Analysis
- max time kernel: 74s
- max time network: 139s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-11-2022 23:59
- Static task: static1
- Behavioral task: behavioral1
- Sample: 63f2cda34866403609afd766ec449f78bff877433a16f0aeb0bed86e98d29e98.exe
- Resource: win7-20220901-en
General
- Target: 63f2cda34866403609afd766ec449f78bff877433a16f0aeb0bed86e98d29e98.exe
- Size: 1.7MB
- MD5: fd860b8c9003b60b1e1d4cf5a81171a2
- SHA1: 0d96bf07de613c46920d99282408421024472d11
- SHA256: 63f2cda34866403609afd766ec449f78bff877433a16f0aeb0bed86e98d29e98
- SHA512: cc4fda0f5fd20a07e101e179c10f2ba3bfef2574abc73784c918f5eb319f8a7d5a799f737e6de7b3128630b0b59b8cf0b4eb41500e910d7fab970b48ee1604c9
- SSDEEP: 24576:h1TGH/LFxCGGmZu5P9dZd+R30w43EsNHM2GpZNqfTY0TDjm0jRbm:hUH/nCG52PDZd+iw43Emz2ZNiYqiu1
Malware Config
- Extracted family: pony
- URL: http://www.estateboulv.com/html/nza/html/gate.php
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
    3708 | svhost.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (description, ioc, process):
    Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | wscript.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook accounts (1 TTP, 1 IoC)
  Processes (description, ioc, process):
    Key opened | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | svhost.exe
- Accesses Microsoft Outlook profiles (1 TTP, 1 IoC)
  Processes (description, ioc, process):
    Key opened | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | svhost.exe
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops desktop.ini file(s) (2 IoCs)
  Processes (description, ioc, process):
    File created | C:\Windows\assembly\Desktop.ini | 63f2cda34866403609afd766ec449f78bff877433a16f0aeb0bed86e98d29e98.exe
    File opened for modification | C:\Windows\assembly\Desktop.ini | 63f2cda34866403609afd766ec449f78bff877433a16f0aeb0bed86e98d29e98.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description, pid, process, target process):
    PID 3444 set thread context of 3708 | 3444 | 63f2cda34866403609afd766ec449f78bff877433a16f0aeb0bed86e98d29e98.exe | svhost.exe
- Drops file in Windows directory (3 IoCs)
  Processes (description, ioc, process):
    File opened for modification | C:\Windows\assembly | 63f2cda34866403609afd766ec449f78bff877433a16f0aeb0bed86e98d29e98.exe
    File created | C:\Windows\assembly\Desktop.ini | 63f2cda34866403609afd766ec449f78bff877433a16f0aeb0bed86e98d29e98.exe
    File opened for modification | C:\Windows\assembly\Desktop.ini | 63f2cda34866403609afd766ec449f78bff877433a16f0aeb0bed86e98d29e98.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes (pid, process):
    3444 | 63f2cda34866403609afd766ec449f78bff877433a16f0aeb0bed86e98d29e98.exe (this entry is listed 6 times in the report)
- Suspicious use of AdjustPrivilegeToken (49 IoCs)
  Processes (description, pid, process):
    Token: SeDebugPrivilege | 3444 | 63f2cda34866403609afd766ec449f78bff877433a16f0aeb0bed86e98d29e98.exe
    Token: SeImpersonatePrivilege | 3708 | svhost.exe
    Token: SeTcbPrivilege | 3708 | svhost.exe
    Token: SeChangeNotifyPrivilege | 3708 | svhost.exe
    Token: SeCreateTokenPrivilege | 3708 | svhost.exe
    Token: SeBackupPrivilege | 3708 | svhost.exe
    Token: SeRestorePrivilege | 3708 | svhost.exe
    Token: SeIncreaseQuotaPrivilege | 3708 | svhost.exe
    Token: SeAssignPrimaryTokenPrivilege | 3708 | svhost.exe
  (The block of eight svhost.exe token entries above is repeated 6 times in the report, giving the 49 entries in total.)
