Analysis
- max time kernel: 166s
- max time network: 183s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-11-2022 02:16
Static task: static1
Behavioral task: behavioral1
Sample: product.scr
Resource: win7-20221111-en
General
- Target: product.scr
- Size: 624KB
- MD5: fff4955ffce3b5e5260408e7fef6872d
- SHA1: 78b85c6cb35cb007882ecce9602b60cd6c5bae97
- SHA256: a894c9771d9cf0a526dc628e2aaf508db00fac2cf5f3aa45688b6a10366dc19f
- SHA512: e50b4668c8247b5c582d8818fdffaa9e4d7eb740197f7fc328b2defdd96b41bc472b04591b6ebfd87ec39e8faf7065b6304b0793270f7ffa7ab4db30d6ba0e75
- SSDEEP: 12288:mcER/WFqpOCIYqv2/eso4QDiWVpDiKiS9BYM1efta7iXS6GnEv0CNisXoNBW9x:mcER/WFqpOCIYqv2/eso4QDiW3DiKiSM
Malware Config
Extracted
pony
http://190.14.37.80/akpos/Panel/Panelz/gate.php
Signatures
-
Executes dropped EXE 5 IoCs
Processes:
pid | process
1736 | mamade.exe
3636 | Scan002.scr
3168 | mamade.exe
4312 | Scan002.scr
4908 | mamade.exe
Processes:
resource | yara_rule
behavioral2/memory/4312-152-0x0000000000400000-0x0000000001400000-memory.dmp | upx
behavioral2/memory/4908-159-0x0000000000400000-0x000000000041C000-memory.dmp | upx
behavioral2/memory/4312-161-0x0000000000400000-0x0000000001400000-memory.dmp | upx
behavioral2/memory/4312-165-0x0000000000400000-0x000000000041C000-memory.dmp | upx
behavioral2/memory/4312-163-0x0000000000400000-0x0000000001400000-memory.dmp | upx
behavioral2/memory/4908-166-0x0000000000400000-0x000000000041C000-memory.dmp | upx
behavioral2/memory/4312-167-0x0000000000400000-0x000000000041C000-memory.dmp | upx
Drops startup file 3 IoCs
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mamade.exe | product.scr
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mamade.exe | product.scr
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mamade.exe | mamade.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 2 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | mamade.exe
Key opened | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | Scan002.scr
Accesses Microsoft Outlook profiles 1 TTPs 2 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | mamade.exe
Key opened | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | Scan002.scr
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
description | pid | process | target process
PID 1736 set thread context of 3168 | 1736 | mamade.exe | mamade.exe
PID 3636 set thread context of 4312 | 3636 | Scan002.scr | Scan002.scr
PID 3168 set thread context of 4908 | 3168 | mamade.exe | mamade.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
pid | process
3636 | Scan002.scr
3636 | Scan002.scr
3168 | mamade.exe
3168 | mamade.exe
Suspicious use of AdjustPrivilegeToken 16 IoCs
Processes:
description | pid | process
Token: SeImpersonatePrivilege | 4908 | mamade.exe
Token: SeTcbPrivilege | 4908 | mamade.exe
Token: SeChangeNotifyPrivilege | 4908 | mamade.exe
Token: SeCreateTokenPrivilege | 4908 | mamade.exe
Token: SeBackupPrivilege | 4908 | mamade.exe
Token: SeRestorePrivilege | 4908 | mamade.exe
Token: SeIncreaseQuotaPrivilege | 4908 | mamade.exe
Token: SeAssignPrimaryTokenPrivilege | 4908 | mamade.exe
Token: SeImpersonatePrivilege | 4312 | Scan002.scr
Token: SeTcbPrivilege | 4312 | Scan002.scr
Token: SeChangeNotifyPrivilege | 4312 | Scan002.scr
Token: SeCreateTokenPrivilege | 4312 | Scan002.scr
Token: SeBackupPrivilege | 4312 | Scan002.scr
Token: SeRestorePrivilege | 4312 | Scan002.scr
Token: SeIncreaseQuotaPrivilege | 4312 | Scan002.scr
Token: SeAssignPrimaryTokenPrivilege | 4312 | Scan002.scr
Suspicious use of SetWindowsHookEx 6 IoCs
Processes:
pid | process
3720 | product.scr
1736 | mamade.exe
3636 | Scan002.scr
3168 | mamade.exe
3636 | Scan002.scr
3168 | mamade.exe
Suspicious use of WriteProcessMemory 36 IoCs
Processes:
description | pid | process | target process | entries
