Analysis
-
max time kernel
152s -
max time network
133s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
-
submitted
26-11-2022 15:13
General
-
Target
a980c417bb69ab4ad13eb5792293b368619983e3d6688aefa38f1d7009b8cd30.exe
-
Size
500KB
-
MD5
2ac9e60e9e4770c8fcfb4c87a38bdc13
-
SHA1
0e7812057990cef7a6fe6b06037d0e54700d08bb
-
SHA256
a980c417bb69ab4ad13eb5792293b368619983e3d6688aefa38f1d7009b8cd30
-
SHA512
c10b261725b291ed8aadfa80ba8302e8fd8c6ca2ccbf3702f650df9b44bc8626468f818cf099f5379042c2483ae629bca5a3a96a0f246181704afe9dceb2c718
-
SSDEEP
6144:hLPe67l7q1fcC3P2uYDEDEkBQGcxjgBSIEFDiKexjyFWnffPW:hbe6ZCcapYEDiWEF2KWVff+
Malware Config
Extracted
pony
http://indianmoneybag.in/wp-content/themes/twentythirteen/obi/Panel/gate.php
Signatures
-
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
-
Executes dropped EXE 4 IoCs
-
UPX packed file 7 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 2 IoCs
-
Accesses Microsoft Outlook profiles 1 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Internet Explorer settings 1 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 48 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\a980c417bb69ab4ad13eb5792293b368619983e3d6688aefa38f1d7009b8cd30.exe"C:\Users\Admin\AppData\Local\Temp\a980c417bb69ab4ad13eb5792293b368619983e3d6688aefa38f1d7009b8cd30.exe"2⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\a980c417bb69ab4ad13eb5792293b368619983e3d6688aefa38f1d7009b8cd30.exe"C:\Users\Admin\AppData\Local\Temp\a980c417bb69ab4ad13eb5792293b368619983e3d6688aefa38f1d7009b8cd30.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Uhic\fire.exe"C:\Users\Admin\AppData\Roaming\Uhic\fire.exe"4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\NQXLL.exe"C:\Users\Admin\AppData\Local\Temp\NQXLL.exe"5⤵
- Executes dropped EXE
- Checks computer location settings
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- outlook_win_path
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240625500.bat" "C:\Users\Admin\AppData\Local\Temp\NQXLL.exe" "6⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵
-
C:\Users\Admin\AppData\Roaming\Uhic\fire.exe"C:\Users\Admin\AppData\Roaming\Uhic\fire.exe"5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp6ce3c868.bat"4⤵
-
C:\Users\Admin\AppData\Local\Temp\NQXLL.exe"C:\Users\Admin\AppData\Local\Temp\NQXLL.exe"3⤵
- Executes dropped EXE
- Checks computer location settings
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240605437.bat" "C:\Users\Admin\AppData\Local\Temp\NQXLL.exe" "4⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\240605437.batFilesize
94B
MD53880eeb1c736d853eb13b44898b718ab
SHA14eec9d50360cd815211e3c4e6bdd08271b6ec8e6
SHA256936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7
SHA5123eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b
-
C:\Users\Admin\AppData\Local\Temp\NQXLL.exeFilesize
34KB
MD5584c952a93d0c0794d52d481bf2991c2
SHA167d2b0d1e7d135054d4c1fc057c7fb5c784aa524
SHA256e5ba35f40059abd42e0df99509749f7654f39859ab704e9a02fef1ec5ed7f9a3
SHA51246ede591d55e8e664f803e8e0b76970a80be74fb95b98139ebcfa6ad9dda8dc43e1ba8d094287bb5ab0194ebb9adb1bf8cf94145f28815357c25110d049ce380
-
C:\Users\Admin\AppData\Local\Temp\NQXLL.exeFilesize
34KB
MD5584c952a93d0c0794d52d481bf2991c2
SHA167d2b0d1e7d135054d4c1fc057c7fb5c784aa524
SHA256e5ba35f40059abd42e0df99509749f7654f39859ab704e9a02fef1ec5ed7f9a3
SHA51246ede591d55e8e664f803e8e0b76970a80be74fb95b98139ebcfa6ad9dda8dc43e1ba8d094287bb5ab0194ebb9adb1bf8cf94145f28815357c25110d049ce380
-
C:\Users\Admin\AppData\Local\Temp\NQXLL.exeFilesize
34KB
MD5584c952a93d0c0794d52d481bf2991c2
SHA167d2b0d1e7d135054d4c1fc057c7fb5c784aa524
SHA256e5ba35f40059abd42e0df99509749f7654f39859ab704e9a02fef1ec5ed7f9a3
SHA51246ede591d55e8e664f803e8e0b76970a80be74fb95b98139ebcfa6ad9dda8dc43e1ba8d094287bb5ab0194ebb9adb1bf8cf94145f28815357c25110d049ce380
-
