Analysis
max time kernel: 161s
max time network: 165s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-11-2022 15:05
Static task: static1
Behavioral task: behavioral1
  Sample: 271c55200556b59a200a324d2396fd915b4a1196ff695df3324837e1dfeed02d.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: 271c55200556b59a200a324d2396fd915b4a1196ff695df3324837e1dfeed02d.exe
  Resource: win10v2004-20221111-en
General
Target: 271c55200556b59a200a324d2396fd915b4a1196ff695df3324837e1dfeed02d.exe
Size: 198KB
MD5: 53710f0860d03137504a072e76d3f036
SHA1: 7b4912ad92ca95231ad4b45bf33e5a6c66be1750
SHA256: 271c55200556b59a200a324d2396fd915b4a1196ff695df3324837e1dfeed02d
SHA512: ee547fa3f1cde33fbd657209e7454ad7deef82313e27f7841b43581d244094cc39435bbd7355685ba7b9f1476f91e79a6d9ca5a0155db5d06aee9845802d34fc
SSDEEP: 3072:yoWPI/I3Jl6GB93t0BYrAzww9IwbFG7qyFd6FQPz3kG:ynPdlV3t0zww9tsqyFsS7B
Malware Config (extracted)
Family: pony
C2: http://188.166.15.172/pony//gate.php
Signatures
- YARA rule match: upx (7 IoCs)
  Process: svchost.exe (PID 5024)
  resource | yara_rule
  behavioral2/memory/5024-134-0x0000000000400000-0x000000000041C000-memory.dmp | upx
  behavioral2/memory/5024-135-0x0000000000400000-0x000000000041C000-memory.dmp | upx
  behavioral2/memory/5024-136-0x0000000000400000-0x000000000041C000-memory.dmp | upx
  behavioral2/memory/5024-138-0x0000000000400000-0x000000000041C000-memory.dmp | upx
  behavioral2/memory/5024-139-0x0000000000400000-0x000000000041C000-memory.dmp | upx
  behavioral2/memory/5024-141-0x0000000000400000-0x000000000041C000-memory.dmp | upx
  behavioral2/memory/5024-143-0x0000000000400000-0x000000000041C000-memory.dmp | upx
- Accesses Microsoft Outlook accounts (1 TTP, 1 IoC)
  Process: svchost.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | svchost.exe
- Accesses Microsoft Outlook profiles (1 TTP, 1 IoC)
  Process: svchost.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | svchost.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 271c55200556b59a200a324d2396fd915b4a1196ff695df3324837e1dfeed02d.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google Update = "C:\\Users\\Admin\\AppData\\Local\\Temp\\chrome.exe" | 271c55200556b59a200a324d2396fd915b4a1196ff695df3324837e1dfeed02d.exe
- Suspicious use of SetThreadContext (1 IoC)
  Process: 271c55200556b59a200a324d2396fd915b4a1196ff695df3324837e1dfeed02d.exe
  description | pid | process | target process
  PID 3784 set thread context of 5024 | 3784 | 271c55200556b59a200a324d2396fd915b4a1196ff695df3324837e1dfeed02d.exe | svchost.exe
- Suspicious use of AdjustPrivilegeToken (48 IoCs)
  Process: svchost.exe (PID 5024)
  The same sequence of eight token privileges is adjusted six times in this order (8 x 6 = 48 IoCs):
  Token: SeImpersonatePrivilege, Token: SeTcbPrivilege, Token: SeChangeNotifyPrivilege, Token: SeCreateTokenPrivilege, Token: SeBackupPrivilege, Token: SeRestorePrivilege, Token: SeIncreaseQuotaPrivilege, Token: SeAssignPrimaryTokenPrivilege
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes: 271c55200556b59a200a324d2396fd915b4a1196ff695df3324837e1dfeed02d.exe, svchost.exe
  description | pid | process | target process
  PID 3784 wrote to memory of 4624 (3 times) | 3784 | 271c55200556b59a200a324d2396fd915b4a1196ff695df3324837e1dfeed02d.exe | svchost.exe
  PID 3784 wrote to memory of 5024 (8 times) | 3784 | 271c55200556b59a200a324d2396fd915b4a1196ff695df3324837e1dfeed02d.exe | svchost.exe
  PID 5024 wrote to memory of 3060 (3 times) | 5024 | svchost.exe | cmd.exe
- outlook_win_path (1 IoC)
  Process: svchost.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | svchost.exe
Processes
C:\Users\Admin\AppData\Local\Temp\271c55200556b59a200a324d2396fd915b4a1196ff695df3324837e1dfeed02d.exe (PID 3784)
  Command line: "C:\Users\Admin\AppData\Local\Temp\271c55200556b59a200a324d2396fd915b4a1196ff695df3324837e1dfeed02d.exe"
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\svchost.exe (PID 4624)
    Command line: "C:\Windows\System32\svchost.exe"
  C:\Windows\SysWOW64\svchost.exe (PID 5024)
    Command line: "C:\Windows\System32\svchost.exe"
    - Accesses Microsoft Outlook accounts
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - outlook_win_path
    C:\Windows\SysWOW64\cmd.exe (PID 3060)
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240606343.bat" "C:\Windows\SysWOW64\svchost.exe" "
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\240606343.bat
  Filesize: 94B
  MD5: 3880eeb1c736d853eb13b44898b718ab
  SHA1: 4eec9d50360cd815211e3c4e6bdd08271b6ec8e6
  SHA256: 936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7
  SHA512: 3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b
memory/3060-142-0x0000000000000000-mapping.dmp
memory/3784-132-0x00000000752D0000-0x0000000075881000-memory.dmp (Filesize: 5.7MB)
memory/3784-140-0x00000000752D0000-0x0000000075881000-memory.dmp (Filesize: 5.7MB)
memory/5024-133-0x0000000000000000-mapping.dmp
memory/5024-134-0x0000000000400000-0x000000000041C000-memory.dmp (Filesize: 112KB)
memory/5024-135-0x0000000000400000-0x000000000041C000-memory.dmp (Filesize: 112KB)
memory/5024-136-0x0000000000400000-0x000000000041C000-memory.dmp (Filesize: 112KB)
memory/5024-138-0x0000000000400000-0x000000000041C000-memory.dmp (Filesize: 112KB)
memory/5024-139-0x0000000000400000-0x000000000041C000-memory.dmp (Filesize: 112KB)
memory/5024-141-0x0000000000400000-0x000000000041C000-memory.dmp (Filesize: 112KB)
memory/5024-143-0x0000000000400000-0x000000000041C000-memory.dmp (Filesize: 112KB)