Analysis
-
max time kernel
74s -
max time network
98s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
26-11-2022 04:09
Static task
static1
Behavioral task
behavioral1
Sample
dd7c054e96f61730670964c414e0e07fee8d1c44564ff183136c6272bdb27ec0.exe
Resource
win7-20220812-en
General
-
Target
dd7c054e96f61730670964c414e0e07fee8d1c44564ff183136c6272bdb27ec0.exe
-
Size
131KB
-
MD5
0b42af1852f7f082ec63617d9a39eac9
-
SHA1
7f29ae89ca3e1a6de9ef326eec49e7d119fbaa13
-
SHA256
dd7c054e96f61730670964c414e0e07fee8d1c44564ff183136c6272bdb27ec0
-
SHA512
673eb35c6494c372ccff4eefbc4b62e37b4c83905584913d4524e766abe39c167e93a4e066d609ba6efea360cdda6181ae32b15ed7d8051cc3a9b73ab90c6a8e
-
SSDEEP
3072:7qu3HSWaxXpX0wWd2QDyIlBnU1DDe0ZSqMud6mq:7pXdY0ld2odUdK3huFq
Malware Config
Extracted
pony
http://zurekconstruction.com/wp-content/themes/twentythirteen/redirect.php
http://4dpotolki.ru/wp-content/index.php
http://formevip.ru/wp-content/plugins/buddypress/redirect.php
http://my-suba.ru/kernel/includes/redirect.php
http://doc-plastic.ru/pages/gate.php
http://yura.pudul.ru/plyushka/sites/default/redirect.php
http://avrorarealty.com/modules/living/gate.php
http://uk-legal.com.ua/modules/content/test.php
http://aisrf.ru/images/011014.jpg
http://zblog.at.ua/images/011014.dat
http://4dpotolki.ru/wp-content/upgrade/011014.dat
http://all-cs.moy.su/prin/011014.dat
http://auto-billiard.ru/data/PRCENTERAUTBIL/attachments/SC/products_files/011014.dat
http://gid-piter.ru/upload/011014.dat
http://k-dialog.ru/libraries/legacy/form/011014.dat
http://ikt-msk.ru/plugins/finder/011014.dat
http://odsint2.com/js/tiny_mce/utils/st.php?id=do
Signatures
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
dd7c054e96f61730670964c414e0e07fee8d1c44564ff183136c6272bdb27ec0.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts dd7c054e96f61730670964c414e0e07fee8d1c44564ff183136c6272bdb27ec0.exe -
Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
Processes:
dd7c054e96f61730670964c414e0e07fee8d1c44564ff183136c6272bdb27ec0.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook dd7c054e96f61730670964c414e0e07fee8d1c44564ff183136c6272bdb27ec0.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of AdjustPrivilegeToken 32 IoCs
Processes:
dd7c054e96f61730670964c414e0e07fee8d1c44564ff183136c6272bdb27ec0.exedescription pid process Token: SeImpersonatePrivilege 576 dd7c054e96f61730670964c414e0e07fee8d1c44564ff183136c6272bdb27ec0.exe Token: SeTcbPrivilege 576 dd7c054e96f61730670964c414e0e07fee8d1c44564ff183136c6272bdb27ec0.exe Token: SeChangeNotifyPrivilege 576 dd7c054e96f61730670964c414e0e07fee8d1c44564ff183136c6272bdb27ec0.exe Token: SeCreateTokenPrivilege 576 dd7c054e96f61730670964c414e0e07fee8d1c44564ff183136c6272bdb27ec0.exe Token: SeBackupPrivilege 576 dd7c054e96f61730670964c414e0e07fee8d1c44564ff183136c6272bdb27ec0.exe Token: SeRestorePrivilege 576 dd7c054e96f61730670964c414e0e07fee8d1c44564ff183136c6272bdb27ec0.exe Token: SeIncreaseQuotaPrivilege 576 dd7c054e96f61730670964c414e0e07fee8d1c44564ff183136c6272bdb27ec0.exe Token: SeAssignPrimaryTokenPrivilege 576 dd7c054e96f61730670964c414e0e07fee8d1c44564ff183136c6272bdb27ec0.exe Token: SeImpersonatePrivilege 576 dd7c054e96f61730670964c414e0e07fee8d1c44564ff183136c6272bdb27ec0.exe