C:\Users\Admin\AppData\Local\Temp\NQXLL.exeFilesize
34KB
MD5584c952a93d0c0794d52d481bf2991c2
SHA167d2b0d1e7d135054d4c1fc057c7fb5c784aa524
SHA256e5ba35f40059abd42e0df99509749f7654f39859ab704e9a02fef1ec5ed7f9a3
SHA51246ede591d55e8e664f803e8e0b76970a80be74fb95b98139ebcfa6ad9dda8dc43e1ba8d094287bb5ab0194ebb9adb1bf8cf94145f28815357c25110d049ce380
-
C:\Users\Admin\AppData\Local\Temp\tmp6ce3c868.batFilesize
307B
MD5a01f2ea8cce5364df498097004e87e85
SHA1def9fc4f0439cea6e1043dfc8f442c9f028cb64e
SHA256c6dd1f743c7d8dbb700164606eaf58a0ab8369ab08b76f06dd161c07dc4e1083
SHA512c0f530af19c5773680b33c8d5549879daf20f12410e7e50f4e3e25dd3adee3461cd0da4e9f4bd963d67e5cc3ff3d49b55c7aff7ec4395595c6fc38beb8f96cbb
-
C:\Users\Admin\AppData\Roaming\Bate\xauzt.ukeFilesize
2KB
MD566ec21eda37e12a4253e28d702677285
SHA1f0c7af05ee041404f5411a4e007b729940b32a8b
SHA256b69e5670370385b1d94c94ac49f13eed4975ef28cf50ba82aca2fc6a4a0dd178
SHA5123f4e7d7ea2df5dc3922727c80b8f7c0ee79060fb8de33795debcdd748bff652d2d447c195cc00f1455a441e268228aa79e2934b022c02af3c790d059ffb20017
-
C:\Users\Admin\AppData\Roaming\Uhic\fire.exeFilesize
500KB
MD53f87a907fdeb434075675a3208f1d990
SHA16df1746ad105c433795791b8a4b42201f090fefc
SHA2565a62eacbc28b772c1b3a30440dcae55bd992378711a9effd6185e4f2e9521851
SHA5128875bc0980fed2528db9241996794abc8f197596142f119b593215304799f506bbb6e47f6ffe4a617820cee034da7df24e3a23b33fee1921b8eb4a61a4fee463
-
C:\Users\Admin\AppData\Roaming\Uhic\fire.exeFilesize
500KB
MD53f87a907fdeb434075675a3208f1d990
SHA16df1746ad105c433795791b8a4b42201f090fefc
SHA2565a62eacbc28b772c1b3a30440dcae55bd992378711a9effd6185e4f2e9521851
SHA5128875bc0980fed2528db9241996794abc8f197596142f119b593215304799f506bbb6e47f6ffe4a617820cee034da7df24e3a23b33fee1921b8eb4a61a4fee463
-
C:\Users\Admin\AppData\Roaming\Uhic\fire.exeFilesize
500KB
MD53f87a907fdeb434075675a3208f1d990
SHA16df1746ad105c433795791b8a4b42201f090fefc
SHA2565a62eacbc28b772c1b3a30440dcae55bd992378711a9effd6185e4f2e9521851
SHA5128875bc0980fed2528db9241996794abc8f197596142f119b593215304799f506bbb6e47f6ffe4a617820cee034da7df24e3a23b33fee1921b8eb4a61a4fee463
-
memory/1096-142-0x0000000000000000-mapping.dmp
-
memory/1212-161-0x00000000020E0000-0x000000000211B000-memory.dmpFilesize
236KB
-
memory/1212-162-0x0000000000400000-0x000000000041D000-memory.dmpFilesize
116KB
-
memory/1212-167-0x00000000020E0000-0x000000000211B000-memory.dmpFilesize
236KB
-
memory/1212-149-0x0000000000000000-mapping.dmp
-
memory/3552-132-0x0000000000000000-mapping.dmp
-
memory/3552-137-0x0000000000400000-0x000000000041D000-memory.dmpFilesize
116KB
-
memory/3552-147-0x0000000000400000-0x000000000041D000-memory.dmpFilesize
116KB
-
memory/3772-139-0x0000000000400000-0x000000000043B000-memory.dmpFilesize
236KB
-
memory/3772-141-0x0000000000400000-0x000000000043B000-memory.dmpFilesize
236KB
-
memory/3772-140-0x0000000000400000-0x000000000043B000-memory.dmpFilesize
236KB
-
memory/3772-145-0x0000000000400000-0x000000000043B000-memory.dmpFilesize
236KB
-
memory/3772-157-0x0000000000400000-0x000000000043B000-memory.dmpFilesize
236KB
-
memory/3772-159-0x0000000001450000-0x000000000148B000-memory.dmpFilesize
236KB
-
memory/3772-136-0x0000000000400000-0x000000000043B000-memory.dmpFilesize
236KB
-
memory/3772-138-0x0000000000400000-0x000000000043B000-memory.dmpFilesize
236KB
-
memory/3772-135-0x0000000000000000-mapping.dmp
-
memory/4448-165-0x0000000000000000-mapping.dmp
-
memory/4448-166-0x0000000000C10000-0x0000000000C4B000-memory.dmpFilesize
236KB
-
memory/4448-168-0x0000000000C10000-0x0000000000C4B000-memory.dmpFilesize
236KB
-
memory/4688-156-0x0000000000000000-mapping.dmp
-
memory/5040-146-0x0000000000000000-mapping.dmp
-
memory/5080-151-0x0000000000000000-mapping.dmp
-
memory/5080-163-0x0000000000400000-0x000000000043B000-memory.dmpFilesize
236KB
-
memory/5080-169-0x0000000000400000-0x000000000043B000-memory.dmpFilesize
236KB