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes (description, pid, process, target process):
    PID 3444 wrote to memory of 1876 | 3444 | 63f2cda34866403609afd766ec449f78bff877433a16f0aeb0bed86e98d29e98.exe | cmd.exe (listed 3 times)
    PID 1876 wrote to memory of 3104 | 1876 | cmd.exe | wscript.exe (listed 3 times)
    PID 3444 wrote to memory of 3708 | 3444 | 63f2cda34866403609afd766ec449f78bff877433a16f0aeb0bed86e98d29e98.exe | svhost.exe (listed 8 times)
- outlook_win_path (1 IoC)
  Processes (description, ioc, process):
    Key opened | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | svhost.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\63f2cda34866403609afd766ec449f78bff877433a16f0aeb0bed86e98d29e98.exe (PID 3444)
  Command line: "C:\Users\Admin\AppData\Local\Temp\63f2cda34866403609afd766ec449f78bff877433a16f0aeb0bed86e98d29e98.exe"
  Signatures:
  - Drops desktop.ini file(s)
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Windows\SysWOW64\cmd.exe (PID 1876)
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\FolderName\mata.bat
    Signatures:
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Windows\SysWOW64\wscript.exe (PID 3104)
      Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\FolderName\invs.vbs" "C:\Users\Admin\AppData\Local\Temp\FolderName\mata2.bat"
      Signatures:
      - Checks computer location settings
  - C:\Users\Admin\AppData\Local\Temp\svhost.exe (PID 3708)
    Command line: C:\Users\Admin\AppData\Local\Temp\svhost.exe
    Signatures:
    - Executes dropped EXE
    - Accesses Microsoft Outlook accounts
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\FolderName\invs.vbs
  Filesize: 78B
  MD5: c578d9653b22800c3eb6b6a51219bbb8
  SHA1: a97aa251901bbe179a48dbc7a0c1872e163b1f2d
  SHA256: 20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2
  SHA512: 3ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d
- C:\Users\Admin\AppData\Local\Temp\FolderName\mata.bat
  Filesize: 70B
  MD5: 23f72401196919748c14cb64c1d55c3b
  SHA1: 869e3809cb4391e6f5aee5349a871e40a1e1fb22
  SHA256: d09c4054568f89c5de2bd9bae9cbcbcb3ef2dda9a9ded0153e29da26dc405d11
  SHA512: 2ab844717c31c4819d8773d7604dfc831e950ae9e38fe311acf8178d46f39fafb54b448ebb6b9cf5d1edd47ed36eae11d649c1be346b0a35d380dd07101c79f1
- C:\Users\Admin\AppData\Local\Temp\FolderName\mata2.bat
  Filesize: 264B
  MD5: 45d23b4fd5b312f783e0b79d66cf50dd
  SHA1: 6bd9a94566f15c90efd11beb9f059a608c5548cf
  SHA256: dff86170a2e18d684397ee1b7153a9872bbe3ca1f1b4631bdffd46e2f6e62497
  SHA512: 7bd3c9ead90fbc14448b700b4449030ae252e904cbbb10062d02a8238231f0bee62a5018dada89f483a0c50c47549616389272e900486e7c57dcd5171f6c1d7c
- C:\Users\Admin\AppData\Local\Temp\svhost.exe
  Filesize: 52KB
  MD5: a64daca3cfbcd039df3ec29d3eddd001
  SHA1: eee8b2573f71e8d5c3ee7e53af3e6772e090d0f3
  SHA256: 403752009f29381d5e4036b8be94589c89188f9ce8ef5f86959eaaada019ed36
  SHA512: b6fe2d0ae3fcd4442579ecf10d498d61e0f042813c8fc4be8019da77d849cfcf0b168507139a1b5697227c272de9091788f8e03cf1ce13d5b5077568cfa6a479
- memory/1876-134-0x0000000000000000-mapping.dmp
- memory/3104-136-0x0000000000000000-mapping.dmp
- memory/3444-132-0x00000000753A0000-0x0000000075951000-memory.dmp
  Filesize: 5.7MB
- memory/3444-133-0x00000000753A0000-0x0000000075951000-memory.dmp
  Filesize: 5.7MB
- memory/3444-145-0x00000000753A0000-0x0000000075951000-memory.dmp
  Filesize: 5.7MB
- memory/3708-137-0x0000000000000000-mapping.dmp
- memory/3708-138-0x0000000000400000-0x0000000000419000-memory.dmp
  Filesize: 100KB
- memory/3708-142-0x0000000000400000-0x0000000000419000-memory.dmp
  Filesize: 100KB