Analysis
- max time kernel: 206s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 26-11-2022 04:50
Static task: static1
Behavioral task: behavioral1
- Sample: BL_PL_&_INVOICE_PDF.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: BL_PL_&_INVOICE_PDF.exe
- Resource: win10v2004-20221111-en
General
- Target: BL_PL_&_INVOICE_PDF.exe
- Size: 134KB
- MD5: 0e087a29f6694524e66020d9454ccdb9
- SHA1: 10e5050f1975938399827be5dab35e5d01cb0c89
- SHA256: eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c
- SHA512: 9e9c8bb4c3c577a41d930356c8b2d0a9eba0f0692b7e654053b2af478471c1b36db78cd33d2d5b800e661d5a5752e53448fbd299bdc670da5091e704ec10a1af
- SSDEEP: 3072:LlMyoAdZDhDOdtgXwDEi5xZgrdkkeRQHadg/wb:pvomDhi8wgiXZgrulk/
Malware Config
Extracted
- Family: pony
- C2: http://d-mmoney.favcc1.com/gate.php
- payload_url: http://d-mmoney.favcc1.com/shit.exe
Signatures
Executes dropped EXE (3 IoCs)
Processes:
- pid 1320 IpOverUsbSvrc.exe
- pid 860 atiesrx.exe
- pid 1360 IpOverUsbSvrc.exe
Processes:
yara_rule upx matched on the following resources:
- behavioral1/memory/588-58-0x0000000000400000-0x000000000041C000-memory.dmp
- behavioral1/memory/588-60-0x0000000000400000-0x000000000041C000-memory.dmp
- behavioral1/memory/588-61-0x0000000000400000-0x000000000041C000-memory.dmp
- behavioral1/memory/588-65-0x0000000000400000-0x000000000041C000-memory.dmp
- behavioral1/memory/588-66-0x0000000000400000-0x000000000041C000-memory.dmp
- behavioral1/memory/588-67-0x0000000000400000-0x000000000041C000-memory.dmp
- behavioral1/memory/588-81-0x0000000000400000-0x000000000041C000-memory.dmp
Loads dropped DLL (2 IoCs)
Processes:
- pid 2008 BL_PL_&_INVOICE_PDF.exe
- pid 1320 IpOverUsbSvrc.exe
Uses the VBS compiler for execution (1 TTPs)
Accesses Microsoft Outlook accounts (1 TTPs, 1 IoCs)
Processes:
- Key opened: \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts, by vbc.exe
Accesses Microsoft Outlook profiles (1 TTPs, 1 IoCs)
Processes:
- Key opened: \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook, by vbc.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
- Set value (str): \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\Multimedia Class Scheduler = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\IpOverUsbSvrc.exe", by IpOverUsbSvrc.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\Multimedia Class Scheduler = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\IpOverUsbSvrc.exe", by IpOverUsbSvrc.exe (second instance)
Suspicious use of SetThreadContext (1 IoCs)
Processes:
- PID 2008 (BL_PL_&_INVOICE_PDF.exe) set thread context of PID 588 (vbc.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (event counts per pid):
- pid 2008 BL_PL_&_INVOICE_PDF.exe: 50 events
- pid 1320 IpOverUsbSvrc.exe: 6 events
- pid 1360 IpOverUsbSvrc.exe: 8 events
Suspicious use of AdjustPrivilegeToken (36 IoCs)
Processes:
- Token SeDebugPrivilege: pid 2008 BL_PL_&_INVOICE_PDF.exe
- Tokens SeImpersonatePrivilege, SeTcbPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeIncreaseQuotaPrivilege, SeAssignPrimaryTokenPrivilege: pid 588 vbc.exe (the full set of eight adjusted four times, 32 events)
- Token SeDebugPrivilege: pid 1320 IpOverUsbSvrc.exe
- Token SeDebugPrivilege: pid 860 atiesrx.exe
- Token SeDebugPrivilege: pid 1360 IpOverUsbSvrc.exe
Suspicious use of WriteProcessMemory (24 IoCs)
Processes:
- PID 2008 (BL_PL_&_INVOICE_PDF.exe) wrote to memory of PID 588 (vbc.exe): 8 events
- PID 2008 (BL_PL_&_INVOICE_PDF.exe) wrote to memory of PID 1320 (IpOverUsbSvrc.exe): 4 events
- PID 1320 (IpOverUsbSvrc.exe) wrote to memory of PID 860 (atiesrx.exe): 4 events
- PID 588 (vbc.exe) wrote to memory of PID 288 (cmd.exe): 4 events
- PID 2008 (BL_PL_&_INVOICE_PDF.exe) wrote to memory of PID 1360 (IpOverUsbSvrc.exe): 4 events
outlook_win_path (1 IoCs)
Processes:
