Analysis
-
max time kernel
138s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system -
submitted
26-11-2022 04:51
Static task
static1
Behavioral task
behavioral1
Sample
a0adc790907eb9deaa6eee79194386aeaa5b05917b38ea48e70148f6379d3465.exe
Resource
win7-20220812-en
General
-
Target
a0adc790907eb9deaa6eee79194386aeaa5b05917b38ea48e70148f6379d3465.exe
-
Size
327KB
-
MD5
4943388126d9d718ebde510c47c60642
-
SHA1
3b94eda32cec5981cf4d2e5c6d924a3119f7075e
-
SHA256
a0adc790907eb9deaa6eee79194386aeaa5b05917b38ea48e70148f6379d3465
-
SHA512
33437912eef5d5b838b5664c76d8c014a5d58f1dfd8f8eeca9e1549c58ec53e34e645ce73903608d7e2823014931751bbf82e7d04ef4eaa63766a14f08f5b6b1
-
SSDEEP
6144:dUrqA3AheuswyPnJ5ejM6bfx8/6AwUSj9:dUWA3AheuswysJ8/xwU29
Malware Config
Extracted
pony
http://uche.fh2web.com/secure/secure.php
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
pid   process
4812  Server.sfx.exe
1240  Server.exe
-
Matches yara rule upx 3 IoCs
The dropped Server.exe on disk and its image in memory both match the upx rule. The 0x400000-0x41C000 region (112KB, larger than the 34KB file) is the unpacked image; the memory dump listed under Downloads is the one to use for static analysis.
Processes:
resource: C:\Users\Admin\AppData\Local\Temp\RarSFX1\Server.exe  yara_rule: upx
resource: C:\Users\Admin\AppData\Local\Temp\RarSFX1\Server.exe  yara_rule: upx
resource: behavioral2/memory/1240-140-0x0000000000400000-0x000000000041C000-memory.dmp  yara_rule: upx
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Key value queried: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation
  by a0adc790907eb9deaa6eee79194386aeaa5b05917b38ea48e70148f6379d3465.exe
  by Server.sfx.exe
  by Server.exe
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
Key opened: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
  by Server.exe
-
Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
Processes:
Key opened: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
  by Server.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic text for this signature reads "likely ransomware behaviour", but nothing else in this report (no file encryption, no ransom notes) supports that; for a sample that carries a Pony configuration and reads browser, FTP-client and Outlook credential stores, drive enumeration is more plausibly the stealer looking for data to harvest.
-
Suspicious use of AdjustPrivilegeToken 48 IoCs
Processes:
Server.exe (PID 1240) adjusted the same eight token privileges in six identical rounds (48 events):
Token: SeImpersonatePrivilege 1240 Server.exe
Token: SeTcbPrivilege 1240 Server.exe
Token: SeChangeNotifyPrivilege 1240 Server.exe
Token: SeCreateTokenPrivilege 1240 Server.exe
Token: SeBackupPrivilege 1240 Server.exe
Token: SeRestorePrivilege 1240 Server.exe
Token: SeIncreaseQuotaPrivilege 1240 Server.exe
Token: SeAssignPrimaryTokenPrivilege 1240 Server.exe
AdjustTokenPrivileges can only enable privileges the token already holds, and SeTcbPrivilege, SeCreateTokenPrivilege and SeAssignPrimaryTokenPrivilege are not held by an ordinary user token, so most of these calls fail on a standard desktop; the repeated attempts are still a usable signal (Windows Security event 4703, "A user right was adjusted", records them when token-right auditing is on).
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
Each pair is a parent/child edge of the process tree below, logged three times:
PID 4992 (a0adc790907eb9deaa6eee79194386aeaa5b05917b38ea48e70148f6379d3465.exe) wrote to memory of 4828 (cmd.exe), 3 events
PID 4828 (cmd.exe) wrote to memory of 4812 (Server.sfx.exe), 3 events
PID 4812 (Server.sfx.exe) wrote to memory of 1240 (Server.exe), 3 events
PID 1240 (Server.exe) wrote to memory of 2404 (cmd.exe), 3 events
These are writes into freshly created children, consistent with ordinary process start-up; the report shows no write into an unrelated, already-running process, so this signature alone is not evidence of injection here.
-
outlook_win_path 1 IoCs
Processes:
Key opened: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
  by Server.exe
(same key as "Accesses Microsoft Outlook profiles" above; outlook_win_path is the rule name)
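The signatures above list the registry keys and file locations Server.exe touched. The script below is an added example written for this page, not code from the sandbox or from the report: it scores processes by which of those locations they access, so that a lone Geo\Nation lookup stays below the alert line while the Outlook stores plus FTP-client configuration trip it. The event tuple shape, the Uninstall key path, the FileZilla file names, the owner allowlist and the weights are this example's assumptions; the sample events are constructed from the report's own keys and are not real telemetry.

```python
"""Added example, not part of the sandbox report: score processes by the
credential-store and reconnaissance paths the signatures attribute to Server.exe.

Assumed (not from the report): access events as (pid, process, operation, path)
tuples, the kind of data a registry/file monitor or EDR emits. The Uninstall key
path and the FileZilla file names are well-known locations assumed here; the
report only says "Uninstall key entries" and "programs like FileZilla".
"""
import re

# category -> (path pattern, weight). Weights are this example's own choice.
CATEGORIES = {
    # Geo\Nation lookup: cheap geofence check, also common in benign software
    "geofence": (re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I), 1),
    # Outlook account store, as opened by Server.exe in the report
    "outlook_accounts": (re.compile(r"\\Office\\Outlook\\OMI Account Manager\\Accounts$", re.I), 3),
    # MAPI profile store, as opened by Server.exe in the report
    "outlook_profiles": (re.compile(r"\\Windows Messaging Subsystem\\Profiles\\Outlook$", re.I), 3),
    # Installed-software enumeration (assumed key path)
    "installed_software": (re.compile(r"\\Windows\\CurrentVersion\\Uninstall$", re.I), 1),
    # FTP client configuration (assumed FileZilla file names)
    "ftp_client_config": (re.compile(r"\\FileZilla\\(sitemanager|recentservers)\.xml$", re.I), 3),
}
# Processes that legitimately own a store and are not scored for it (assumed)
OWNERS = {
    "outlook_accounts": {"outlook.exe"},
    "outlook_profiles": {"outlook.exe"},
    "ftp_client_config": {"filezilla.exe"},
}
ALERT_THRESHOLD = 4  # one credential store plus any reconnaissance category

HKCU = r"\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000"
# Constructed events mirroring the report's signatures (not real telemetry)
EVENTS = [
    (4992, "a0adc790907eb9deaa6eee79194386aeaa5b05917b38ea48e70148f6379d3465.exe",
     "query", HKCU + r"\Control Panel\International\Geo\Nation"),
    (1240, "Server.exe", "query", HKCU + r"\Control Panel\International\Geo\Nation"),
    (1240, "Server.exe", "open", HKCU + r"\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts"),
    (1240, "Server.exe", "open",
     HKCU + r"\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook"),
    (1240, "Server.exe", "open", r"\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall"),
    (1240, "Server.exe", "read", r"C:\Users\Admin\AppData\Roaming\FileZilla\sitemanager.xml"),
    # Benign control (constructed): Outlook itself opening its own profile store
    (3000, "outlook.exe", "open",
     HKCU + r"\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook"),
]


def categorize(path):
    """Names of every category whose pattern matches the registry/file path."""
    return [name for name, (rx, _) in CATEGORIES.items() if rx.search(path)]


def score_processes(events):
    """pid -> {process, categories, score, alert} for every process that touched a category."""
    hits, names = {}, {}
    for pid, proc, _op, path in events:
        names[pid] = proc
        for cat in categorize(path):
            if proc.lower() in OWNERS.get(cat, ()):
                continue  # the store's own application is not an infostealer
            hits.setdefault(pid, set()).add(cat)
    report = {}
    for pid, cats in hits.items():
        score = sum(CATEGORIES[c][1] for c in cats)
        report[pid] = {"process": names[pid], "categories": sorted(cats),
                       "score": score, "alert": score >= ALERT_THRESHOLD}
    return report


if __name__ == "__main__":
    for pid, info in score_processes(EVENTS).items():
        flag = "ALERT" if info["alert"] else "info "
        print(f"{flag} pid={pid} {info['process']} score={info['score']} {info['categories']}")
```

Distinct categories, not raw event counts, drive the score, so a process that polls one key in a loop does not inflate itself; the owner allowlist is the first thing to tune, since the same keys are opened legitimately by the applications that own them.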
Processes
-
[depth 1] C:\Users\Admin\AppData\Local\Temp\a0adc790907eb9deaa6eee79194386aeaa5b05917b38ea48e70148f6379d3465.exe (PID 4992)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a0adc790907eb9deaa6eee79194386aeaa5b05917b38ea48e70148f6379d3465.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  [depth 2] C:\Windows\SysWOW64\cmd.exe (PID 4828)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\fud.bat" "
    - Suspicious use of WriteProcessMemory
    [depth 3] C:\Users\Admin\AppData\Local\Temp\RarSFX0\Server.sfx.exe (PID 4812)
      Command line: Server.sfx.exe -plove1man -dC:\Users\Admin\AppData\Local\Temp
      - Executes dropped EXE
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
      [depth 4] C:\Users\Admin\AppData\Local\Temp\RarSFX1\Server.exe (PID 1240)
        Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Server.exe"
        - Executes dropped EXE
        - Checks computer location settings
        - Accesses Microsoft Outlook accounts
        - Accesses Microsoft Outlook profiles
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - outlook_win_path
        [depth 5] C:\Windows\SysWOW64\cmd.exe (PID 2404)
          Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240571234.bat" "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Server.exe" "

Reading the tree: the submitted file is a WinRAR self-extractor that unpacks fud.bat and Server.sfx.exe into %TEMP%\RarSFX0 and runs the batch file. The batch file launches the nested, password-protected self-extractor (password love1man via -p, destination via -d), which writes the 34KB UPX-packed Server.exe into %TEMP%\RarSFX1 and runs it. Server.exe is the final payload: it is the process that opens the Outlook stores and adjusts token privileges, and it ends by handing its own path to a 94-byte batch file in %TEMP%. That batch file's contents are not shown in this report, but the pattern is the usual way a dropper deletes itself after running. The cmd.exe command lines say system32 while the image path is SysWOW64: the whole chain is 32-bit code running under WoW64 file-system redirection.
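The chain above (dropper, then cmd.exe running a .bat from %TEMP%\RarSFX0, then a nested password-protected SFX, then Server.exe from %TEMP%\RarSFX1, then cmd.exe handed Server.exe's own path) is easy to match on process-creation telemetry. The script below is an added example for this page, not code from the report or the sandbox: it tags each stage of that chain and reconstructs the lineage of any PID. The event fields (pid, ppid, image, cmdline), the tag names and the single benign control record are assumptions; the other sample events are constructed from the report's tree.

```python
"""Added example, not part of the sandbox report: flag the RAR-SFX staging
chain from the process tree in process-creation telemetry.

Assumed (not from the report): events carry pid, ppid, image and cmdline, as
Sysmon Event ID 1 or EDR process-start records do. EVENTS is constructed to
mirror the report's tree plus one benign control; it is not real telemetry.
"""
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\a0adc790907eb9deaa6eee79194386aeaa5b05917b38ea48e70148f6379d3465.exe"

# Files dropped by a WinRAR self-extractor run out of %TEMP%\RarSFX<n>\
RARSFX_DIR = re.compile(r"\\AppData\\Local\\Temp\\RarSFX\d+\\", re.IGNORECASE)
# WinRAR SFX switches seen in the tree: -p<password> and -d<destination>
SFX_PASSWORD = re.compile(r"(?:^|\s)-p\S+", re.IGNORECASE)
SFX_DESTDIR = re.compile(r"(?:^|\s)-d\S+", re.IGNORECASE)
# First drive-letter path ending in .bat on a command line
BAT_ARG = re.compile(r'([A-Z]:\\[^"]*?\.bat)', re.IGNORECASE)

EVENTS = [
    {"pid": 4992, "ppid": 1, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 4828, "ppid": 4992, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\fud.bat" "'},
    {"pid": 4812, "ppid": 4828, "image": r"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Server.sfx.exe",
     "cmdline": r"Server.sfx.exe -plove1man -dC:\Users\Admin\AppData\Local\Temp"},
    {"pid": 1240, "ppid": 4812, "image": r"C:\Users\Admin\AppData\Local\Temp\RarSFX1\Server.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\RarSFX1\Server.exe"'},
    {"pid": 2404, "ppid": 1240, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240571234.bat" "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Server.exe" "'},
    # Benign control (constructed): an installer run from Downloads, no SFX temp dir
    {"pid": 777, "ppid": 1, "image": r"C:\Users\Admin\Downloads\setup.exe",
     "cmdline": r'"C:\Users\Admin\Downloads\setup.exe" /S'},
]


def _is_cmd(image):
    return image.lower().endswith("\\cmd.exe")


def lineage(events, pid):
    """PIDs from the outermost known ancestor down to pid."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(pid)
        pid = by_pid[pid]["ppid"]
    return chain[::-1]


def find_sfx_findings(events):
    """pid -> list of tags explaining why the process looks like SFX staging."""
    by_pid = {e["pid"]: e for e in events}
    findings = {}

    def tag(pid, name):
        findings.setdefault(pid, []).append(name)

    for e in events:
        image, cmdline = e["image"], e["cmdline"]
        parent = by_pid.get(e["ppid"])
        if RARSFX_DIR.search(image):
            # Executable running out of an SFX temp directory
            tag(e["pid"], "sfx_dropped_exe")
            if SFX_PASSWORD.search(cmdline) and SFX_DESTDIR.search(cmdline):
                # The dropped file is itself a password-protected SFX
                tag(e["pid"], "nested_password_sfx")
        if _is_cmd(image):
            m = BAT_ARG.search(cmdline)
            if m and RARSFX_DIR.search(m.group(1)):
                # SFX "run after extraction" hook: cmd.exe /c <RarSFXn>\x.bat
                tag(e["pid"], "sfx_setup_bat")
            if (m and parent and "\\temp\\" in m.group(1).lower()
                    and parent["image"].lower() in cmdline.lower()):
                # Parent hands its own path to a .bat in Temp: self-delete pattern
                tag(e["pid"], "possible_self_delete")
    return findings


if __name__ == "__main__":
    for pid, tags in find_sfx_findings(EVENTS).items():
        print(pid, tags, "lineage:", lineage(EVENTS, pid))
```

The password switch is matched on shape only (-p followed by non-space characters), so the rule keeps firing when the password changes; the self-delete tag is deliberately "possible", because the batch file's contents are not in the telemetry and should be pulled from disk or from the sandbox's file dump before it is treated as confirmed.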
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\240571234.bat
Filesize 94B
MD5 3880eeb1c736d853eb13b44898b718ab
SHA1 4eec9d50360cd815211e3c4e6bdd08271b6ec8e6
SHA256 936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7
SHA512 3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Server.sfx.exe
Filesize 122KB
MD5 973140ccce28e4ddfa10dda7318b70cf
SHA1 6f7e74580d4b511b473dab8a9812c89b70b585f5
SHA256 35f427945cd471a08570e98b0e0e55e5c4c64cb49084b2c9df164af9c2fa7c93
SHA512 d9bddbc0da1ff820c15e303310a436058ae5fa56488ebcb106fc7ae0d79db081e05c9344ca577518decfa014ec79aff39fd37535b3830f05ede31a392dae24be
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\fud.bat
Filesize 50B
MD5 6b4314e21650404a968ecded1df08b4d
SHA1 c23b86ec637b5af3475579de5d637990d938927c
SHA256 02c65ff60ba11f9f9859705cf0e833e6cd950fff62366af946c4c18f87ca25d5
SHA512 b90dd81388b02079ef19a872931519e52907b15f1c56cf8e17c5a9322786b11e037bb88a10ce0e91c242df591001127e475b3f7af198b65eb7f6af7f04c06ef7
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Server.exe
Filesize 34KB
MD5 da909d651c90018244db95fd1985c166
SHA1 0458ddc68f5ed2a925e7d5dea8f57876e6479fb5
SHA256 1fe4aa004615364dcdfdc73d44498d64498e3562f0b3cdef0d4237b78904f849
SHA512 9e338133718e511fa3a7cde6525ef4e66198de3fbe3c11cc0f822df3745e4ffcce4f9b7609191099fed055f76d76c26619fe832528bb0f00ce4303ce4a742083
-
memory/1240-137-0x0000000000000000-mapping.dmp
-
memory/1240-140-0x0000000000400000-0x000000000041C000-memory.dmp
Filesize 112KB
-
memory/2404-141-0x0000000000000000-mapping.dmp
-
memory/4812-134-0x0000000000000000-mapping.dmp
-
memory/4828-132-0x0000000000000000-mapping.dmp