Analysis
- max time kernel: 142s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-11-2022 04:50
Static task: static1
Behavioral task: behavioral1
- Sample: 6758c393b55acff46fe79942c10938ca479824e6e7a8a84cf162c3cab2159847.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 6758c393b55acff46fe79942c10938ca479824e6e7a8a84cf162c3cab2159847.exe
- Resource: win10v2004-20220812-en
General
- Target: 6758c393b55acff46fe79942c10938ca479824e6e7a8a84cf162c3cab2159847.exe
- Size: 118KB
- MD5: 83dba5c3dfc7efe675862a7025b62a13
- SHA1: f9f9266b6e782aba6d7d4efc6c64b4c846c4bc5a
- SHA256: 6758c393b55acff46fe79942c10938ca479824e6e7a8a84cf162c3cab2159847
- SHA512: ea3cd0809198f36723cd3fea7bcd5ac477cd245252c32fc947a80a78ea6c8c6de12f22c72ea4d0ab4c55c810b61bed6216ddbeadbe6dd48253cb947ef64e4cec
- SSDEEP: 3072:cm0Re3edS7ohDD3nofEk53/jh0/GsjQfNilphGD6q:wEaP3of33Lh0/LQ1ilphk
Malware Config
Extracted
- pony
- http://nwahiri.host22.com/gate.php
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: 6758c393b55acff46fe79942c10938ca479824e6e7a8a84cf162c3cab2159847.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | 6758c393b55acff46fe79942c10938ca479824e6e7a8a84cf162c3cab2159847.exe
- Uses the VBS compiler for execution (1 TTP)
- Accesses Microsoft Outlook accounts (1 TTP, 1 IoC)
  Processes: vbc.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | vbc.exe
- Accesses Microsoft Outlook profiles (1 TTP, 1 IoC)
  Processes: vbc.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | vbc.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: reg.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CyberLink PowerStarter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\.exe" | reg.exe
  Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run | reg.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes: 6758c393b55acff46fe79942c10938ca479824e6e7a8a84cf162c3cab2159847.exe
  description | pid | process | target process
  PID 1380 set thread context of 4592 | 1380 | 6758c393b55acff46fe79942c10938ca479824e6e7a8a84cf162c3cab2159847.exe | vbc.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (48 IoCs)
  Processes: vbc.exe
  The report lists the following eight token adjustments, each recorded six times (48 entries in total), all by pid 4592 (vbc.exe):
  description | pid | process
  Token: SeImpersonatePrivilege | 4592 | vbc.exe
  Token: SeTcbPrivilege | 4592 | vbc.exe
  Token: SeChangeNotifyPrivilege | 4592 | vbc.exe
  Token: SeCreateTokenPrivilege | 4592 | vbc.exe
  Token: SeBackupPrivilege | 4592 | vbc.exe
  Token: SeRestorePrivilege | 4592 | vbc.exe
  Token: SeIncreaseQuotaPrivilege | 4592 | vbc.exe
  Token: SeAssignPrimaryTokenPrivilege | 4592 | vbc.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes: 6758c393b55acff46fe79942c10938ca479824e6e7a8a84cf162c3cab2159847.exe, cmd.exe
  description | pid | process | target process
  PID 1380 wrote to memory of 4592 | 1380 | 6758c393b55acff46fe79942c10938ca479824e6e7a8a84cf162c3cab2159847.exe | vbc.exe (recorded 8 times)
  PID 1380 wrote to memory of 1948 | 1380 | 6758c393b55acff46fe79942c10938ca479824e6e7a8a84cf162c3cab2159847.exe | cmd.exe (recorded 3 times)
  PID 1948 wrote to memory of 3640 | 1948 | cmd.exe | reg.exe (recorded 3 times)
- outlook_win_path (1 IoC)
  Processes: vbc.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | vbc.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\6758c393b55acff46fe79942c10938ca479824e6e7a8a84cf162c3cab2159847.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\6758c393b55acff46fe79942c10938ca479824e6e7a8a84cf162c3cab2159847.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    - Accesses Microsoft Outlook accounts
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_win_path
  - C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "CyberLink PowerStarter" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\.exe
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe
      command line: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "CyberLink PowerStarter" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\.exe
      - Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1380-132-0x0000000075160000-0x0000000075711000-memory.dmp (Filesize 5.7MB)
- memory/1380-133-0x0000000075160000-0x0000000075711000-memory.dmp (Filesize 5.7MB)
- memory/1948-138-0x0000000000000000-mapping.dmp
- memory/3640-139-0x0000000000000000-mapping.dmp
- memory/4592-134-0x0000000000000000-mapping.dmp
- memory/4592-135-0x0000000000400000-0x0000000000419000-memory.dmp (Filesize 100KB)
- memory/4592-137-0x0000000000400000-0x0000000000419000-memory.dmp (Filesize 100KB)
- memory/4592-140-0x0000000000400000-0x0000000000419000-memory.dmp (Filesize 100KB)