Analysis
-
max time kernel: 168s
max time network: 205s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-11-2022 02:04
Static task
static1
Behavioral task
behavioral1
Sample
83fe7ac2262980a94861891f4a49e3e4fc12aeca2b06bda2e58ff3f4f62eb558.exe
Resource
win7-20220812-en
General
-
Target
83fe7ac2262980a94861891f4a49e3e4fc12aeca2b06bda2e58ff3f4f62eb558.exe
-
Size
297KB
-
MD5
c446479bcfeeba0cf0b7df77dff5baef
-
SHA1
536fe412431ceac140dc2ac7a2a5d4107551d3fb
-
SHA256
83fe7ac2262980a94861891f4a49e3e4fc12aeca2b06bda2e58ff3f4f62eb558
-
SHA512
095f454845ddf29c876cf7d5524c15d7345672a6fe74aa09574accecca7e5ef6333e4366790aec10e5f832e0f6f3794ed1dce4189c46f987acb8719d60dea63d
-
SSDEEP
6144:NRs9OAwWCadFPSMzW5fJ6GuSjisgGDErz9jkf806MKjYR:NRGOAwWZofLjRgGW948VjY
Malware Config
Extracted
pony
http://coco-bomgo.ru/wp-content/themes/twentytwelve/admin1/php/gate.php
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
Processes: FB_C994.tmp.exe, FB_CAED.tmp.exe
pid | process
4108 | FB_C994.tmp.exe
4116 | FB_CAED.tmp.exe
-
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\FB_CAED.tmp.exe | upx
C:\Users\Admin\AppData\Local\Temp\FB_CAED.tmp.exe | upx
behavioral2/memory/4116-147-0x0000000000400000-0x000000000041C000-memory.dmp | upx
behavioral2/memory/4116-148-0x0000000000400000-0x000000000041C000-memory.dmp | upx
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Processes: 83fe7ac2262980a94861891f4a49e3e4fc12aeca2b06bda2e58ff3f4f62eb558.exe, 83fe7ac2262980a94861891f4a49e3e4fc12aeca2b06bda2e58ff3f4f62eb558.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation | 83fe7ac2262980a94861891f4a49e3e4fc12aeca2b06bda2e58ff3f4f62eb558.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation | 83fe7ac2262980a94861891f4a49e3e4fc12aeca2b06bda2e58ff3f4f62eb558.exe
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
Processes: FB_CAED.tmp.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | FB_CAED.tmp.exe
-
Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
Processes:
Processes: FB_CAED.tmp.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | FB_CAED.tmp.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
Processes: 83fe7ac2262980a94861891f4a49e3e4fc12aeca2b06bda2e58ff3f4f62eb558.exe
description | pid | process | target process
PID 732 set thread context of 4304 | 732 | 83fe7ac2262980a94861891f4a49e3e4fc12aeca2b06bda2e58ff3f4f62eb558.exe | 83fe7ac2262980a94861891f4a49e3e4fc12aeca2b06bda2e58ff3f4f62eb558.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs net.exe
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes:
Processes: FB_CAED.tmp.exe
description | pid | process
Token: SeImpersonatePrivilege | 4116 | FB_CAED.tmp.exe
Token: SeTcbPrivilege | 4116 | FB_CAED.tmp.exe
Token: SeChangeNotifyPrivilege | 4116 | FB_CAED.tmp.exe
Token: SeCreateTokenPrivilege | 4116 | FB_CAED.tmp.exe
Token: SeBackupPrivilege | 4116 | FB_CAED.tmp.exe
Token: SeRestorePrivilege | 4116 | FB_CAED.tmp.exe
Token: SeIncreaseQuotaPrivilege | 4116 | FB_CAED.tmp.exe
Token: SeAssignPrimaryTokenPrivilege | 4116 | FB_CAED.tmp.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
