Analysis
- max time kernel: 193s
- max time network: 182s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-11-2022 15:33
Static task: static1
Behavioral task: behavioral1
- Sample: cc3d7c241aadbb1abd102bd54e26dd8c487d0863e3fb752a7a44e946d20142ad.exe
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: cc3d7c241aadbb1abd102bd54e26dd8c487d0863e3fb752a7a44e946d20142ad.exe
- Resource: win10v2004-20221111-en
General
- Target: cc3d7c241aadbb1abd102bd54e26dd8c487d0863e3fb752a7a44e946d20142ad.exe
- Size: 280KB
- MD5: d78a2e8c8aeac70a63c65e07ad6ee368
- SHA1: e434cc7204eade9dd86db22292eb4fa28a0542dd
- SHA256: cc3d7c241aadbb1abd102bd54e26dd8c487d0863e3fb752a7a44e946d20142ad
- SHA512: 831866dbd686b57302bdec41305b6300f7fad52c94e7c03f0ec6c8e010bae318ee0a3f1e90a24f1253f976d0f890b1a46308239d23688be8a9f20219c66ba9bd
- SSDEEP: 6144:0kixjxFjYT8PWrg6P5yD1o4WNQqMe5R6zC:0pxjnjYhP5yD1qCqMMR6zC
Malware Config
Extracted: pony
- http://77.221.144.119/p/gate.php
- http://cityhotlove.com/p/gate.php
- http://freefinder.me/p/gate.php
Signatures
- Executes dropped EXE (2 IoCs)
  Processes:
    pid 4836, process sysnfycav.exe
    pid 3592, process sysnfycav.exe
- Processes:
    resource / yara_rule
    behavioral2/memory/3520-134-0x0000000000400000-0x000000000042B000-memory.dmp : upx
    behavioral2/memory/3520-136-0x0000000000400000-0x000000000042B000-memory.dmp : upx
    behavioral2/memory/3520-137-0x0000000000400000-0x000000000042B000-memory.dmp : upx
    behavioral2/memory/3520-141-0x0000000000400000-0x000000000042B000-memory.dmp : upx
    behavioral2/memory/3592-146-0x0000000000400000-0x000000000042B000-memory.dmp : upx
    behavioral2/memory/3592-147-0x0000000000400000-0x000000000042B000-memory.dmp : upx
    behavioral2/memory/3592-148-0x0000000000400000-0x000000000042B000-memory.dmp : upx
    behavioral2/memory/3592-149-0x0000000000400000-0x000000000042B000-memory.dmp : upx
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation
    process: cc3d7c241aadbb1abd102bd54e26dd8c487d0863e3fb752a7a44e946d20142ad.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook accounts (1 TTPs, 1 IoCs)
  Processes:
    description: Key opened
    ioc: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
    process: sysnfycav.exe
- Accesses Microsoft Outlook profiles (1 TTPs, 1 IoCs)
  Processes:
    description: Key opened
    ioc: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
    process: sysnfycav.exe
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
    description: Key created
    ioc: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run
    process: sysnfycav.exe

    description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SYS_UPDATE_FC3478697FDC0282A2C4D80 = "C:\\Users\\Admin\\AppData\\Roaming\\WinRAR\\sysnfycav.exe"
    process: sysnfycav.exe
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of SetThreadContext (2 IoCs)
  Processes:
    description: PID 4576 set thread context of 3520
    pid: 4576
    process: cc3d7c241aadbb1abd102bd54e26dd8c487d0863e3fb752a7a44e946d20142ad.exe
    target process: cc3d7c241aadbb1abd102bd54e26dd8c487d0863e3fb752a7a44e946d20142ad.exe