- Key opened: \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook, by vbc.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\BL_PL_&_INVOICE_PDF.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\BL_PL_&_INVOICE_PDF.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (level 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
    - Accesses Microsoft Outlook accounts
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - outlook_win_path
    - C:\Windows\SysWOW64\cmd.exe (level 3)
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\7200366.bat" "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" "
  - C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe (level 3)
      Command line: C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Downloads
- C:\Users\Admin\AppData\Local\Temp\7200366.bat
  Filesize: 94B
  MD5: 3880eeb1c736d853eb13b44898b718ab
  SHA1: 4eec9d50360cd815211e3c4e6bdd08271b6ec8e6
  SHA256: 936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7
  SHA512: 3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b
- C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe (reported 3 times under this path and once as \Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe, identical hashes)
  Filesize: 8KB
  MD5: 54fbde415453f5c9089b49e65bd5f8e7
  SHA1: d77b86631f629b52bbebc6e08fbf60c78e8ceab0
  SHA256: 7d31b70e949833d9f78199848b14307e41da511ca4915c20a8ca61ee8eeeedbf
  SHA512: 90dbbb3986ab3f4dda4292b580bfac7c97bbf20f68d0be0af271b9bc5e22a4abc326baaf284be005c6460ecc2187b6ca5d015fab55be3b242122436fcf3ee5ed
- C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe (reported twice under this path and once as \Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe; hashes match the submitted sample)
  Filesize: 134KB
  MD5: 0e087a29f6694524e66020d9454ccdb9
  SHA1: 10e5050f1975938399827be5dab35e5d01cb0c89
  SHA256: eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c
  SHA512: 9e9c8bb4c3c577a41d930356c8b2d0a9eba0f0692b7e654053b2af478471c1b36db78cd33d2d5b800e661d5a5752e53448fbd299bdc670da5091e704ec10a1af
Memory dumps
- memory/288-80-0x0000000000000000-mapping.dmp
- memory/588-81-0x0000000000400000-0x000000000041C000-memory.dmp (Filesize: 112KB)
- memory/588-67-0x0000000000400000-0x000000000041C000-memory.dmp (Filesize: 112KB)
- memory/588-65-0x0000000000400000-0x000000000041C000-memory.dmp (Filesize: 112KB)
- memory/588-62-0x000000000041A1F0-mapping.dmp
- memory/588-61-0x0000000000400000-0x000000000041C000-memory.dmp (Filesize: 112KB)
- memory/588-60-0x0000000000400000-0x000000000041C000-memory.dmp (Filesize: 112KB)
- memory/588-58-0x0000000000400000-0x000000000041C000-memory.dmp (Filesize: 112KB)
- memory/588-57-0x0000000000400000-0x000000000041C000-memory.dmp (Filesize: 112KB)
- memory/588-66-0x0000000000400000-0x000000000041C000-memory.dmp (Filesize: 112KB)
- memory/860-84-0x0000000074DE0000-0x000000007538B000-memory.dmp (Filesize: 5.7MB)
- memory/860-75-0x0000000000000000-mapping.dmp
- memory/860-79-0x0000000074DE0000-0x000000007538B000-memory.dmp (Filesize: 5.7MB)
- memory/1320-78-0x0000000074DE0000-0x000000007538B000-memory.dmp (Filesize: 5.7MB)
- memory/1320-83-0x0000000074DE0000-0x000000007538B000-memory.dmp (Filesize: 5.7MB)
- memory/1320-69-0x0000000000000000-mapping.dmp
- memory/1320-85-0x0000000074DE0000-0x000000007538B000-memory.dmp (Filesize: 5.7MB)
- memory/1360-86-0x0000000000000000-mapping.dmp
- memory/1360-89-0x0000000074DE0000-0x000000007538B000-memory.dmp (Filesize: 5.7MB)
- memory/1360-90-0x0000000074DE0000-0x000000007538B000-memory.dmp (Filesize: 5.7MB)
- memory/2008-54-0x0000000076AE1000-0x0000000076AE3000-memory.dmp (Filesize: 8KB)
- memory/2008-56-0x0000000074DE0000-0x000000007538B000-memory.dmp (Filesize: 5.7MB)
- memory/2008-55-0x0000000074DE0000-0x000000007538B000-memory.dmp (Filesize: 5.7MB)