Analysis
-
max time kernel
48s -
max time network
52s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system -
submitted
26-11-2022 08:28
Static task
static1
Behavioral task
behavioral1
Sample
280b08fba32335ab603ffbc5da3749cdfff9ad455af538bb064679217994e754.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
280b08fba32335ab603ffbc5da3749cdfff9ad455af538bb064679217994e754.exe
Resource
win10v2004-20220812-en
General
-
Target
280b08fba32335ab603ffbc5da3749cdfff9ad455af538bb064679217994e754.exe
-
Size
487KB
-
MD5
97c95b8c854064398f2e4550da31d2fb
-
SHA1
ac9bc2198b173b30eb417bc770ddbc8c350d431b
-
SHA256
280b08fba32335ab603ffbc5da3749cdfff9ad455af538bb064679217994e754
-
SHA512
6a296af5ce7d8c7c02e5e879c316db57c08e632c7111114458cdb71999aba73b0c7153b3c0c40b6ce2463249ef42707f93194e48263b7a2fbf3c36277e0d2d84
-
SSDEEP
6144:3zAKjPdTC+lPSPrlCCWrjTCgxpTu+/tRdYSOq6h5idL+UM2mBe8EjoqqmjfspN:UKj1TvNLjTCgHR3Iq6aL+qmIUF
Malware Config
Extracted
pony
http://indianmoneybag.in/wp-content/themes/twentythirteen/obi/Panel/gate.php
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
RMIEB.exepid process 1188 RMIEB.exe -
Processes:
resource yara_rule \Users\Admin\AppData\Local\Temp\RMIEB.exe upx \Users\Admin\AppData\Local\Temp\RMIEB.exe upx C:\Users\Admin\AppData\Local\Temp\RMIEB.exe upx behavioral1/memory/1188-61-0x0000000000400000-0x000000000041D000-memory.dmp upx behavioral1/memory/1188-64-0x0000000000400000-0x000000000041D000-memory.dmp upx C:\Users\Admin\AppData\Local\Temp\RMIEB.exe upx -
Loads dropped DLL 2 IoCs
Processes:
280b08fba32335ab603ffbc5da3749cdfff9ad455af538bb064679217994e754.exepid process 1268 280b08fba32335ab603ffbc5da3749cdfff9ad455af538bb064679217994e754.exe 1268 280b08fba32335ab603ffbc5da3749cdfff9ad455af538bb064679217994e754.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
RMIEB.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts RMIEB.exe -
Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
Processes:
RMIEB.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook RMIEB.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
280b08fba32335ab603ffbc5da3749cdfff9ad455af538bb064679217994e754.exedescription pid process target process PID 1268 set thread context of 1336 1268 280b08fba32335ab603ffbc5da3749cdfff9ad455af538bb064679217994e754.exe 280b08fba32335ab603ffbc5da3749cdfff9ad455af538bb064679217994e754.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 32 IoCs
Processes:
RMIEB.exedescription pid process Token: SeImpersonatePrivilege 1188 RMIEB.exe Token: SeTcbPrivilege 1188 RMIEB.exe Token: SeChangeNotifyPrivilege 1188 RMIEB.exe Token: SeCreateTokenPrivilege 1188 RMIEB.exe Token: SeBackupPrivilege 1188 RMIEB.exe Token: SeRestorePrivilege 1188 RMIEB.exe Token: SeIncreaseQuotaPrivilege 1188 RMIEB.exe Token: SeAssignPrimaryTokenPrivilege 1188 RMIEB.exe Token: SeImpersonatePrivilege 1188 RMIEB.exe