Analysis
-
max time kernel: 42s
max time network: 47s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 26-11-2022 04:51
Static task: static1
Behavioral task: behavioral1
Sample: a0adc790907eb9deaa6eee79194386aeaa5b05917b38ea48e70148f6379d3465.exe
Resource: win7-20220812-en
General
-
Target: a0adc790907eb9deaa6eee79194386aeaa5b05917b38ea48e70148f6379d3465.exe
Size: 327KB
MD5: 4943388126d9d718ebde510c47c60642
SHA1: 3b94eda32cec5981cf4d2e5c6d924a3119f7075e
SHA256: a0adc790907eb9deaa6eee79194386aeaa5b05917b38ea48e70148f6379d3465
SHA512: 33437912eef5d5b838b5664c76d8c014a5d58f1dfd8f8eeca9e1549c58ec53e34e645ce73903608d7e2823014931751bbf82e7d04ef4eaa63766a14f08f5b6b1
SSDEEP: 6144:dUrqA3AheuswyPnJ5ejM6bfx8/6AwUSj9:dUWA3AheuswysJ8/xwU29
Malware Config
Extracted family: pony
URL: http://uche.fh2web.com/secure/secure.php
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
  PID   Process
  1376  Server.sfx.exe
  1452  Server.exe
-
Processes:
  Resource                                                                      YARA rule
  \Users\Admin\AppData\Local\Temp\RarSFX1\Server.exe                            upx
  \Users\Admin\AppData\Local\Temp\RarSFX1\Server.exe                            upx
  C:\Users\Admin\AppData\Local\Temp\RarSFX1\Server.exe                          upx
  behavioral1/memory/1452-70-0x0000000000400000-0x000000000041C000-memory.dmp   upx
  behavioral1/memory/1452-72-0x0000000000400000-0x000000000041C000-memory.dmp   upx
  C:\Users\Admin\AppData\Local\Temp\RarSFX1\Server.exe                          upx
-
Loads dropped DLL 3 IoCs
Processes:
  PID   Process
  1296  cmd.exe
  1376  Server.sfx.exe
  1376  Server.sfx.exe
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
  Key opened: \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts (process: Server.exe)
-
Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
Processes:
  Key opened: \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (process: Server.exe)
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 32 IoCs
Processes (each token adjustment below was recorded 4 times by PID 1452 Server.exe, 32 IoCs in total):
  Description                            PID   Process
  Token: SeImpersonatePrivilege          1452  Server.exe
  Token: SeTcbPrivilege                  1452  Server.exe
  Token: SeChangeNotifyPrivilege         1452  Server.exe
  Token: SeCreateTokenPrivilege          1452  Server.exe
  Token: SeBackupPrivilege               1452  Server.exe
  Token: SeRestorePrivilege              1452  Server.exe
  Token: SeIncreaseQuotaPrivilege        1452  Server.exe
  Token: SeAssignPrimaryTokenPrivilege   1452  Server.exe
-
Suspicious use of WriteProcessMemory 28 IoCs
Processes (each parent/target pair below was recorded 7 times, 28 IoCs in total):
  PID   Process                                                                   Target PID   Target process
  2008  a0adc790907eb9deaa6eee79194386aeaa5b05917b38ea48e70148f6379d3465.exe      1296         cmd.exe
  1296  cmd.exe                                                                   1376         Server.sfx.exe
  1376  Server.sfx.exe                                                            1452         Server.exe
  1452  Server.exe                                                                1284         cmd.exe
-
outlook_win_path 1 IoCs
Processes:
  Key opened: \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (process: Server.exe)
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\a0adc790907eb9deaa6eee79194386aeaa5b05917b38ea48e70148f6379d3465.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\a0adc790907eb9deaa6eee79194386aeaa5b05917b38ea48e70148f6379d3465.exe"
