Analysis

max time kernel: 74s
max time network: 127s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-11-2022 15:13

Static task: static1
Behavioral task: behavioral1
Sample: 83c4922e09c975250bed099282a4182a1682822f365e0fa34709363b8df6c6e7.exe
Resource: win7-20220812-en
General

Target: 83c4922e09c975250bed099282a4182a1682822f365e0fa34709363b8df6c6e7.exe
Size: 502KB
MD5: 9457606ebf74d5fd62845aac2b69a612
SHA1: e4d2db4317e467a50e2a704facef4c99eca0104d
SHA256: 83c4922e09c975250bed099282a4182a1682822f365e0fa34709363b8df6c6e7
SHA512: bc5088aa8f35c993ee7292d5e13018c8e502af5f43f82d6492978a7b7fe4a359132d0c09739cff016f326885a4b4e40034eef89b1f29d5bf365830e98d28307a
SSDEEP: 6144:rLPe61lwBk0wLfWAKDc6D7wSr7Odj0BWbHPMSMt8xO6WKv:rbe6TikzLaND7wSEgVSs8xOcv
Malware Config

Extracted
Family: pony
URL: http://indianmoneybag.in/wp-content/themes/twentythirteen/obi/Panel/gate.php
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
  pid   process
  4592  NGRFK.exe
-
Processes:
  resource                                                                      yara_rule
  C:\Users\Admin\AppData\Local\Temp\NGRFK.exe                                   upx
  C:\Users\Admin\AppData\Local\Temp\NGRFK.exe                                   upx
  behavioral2/memory/4592-136-0x0000000000400000-0x000000000041D000-memory.dmp  upx
  behavioral2/memory/4592-138-0x0000000000400000-0x000000000041D000-memory.dmp  upx
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
  description        ioc                                                                                               process
  Key value queried  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation  83c4922e09c975250bed099282a4182a1682822f365e0fa34709363b8df6c6e7.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation  NGRFK.exe
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
  description  ioc                                                                                                              process
  Key opened   \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts  NGRFK.exe
-
Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
Processes:
  description  ioc                                                                                                                                   process
  Key opened   \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  NGRFK.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
  description                          pid   process                                                                target process
  PID 4928 set thread context of 1592  4928  83c4922e09c975250bed099282a4182a1682822f365e0fa34709363b8df6c6e7.exe  83c4922e09c975250bed099282a4182a1682822f365e0fa34709363b8df6c6e7.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
  pid   pid_target  process       target process
  4144  1592        WerFault.exe  83c4922e09c975250bed099282a4182a1682822f365e0fa34709363b8df6c6e7.exe
-
Suspicious use of AdjustPrivilegeToken 48 IoCs
Processes:
  description                           pid   process
  Token: SeImpersonatePrivilege         4592  NGRFK.exe
  Token: SeTcbPrivilege                 4592  NGRFK.exe
  Token: SeChangeNotifyPrivilege        4592  NGRFK.exe
  Token: SeCreateTokenPrivilege         4592  NGRFK.exe
  Token: SeBackupPrivilege              4592  NGRFK.exe
  Token: SeRestorePrivilege             4592  NGRFK.exe
  Token: SeIncreaseQuotaPrivilege       4592  NGRFK.exe
  Token: SeAssignPrimaryTokenPrivilege  4592  NGRFK.exe
  (the eight entries above are recorded six times in the same order, 48 IoCs in total)
-
Suspicious use of WriteProcessMemory 10 IoCs
Processes:
  description                    pid   process                                                                target process
  PID 4928 wrote to memory of 4592  4928  83c4922e09c975250bed099282a4182a1682822f365e0fa34709363b8df6c6e7.exe  NGRFK.exe
  PID 4928 wrote to memory of 4592  4928  83c4922e09c975250bed099282a4182a1682822f365e0fa34709363b8df6c6e7.exe  NGRFK.exe
  PID 4928 wrote to memory of 4592  4928  83c4922e09c975250bed099282a4182a1682822f365e0fa34709363b8df6c6e7.exe  NGRFK.exe
  PID 4928 wrote to memory of 1592  4928  83c4922e09c975250bed099282a4182a1682822f365e0fa34709363b8df6c6e7.exe  83c4922e09c975250bed099282a4182a1682822f365e0fa34709363b8df6c6e7.exe
  PID 4928 wrote to memory of 1592  4928  83c4922e09c975250bed099282a4182a1682822f365e0fa34709363b8df6c6e7.exe  83c4922e09c975250bed099282a4182a1682822f365e0fa34709363b8df6c6e7.exe
  PID 4928 wrote to memory of 1592  4928  83c4922e09c975250bed099282a4182a1682822f365e0fa34709363b8df6c6e7.exe  83c4922e09c975250bed099282a4182a1682822f365e0fa34709363b8df6c6e7.exe
  PID 4928 wrote to memory of 1592  4928  83c4922e09c975250bed099282a4182a1682822f365e0fa34709363b8df6c6e7.exe  83c4922e09c975250bed099282a4182a1682822f365e0fa34709363b8df6c6e7.exe
  PID 4592 wrote to memory of 4152  4592  NGRFK.exe                                                              cmd.exe
  PID 4592 wrote to memory of 4152  4592  NGRFK.exe                                                              cmd.exe
  PID 4592 wrote to memory of 4152  4592  NGRFK.exe                                                              cmd.exe
-
outlook_win_path 1 IoCs
Processes:
  description  ioc                                                                                                                                   process
  Key opened   \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  NGRFK.exe
Processes