Token: SeTcbPrivilege 1188 RMIEB.exe Token: SeChangeNotifyPrivilege 1188 RMIEB.exe Token: SeCreateTokenPrivilege 1188 RMIEB.exe Token: SeBackupPrivilege 1188 RMIEB.exe Token: SeRestorePrivilege 1188 RMIEB.exe Token: SeIncreaseQuotaPrivilege 1188 RMIEB.exe Token: SeAssignPrimaryTokenPrivilege 1188 RMIEB.exe Token: SeImpersonatePrivilege 1188 RMIEB.exe Token: SeTcbPrivilege 1188 RMIEB.exe Token: SeChangeNotifyPrivilege 1188 RMIEB.exe Token: SeCreateTokenPrivilege 1188 RMIEB.exe Token: SeBackupPrivilege 1188 RMIEB.exe Token: SeRestorePrivilege 1188 RMIEB.exe Token: SeIncreaseQuotaPrivilege 1188 RMIEB.exe Token: SeAssignPrimaryTokenPrivilege 1188 RMIEB.exe Token: SeImpersonatePrivilege 1188 RMIEB.exe Token: SeTcbPrivilege 1188 RMIEB.exe Token: SeChangeNotifyPrivilege 1188 RMIEB.exe Token: SeCreateTokenPrivilege 1188 RMIEB.exe Token: SeBackupPrivilege 1188 RMIEB.exe Token: SeRestorePrivilege 1188 RMIEB.exe Token: SeIncreaseQuotaPrivilege 1188 RMIEB.exe Token: SeAssignPrimaryTokenPrivilege 1188 RMIEB.exe -
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
280b08fba32335ab603ffbc5da3749cdfff9ad455af538bb064679217994e754.exeRMIEB.exedescription pid process target process PID 1268 wrote to memory of 1188 1268 280b08fba32335ab603ffbc5da3749cdfff9ad455af538bb064679217994e754.exe RMIEB.exe PID 1268 wrote to memory of 1188 1268 280b08fba32335ab603ffbc5da3749cdfff9ad455af538bb064679217994e754.exe RMIEB.exe PID 1268 wrote to memory of 1188 1268 280b08fba32335ab603ffbc5da3749cdfff9ad455af538bb064679217994e754.exe RMIEB.exe PID 1268 wrote to memory of 1188 1268 280b08fba32335ab603ffbc5da3749cdfff9ad455af538bb064679217994e754.exe RMIEB.exe PID 1268 wrote to memory of 1336 1268 280b08fba32335ab603ffbc5da3749cdfff9ad455af538bb064679217994e754.exe 280b08fba32335ab603ffbc5da3749cdfff9ad455af538bb064679217994e754.exe PID 1268 wrote to memory of 1336 1268 280b08fba32335ab603ffbc5da3749cdfff9ad455af538bb064679217994e754.exe 280b08fba32335ab603ffbc5da3749cdfff9ad455af538bb064679217994e754.exe PID 1268 wrote to memory of 1336 1268 280b08fba32335ab603ffbc5da3749cdfff9ad455af538bb064679217994e754.exe 280b08fba32335ab603ffbc5da3749cdfff9ad455af538bb064679217994e754.exe PID 1268 wrote to memory of 1336 1268 280b08fba32335ab603ffbc5da3749cdfff9ad455af538bb064679217994e754.exe 280b08fba32335ab603ffbc5da3749cdfff9ad455af538bb064679217994e754.exe PID 1268 wrote to memory of 1336 1268 280b08fba32335ab603ffbc5da3749cdfff9ad455af538bb064679217994e754.exe 280b08fba32335ab603ffbc5da3749cdfff9ad455af538bb064679217994e754.exe PID 1188 wrote to memory of 1996 1188 RMIEB.exe cmd.exe PID 1188 wrote to memory of 1996 1188 RMIEB.exe cmd.exe PID 1188 wrote to memory of 1996 1188 RMIEB.exe cmd.exe PID 1188 wrote to memory of 1996 1188 RMIEB.exe cmd.exe -
outlook_win_path 1 IoCs
Processes:
