Analysis
-
max time kernel
148s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system -
submitted
20/11/2022, 08:17
Static task
static1
Behavioral task
behavioral1
Sample
82de558b4b23bb435649e7e337d9aa2730b1030d7cb5db57bbcfaf720c1d6b9b.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
82de558b4b23bb435649e7e337d9aa2730b1030d7cb5db57bbcfaf720c1d6b9b.exe
Resource
win10v2004-20220812-en
General
-
Target
82de558b4b23bb435649e7e337d9aa2730b1030d7cb5db57bbcfaf720c1d6b9b.exe
-
Size
112KB
-
MD5
46df6704acfbd42904279f0e51bfe919
-
SHA1
8bbca04bd6c98f27e5a43372f79f41661efdd0b8
-
SHA256
82de558b4b23bb435649e7e337d9aa2730b1030d7cb5db57bbcfaf720c1d6b9b
-
SHA512
e489422cea7135e686b9653b8c973500ab912a88ff1e09eae0d49f328049dbd41673f40f950e4c77b8508c143f313b8cd94ed6c9961e59791824bbf03438a3a2
-
SSDEEP
3072:iY1A8cxh/pmkEEBvWG06sZLxeV8/iAYIkiy9glhia:mRmKBvueCPYIkn9C
Malware Config
Extracted
pony
http://londonleatherusa.com/forum/viewtopic.php
http://luggage-tv.com/forum/viewtopic.php
http://luggagecast.com/forum/viewtopic.php
http://luggagejc.com/forum/viewtopic.php
-
payload_url
http://www.chs76ers.org/f9bszz5.exe
http://diver-station.com.tw/DpBSrKJ.exe
http://mulberry.com.hk/ZB1h.exe
http://pdisb.net/s6Z2PSa.exe
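The extracted Pony config above is the most directly actionable part of this report: four C2 check-in URLs (all sharing the path /forum/viewtopic.php) and four second-stage payload URLs. The script below is an added example, not part of the sandbox report, showing how to turn those strings into tiered indicators and run them over proxy logs. The log lines are constructed for the example; the tiering (exact URL, indicator host, bare C2 path) is this example's own design, and the path-only tier is deliberately marked weak because legitimate phpBB installations serve viewtopic.php too.

```python
from urllib.parse import urlparse

# Indicators copied from the "Malware Config" section of this report.
C2_URLS = [
    "http://londonleatherusa.com/forum/viewtopic.php",
    "http://luggage-tv.com/forum/viewtopic.php",
    "http://luggagecast.com/forum/viewtopic.php",
    "http://luggagejc.com/forum/viewtopic.php",
]
PAYLOAD_URLS = [
    "http://www.chs76ers.org/f9bszz5.exe",
    "http://diver-station.com.tw/DpBSrKJ.exe",
    "http://mulberry.com.hk/ZB1h.exe",
    "http://pdisb.net/s6Z2PSa.exe",
]

# Constructed proxy log (timestamp client method url status); not from the report.
SAMPLE_PROXY_LOG = """\
1668932230.123 10.0.0.15 POST http://luggagejc.com/forum/viewtopic.php 200
1668932231.456 10.0.0.15 GET http://www.chs76ers.org/f9bszz5.exe 200
1668932240.789 10.0.0.22 GET http://example.org/index.html 200
1668932250.001 10.0.0.22 POST http://forum.example.net/forum/viewtopic.php 200
1668932260.333 10.0.0.15 GET http://mulberry.com.hk/ 404
"""


def build_indicators(c2_urls, payload_urls):
    """Derive indicator tiers from the extracted config (compared case-insensitively)."""
    c2 = {u.lower() for u in c2_urls}
    payload = {u.lower() for u in payload_urls}
    hosts = {urlparse(u).hostname for u in c2 | payload}
    # Every C2 URL in this config shares one path, so the path alone is a weak,
    # high-false-positive indicator: phpBB forums use viewtopic.php legitimately.
    c2_paths = {urlparse(u).path for u in c2}
    return {"c2": c2, "payload": payload, "hosts": hosts, "c2_paths": c2_paths}


def classify_url(url, ind):
    """Return the strongest indicator tier a URL matches, or None."""
    u = url.lower()
    p = urlparse(u)
    if u in ind["c2"]:
        return "c2"
    if u in ind["payload"]:
        return "payload"
    if p.hostname in ind["hosts"]:
        return "host"       # same infrastructure, different path
    if p.path in ind["c2_paths"]:
        return "c2_path"    # weak: review before acting on it
    return None


def scan_proxy_log(text, ind):
    """Return (client, url, tier) for every log line that touches an indicator."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line: skip rather than crash the sweep
        _ts, client, _method, url, _status = fields[:5]
        tier = classify_url(url, ind)
        if tier:
            hits.append((client, url, tier))
    return hits


if __name__ == "__main__":
    indicators = build_indicators(C2_URLS, PAYLOAD_URLS)
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG, indicators):
        print(hit)
```

Run against the constructed log, client 10.0.0.15 surfaces an exact C2 hit, a payload download and a host-level hit on mulberry.com.hk, while 10.0.0.22 only trips the weak path tier and should be triaged, not blocked, on that alone.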
Signatures
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | 82de558b4b23bb435649e7e337d9aa2730b1030d7cb5db57bbcfaf720c1d6b9b.exe
-
Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | 82de558b4b23bb435649e7e337d9aa2730b1030d7cb5db57bbcfaf720c1d6b9b.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
description | pid | Process
Token: SeImpersonatePrivilege | 1500 | 82de558b4b23bb435649e7e337d9aa2730b1030d7cb5db57bbcfaf720c1d6b9b.exe
Token: SeTcbPrivilege | 1500 | 82de558b4b23bb435649e7e337d9aa2730b1030d7cb5db57bbcfaf720c1d6b9b.exe
Token: SeChangeNotifyPrivilege | 1500 | 82de558b4b23bb435649e7e337d9aa2730b1030d7cb5db57bbcfaf720c1d6b9b.exe
Token: SeCreateTokenPrivilege | 1500 | 82de558b4b23bb435649e7e337d9aa2730b1030d7cb5db57bbcfaf720c1d6b9b.exe
Token: SeBackupPrivilege | 1500 | 82de558b4b23bb435649e7e337d9aa2730b1030d7cb5db57bbcfaf720c1d6b9b.exe
Token: SeRestorePrivilege | 1500 | 82de558b4b23bb435649e7e337d9aa2730b1030d7cb5db57bbcfaf720c1d6b9b.exe
Token: SeIncreaseQuotaPrivilege | 1500 | 82de558b4b23bb435649e7e337d9aa2730b1030d7cb5db57bbcfaf720c1d6b9b.exe
Token: SeAssignPrimaryTokenPrivilege | 1500 | 82de558b4b23bb435649e7e337d9aa2730b1030d7cb5db57bbcfaf720c1d6b9b.exe
-
outlook_win_path 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | 82de558b4b23bb435649e7e337d9aa2730b1030d7cb5db57bbcfaf720c1d6b9b.exe
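The signatures above describe the host-side behaviour that makes this sample an infostealer: it opens the Outlook account and profile keys under the user hive, probes FTP client configuration, enumerates installed software through the Uninstall key, and enables privileges (SeTcb, SeCreateToken, SeAssignPrimaryToken, SeImpersonate) that a program run from %TEMP% has no reason to hold. The script below is an added example, not part of the sandbox report, that turns those IoC rows into per-process detection logic and runs it over constructed telemetry. The two Outlook registry paths are the report's own IoCs with the SID generalised; the FileZilla file names (sitemanager.xml, recentservers.xml) and the exact Uninstall key are this example's assumptions about what the corresponding signatures look for, and the allow-list for outlook.exe is the caveat a practitioner needs, since Outlook reads its own keys on every start.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Any per-user hive, so the rule is not tied to this sandbox's SID.
SID = r"S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]+"

# (rule name, event type, target pattern). The two Outlook keys are the IoCs
# from this report with the SID generalised; the FileZilla file names and the
# Uninstall key are assumptions about what the other signatures look for.
RULES = [
    ("outlook_accounts", "reg_open", re.compile(
        r"^\\REGISTRY\\USER\\" + SID +
        r"\\Software\\Microsoft\\Office\\Outlook\\OMI Account Manager\\Accounts$", re.I)),
    ("outlook_profiles", "reg_open", re.compile(
        r"^\\REGISTRY\\USER\\" + SID +
        r"\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook$", re.I)),
    ("ftp_client_config", "file_read", re.compile(
        r"\\FileZilla\\(sitemanager|recentservers)\.xml$", re.I)),
    ("installed_software_enum", "reg_open", re.compile(
        r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall$", re.I)),
]

# Privileges from the AdjustPrivilegeToken signature that a user-mode program
# dropped in %TEMP% has no business enabling.
HIGH_PRIVS = {"SeTcbPrivilege", "SeCreateTokenPrivilege",
              "SeAssignPrimaryTokenPrivilege", "SeImpersonatePrivilege"}

# Outlook itself reads its own account and profile keys; never flag it for that.
OUTLOOK_READERS = {"outlook.exe"}

SAMPLE = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
          "82de558b4b23bb435649e7e337d9aa2730b1030d7cb5db57bbcfaf720c1d6b9b.exe")
HIVE = "\\REGISTRY\\USER\\S-1-5-21-2292972927-2705560509-2768824231-1000"

# Constructed telemetry as (pid, image, event type, target). pid 1500 mirrors
# the report's IoC rows; 2044 (Outlook) and 3100 (msiexec) are benign controls.
SAMPLE_EVENTS = [
    (1500, SAMPLE, "reg_open", HIVE + "\\Software\\Microsoft\\Office\\Outlook\\OMI Account Manager\\Accounts"),
    (1500, SAMPLE, "reg_open", HIVE + "\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook"),
    (1500, SAMPLE, "file_read", "C:\\Users\\Admin\\AppData\\Roaming\\FileZilla\\sitemanager.xml"),
    (1500, SAMPLE, "priv_adjust", "SeTcbPrivilege"),
    (1500, SAMPLE, "priv_adjust", "SeCreateTokenPrivilege"),
    (1500, SAMPLE, "priv_adjust", "SeChangeNotifyPrivilege"),  # held by every token; ignored
    (2044, "C:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE", "reg_open",
     HIVE + "\\Software\\Microsoft\\Office\\Outlook\\OMI Account Manager\\Accounts"),
    (3100, "C:\\Windows\\System32\\msiexec.exe", "reg_open",
     "\\REGISTRY\\MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall"),
]


def evaluate(events):
    """Aggregate events per pid and return {pid: {image, hits, privs, verdict}}."""
    state = defaultdict(lambda: {"image": "", "hits": set(), "privs": set()})
    for pid, image, etype, target in events:
        rec = state[pid]
        rec["image"] = image
        exe = PureWindowsPath(image).name.lower()
        if etype == "priv_adjust":
            if target in HIGH_PRIVS:
                rec["privs"].add(target)
            continue
        for name, rule_type, pattern in RULES:
            if rule_type != etype or not pattern.search(target):
                continue
            if name.startswith("outlook_") and exe in OUTLOOK_READERS:
                continue  # the mail client reading its own configuration
            rec["hits"].add(name)
    results = {}
    for pid, rec in state.items():
        # Two distinct credential/config stores, or one store plus a dangerous
        # privilege adjustment, is the combination the report's signatures show.
        stealer = len(rec["hits"]) >= 2 or (rec["hits"] and rec["privs"])
        results[pid] = {
            "image": rec["image"],
            "hits": sorted(rec["hits"]),
            "privs": sorted(rec["privs"]),
            "verdict": "infostealer-like" if stealer else "benign",
        }
    return results


if __name__ == "__main__":
    for pid, res in evaluate(SAMPLE_EVENTS).items():
        print(pid, res["verdict"], res["hits"], res["privs"])
```

A single Uninstall-key read (msiexec here) is too common to act on by itself, which is why the verdict requires a second store or a privilege adjustment; the same logic maps onto Sysmon registry (event 12/13) and file events if the tuple fields are filled from those records.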
Processes
-
Image: C:\Users\Admin\AppData\Local\Temp\82de558b4b23bb435649e7e337d9aa2730b1030d7cb5db57bbcfaf720c1d6b9b.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\82de558b4b23bb435649e7e337d9aa2730b1030d7cb5db57bbcfaf720c1d6b9b.exe"
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_win_path
PID:1500