Processes: 83fe7ac2262980a94861891f4a49e3e4fc12aeca2b06bda2e58ff3f4f62eb558.exe
pid | process
732 | 83fe7ac2262980a94861891f4a49e3e4fc12aeca2b06bda2e58ff3f4f62eb558.exe
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes:
Processes: 83fe7ac2262980a94861891f4a49e3e4fc12aeca2b06bda2e58ff3f4f62eb558.exe, net.exe, 83fe7ac2262980a94861891f4a49e3e4fc12aeca2b06bda2e58ff3f4f62eb558.exe
description | pid | process | target process
PID 732 wrote to memory of 2964 | 732 | 83fe7ac2262980a94861891f4a49e3e4fc12aeca2b06bda2e58ff3f4f62eb558.exe | net.exe
PID 732 wrote to memory of 2964 | 732 | 83fe7ac2262980a94861891f4a49e3e4fc12aeca2b06bda2e58ff3f4f62eb558.exe | net.exe
PID 732 wrote to memory of 2964 | 732 | 83fe7ac2262980a94861891f4a49e3e4fc12aeca2b06bda2e58ff3f4f62eb558.exe | net.exe
PID 2964 wrote to memory of 4244 | 2964 | net.exe | net1.exe
PID 2964 wrote to memory of 4244 | 2964 | net.exe | net1.exe
PID 2964 wrote to memory of 4244 | 2964 | net.exe | net1.exe
PID 732 wrote to memory of 4304 | 732 | 83fe7ac2262980a94861891f4a49e3e4fc12aeca2b06bda2e58ff3f4f62eb558.exe | 83fe7ac2262980a94861891f4a49e3e4fc12aeca2b06bda2e58ff3f4f62eb558.exe
PID 732 wrote to memory of 4304 | 732 | 83fe7ac2262980a94861891f4a49e3e4fc12aeca2b06bda2e58ff3f4f62eb558.exe | 83fe7ac2262980a94861891f4a49e3e4fc12aeca2b06bda2e58ff3f4f62eb558.exe
PID 732 wrote to memory of 4304 | 732 | 83fe7ac2262980a94861891f4a49e3e4fc12aeca2b06bda2e58ff3f4f62eb558.exe | 83fe7ac2262980a94861891f4a49e3e4fc12aeca2b06bda2e58ff3f4f62eb558.exe
PID 732 wrote to memory of 4304 | 732 | 83fe7ac2262980a94861891f4a49e3e4fc12aeca2b06bda2e58ff3f4f62eb558.exe | 83fe7ac2262980a94861891f4a49e3e4fc12aeca2b06bda2e58ff3f4f62eb558.exe
PID 732 wrote to memory of 4304 | 732 | 83fe7ac2262980a94861891f4a49e3e4fc12aeca2b06bda2e58ff3f4f62eb558.exe | 83fe7ac2262980a94861891f4a49e3e4fc12aeca2b06bda2e58ff3f4f62eb558.exe
PID 732 wrote to memory of 4304 | 732 | 83fe7ac2262980a94861891f4a49e3e4fc12aeca2b06bda2e58ff3f4f62eb558.exe | 83fe7ac2262980a94861891f4a49e3e4fc12aeca2b06bda2e58ff3f4f62eb558.exe
PID 732 wrote to memory of 4304 | 732 | 83fe7ac2262980a94861891f4a49e3e4fc12aeca2b06bda2e58ff3f4f62eb558.exe | 83fe7ac2262980a94861891f4a49e3e4fc12aeca2b06bda2e58ff3f4f62eb558.exe
PID 732 wrote to memory of 4304 | 732 | 83fe7ac2262980a94861891f4a49e3e4fc12aeca2b06bda2e58ff3f4f62eb558.exe | 83fe7ac2262980a94861891f4a49e3e4fc12aeca2b06bda2e58ff3f4f62eb558.exe
PID 732 wrote to memory of 4304 | 732 | 83fe7ac2262980a94861891f4a49e3e4fc12aeca2b06bda2e58ff3f4f62eb558.exe | 83fe7ac2262980a94861891f4a49e3e4fc12aeca2b06bda2e58ff3f4f62eb558.exe
PID 4304 wrote to memory of 4108 | 4304 | 83fe7ac2262980a94861891f4a49e3e4fc12aeca2b06bda2e58ff3f4f62eb558.exe | FB_C994.tmp.exe
PID 4304 wrote to memory of 4108 | 4304 | 83fe7ac2262980a94861891f4a49e3e4fc12aeca2b06bda2e58ff3f4f62eb558.exe | FB_C994.tmp.exe
PID 4304 wrote to memory of 4108 | 4304 | 83fe7ac2262980a94861891f4a49e3e4fc12aeca2b06bda2e58ff3f4f62eb558.exe | FB_C994.tmp.exe