[1] C:\Users\Admin\AppData\Local\Temp\83c4922e09c975250bed099282a4182a1682822f365e0fa34709363b8df6c6e7.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\83c4922e09c975250bed099282a4182a1682822f365e0fa34709363b8df6c6e7.exe"
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\NGRFK.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\NGRFK.exe"
        - Executes dropped EXE
        - Checks computer location settings
        - Accesses Microsoft Outlook accounts
        - Accesses Microsoft Outlook profiles
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - outlook_win_path

        [3] C:\Windows\SysWOW64\cmd.exe
            command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240584937.bat" "C:\Users\Admin\AppData\Local\Temp\NGRFK.exe" "

    [2] C:\Users\Admin\AppData\Local\Temp\83c4922e09c975250bed099282a4182a1682822f365e0fa34709363b8df6c6e7.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\83c4922e09c975250bed099282a4182a1682822f365e0fa34709363b8df6c6e7.exe"

        [3] C:\Windows\SysWOW64\WerFault.exe
            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 80
            - Program crash

[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1592 -ip 1592
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\240584937.bat
  Filesize: 94B
  MD5: 3880eeb1c736d853eb13b44898b718ab
  SHA1: 4eec9d50360cd815211e3c4e6bdd08271b6ec8e6
  SHA256: 936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7
  SHA512: 3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

C:\Users\Admin\AppData\Local\Temp\NGRFK.exe
  Filesize: 34KB
  MD5: 584c952a93d0c0794d52d481bf2991c2
  SHA1: 67d2b0d1e7d135054d4c1fc057c7fb5c784aa524
  SHA256: e5ba35f40059abd42e0df99509749f7654f39859ab704e9a02fef1ec5ed7f9a3
  SHA512: 46ede591d55e8e664f803e8e0b76970a80be74fb95b98139ebcfa6ad9dda8dc43e1ba8d094287bb5ab0194ebb9adb1bf8cf94145f28815357c25110d049ce380

memory/1592-135-0x0000000000000000-mapping.dmp

memory/4152-137-0x0000000000000000-mapping.dmp

memory/4592-132-0x0000000000000000-mapping.dmp

memory/4592-136-0x0000000000400000-0x000000000041D000-memory.dmp
  Filesize: 116KB

memory/4592-138-0x0000000000400000-0x000000000041D000-memory.dmp
  Filesize: 116KB