    - Suspicious use of WriteProcessMemory
    PID: 2008
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\fud.bat" "
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      PID: 1296
    [3] C:\Users\Admin\AppData\Local\Temp\RarSFX0\Server.sfx.exe
        Command line: Server.sfx.exe -plove1man -dC:\Users\Admin\AppData\Local\Temp
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        PID: 1376
      [4] C:\Users\Admin\AppData\Local\Temp\RarSFX1\Server.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Server.exe"
          - Executes dropped EXE
          - Accesses Microsoft Outlook accounts
          - Accesses Microsoft Outlook profiles
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          - outlook_win_path
          PID: 1452
        [5] C:\Windows\SysWOW64\cmd.exe
            Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\7081415.bat" "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Server.exe" "
            PID: 1284
Downloads
-
C:\Users\Admin\AppData\Local\Temp\7081415.bat
Filesize: 94B
MD5: 3880eeb1c736d853eb13b44898b718ab
SHA1: 4eec9d50360cd815211e3c4e6bdd08271b6ec8e6
SHA256: 936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7
SHA512: 3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Server.sfx.exe
Filesize: 122KB
MD5: 973140ccce28e4ddfa10dda7318b70cf
SHA1: 6f7e74580d4b511b473dab8a9812c89b70b585f5
SHA256: 35f427945cd471a08570e98b0e0e55e5c4c64cb49084b2c9df164af9c2fa7c93
SHA512: d9bddbc0da1ff820c15e303310a436058ae5fa56488ebcb106fc7ae0d79db081e05c9344ca577518decfa014ec79aff39fd37535b3830f05ede31a392dae24be
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\fud.bat
Filesize: 50B
MD5: 6b4314e21650404a968ecded1df08b4d
SHA1: c23b86ec637b5af3475579de5d637990d938927c
SHA256: 02c65ff60ba11f9f9859705cf0e833e6cd950fff62366af946c4c18f87ca25d5
SHA512: b90dd81388b02079ef19a872931519e52907b15f1c56cf8e17c5a9322786b11e037bb88a10ce0e91c242df591001127e475b3f7af198b65eb7f6af7f04c06ef7
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Server.exe
Filesize: 34KB
MD5: da909d651c90018244db95fd1985c166
SHA1: 0458ddc68f5ed2a925e7d5dea8f57876e6479fb5
SHA256: 1fe4aa004615364dcdfdc73d44498d64498e3562f0b3cdef0d4237b78904f849
SHA512: 9e338133718e511fa3a7cde6525ef4e66198de3fbe3c11cc0f822df3745e4ffcce4f9b7609191099fed055f76d76c26619fe832528bb0f00ce4303ce4a742083
-
\Users\Admin\AppData\Local\Temp\RarSFX0\Server.sfx.exe
Filesize: 122KB
MD5: 973140ccce28e4ddfa10dda7318b70cf
SHA1: 6f7e74580d4b511b473dab8a9812c89b70b585f5
SHA256: 35f427945cd471a08570e98b0e0e55e5c4c64cb49084b2c9df164af9c2fa7c93
SHA512: d9bddbc0da1ff820c15e303310a436058ae5fa56488ebcb106fc7ae0d79db081e05c9344ca577518decfa014ec79aff39fd37535b3830f05ede31a392dae24be
-
\Users\Admin\AppData\Local\Temp\RarSFX1\Server.exe
Filesize: 34KB
MD5: da909d651c90018244db95fd1985c166
SHA1: 0458ddc68f5ed2a925e7d5dea8f57876e6479fb5
SHA256: 1fe4aa004615364dcdfdc73d44498d64498e3562f0b3cdef0d4237b78904f849
SHA512: 9e338133718e511fa3a7cde6525ef4e66198de3fbe3c11cc0f822df3745e4ffcce4f9b7609191099fed055f76d76c26619fe832528bb0f00ce4303ce4a742083
-
memory/1284-71-0x0000000000000000-mapping.dmp
-
memory/1296-55-0x0000000000000000-mapping.dmp
-
memory/1376-68-0x0000000000510000-0x000000000052C000-memory.dmp
Filesize: 112KB
-
memory/1376-69-0x0000000000510000-0x000000000052C000-memory.dmp
Filesize: 112KB
-
memory/1376-60-0x0000000000000000-mapping.dmp
-
memory/1452-65-0x0000000000000000-mapping.dmp
-
memory/1452-70-0x0000000000400000-0x000000000041C000-memory.dmp
Filesize: 112KB
-
memory/1452-72-0x0000000000400000-0x000000000041C000-memory.dmp
Filesize: 112KB
-
memory/2008-54-0x00000000761F1000-0x00000000761F3000-memory.dmp
Filesize: 8KB