Analysis
max time kernel: 45s
max time network: 49s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 25-11-2022 23:59
Static task: static1
Behavioral task: behavioral1
Sample: 63f2cda34866403609afd766ec449f78bff877433a16f0aeb0bed86e98d29e98.exe
Resource: win7-20220901-en
General
Target: 63f2cda34866403609afd766ec449f78bff877433a16f0aeb0bed86e98d29e98.exe
Size: 1.7MB
MD5: fd860b8c9003b60b1e1d4cf5a81171a2
SHA1: 0d96bf07de613c46920d99282408421024472d11
SHA256: 63f2cda34866403609afd766ec449f78bff877433a16f0aeb0bed86e98d29e98
SHA512: cc4fda0f5fd20a07e101e179c10f2ba3bfef2574abc73784c918f5eb319f8a7d5a799f737e6de7b3128630b0b59b8cf0b4eb41500e910d7fab970b48ee1604c9
SSDEEP: 24576:h1TGH/LFxCGGmZu5P9dZd+R30w43EsNHM2GpZNqfTY0TDjm0jRbm:hUH/nCG52PDZd+iw43Emz2ZNiYqiu1
Malware Config
Extracted family: pony
C2 gate: http://www.estateboulv.com/html/nza/html/gate.php
(Pony is a credential stealer; the extracted URL is the panel gate the stolen data is posted to, which is why the signatures below are dominated by browser, FTP-client and Outlook credential reads.)
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Process: reg.exe (PID 1800)
  Set value (str): \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FolderName\\file.exe"
  The Shell value is what Winlogon/Userinit launches as the user's desktop shell at logon, so this makes the dropped copy of the sample run instead of explorer.exe for this user. The value is written under the user's own hive (HKCU), so it needs no elevation and is missed by checks that only look at HKLM.
-
Executes dropped EXE (1 IoC)
Process: svhost.exe (PID 1552)
-
Loads dropped DLL (1 IoC)
Process: 63f2cda34866403609afd766ec449f78bff877433a16f0aeb0bed86e98d29e98.exe (PID 2032)
-
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts (1 TTP, 1 IoC)
Process: svhost.exe (PID 1552)
  Key opened: \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
-
Accesses Microsoft Outlook profiles (1 TTP, 1 IoC)
Process: svhost.exe (PID 1552)
  Key opened: \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
-
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext (1 IoC)
Process: 63f2cda34866403609afd766ec449f78bff877433a16f0aeb0bed86e98d29e98.exe (PID 2032) set thread context of PID 1552 (svhost.exe)
  Read together with the nine WriteProcessMemory calls from PID 2032 into the same child (listed under "Suspicious use of WriteProcessMemory") and the repeated 0x400000-0x419000 dumps taken from PID 1552, this is the create-suspended, write, reset-context sequence used to replace a child's code before it runs (process hollowing). That reading is an interpretation of the recorded events; the sandbox itself only records the API calls.
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's canned description adds "likely ransomware behaviour", but this sample is identified as Pony (an infostealer) and no file encryption is recorded in this run; drive enumeration is equally consistent with a stealer walking attached drives for credential files, so the ransomware label should not be taken at face value here.
-
Delays execution with timeout.exe (1 IoC)
Process: timeout.exe (PID 1152), launched from svhost.bat as "timeout /t 300": a 300-second sleep, longer than the 45-49 s this analysis ran, so whatever svhost.bat does after the delay was not observed.
-
Suspicious behavior: EnumeratesProcesses (6 IoCs)
Process: 63f2cda34866403609afd766ec449f78bff877433a16f0aeb0bed86e98d29e98.exe (PID 2032), six hits
-
Suspicious use of AdjustPrivilegeToken (33 IoCs)
Process: 63f2cda34866403609afd766ec449f78bff877433a16f0aeb0bed86e98d29e98.exe (PID 2032)
  Token: SeDebugPrivilege (1 request)
Process: svhost.exe (PID 1552), the same eight privileges requested in four identical rounds (32 requests):
  SeImpersonatePrivilege, SeTcbPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeIncreaseQuotaPrivilege, SeAssignPrimaryTokenPrivilege
  AdjustTokenPrivileges can only enable privileges the token already holds, and SeTcbPrivilege, SeCreateTokenPrivilege and SeAssignPrimaryTokenPrivilege are not held by ordinary user tokens (elevated administrators included), so at least those are attempts; the sandbox records the request, not whether it succeeded.
-
Suspicious use of WriteProcessMemory (33 IoCs)
("sample" below is 63f2cda34866403609afd766ec449f78bff877433a16f0aeb0bed86e98d29e98.exe)
Writer (PID, image)      -> Target (PID, image)     Writes
2032 sample              -> 1688 cmd.exe             4
2032 sample              -> 1552 svhost.exe           9
1688 cmd.exe             -> 976  wscript.exe          4
976  wscript.exe         -> 1496 cmd.exe              4
1496 cmd.exe             -> 1800 reg.exe              4
2032 sample              -> 1592 cmd.exe              4
1592 cmd.exe             -> 1152 timeout.exe          4
Every process creation in this run is recorded as four writes from the parent into the new child (loader set-up, the same for the benign cmd.exe, wscript.exe, reg.exe and timeout.exe children). Only svhost.exe receives more; the five extra writes are where the parent delivers code into it before the SetThreadContext call recorded above.
-
outlook_win_path (1 IoC)
Process: svhost.exe (PID 1552)
  Key opened: \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (the same key as "Accesses Microsoft Outlook profiles"; this entry is the matching rule name)
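The SetThreadContext and WriteProcessMemory entries above are raw API events. The script below is an added example, not part of the sandbox report or any vendor's tooling, of correlating them into one finding: a parent that spawned a child, wrote into it beyond the loader baseline, and then reset a thread context in it. The event tuples are constructed by hand from the PIDs and counts in this report; the event shape (kind, actor PID, target PID, target image), the four-write loader baseline and the confidence labels are assumptions made for the example.

```python
"""Correlate process-creation, WriteProcessMemory and SetThreadContext events
into hollowing/injection findings.

Added example for this report, not sandbox code. The event shape
(kind, actor_pid, target_pid, target_image) and the loader baseline are
assumptions made for the example.
"""
from collections import defaultdict

SAMPLE = "63f2cda34866403609afd766ec449f78bff877433a16f0aeb0bed86e98d29e98.exe"

# Assumed baseline: in this run every process creation is recorded as four
# WriteProcessMemory calls from the parent into the new child (loader set-up),
# so only writes beyond that count are treated as payload delivery.
LOADER_WRITES = 4


def report_events():
    """Events reconstructed by hand from the report's Signatures section."""
    events = []

    def spawn(parent, child, image, writes=LOADER_WRITES):
        events.append(("process_create", parent, child, image))
        events.extend(("write_process_memory", parent, child, image)
                      for _ in range(writes))

    spawn(2032, 1688, "cmd.exe")
    spawn(2032, 1552, "svhost.exe", writes=9)   # nine writes, not four
    events.append(("set_thread_context", 2032, 1552, "svhost.exe"))
    spawn(1688, 976, "wscript.exe")
    spawn(976, 1496, "cmd.exe")
    spawn(1496, 1800, "reg.exe")
    spawn(2032, 1592, "cmd.exe")
    spawn(1592, 1152, "timeout.exe")
    return events


def find_injection(events, baseline=LOADER_WRITES):
    """Return one finding per (actor, target) pair where the actor reset a
    thread context in the target after writing to its memory.

    Confidence is 'high' when the actor also created the target and wrote
    more than the loader baseline (the hollowing pattern), 'medium' otherwise
    (a context reset into a process the actor did not create is still
    injection, but debuggers are a benign source of the same call).
    """
    created, ctx = set(), set()
    writes = defaultdict(int)
    image = {}
    for kind, actor, target, img in events:
        image[target] = img
        if kind == "process_create":
            created.add((actor, target))
        elif kind == "write_process_memory":
            writes[(actor, target)] += 1
        elif kind == "set_thread_context":
            ctx.add((actor, target))

    findings = []
    for actor, target in sorted(ctx):
        n = writes[(actor, target)]
        if n == 0:
            continue  # context change without any write: not this pattern
        spawned = (actor, target) in created
        findings.append({
            "actor": actor,
            "target": target,
            "image": image.get(target),
            "writes": n,
            "spawned_by_actor": spawned,
            "confidence": "high" if spawned and n > baseline else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in find_injection(report_events()):
        print(finding)
```

Run against the reconstructed events it yields exactly one finding, PID 2032 into PID 1552 (svhost.exe) with nine writes at high confidence; the cmd.exe, wscript.exe, reg.exe and timeout.exe children never fire because a context reset is required, not just writes.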
Processes
(the leading number is the depth in the process tree)

1. C:\Users\Admin\AppData\Local\Temp\63f2cda34866403609afd766ec449f78bff877433a16f0aeb0bed86e98d29e98.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\63f2cda34866403609afd766ec449f78bff877433a16f0aeb0bed86e98d29e98.exe"
   PID: 2032
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\FolderName\mata.bat
      PID: 1688
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\wscript.exe
         Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\FolderName\invs.vbs" "C:\Users\Admin\AppData\Local\Temp\FolderName\mata2.bat"
         PID: 976
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\cmd.exe
            Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\FolderName\mata2.bat" "
            PID: 1496
            - Suspicious use of WriteProcessMemory

            5. C:\Windows\SysWOW64\reg.exe
               Command line: reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderName\file.exe" /f
               PID: 1800
               - Modifies WinLogon for persistence

   2. C:\Users\Admin\AppData\Local\Temp\svhost.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\svhost.exe
      PID: 1552
      - Executes dropped EXE
      - Accesses Microsoft Outlook accounts
      - Accesses Microsoft Outlook profiles
      - Suspicious use of AdjustPrivilegeToken
      - outlook_win_path

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\FolderName\svhost.bat" "
      PID: 1592
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\timeout.exe
         Command line: timeout /t 300
         PID: 1152
         - Delays execution with timeout.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\FolderName\file.exe
  Filesize: 1.7MB
  MD5: fd860b8c9003b60b1e1d4cf5a81171a2
  SHA1: 0d96bf07de613c46920d99282408421024472d11
  SHA256: 63f2cda34866403609afd766ec449f78bff877433a16f0aeb0bed86e98d29e98
  SHA512: cc4fda0f5fd20a07e101e179c10f2ba3bfef2574abc73784c918f5eb319f8a7d5a799f737e6de7b3128630b0b59b8cf0b4eb41500e910d7fab970b48ee1604c9
  (All four hashes match the submitted sample: file.exe is a byte-for-byte self-copy, and it is the path written into the Winlogon Shell value.)
-
C:\Users\Admin\AppData\Local\Temp\FolderName\invs.vbs
  Filesize: 78B
  MD5: c578d9653b22800c3eb6b6a51219bbb8
  SHA1: a97aa251901bbe179a48dbc7a0c1872e163b1f2d
  SHA256: 20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2
  SHA512: 3ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d
-
C:\Users\Admin\AppData\Local\Temp\FolderName\mata.bat
  Filesize: 70B
  MD5: 23f72401196919748c14cb64c1d55c3b
  SHA1: 869e3809cb4391e6f5aee5349a871e40a1e1fb22
  SHA256: d09c4054568f89c5de2bd9bae9cbcbcb3ef2dda9a9ded0153e29da26dc405d11
  SHA512: 2ab844717c31c4819d8773d7604dfc831e950ae9e38fe311acf8178d46f39fafb54b448ebb6b9cf5d1edd47ed36eae11d649c1be346b0a35d380dd07101c79f1
-
C:\Users\Admin\AppData\Local\Temp\FolderName\mata2.bat
  Filesize: 264B
  MD5: 45d23b4fd5b312f783e0b79d66cf50dd
  SHA1: 6bd9a94566f15c90efd11beb9f059a608c5548cf
  SHA256: dff86170a2e18d684397ee1b7153a9872bbe3ca1f1b4631bdffd46e2f6e62497
  SHA512: 7bd3c9ead90fbc14448b700b4449030ae252e904cbbb10062d02a8238231f0bee62a5018dada89f483a0c50c47549616389272e900486e7c57dcd5171f6c1d7c
-
C:\Users\Admin\AppData\Local\Temp\FolderName\svhost.bat
  Filesize: 209B
  MD5: 3ba713a30330c94bc3f0d92fb337db0c
  SHA1: 1aa5bf3f8c05f0ab2d4ee1fd0e896613b090eaf3
  SHA256: f4ad6712f6c8cf58b6f7ca9fae11864498000306f8afd05b6ac447b2c82768eb
  SHA512: 4c8c18a92b932512bb559f45eac73c779be47c9c3c3ca2f8f644ee098bcfe776c82bb337e5f14eb0cf834a6476065c52c64327cd585205fb3c6d18d12460b1c6
-
C:\Users\Admin\AppData\Local\Temp\svhost.exe
  Filesize: 52KB
  MD5: 278edbd499374bf73621f8c1f969d894
  SHA1: a81170af14747781c5f5f51bb1215893136f0bc0
  SHA256: c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391
  SHA512: 93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9
  (The dropped host process: its name is one letter short of the system binary svchost.exe, but it runs from the user's Temp directory rather than System32, and it is the process that does the Outlook credential reads.)
-
\Users\Admin\AppData\Local\Temp\svhost.exe
  Filesize: 52KB
  MD5: 278edbd499374bf73621f8c1f969d894
  SHA1: a81170af14747781c5f5f51bb1215893136f0bc0
  SHA256: c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391
  SHA512: 93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9
  (same file as the entry above, recorded a second time under its drive-relative path)
-
Memory dumps
memory/976-70-0x0000000000000000-mapping.dmp
memory/1152-81-0x0000000000000000-mapping.dmp
memory/1496-75-0x0000000000000000-mapping.dmp
memory/1552-69-0x0000000000400000-0x0000000000419000-memory.dmp  (100KB)
memory/1552-59-0x0000000000400000-0x0000000000419000-memory.dmp  (100KB)
memory/1552-66-0x000000000040FF04-mapping.dmp
memory/1552-65-0x0000000000400000-0x0000000000419000-memory.dmp  (100KB)
memory/1552-63-0x0000000000400000-0x0000000000419000-memory.dmp  (100KB)
memory/1552-62-0x0000000000400000-0x0000000000419000-memory.dmp  (100KB)
memory/1552-60-0x0000000000400000-0x0000000000419000-memory.dmp  (100KB)
memory/1552-77-0x0000000000401000-0x0000000000413000-memory.dmp  (72KB)
memory/1592-78-0x0000000000000000-mapping.dmp
memory/1688-56-0x0000000000000000-mapping.dmp
memory/1800-76-0x0000000000000000-mapping.dmp
memory/2032-54-0x00000000766D1000-0x00000000766D3000-memory.dmp  (8KB)
memory/2032-82-0x0000000074E10000-0x00000000753BB000-memory.dmp  (5.7MB)
memory/2032-55-0x0000000074E10000-0x00000000753BB000-memory.dmp  (5.7MB)
All dumps taken from PID 1552 cover the 0x400000-0x419000 range, the image region of svhost.exe that PID 2032 wrote into and whose thread context it set; those dumps, not the 52KB file on disk, are the right starting point for analysing what svhost.exe actually ran.