Analysis
max time kernel: 88s
max time network: 42s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 26-11-2022 04:50
Static task: static1
Behavioral task: behavioral1
  Sample: 6758c393b55acff46fe79942c10938ca479824e6e7a8a84cf162c3cab2159847.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 6758c393b55acff46fe79942c10938ca479824e6e7a8a84cf162c3cab2159847.exe
  Resource: win10v2004-20220812-en
General
Target: 6758c393b55acff46fe79942c10938ca479824e6e7a8a84cf162c3cab2159847.exe
Size: 118KB
MD5: 83dba5c3dfc7efe675862a7025b62a13
SHA1: f9f9266b6e782aba6d7d4efc6c64b4c846c4bc5a
SHA256: 6758c393b55acff46fe79942c10938ca479824e6e7a8a84cf162c3cab2159847
SHA512: ea3cd0809198f36723cd3fea7bcd5ac477cd245252c32fc947a80a78ea6c8c6de12f22c72ea4d0ab4c55c810b61bed6216ddbeadbe6dd48253cb947ef64e4cec
SSDEEP: 3072:cm0Re3edS7ohDD3nofEk53/jh0/GsjQfNilphGD6q:wEaP3of33Lh0/LQ1ilphk
Malware Config
Extracted
  Family: pony
  URL: http://nwahiri.host22.com/gate.php
Signatures
Uses the VBS compiler for execution (1 TTPs)
Accesses Microsoft Outlook accounts (1 TTPs, 1 IoCs)
  Processes: vbc.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | vbc.exe
Accesses Microsoft Outlook profiles (1 TTPs, 1 IoCs)
  Processes: vbc.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | vbc.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: reg.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run | reg.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\CyberLink PowerStarter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\.exe" | reg.exe
Suspicious use of SetThreadContext (1 IoCs)
  Processes: 6758c393b55acff46fe79942c10938ca479824e6e7a8a84cf162c3cab2159847.exe
  description | pid | process | target process
  PID 1160 set thread context of 1440 | 1160 | 6758c393b55acff46fe79942c10938ca479824e6e7a8a84cf162c3cab2159847.exe | vbc.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of AdjustPrivilegeToken (32 IoCs)
  Processes: vbc.exe
  description | pid | process
  (each of the eight token adjustments below is recorded four times, 32 entries in all)
  Token: SeImpersonatePrivilege | 1440 | vbc.exe
  Token: SeTcbPrivilege | 1440 | vbc.exe
  Token: SeChangeNotifyPrivilege | 1440 | vbc.exe
  Token: SeCreateTokenPrivilege | 1440 | vbc.exe
  Token: SeBackupPrivilege | 1440 | vbc.exe
  Token: SeRestorePrivilege | 1440 | vbc.exe
  Token: SeIncreaseQuotaPrivilege | 1440 | vbc.exe
  Token: SeAssignPrimaryTokenPrivilege | 1440 | vbc.exe
Suspicious use of WriteProcessMemory (17 IoCs)
  Processes: 6758c393b55acff46fe79942c10938ca479824e6e7a8a84cf162c3cab2159847.exe, cmd.exe
  description | pid | process | target process
  PID 1160 wrote to memory of 1440 | 1160 | 6758c393b55acff46fe79942c10938ca479824e6e7a8a84cf162c3cab2159847.exe | vbc.exe (9 entries)
  PID 1160 wrote to memory of 1324 | 1160 | 6758c393b55acff46fe79942c10938ca479824e6e7a8a84cf162c3cab2159847.exe | cmd.exe (4 entries)
  PID 1324 wrote to memory of 1076 | 1324 | cmd.exe | reg.exe (4 entries)
outlook_win_path (1 IoCs)
  Processes: vbc.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | vbc.exe
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\6758c393b55acff46fe79942c10938ca479824e6e7a8a84cf162c3cab2159847.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6758c393b55acff46fe79942c10938ca479824e6e7a8a84cf162c3cab2159847.exe"
  PID: 1160
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    PID: 1440
    - Accesses Microsoft Outlook accounts
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_win_path
  Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "CyberLink PowerStarter" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\.exe
    PID: 1324
    - Suspicious use of WriteProcessMemory
    Level 3: C:\Windows\SysWOW64\reg.exe
      Command line: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "CyberLink PowerStarter" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\.exe
      PID: 1076
      - Adds Run key to start application
Network
MITRE ATT&CK Enterprise v6
Downloads
memory/1076-70-0x0000000000000000-mapping.dmp
memory/1160-54-0x0000000075A91000-0x0000000075A93000-memory.dmp (Filesize: 8KB)
memory/1160-55-0x00000000744E0000-0x0000000074A8B000-memory.dmp (Filesize: 5.7MB)
memory/1160-56-0x00000000744E0000-0x0000000074A8B000-memory.dmp (Filesize: 5.7MB)
memory/1324-68-0x0000000000000000-mapping.dmp
memory/1440-57-0x0000000000400000-0x0000000000419000-memory.dmp (Filesize: 100KB)
memory/1440-58-0x0000000000400000-0x0000000000419000-memory.dmp (Filesize: 100KB)
memory/1440-63-0x0000000000400000-0x0000000000419000-memory.dmp (Filesize: 100KB)
memory/1440-64-0x000000000040FE57-mapping.dmp
memory/1440-66-0x0000000000400000-0x0000000000419000-memory.dmp (Filesize: 100KB)
memory/1440-61-0x0000000000400000-0x0000000000419000-memory.dmp (Filesize: 100KB)
memory/1440-69-0x0000000000400000-0x0000000000419000-memory.dmp (Filesize: 100KB)
memory/1440-60-0x0000000000400000-0x0000000000419000-memory.dmp (Filesize: 100KB)
memory/1440-71-0x0000000000400000-0x0000000000419000-memory.dmp (Filesize: 100KB)