Analysis
max time kernel: 153s
max time network: 168s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-11-2022 04:50
Static task: static1
Behavioral task: behavioral1 (sample BL_PL_&_INVOICE_PDF.exe, resource win7-20221111-en)
Behavioral task: behavioral2 (sample BL_PL_&_INVOICE_PDF.exe, resource win10v2004-20221111-en)
The signatures, process tree and dropped files below come from behavioral2, the Windows 10 run (the yara hits are prefixed behavioral2/).
General
Target: BL_PL_&_INVOICE_PDF.exe
Size: 134KB
MD5: 0e087a29f6694524e66020d9454ccdb9
SHA1: 10e5050f1975938399827be5dab35e5d01cb0c89
SHA256: eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c
SHA512: 9e9c8bb4c3c577a41d930356c8b2d0a9eba0f0692b7e654053b2af478471c1b36db78cd33d2d5b800e661d5a5752e53448fbd299bdc670da5091e704ec10a1af
SSDEEP: 3072:LlMyoAdZDhDOdtgXwDEi5xZgrdkkeRQHadg/wb:pvomDhi8wgiXZgrulk/
The file name imitates a shipping document bundle (bill of lading, packing list, invoice) with a "_PDF" stem on an .exe; with the default "hide extensions for known file types" setting Explorer shows it as BL_PL_&_INVOICE_PDF. The arch:x86 tag and the SysWOW64 cmd.exe in the process tree show the sample is a 32-bit executable.
Malware Config
Extracted family: pony
C2 gate: http://d-mmoney.favcc1.com/gate.php
payload_url: http://d-mmoney.favcc1.com/shit.exe
Pony is a credential stealer. The gate is the endpoint the harvested credentials are posted to; payload_url is a follow-on executable the loader fetches from the same host after check-in. Both URLs are usable as exact network indicators; the host d-mmoney.favcc1.com covers both.
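The two URLs above are the only network indicators the report extracts. The following added example (not part of the report, written for this page) uses them in two ways over HTTP proxy logs: an exact match on the extracted gate and payload URLs, and a behavioural rule that catches the same shape on any host, a POST to a gate.php endpoint followed shortly by the same client fetching an .exe from that host. The log line format, the sample lines and the 120-second window are constructed assumptions.

```python
"""Flag Pony-style check-in / payload-fetch pairs in HTTP proxy logs.

Added example, not part of the sandbox report. The two URLs come from the
report's extracted config; the log format, the sample lines and the time
window are constructed for the demonstration.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Indicators taken verbatim from the report's "Malware Config" block.
PONY_C2_URLS = {
    "http://d-mmoney.favcc1.com/gate.php",   # gate: credentials are POSTed here
    "http://d-mmoney.favcc1.com/shit.exe",   # payload_url: follow-on executable
}
PAYLOAD_WINDOW = timedelta(seconds=120)  # assumption: the fetch follows the check-in quickly


@dataclass(frozen=True)
class HttpEvent:
    ts: datetime
    client: str
    method: str
    url: str


def parse_line(line: str) -> HttpEvent:
    """Parse one constructed proxy line: '<iso-timestamp> <client-ip> <METHOD> <url>'."""
    ts, client, method, url = line.split()
    return HttpEvent(datetime.fromisoformat(ts), client, method.upper(), url)


def detect(lines: list[str]) -> list[dict]:
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e.ts)
    alerts: list[dict] = []

    # Rule 1: exact hit on the extracted config URLs.
    for e in events:
        if e.url in PONY_C2_URLS:
            alerts.append({"rule": "pony_ioc_url", "client": e.client, "url": e.url})

    # Rule 2: POST to */gate.php, then the same client GETs an .exe from the same host.
    for i, post in enumerate(events):
        if post.method != "POST" or not urlsplit(post.url).path.endswith("/gate.php"):
            continue
        host = urlsplit(post.url).hostname
        for nxt in events[i + 1:]:
            if nxt.ts - post.ts > PAYLOAD_WINDOW:
                break
            u = urlsplit(nxt.url)
            if (nxt.client == post.client and nxt.method == "GET"
                    and u.hostname == host and u.path.lower().endswith(".exe")):
                alerts.append({"rule": "pony_gate_then_payload", "client": post.client,
                               "gate": post.url, "payload": nxt.url})
                break
    return alerts


# Constructed sample log (not taken from the report's network capture).
SAMPLE_LOG = [
    "2022-11-26T04:51:02 10.0.0.15 POST http://d-mmoney.favcc1.com/gate.php",
    "2022-11-26T04:51:05 10.0.0.15 GET http://d-mmoney.favcc1.com/shit.exe",
    "2022-11-26T04:52:00 10.0.0.22 POST http://other.example/gate.php",      # gate.php but no payload fetch
    "2022-11-26T04:52:09 10.0.0.22 GET http://other.example/favicon.ico",
    "2022-11-26T04:53:00 10.0.0.31 GET http://cdn.example/update.exe",       # .exe fetch with no check-in
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Rule 2 is the one that survives a C2 move: the operator changes the host, the gate.php-then-.exe shape stays. Rule 1 is cheap and exact and should still be run, since the hashes and URLs from a report like this are the fastest retro-hunt available.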
Signatures

Executes dropped EXE (3 IoCs)
  PID 3636 IpOverUsbSvrc.exe
  PID 2312 atiesrx.exe
  PID 4988 IpOverUsbSvrc.exe

yara rule: upx (5 IoCs)
  behavioral2/memory/4880-135-0x0000000000400000-0x000000000041C000-memory.dmp
  behavioral2/memory/4880-137-0x0000000000400000-0x000000000041C000-memory.dmp
  behavioral2/memory/4880-138-0x0000000000400000-0x000000000041C000-memory.dmp
  behavioral2/memory/4880-139-0x0000000000400000-0x000000000041C000-memory.dmp
  behavioral2/memory/4880-149-0x0000000000400000-0x000000000041C000-memory.dmp
  All five hits are the same 112 KB image range (0x400000-0x41C000) in PID 4880 (vbc.exe), dumped at successive points of the run. A UPX-packed image sitting in the compiler's process at its default image base is the injected payload, not anything vbc.exe loaded itself.
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, possibly a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation  by BL_PL_&_INVOICE_PDF.exe
  Key value queried: the same Geo\Nation value  by atiesrx.exe
  Both hits come from the same binary (atiesrx.exe is a self-copy of the sample, see Downloads). Treat this as weak evidence on its own: .NET programs read Geo\Nation as a side effect of initialising RegionInfo/CultureInfo, so the read proves nothing about geofencing unless the code is seen branching on the result.
Uses the VBS compiler for execution (1 TTPs)
  The "VBS compiler" is vbc.exe, the Visual Basic .NET command-line compiler shipped with the .NET Framework (C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe), not the VBScript host. The sample launches it with no arguments and uses it purely as a hollowing target (see SetThreadContext and WriteProcessMemory below); it compiles nothing. A signed Microsoft binary under C:\Windows is chosen so that the stealer's network and registry activity is attributed to a trusted image.
Accesses Microsoft Outlook accounts (1 TTPs, 1 IoCs)
  Key opened: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts  by vbc.exe

Accesses Microsoft Outlook profiles (1 TTPs, 1 IoCs)
  Key opened: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  by vbc.exe
  These two keys hold mail account settings, including stored account passwords, for Outlook and Outlook Express/Windows Mail. A compiler has no reason to open either; this is the Pony payload running inside vbc.exe harvesting mail credentials. The combination "process image is vbc.exe" plus "opens Outlook account keys" is a high-fidelity detection on its own.
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Multimedia Class Scheduler = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\IpOverUsbSvrc.exe"  by IpOverUsbSvrc.exe (PID 3636)
  Set value (str): the same Run value, written again  by IpOverUsbSvrc.exe (PID 4988)
  The value name borrows from the legitimate Multimedia Class Scheduler service (MMCSS) and the file name is one letter away from the Windows IpOverUsbSvc.exe; both are decoys. The reliable signal is independent of the names: a per-user Run entry whose target lives under %APPDATA%\Roaming\Microsoft\ is not how legitimate software installs itself.
Suspicious use of SetThreadContext (1 IoCs)
  PID 2388 BL_PL_&_INVOICE_PDF.exe set thread context of PID 4880 vbc.exe
  Read together with the seven WriteProcessMemory calls from 2388 into 4880 and the UPX-packed image found at 0x400000 in 4880, this is the usual process-hollowing sequence: start vbc.exe, overwrite its image with the payload, point the main thread's context at the new entry point, let it run. SetThreadContext on a child process by anything other than a debugger is itself worth an alert.
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). The sandbox's canned description adds "likely ransomware behaviour"; that reading is not supported for this sample. The extracted family is Pony, a credential stealer, and the report records no file encryption, renaming or ransom note. Drive enumeration here is consistent with a stealer walking the available volumes for credential files.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 2388 BL_PL_&_INVOICE_PDF.exe (the large majority of the 64 events)
  PID 3636 IpOverUsbSvrc.exe (the remainder)
Suspicious use of AdjustPrivilegeToken (52 IoCs)
  SeDebugPrivilege, once each: PID 2388 BL_PL_&_INVOICE_PDF.exe, PID 3636 IpOverUsbSvrc.exe, PID 2312 atiesrx.exe, PID 4988 IpOverUsbSvrc.exe
  PID 4880 vbc.exe, six times over, enables the same eight privileges in the same order: SeImpersonatePrivilege, SeTcbPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeIncreaseQuotaPrivilege, SeAssignPrimaryTokenPrivilege (6 x 8 = 48 events)
  SeDebugPrivilege, enabled by every loader instance, is the standard preparation for opening other processes with full access. The set requested by the hollowed vbc.exe is not one a compiler asks for: SeBackup/SeRestore bypass file ACLs and the token privileges permit impersonation, which fits a stealer trying to read every profile it can reach. Most of these requests fail for a standard user, so the repeated attempts are themselves the signal.
Suspicious use of WriteProcessMemory (19 IoCs)
  PID 2388 BL_PL_&_INVOICE_PDF.exe -> PID 4880 vbc.exe: 7 writes
  PID 2388 BL_PL_&_INVOICE_PDF.exe -> PID 3636 IpOverUsbSvrc.exe: 3 writes
  PID 3636 IpOverUsbSvrc.exe -> PID 2312 atiesrx.exe: 3 writes
  PID 4880 vbc.exe -> PID 3124 cmd.exe: 3 writes
  PID 2312 atiesrx.exe -> PID 4988 IpOverUsbSvrc.exe: 3 writes
  The three writes into each freshly created child are what process creation itself produces in this report (they appear for the plain cmd.exe launch too) and are not injection. The seven writes into vbc.exe, paired with the SetThreadContext call on the same process, are.
outlook_win_path (1 IoCs)
  Key opened: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  by vbc.exe (the same access already listed under "Accesses Microsoft Outlook profiles")
Processes
(indentation shows parent/child; PIDs taken from the Signatures section)

C:\Users\Admin\AppData\Local\Temp\BL_PL_&_INVOICE_PDF.exe  (PID 2388)
  command line: "C:\Users\Admin\AppData\Local\Temp\BL_PL_&_INVOICE_PDF.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  (PID 4880, hollowed)
    command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
    - Accesses Microsoft Outlook accounts
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - outlook_win_path

    C:\Windows\SysWOW64\cmd.exe  (PID 3124; SysWOW64 because the parent is 32-bit)
      command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240674000.bat" "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" "

  C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe  (PID 3636)
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe  (PID 2312)
      command line: C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      - Executes dropped EXE
      - Checks computer location settings
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe  (PID 4988)
        command line: "C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe"
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of AdjustPrivilegeToken

Reading the tree: the loader (2388) does two things. It hollows vbc.exe with the Pony stealer, which reads the Outlook credential keys and then hands off to cmd.exe running a 94-byte batch file from %TEMP% that receives the vbc.exe path as its argument (the batch contents are not reproduced in the report, only its hashes). Separately it drops and starts the 8 KB IpOverUsbSvrc.exe, which starts atiesrx.exe, a byte-identical copy of the original sample (see Downloads), which in turn starts a second IpOverUsbSvrc.exe; each IpOverUsbSvrc.exe instance writes the Run key, so persistence survives even if one instance is killed.
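The tree above, read together with the Signatures, is a chain of three observable behaviours: a parent writing repeatedly into a .NET compiler process and then calling SetThreadContext on it, the hollowed compiler opening Outlook credential keys, and the dropped binaries registering a Run key under %APPDATA%. The added example below (not part of the report or of any vendor's rule set) encodes those three as rules and replays a constructed transcription of the report's rows through them, with two benign controls included. The event field names, the write-count threshold of 4 and the hollowing hosts other than vbc.exe are assumptions.

```python
"""Detection rules for the behaviour chain recorded in the sandbox report.

Added example, not part of the report. The event records are a constructed,
simplified transcription of the report's 'Signatures' rows (field names are
ours); the write-count threshold and the hollowing hosts other than vbc.exe
are assumptions.
"""
from __future__ import annotations
from collections import Counter

# vbc.exe is the host seen in the report; the others are assumed additions
# covering .NET Framework utilities commonly abused the same way.
HOLLOW_HOSTS = {"vbc.exe", "csc.exe", "regasm.exe", "regsvcs.exe"}
OUTLOOK_CRED_KEYS = (
    "\\software\\microsoft\\office\\outlook\\omi account manager\\accounts",
    "\\software\\microsoft\\windows nt\\currentversion\\windows messaging subsystem\\profiles\\outlook",
)
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run\\"
MIN_INJECT_WRITES = 4  # assumption: plain process creation shows 3 writes per child in the report


def _base(image: str) -> str:
    """Lower-cased file name of an image path."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events: list[dict]) -> list[dict]:
    findings = []
    writes = Counter()  # (src_pid, dst_pid) -> WriteProcessMemory count
    ctx = set()         # (src_pid, dst_pid) pairs with a SetThreadContext call
    names = {}          # pid -> image file name

    for e in events:
        names.setdefault(e["pid"], _base(e["image"]))
        op = e["op"]
        if op in ("write_memory", "set_thread_context"):
            names.setdefault(e["target_pid"], _base(e["target_image"]))
            if op == "write_memory":
                writes[(e["pid"], e["target_pid"])] += 1
            else:
                ctx.add((e["pid"], e["target_pid"]))
        elif op == "reg_set":
            # Autorun entry pointing into a user-writable profile directory.
            if RUN_KEY in e["key"].lower() and "\\appdata\\" in e["data"].lower():
                findings.append({"rule": "run_key_to_appdata", "pid": e["pid"],
                                 "value": e["key"].rsplit("\\", 1)[-1], "data": e["data"]})
        elif op == "reg_open":
            # Mail credential stores opened by anything that is not Outlook itself.
            key = e["key"].lower()
            if any(key.endswith(k) for k in OUTLOOK_CRED_KEYS) and names[e["pid"]] != "outlook.exe":
                findings.append({"rule": "outlook_cred_store_access", "pid": e["pid"],
                                 "image": names[e["pid"]]})

    # Hollowing: many writes into a child plus SetThreadContext on it, where the
    # child is a .NET Framework utility that never needs either done to it.
    for (src, dst), n in writes.items():
        if n >= MIN_INJECT_WRITES and (src, dst) in ctx and names[dst] in HOLLOW_HOSTS:
            findings.append({"rule": "hollowing_into_dotnet_host", "src_pid": src,
                             "dst_pid": dst, "host": names[dst], "writes": n})
    return findings


# Constructed events modelled on the report's rows (SID shortened, counts kept).
SID = "S-1-5-21-1-2-3-1000"
LOADER = {"pid": 2388, "image": "BL_PL_&_INVOICE_PDF.exe"}
VBC = {"pid": 4880, "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"}
SAMPLE_EVENTS = (
    [dict(LOADER, op="write_memory", target_pid=4880, target_image=VBC["image"])] * 7
    + [dict(LOADER, op="set_thread_context", target_pid=4880, target_image=VBC["image"])]
    + [dict(LOADER, op="write_memory", target_pid=3636, target_image="IpOverUsbSvrc.exe")] * 3
    + [dict(pid=3636, image="IpOverUsbSvrc.exe", op="reg_set",
            key=rf"\REGISTRY\USER\{SID}\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Multimedia Class Scheduler",
            data=r"C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe")]
    + [dict(VBC, op="reg_open",
            key=rf"\REGISTRY\USER\{SID}\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts"),
       dict(VBC, op="reg_open",
            key=rf"\REGISTRY\USER\{SID}\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook")]
    # Benign controls: Outlook reading its own keys; an installer adding a Run entry under Program Files.
    + [dict(pid=5000, image=r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", op="reg_open",
            key=rf"\REGISTRY\USER\{SID}\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts"),
       dict(pid=6000, image="setup.exe", op="reg_set",
            key=rf"\REGISTRY\USER\{SID}\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
            data=r"C:\Program Files\Vendor\agent.exe")]
)

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Running the block prints four findings: one hollowing pair (2388 into 4880, seven writes), two credential-store accesses by vbc.exe, and one Run key pointing into AppData; the two controls produce nothing. The three writes into IpOverUsbSvrc.exe stay below the threshold, which is exactly the distinction the WriteProcessMemory section of the report draws.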
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\IpOverUsbSvrc.exe.log
  Filesize: 224B
  MD5: c19eb8c8e7a40e6b987f9d2ee952996e
  SHA1: 6fc3049855bc9100643e162511673c6df0f28bfb
  SHA256: 677e9e30350df17e2bc20fa9f7d730e9f7cc6e870d6520a345f5f7dc5b31f58a
  SHA512: 860713b4a787c2189ed12a47d4b68b60ac00c7a253cae52dd4eb9276dacafeae3a81906b6d0742c8ecfdfaa255777c445beb7c2a532f3c677a9903237ac97596
  Note: a CLR usage log is written by the .NET runtime for the assemblies it executes; the path shows IpOverUsbSvrc.exe runs under the 32-bit .NET Framework 2.0 CLR.
C:\Users\Admin\AppData\Local\Temp\240674000.bat
  Filesize: 94B
  MD5: 3880eeb1c736d853eb13b44898b718ab
  SHA1: 4eec9d50360cd815211e3c4e6bdd08271b6ec8e6
  SHA256: 936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7
  SHA512: 3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b
  Note: the batch file cmd.exe runs under the hollowed vbc.exe; its contents are not reproduced in the report.
C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe  (listed three times in the report with identical hashes; one entry kept)
  Filesize: 8KB
  MD5: 54fbde415453f5c9089b49e65bd5f8e7
  SHA1: d77b86631f629b52bbebc6e08fbf60c78e8ceab0
  SHA256: 7d31b70e949833d9f78199848b14307e41da511ca4915c20a8ca61ee8eeeedbf
  SHA512: 90dbbb3986ab3f4dda4292b580bfac7c97bbf20f68d0be0af271b9bc5e22a4abc326baaf284be005c6460ecc2187b6ca5d015fab55be3b242122436fcf3ee5ed
C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe  (listed twice in the report with identical hashes; one entry kept)
  Filesize: 134KB
  MD5: 0e087a29f6694524e66020d9454ccdb9
  SHA1: 10e5050f1975938399827be5dab35e5d01cb0c89
  SHA256: eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c
  SHA512: 9e9c8bb4c3c577a41d930356c8b2d0a9eba0f0692b7e654053b2af478471c1b36db78cd33d2d5b800e661d5a5752e53448fbd299bdc670da5091e704ec10a1af
  Note: every hash matches the submitted sample (see General): atiesrx.exe is a byte-for-byte self-copy of BL_PL_&_INVOICE_PDF.exe, so one file hash covers both the lure and the persisted copy.

Memory dumps
  memory/2388-132, 2388-133, 2388-153: 0x0000000074D50000-0x0000000075301000, 5.7MB each
  memory/3636-140: 0x0000000000000000-mapping.dmp
  memory/3636-146, 3636-151, 3636-154: 0x0000000074D50000-0x0000000075301000, 5.7MB each
  memory/2312-143: 0x0000000000000000-mapping.dmp
  memory/2312-147, 2312-152: 0x0000000074D50000-0x0000000075301000, 5.7MB each
  memory/4988-155: 0x0000000000000000-mapping.dmp
  memory/4988-158, 4988-159: 0x0000000074D50000-0x0000000075301000, 5.7MB each
  memory/4880-134: 0x0000000000000000-mapping.dmp
  memory/4880-135, 4880-137, 4880-138, 4880-139, 4880-149: 0x0000000000400000-0x000000000041C000, 112KB each (the injected image in vbc.exe; these are the dumps that hit the upx yara rule)
  memory/3124-148: 0x0000000000000000-mapping.dmp
  Note: the 5.7 MB range at 0x74D50000 is identical in all four loader processes and absent from vbc.exe, which points to a shared runtime module rather than payload. The 112 KB image in PID 4880 is the dump to pull for the Pony payload; unpack it (it is UPX-flagged) before looking for the gate URL and the credential-harvesting routines.