PID 4304 wrote to memory of 4116 | 4304 | 83fe7ac2262980a94861891f4a49e3e4fc12aeca2b06bda2e58ff3f4f62eb558.exe | FB_CAED.tmp.exe
PID 4304 wrote to memory of 4116 | 4304 | 83fe7ac2262980a94861891f4a49e3e4fc12aeca2b06bda2e58ff3f4f62eb558.exe | FB_CAED.tmp.exe
PID 4304 wrote to memory of 4116 | 4304 | 83fe7ac2262980a94861891f4a49e3e4fc12aeca2b06bda2e58ff3f4f62eb558.exe | FB_CAED.tmp.exe
-
outlook_win_path 1 IoCs
Processes:
Processes: FB_CAED.tmp.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | FB_CAED.tmp.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\83fe7ac2262980a94861891f4a49e3e4fc12aeca2b06bda2e58ff3f4f62eb558.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\83fe7ac2262980a94861891f4a49e3e4fc12aeca2b06bda2e58ff3f4f62eb558.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\net.exe
    command line: "C:\Windows\System32\net.exe" stop sharedaccess
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\net1.exe
      command line: C:\Windows\system32\net1 stop sharedaccess
  C:\Users\Admin\AppData\Local\Temp\83fe7ac2262980a94861891f4a49e3e4fc12aeca2b06bda2e58ff3f4f62eb558.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\83fe7ac2262980a94861891f4a49e3e4fc12aeca2b06bda2e58ff3f4f62eb558.exe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\FB_C994.tmp.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\FB_C994.tmp.exe"
      - Executes dropped EXE
    C:\Users\Admin\AppData\Local\Temp\FB_CAED.tmp.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\FB_CAED.tmp.exe"
      - Executes dropped EXE
      - Accesses Microsoft Outlook accounts
      - Accesses Microsoft Outlook profiles
      - Suspicious use of AdjustPrivilegeToken
      - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\FB_C994.tmp.exe
Filesize 138KB
MD5 2370b6bb61ccd369f29f59b7d2ca14a4
SHA1 cc93ff693771b16bc1b50363166d1338c6ec3ff5
SHA256 e3faf2e2f4579e380cab0f2587fa40ded664a0e475183681668fc348cbd8f9f1
SHA512 d7bd2edbfb785b2eaf6594c1bb9c4fc3b94f134d0466c2e817c83383be385eea9fa0f2413e72ec7158ab55c40e50d8879736b6b9365649f8036d5f475a70a676
-
C:\Users\Admin\AppData\Local\Temp\FB_CAED.tmp.exe
Filesize 34KB
MD5 c35fde5a758e7a483c4f5324e06969b0
SHA1 739845158e3d535e030153e0515fc6abe044d792
SHA256 922fe72860eb43ad02f4255db52e7ac612314846c7839d1e8a830135b15f67e5
SHA512 7efff311582fb09a1822e8e9f719730871801c7cc1a285ab47b2ff68f5592b41a42319f0a697dc1faedd9f99390a5c3f6537f857d9624b3a1110f94c6bedff7b
-
memory/2964-134-0x0000000000000000-mapping.dmp
-
memory/4108-140-0x0000000000000000-mapping.dmp
-
memory/4116-143-0x0000000000000000-mapping.dmp
-
memory/4116-147-0x0000000000400000-0x000000000041C000-memory.dmp
Filesize 112KB
-
memory/4116-148-0x0000000000400000-0x000000000041C000-memory.dmp
Filesize 112KB
-
memory/4244-135-0x0000000000000000-mapping.dmp
-
memory/4304-136-0x0000000000000000-mapping.dmp
-
memory/4304-139-0x0000000000400000-0x0000000000430000-memory.dmp
Filesize 192KB
-
memory/4304-137-0x0000000000400000-0x0000000000430000-memory.dmp
Filesize 192KB
-
memory/4304-146-0x0000000000400000-0x0000000000430000-memory.dmp
Filesize 192KB