Analysis
max time kernel: 151s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-11-2022 21:28
Static task: static1
Behavioral task: behavioral1
  Sample: 8583a7b27f2f08665cfd9bfe81a58cac45fda9ea93f48cb226e5c818326895aa.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: 8583a7b27f2f08665cfd9bfe81a58cac45fda9ea93f48cb226e5c818326895aa.exe
  Resource: win10v2004-20220812-en
General
Target: 8583a7b27f2f08665cfd9bfe81a58cac45fda9ea93f48cb226e5c818326895aa.exe
Size: 2.1MB
MD5: 3aee1d3b499fdcbb350151761e99bad3
SHA1: b8835a0230b87317d795301712bd9fba049f4928
SHA256: 8583a7b27f2f08665cfd9bfe81a58cac45fda9ea93f48cb226e5c818326895aa
SHA512: 872911943165a5b059008e5b83e74aed5f17274e67dab086a7f86ad7c517b84e56d062daccc29316a78e2875dff05907a51a74d19b0d66b431a92a66d16128a9
SSDEEP: 49152:A0l4lo5JJ41mCsXBbKu6pYfSaiLphjORS85V0wKt4dZC6hAAAAXt:A0qqB41tZbqGjYS2KhWC6O
Malware Config
Extracted
pony
http://rebeccasun.webatu.com/pony/gate.php
Signatures

Drops file in Drivers directory 1 IoCs
Processes: 8583a7b27f2f08665cfd9bfe81a58cac45fda9ea93f48cb226e5c818326895aa.exe
  description | ioc | process
  File opened for modification | C:\Windows\system32\drivers\etc\hosts | 8583a7b27f2f08665cfd9bfe81a58cac45fda9ea93f48cb226e5c818326895aa.exe
Executes dropped EXE 1 IoCs
Processes: cdOGqEc0RiM5L3b5.exe
  pid | process
  1352 | cdOGqEc0RiM5L3b5.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: 8583a7b27f2f08665cfd9bfe81a58cac45fda9ea93f48cb226e5c818326895aa.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | 8583a7b27f2f08665cfd9bfe81a58cac45fda9ea93f48cb226e5c818326895aa.exe
Uses the VBS compiler for execution 1 TTPs
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes: vbc.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | vbc.exe
Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
Processes: vbc.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | vbc.exe
Suspicious use of SetThreadContext 1 IoCs
Processes: 8583a7b27f2f08665cfd9bfe81a58cac45fda9ea93f48cb226e5c818326895aa.exe
  description | pid | process | target process
  PID 4328 set thread context of 1260 | 4328 | 8583a7b27f2f08665cfd9bfe81a58cac45fda9ea93f48cb226e5c818326895aa.exe | vbc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: 8583a7b27f2f08665cfd9bfe81a58cac45fda9ea93f48cb226e5c818326895aa.exe, cdOGqEc0RiM5L3b5.exe
  pid | process
  4328 | 8583a7b27f2f08665cfd9bfe81a58cac45fda9ea93f48cb226e5c818326895aa.exe (2 entries)
  1352 | cdOGqEc0RiM5L3b5.exe (all remaining entries)
Suspicious use of AdjustPrivilegeToken 49 IoCs
Processes: 8583a7b27f2f08665cfd9bfe81a58cac45fda9ea93f48cb226e5c818326895aa.exe, vbc.exe
  description | pid | process
  Token: SeDebugPrivilege | 4328 | 8583a7b27f2f08665cfd9bfe81a58cac45fda9ea93f48cb226e5c818326895aa.exe
  Token: SeImpersonatePrivilege | 1260 | vbc.exe
  Token: SeTcbPrivilege | 1260 | vbc.exe
  Token: SeChangeNotifyPrivilege | 1260 | vbc.exe
  Token: SeCreateTokenPrivilege | 1260 | vbc.exe
  Token: SeBackupPrivilege | 1260 | vbc.exe
  Token: SeRestorePrivilege | 1260 | vbc.exe
  Token: SeIncreaseQuotaPrivilege | 1260 | vbc.exe
  Token: SeAssignPrimaryTokenPrivilege | 1260 | vbc.exe
  (the eight vbc.exe entries above recur six times in the original listing: 48 entries, 49 IoCs in total with the SeDebugPrivilege entry)
Suspicious use of SetWindowsHookEx 1 IoCs
Processes: cdOGqEc0RiM5L3b5.exe
  pid | process
  1352 | cdOGqEc0RiM5L3b5.exe
Suspicious use of WriteProcessMemory 11 IoCs
Processes: 8583a7b27f2f08665cfd9bfe81a58cac45fda9ea93f48cb226e5c818326895aa.exe
  description | pid | process | target process
  PID 4328 wrote to memory of 1352 | 4328 | 8583a7b27f2f08665cfd9bfe81a58cac45fda9ea93f48cb226e5c818326895aa.exe | cdOGqEc0RiM5L3b5.exe (3 entries)
  PID 4328 wrote to memory of 1260 | 4328 | 8583a7b27f2f08665cfd9bfe81a58cac45fda9ea93f48cb226e5c818326895aa.exe | vbc.exe (8 entries)
outlook_win_path 1 IoCs
Processes: vbc.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | vbc.exe
Processes
C:\Users\Admin\AppData\Local\Temp\8583a7b27f2f08665cfd9bfe81a58cac45fda9ea93f48cb226e5c818326895aa.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\8583a7b27f2f08665cfd9bfe81a58cac45fda9ea93f48cb226e5c818326895aa.exe"
  - Drops file in Drivers directory
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\cdOGqEc0RiM5L3b5.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\cdOGqEc0RiM5L3b5.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx

  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
    - Accesses Microsoft Outlook accounts
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\cdOGqEc0RiM5L3b5.exe
  Filesize: 1.8MB
  MD5: a73f1d9524938ea432e69d6d20796f93
  SHA1: 51d1480f868742a13da3c4692d9245c74bfd53da
  SHA256: 08f92f133bb20adbb8bfb2b3c2c0a4e91cd74abfea8c69c107174d0e3b243bfa
  SHA512: 17af0f18a2de71d42f5cbc3014304af5afc3489136ec8a24a48f6298f0a3f81cb80e2a1c6e4cf85b50740e1a5c71a1901dc5d1a28737bbacef0f1790404b5b59
memory/1260-137-0x0000000000000000-mapping.dmp
memory/1260-138-0x0000000000400000-0x0000000000419000-memory.dmp  Filesize: 100KB
memory/1260-140-0x0000000000400000-0x0000000000419000-memory.dmp  Filesize: 100KB
memory/1260-142-0x0000000000400000-0x0000000000419000-memory.dmp  Filesize: 100KB
memory/1260-143-0x0000000000400000-0x0000000000419000-memory.dmp  Filesize: 100KB
memory/1260-144-0x0000000000400000-0x0000000000419000-memory.dmp  Filesize: 100KB
memory/1352-134-0x0000000000000000-mapping.dmp
memory/4328-132-0x0000000075510000-0x0000000075AC1000-memory.dmp  Filesize: 5.7MB
memory/4328-133-0x0000000075510000-0x0000000075AC1000-memory.dmp  Filesize: 5.7MB
memory/4328-141-0x0000000075510000-0x0000000075AC1000-memory.dmp  Filesize: 5.7MB