Token: SeTcbPrivilege 576 dd7c054e96f61730670964c414e0e07fee8d1c44564ff183136c6272bdb27ec0.exe Token: SeChangeNotifyPrivilege 576 dd7c054e96f61730670964c414e0e07fee8d1c44564ff183136c6272bdb27ec0.exe Token: SeCreateTokenPrivilege 576 dd7c054e96f61730670964c414e0e07fee8d1c44564ff183136c6272bdb27ec0.exe Token: SeBackupPrivilege 576 dd7c054e96f61730670964c414e0e07fee8d1c44564ff183136c6272bdb27ec0.exe Token: SeRestorePrivilege 576 dd7c054e96f61730670964c414e0e07fee8d1c44564ff183136c6272bdb27ec0.exe Token: SeIncreaseQuotaPrivilege 576 dd7c054e96f61730670964c414e0e07fee8d1c44564ff183136c6272bdb27ec0.exe Token: SeAssignPrimaryTokenPrivilege 576 dd7c054e96f61730670964c414e0e07fee8d1c44564ff183136c6272bdb27ec0.exe Token: SeImpersonatePrivilege 576 dd7c054e96f61730670964c414e0e07fee8d1c44564ff183136c6272bdb27ec0.exe Token: SeTcbPrivilege 576 dd7c054e96f61730670964c414e0e07fee8d1c44564ff183136c6272bdb27ec0.exe Token: SeChangeNotifyPrivilege 576 dd7c054e96f61730670964c414e0e07fee8d1c44564ff183136c6272bdb27ec0.exe Token: SeCreateTokenPrivilege 576 dd7c054e96f61730670964c414e0e07fee8d1c44564ff183136c6272bdb27ec0.exe Token: SeBackupPrivilege 576 dd7c054e96f61730670964c414e0e07fee8d1c44564ff183136c6272bdb27ec0.exe Token: SeRestorePrivilege 576 dd7c054e96f61730670964c414e0e07fee8d1c44564ff183136c6272bdb27ec0.exe Token: SeIncreaseQuotaPrivilege 576 dd7c054e96f61730670964c414e0e07fee8d1c44564ff183136c6272bdb27ec0.exe Token: SeAssignPrimaryTokenPrivilege 576 dd7c054e96f61730670964c414e0e07fee8d1c44564ff183136c6272bdb27ec0.exe Token: SeImpersonatePrivilege 576 dd7c054e96f61730670964c414e0e07fee8d1c44564ff183136c6272bdb27ec0.exe Token: SeTcbPrivilege 576 dd7c054e96f61730670964c414e0e07fee8d1c44564ff183136c6272bdb27ec0.exe Token: SeChangeNotifyPrivilege 576 dd7c054e96f61730670964c414e0e07fee8d1c44564ff183136c6272bdb27ec0.exe Token: SeCreateTokenPrivilege 576 dd7c054e96f61730670964c414e0e07fee8d1c44564ff183136c6272bdb27ec0.exe Token: SeBackupPrivilege 576 dd7c054e96f61730670964c414e0e07fee8d1c44564ff183136c6272bdb27ec0.exe Token: SeRestorePrivilege 576 dd7c054e96f61730670964c414e0e07fee8d1c44564ff183136c6272bdb27ec0.exe Token: SeIncreaseQuotaPrivilege 576 dd7c054e96f61730670964c414e0e07fee8d1c44564ff183136c6272bdb27ec0.exe Token: SeAssignPrimaryTokenPrivilege 576 dd7c054e96f61730670964c414e0e07fee8d1c44564ff183136c6272bdb27ec0.exe -
outlook_win_path 1 IoCs
Processes:
dd7c054e96f61730670964c414e0e07fee8d1c44564ff183136c6272bdb27ec0.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook dd7c054e96f61730670964c414e0e07fee8d1c44564ff183136c6272bdb27ec0.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\dd7c054e96f61730670964c414e0e07fee8d1c44564ff183136c6272bdb27ec0.exe"C:\Users\Admin\AppData\Local\Temp\dd7c054e96f61730670964c414e0e07fee8d1c44564ff183136c6272bdb27ec0.exe"1⤵
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/576-54-0x0000000075FB1000-0x0000000075FB3000-memory.dmpFilesize
8KB
-
memory/576-55-0x0000000000400000-0x0000000000456000-memory.dmpFilesize
344KB
-
memory/576-56-0x0000000000400000-0x0000000000456000-memory.dmpFilesize
344KB
-
memory/576-57-0x0000000000400000-0x0000000000456000-memory.dmpFilesize
344KB
-
memory/576-58-0x0000000000400000-0x0000000000456000-memory.dmpFilesize
344KB