bad918e568f7f1b01a256036472b02.exe  26
    PID 1612 wrote to memory of 788  1612  f33ca29027d6921293a118cab8eec15ba9bad918e568f7f1b01a256036472b02.exe  26
    PID 1612 wrote to memory of 788  1612  f33ca29027d6921293a118cab8eec15ba9bad918e568f7f1b01a256036472b02.exe  26
    PID 1612 wrote to memory of 788  1612  f33ca29027d6921293a118cab8eec15ba9bad918e568f7f1b01a256036472b02.exe  26
    PID 1612 wrote to memory of 788  1612  f33ca29027d6921293a118cab8eec15ba9bad918e568f7f1b01a256036472b02.exe  26
    PID 1612 wrote to memory of 788  1612  f33ca29027d6921293a118cab8eec15ba9bad918e568f7f1b01a256036472b02.exe  26

outlook_win_path (1 IoCs)
  description: Key opened
  ioc: \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
  Process: f33ca29027d6921293a118cab8eec15ba9bad918e568f7f1b01a256036472b02.exe
Processes

C:\Users\Admin\AppData\Local\Temp\f33ca29027d6921293a118cab8eec15ba9bad918e568f7f1b01a256036472b02.exe
  "C:\Users\Admin\AppData\Local\Temp\f33ca29027d6921293a118cab8eec15ba9bad918e568f7f1b01a256036472b02.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1612

  C:\Users\Admin\AppData\Local\Temp\f33ca29027d6921293a118cab8eec15ba9bad918e568f7f1b01a256036472b02.exe
    "C:\Users\Admin\AppData\Local\Temp\f33ca29027d6921293a118cab8eec15ba9bad918e568f7f1b01a256036472b02.exe"
    - Accesses Microsoft Outlook accounts
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_win_path
    PID:788