Analysis
-
max time kernel
206s -
max time network
208s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
26/11/2022, 01:04
Static task
static1
Behavioral task
behavioral1
Sample
Dhl-Information.pdf.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
Dhl-Information.pdf.exe
Resource
win10v2004-20221111-en
General
-
Target
Dhl-Information.pdf.exe
-
Size
146KB
-
MD5
0596c354d3bc4a70f76e86ac44e5179e
-
SHA1
de5db12f41c299116aeaf27d1d6b66c1649d3890
-
SHA256
b152f74631608d6c84e7b406121c19d0b4e75993e11ee8e2bddbacfa7942f639
-
SHA512
424ce957cb7631d632ce5f1cb806f9a67a78f8e43f856b321c1f08270148fc92edf921f59fd58e6c3ee999619fef46c2612e8768ace0dbd422abc804fd15626d
-
SSDEEP
3072:Ws7dFzS0qcFuKAfCw7ntjPGy/gud9T7Pxgvk4C21sr7c85GKdMkvtFx0iuFRQWHK:Ws7dFzS0I9Kej+r69GvXCei7qTTiuaW
Malware Config
Extracted
pony
http://185.7.35.9/~peakedca/home/gate.php
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation Dhl-Information.pdf.exe -
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts vbc.exe -
Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook vbc.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4012 set thread context of 3552 4012 Dhl-Information.pdf.exe 85 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: RenamesItself 1 IoCs
pid Process 4012 Dhl-Information.pdf.exe -
Suspicious use of AdjustPrivilegeToken 50 IoCs
description pid Process Token: SeDebugPrivilege 4012 Dhl-Information.pdf.exe Token: SeImpersonatePrivilege 3552 vbc.exe Token: SeTcbPrivilege 3552 vbc.exe Token: SeChangeNotifyPrivilege 3552 vbc.exe Token: SeCreateTokenPrivilege 3552 vbc.exe Token: SeBackupPrivilege 3552 vbc.exe Token: SeRestorePrivilege 3552 vbc.exe Token: SeIncreaseQuotaPrivilege 3552 vbc.exe Token: SeAssignPrimaryTokenPrivilege 3552 vbc.exe Token: SeImpersonatePrivilege 3552 vbc.exe Token: SeTcbPrivilege 3552 vbc.exe Token: SeChangeNotifyPrivilege 3552 vbc.exe Token: SeCreateTokenPrivilege 3552 vbc.exe Token: SeBackupPrivilege 3552 vbc.exe Token: SeRestorePrivilege 3552 vbc.exe Token: SeIncreaseQuotaPrivilege 3552 vbc.exe Token: SeAssignPrimaryTokenPrivilege 3552 vbc.exe Token: SeImpersonatePrivilege 3552 vbc.exe Token: SeTcbPrivilege 3552 vbc.exe Token: SeChangeNotifyPrivilege 3552 vbc.exe Token: SeCreateTokenPrivilege 3552 vbc.exe Token: SeBackupPrivilege 3552 vbc.exe Token: SeRestorePrivilege 3552 vbc.exe Token: SeIncreaseQuotaPrivilege 3552 vbc.exe Token: SeAssignPrimaryTokenPrivilege 3552 vbc.exe Token: SeImpersonatePrivilege 3552 vbc.exe Token: SeTcbPrivilege 3552 vbc.exe Token: SeChangeNotifyPrivilege 3552 vbc.exe Token: SeCreateTokenPrivilege 3552 vbc.exe Token: SeBackupPrivilege 3552 vbc.exe Token: SeRestorePrivilege 3552 vbc.exe Token: SeIncreaseQuotaPrivilege 3552 vbc.exe Token: SeAssignPrimaryTokenPrivilege 3552 vbc.exe Token: SeImpersonatePrivilege 3552 vbc.exe Token: SeTcbPrivilege 3552 vbc.exe Token: SeChangeNotifyPrivilege 3552 vbc.exe Token: SeCreateTokenPrivilege 3552 vbc.exe Token: SeBackupPrivilege 3552 vbc.exe Token: SeRestorePrivilege 3552 vbc.exe Token: SeIncreaseQuotaPrivilege 3552 vbc.exe Token: SeAssignPrimaryTokenPrivilege 3552 vbc.exe Token: SeImpersonatePrivilege 3552 vbc.exe Token: SeTcbPrivilege 3552 vbc.exe Token: SeChangeNotifyPrivilege 3552 vbc.exe Token: SeCreateTokenPrivilege 3552 vbc.exe Token: SeBackupPrivilege 3552 vbc.exe Token: SeRestorePrivilege 3552 vbc.exe Token: SeIncreaseQuotaPrivilege 3552 vbc.exe Token: SeAssignPrimaryTokenPrivilege 3552 vbc.exe Token: SeDebugPrivilege 2232 takshost.exe -
Suspicious use of WriteProcessMemory 14 IoCs
description pid Process procid_target PID 4012 wrote to memory of 3552 4012 Dhl-Information.pdf.exe 85 PID 4012 wrote to memory of 3552 4012 Dhl-Information.pdf.exe 85 PID 4012 wrote to memory of 3552 4012 Dhl-Information.pdf.exe 85 PID 4012 wrote to memory of 3552 4012 Dhl-Information.pdf.exe 85 PID 4012 wrote to memory of 3552 4012 Dhl-Information.pdf.exe 85 PID 4012 wrote to memory of 3552 4012 Dhl-Information.pdf.exe 85 PID 4012 wrote to memory of 3552 4012 Dhl-Information.pdf.exe 85 PID 4012 wrote to memory of 3552 4012 Dhl-Information.pdf.exe 85 PID 4012 wrote to memory of 2232 4012 Dhl-Information.pdf.exe 86 PID 4012 wrote to memory of 2232 4012 Dhl-Information.pdf.exe 86 PID 4012 wrote to memory of 2232 4012 Dhl-Information.pdf.exe 86 PID 3552 wrote to memory of 1956 3552 vbc.exe 87 PID 3552 wrote to memory of 1956 3552 vbc.exe 87 PID 3552 wrote to memory of 1956 3552 vbc.exe 87 -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook vbc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Dhl-Information.pdf.exe"C:\Users\Admin\AppData\Local\Temp\Dhl-Information.pdf.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4012 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"2⤵
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_win_path
PID:3552 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240653328.bat" "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" "3⤵PID:1956
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2232
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
94B
MD53880eeb1c736d853eb13b44898b718ab
SHA14eec9d50360cd815211e3c4e6bdd08271b6ec8e6
SHA256936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7
SHA5123eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b