RMIEB.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook RMIEB.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\280b08fba32335ab603ffbc5da3749cdfff9ad455af538bb064679217994e754.exe"C:\Users\Admin\AppData\Local\Temp\280b08fba32335ab603ffbc5da3749cdfff9ad455af538bb064679217994e754.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RMIEB.exe"C:\Users\Admin\AppData\Local\Temp\RMIEB.exe"2⤵
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_win_path
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\7093693.bat" "C:\Users\Admin\AppData\Local\Temp\RMIEB.exe" "3⤵
-
C:\Users\Admin\AppData\Local\Temp\280b08fba32335ab603ffbc5da3749cdfff9ad455af538bb064679217994e754.exe"C:\Users\Admin\AppData\Local\Temp\280b08fba32335ab603ffbc5da3749cdfff9ad455af538bb064679217994e754.exe"2⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\7093693.batFilesize
94B
MD53880eeb1c736d853eb13b44898b718ab
SHA14eec9d50360cd815211e3c4e6bdd08271b6ec8e6
SHA256936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7
SHA5123eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b
-
C:\Users\Admin\AppData\Local\Temp\RMIEB.exeFilesize
34KB
MD5584c952a93d0c0794d52d481bf2991c2
SHA167d2b0d1e7d135054d4c1fc057c7fb5c784aa524
SHA256e5ba35f40059abd42e0df99509749f7654f39859ab704e9a02fef1ec5ed7f9a3
SHA51246ede591d55e8e664f803e8e0b76970a80be74fb95b98139ebcfa6ad9dda8dc43e1ba8d094287bb5ab0194ebb9adb1bf8cf94145f28815357c25110d049ce380
-
C:\Users\Admin\AppData\Local\Temp\RMIEB.exeFilesize
34KB
MD5584c952a93d0c0794d52d481bf2991c2
SHA167d2b0d1e7d135054d4c1fc057c7fb5c784aa524
SHA256e5ba35f40059abd42e0df99509749f7654f39859ab704e9a02fef1ec5ed7f9a3
SHA51246ede591d55e8e664f803e8e0b76970a80be74fb95b98139ebcfa6ad9dda8dc43e1ba8d094287bb5ab0194ebb9adb1bf8cf94145f28815357c25110d049ce380
-
\Users\Admin\AppData\Local\Temp\RMIEB.exeFilesize
34KB
MD5584c952a93d0c0794d52d481bf2991c2
SHA167d2b0d1e7d135054d4c1fc057c7fb5c784aa524
SHA256e5ba35f40059abd42e0df99509749f7654f39859ab704e9a02fef1ec5ed7f9a3
SHA51246ede591d55e8e664f803e8e0b76970a80be74fb95b98139ebcfa6ad9dda8dc43e1ba8d094287bb5ab0194ebb9adb1bf8cf94145f28815357c25110d049ce380
-
\Users\Admin\AppData\Local\Temp\RMIEB.exeFilesize
34KB
MD5584c952a93d0c0794d52d481bf2991c2
SHA167d2b0d1e7d135054d4c1fc057c7fb5c784aa524
SHA256e5ba35f40059abd42e0df99509749f7654f39859ab704e9a02fef1ec5ed7f9a3
SHA51246ede591d55e8e664f803e8e0b76970a80be74fb95b98139ebcfa6ad9dda8dc43e1ba8d094287bb5ab0194ebb9adb1bf8cf94145f28815357c25110d049ce380
-
memory/1188-57-0x0000000000000000-mapping.dmp
-
memory/1188-61-0x0000000000400000-0x000000000041D000-memory.dmpFilesize
116KB
-
memory/1188-64-0x0000000000400000-0x000000000041D000-memory.dmpFilesize
116KB
-
memory/1268-54-0x00000000757A1000-0x00000000757A3000-memory.dmpFilesize
8KB
-
memory/1268-60-0x0000000000440000-0x000000000045D000-memory.dmpFilesize
116KB
-
memory/1336-62-0x000000000002B055-mapping.dmp
-
memory/1996-63-0x0000000000000000-mapping.dmp