Analysis Overview
SHA256
82992542f37a4d188c69e394631b2c4aa634f7102bb371391e92ef2b26ec6383
Threat Level: Known bad
The file 82992542f37a4d188c69e394631b2c4aa634f7102bb371391e92ef2b26ec6383 was found to be: Known bad.
Malicious Activity Summary
Pony,Fareit
Drops file in Drivers directory
Checks computer location settings
Reads data files stored by FTP clients
Deletes itself
Reads user/profile data of web browsers
Checks installed software on the system
Accesses Microsoft Outlook profiles
Accesses Microsoft Outlook accounts
Enumerates physical storage devices
Runs ping.exe
outlook_win_path
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-11-20 08:17
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-11-20 08:17
Reported
2022-11-20 08:20
Platform
win7-20221111-en
Max time kernel
69s
Max time network
68s
Command Line
Signatures
Pony,Fareit
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\drivers\etc\tmp.tmp | C:\Users\Admin\AppData\Local\Temp\82992542f37a4d188c69e394631b2c4aa634f7102bb371391e92ef2b26ec6383.exe | N/A |
| File created | C:\Windows\system32\drivers\etc\hosts.sam | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\system32\drivers\etc\hosts.sam | C:\Windows\SysWOW64\cmd.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\82992542f37a4d188c69e394631b2c4aa634f7102bb371391e92ef2b26ec6383.exe | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\82992542f37a4d188c69e394631b2c4aa634f7102bb371391e92ef2b26ec6383.exe | N/A |
Checks installed software on the system
Enumerates physical storage devices
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\82992542f37a4d188c69e394631b2c4aa634f7102bb371391e92ef2b26ec6383.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\82992542f37a4d188c69e394631b2c4aa634f7102bb371391e92ef2b26ec6383.exe
"C:\Users\Admin\AppData\Local\Temp\82992542f37a4d188c69e394631b2c4aa634f7102bb371391e92ef2b26ec6383.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy C:\Windows\system32\drivers\etc\hosts C:\Windows\system32\drivers\etc\hosts.sam /Y && at 09:22:00 /every:M,T,W,Th,F,S,Su cmd.exe "/c attrib -H C:\Windows\system32\drivers\etc\hosts && copy C:\Users\Admin\AppData\Local\Temp\7146577aq C:\Windows\system32\drivers\etc\hosts /Y && attrib +H C:\Windows\system32\drivers\etc\hosts"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping -n 6 localhost && erase "C:\Users\Admin\AppData\Local\Temp\82992542f37a4d188c69e394631b2c4aa634f7102bb371391e92ef2b26ec6383.exe"
C:\Windows\SysWOW64\PING.EXE
ping -n 6 localhost
C:\Windows\SysWOW64\at.exe
at 09:22:00 /every:M,T,W,Th,F,S,Su cmd.exe "/c attrib -H C:\Windows\system32\drivers\etc\hosts && copy C:\Users\Admin\AppData\Local\Temp\7146577aq C:\Windows\system32\drivers\etc\hosts /Y && attrib +H C:\Windows\system32\drivers\etc\hosts"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | kurtst.pw | udp |
| N/A | 8.8.8.8:53 | kytrus.pw | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2022-11-20 08:17
Reported
2022-11-20 08:20
Platform
win10v2004-20221111-en
Max time kernel
144s
Max time network
158s
Command Line
Signatures
Pony,Fareit
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\drivers\etc\hosts.sam | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\system32\drivers\etc\tmp.tmp | C:\Users\Admin\AppData\Local\Temp\82992542f37a4d188c69e394631b2c4aa634f7102bb371391e92ef2b26ec6383.exe | N/A |
| File created | C:\Windows\system32\drivers\etc\hosts.sam | C:\Windows\SysWOW64\cmd.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\82992542f37a4d188c69e394631b2c4aa634f7102bb371391e92ef2b26ec6383.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\82992542f37a4d188c69e394631b2c4aa634f7102bb371391e92ef2b26ec6383.exe | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\82992542f37a4d188c69e394631b2c4aa634f7102bb371391e92ef2b26ec6383.exe | N/A |
Checks installed software on the system
Enumerates physical storage devices
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\82992542f37a4d188c69e394631b2c4aa634f7102bb371391e92ef2b26ec6383.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\82992542f37a4d188c69e394631b2c4aa634f7102bb371391e92ef2b26ec6383.exe
"C:\Users\Admin\AppData\Local\Temp\82992542f37a4d188c69e394631b2c4aa634f7102bb371391e92ef2b26ec6383.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy C:\Windows\system32\drivers\etc\hosts C:\Windows\system32\drivers\etc\hosts.sam /Y && at 09:21:00 /every:M,T,W,Th,F,S,Su cmd.exe "/c attrib -H C:\Windows\system32\drivers\etc\hosts && copy C:\Users\Admin\AppData\Local\Temp\240581843aq C:\Windows\system32\drivers\etc\hosts /Y && attrib +H C:\Windows\system32\drivers\etc\hosts"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping -n 6 localhost && erase "C:\Users\Admin\AppData\Local\Temp\82992542f37a4d188c69e394631b2c4aa634f7102bb371391e92ef2b26ec6383.exe"
C:\Windows\SysWOW64\at.exe
at 09:21:00 /every:M,T,W,Th,F,S,Su cmd.exe "/c attrib -H C:\Windows\system32\drivers\etc\hosts && copy C:\Users\Admin\AppData\Local\Temp\240581843aq C:\Windows\system32\drivers\etc\hosts /Y && attrib +H C:\Windows\system32\drivers\etc\hosts"
C:\Windows\SysWOW64\PING.EXE
ping -n 6 localhost
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | kurtst.pw | udp |
| N/A | 8.8.8.8:53 | kurtst.pw | udp |
| N/A | 8.8.8.8:53 | kurtst.pw | udp |
| N/A | 8.8.8.8:53 | kurtst.pw | udp |
| N/A | 8.8.8.8:53 | kurtst.pw | udp |
| N/A | 8.8.8.8:53 | kytrus.pw | udp |
| N/A | 52.168.117.169:443 | N/A | tcp |
| N/A | 104.80.225.205:443 | N/A | tcp |
| N/A | 178.79.208.1:80 | N/A | tcp |
| N/A | 178.79.208.1:80 | N/A | tcp |
| N/A | 178.79.208.1:80 | N/A | tcp |
| N/A | 8.238.24.126:80 | N/A | tcp |
| N/A | 8.238.24.126:80 | N/A | tcp |
| N/A | 209.197.3.8:80 | N/A | tcp |
| N/A | 8.238.24.126:80 | N/A | tcp |
Files