    description: PID 4836 set thread context of 3592
    pid: 4836
    process: sysnfycav.exe
    target process: sysnfycav.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes:
    pid 4576, process cc3d7c241aadbb1abd102bd54e26dd8c487d0863e3fb752a7a44e946d20142ad.exe (4 entries)
    pid 4836, process sysnfycav.exe (4 entries)
- Suspicious use of AdjustPrivilegeToken (16 IoCs)
  Processes:
    pid 3520, process cc3d7c241aadbb1abd102bd54e26dd8c487d0863e3fb752a7a44e946d20142ad.exe
      Token: SeImpersonatePrivilege, SeTcbPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeIncreaseQuotaPrivilege, SeAssignPrimaryTokenPrivilege
    pid 3592, process sysnfycav.exe
      Token: SeImpersonatePrivilege, SeTcbPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeIncreaseQuotaPrivilege, SeAssignPrimaryTokenPrivilege
- Suspicious use of WriteProcessMemory (19 IoCs)
  Processes:
    description: PID 4576 wrote to memory of 3520 (8 entries)
    pid: 4576
    process: cc3d7c241aadbb1abd102bd54e26dd8c487d0863e3fb752a7a44e946d20142ad.exe
    target process: cc3d7c241aadbb1abd102bd54e26dd8c487d0863e3fb752a7a44e946d20142ad.exe

    description: PID 3520 wrote to memory of 4836 (3 entries)
    pid: 3520
    process: cc3d7c241aadbb1abd102bd54e26dd8c487d0863e3fb752a7a44e946d20142ad.exe
    target process: sysnfycav.exe

    description: PID 4836 wrote to memory of 3592 (8 entries)
    pid: 4836
    process: sysnfycav.exe
    target process: sysnfycav.exe
- outlook_win_path (1 IoCs)
  Processes:
    description: Key opened
    ioc: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
    process: sysnfycav.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\cc3d7c241aadbb1abd102bd54e26dd8c487d0863e3fb752a7a44e946d20142ad.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\cc3d7c241aadbb1abd102bd54e26dd8c487d0863e3fb752a7a44e946d20142ad.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\Users\Admin\AppData\Local\Temp\cc3d7c241aadbb1abd102bd54e26dd8c487d0863e3fb752a7a44e946d20142ad.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\cc3d7c241aadbb1abd102bd54e26dd8c487d0863e3fb752a7a44e946d20142ad.exe"
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    Child process:
    - C:\Users\Admin\AppData\Roaming\WinRAR\sysnfycav.exe
      Command line: "C:\Users\Admin\AppData\Roaming\WinRAR\sysnfycav.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      Child process:
      - C:\Users\Admin\AppData\Roaming\WinRAR\sysnfycav.exe
        Command line: "C:\Users\Admin\AppData\Roaming\WinRAR\sysnfycav.exe"
        - Executes dropped EXE
        - Accesses Microsoft Outlook accounts
        - Accesses Microsoft Outlook profiles
        - Adds Run key to start application
        - Suspicious use of AdjustPrivilegeToken
        - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\WinRAR\sysnfycav.exe
  Filesize: 280KB
  MD5: d78a2e8c8aeac70a63c65e07ad6ee368
  SHA1: e434cc7204eade9dd86db22292eb4fa28a0542dd
  SHA256: cc3d7c241aadbb1abd102bd54e26dd8c487d0863e3fb752a7a44e946d20142ad
  SHA512: 831866dbd686b57302bdec41305b6300f7fad52c94e7c03f0ec6c8e010bae318ee0a3f1e90a24f1253f976d0f890b1a46308239d23688be8a9f20219c66ba9bd
- memory/3520-136-0x0000000000400000-0x000000000042B000-memory.dmp
  Filesize: 172KB
- memory/3520-137-0x0000000000400000-0x000000000042B000-memory.dmp
  Filesize: 172KB
- memory/3520-134-0x0000000000400000-0x000000000042B000-memory.dmp
  Filesize: 172KB
- memory/3520-141-0x0000000000400000-0x000000000042B000-memory.dmp
  Filesize: 172KB
- memory/3520-133-0x0000000000000000-mapping.dmp
- memory/3592-142-0x0000000000000000-mapping.dmp
- memory/3592-146-0x0000000000400000-0x000000000042B000-memory.dmp
  Filesize: 172KB
- memory/3592-147-0x0000000000400000-0x000000000042B000-memory.dmp
  Filesize: 172KB
- memory/3592-148-0x0000000000400000-0x000000000042B000-memory.dmp
  Filesize: 172KB
- memory/3592-149-0x0000000000400000-0x000000000042B000-memory.dmp
  Filesize: 172KB
- memory/4576-132-0x00000000004C0000-0x00000000004CD000-memory.dmp
  Filesize: 52KB
- memory/4836-138-0x0000000000000000-mapping.dmp