PID 3720 wrote to memory of 4636 | 3720 | product.scr | cmd.exe | 3
PID 3720 wrote to memory of 1736 | 3720 | product.scr | mamade.exe | 3
PID 4636 wrote to memory of 3636 | 4636 | cmd.exe | Scan002.scr | 3
PID 1736 wrote to memory of 3168 | 1736 | mamade.exe | mamade.exe | 11
PID 3636 wrote to memory of 4312 | 3636 | Scan002.scr | Scan002.scr | 8
PID 3168 wrote to memory of 4908 | 3168 | mamade.exe | mamade.exe | 8
outlook_win_path 1 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | Scan002.scr
Processes
C:\Users\Admin\AppData\Local\Temp\product.scr (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\product.scr" /S
  - Drops startup file
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Scan002.scr
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\Scan002.scr (depth 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\Scan002.scr
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\Scan002.scr (depth 4)
        Command line: C:\Users\Admin\AppData\Local\Temp\Scan002.scr
        - Executes dropped EXE
        - Accesses Microsoft Outlook accounts
        - Accesses Microsoft Outlook profiles
        - Suspicious use of AdjustPrivilegeToken
        - outlook_win_path

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mamade.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mamade.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mamade.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mamade.exe"
      - Executes dropped EXE
      - Drops startup file
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mamade.exe (depth 4)
        Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mamade.exe"
        - Executes dropped EXE
        - Accesses Microsoft Outlook accounts
        - Accesses Microsoft Outlook profiles
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Scan002.scr
  Filesize: 200KB
  MD5: 261f3314b3cafb38d5b2611e3ae97bd5
  SHA1: de94aa12402a0a16fd36e3b2103f38fe549478b8
  SHA256: 74ced44c66224194a486a2f095a07db4ebabf485927676da5ecc1a51e088c036
  SHA512: 1c02bdce453d7e4d0663d17808d0c3494e8766c9d061dd851173af47bf497ab8f6a32b8556b906cb8ecb7e4c4d83bf0103fb79bdb2ad2bb874ac320163ec3026
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mamade.exe
  Filesize: 624KB
  MD5: fff4955ffce3b5e5260408e7fef6872d
  SHA1: 78b85c6cb35cb007882ecce9602b60cd6c5bae97
  SHA256: a894c9771d9cf0a526dc628e2aaf508db00fac2cf5f3aa45688b6a10366dc19f
  SHA512: e50b4668c8247b5c582d8818fdffaa9e4d7eb740197f7fc328b2defdd96b41bc472b04591b6ebfd87ec39e8faf7065b6304b0793270f7ffa7ab4db30d6ba0e75
-
memory/1736-135-0x0000000000000000-mapping.dmp
memory/3168-149-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
memory/3168-143-0x0000000000000000-mapping.dmp
memory/3168-147-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
memory/3168-148-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
memory/3168-144-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
memory/3168-160-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
memory/3636-154-0x00000000005D0000-0x00000000005D4000-memory.dmp (Filesize: 16KB)
memory/3636-140-0x0000000000000000-mapping.dmp
memory/4312-161-0x0000000000400000-0x0000000001400000-memory.dmp (Filesize: 16.0MB)
memory/4312-152-0x0000000000400000-0x0000000001400000-memory.dmp (Filesize: 16.0MB)
memory/4312-150-0x0000000000000000-mapping.dmp
memory/4312-165-0x0000000000400000-0x000000000041C000-memory.dmp (Filesize: 112KB)
memory/4312-163-0x0000000000400000-0x0000000001400000-memory.dmp (Filesize: 16.0MB)
memory/4312-167-0x0000000000400000-0x000000000041C000-memory.dmp (Filesize: 112KB)
memory/4636-134-0x0000000000000000-mapping.dmp
memory/4908-159-0x0000000000400000-0x000000000041C000-memory.dmp (Filesize: 112KB)
memory/4908-151-0x0000000000000000-mapping.dmp
memory/4908-166-0x0000000000400000-0x000000000041C000-memory.dmp (Filesize: 112KB)