Analysis
- max time kernel: 206s
- max time network: 212s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-11-2022 16:04
Static task: static1
Behavioral task: behavioral1
Sample: cf16860894597ff36e93ced6cdd681b90156e254419a4ad9dbde6aebf5c3166f.exe
Resource: win7-20221111-en
General
- Target: cf16860894597ff36e93ced6cdd681b90156e254419a4ad9dbde6aebf5c3166f.exe
- Size: 134KB
- MD5: ac2dc3101f04217a7298be46988676c9
- SHA1: 088b5b41f2ff31fa83a8fe37e4acbfab8a8d7c6b
- SHA256: cf16860894597ff36e93ced6cdd681b90156e254419a4ad9dbde6aebf5c3166f
- SHA512: 57d9d80f5e0bdaf0b68e1da1d0c32f3e699f812155dc75bab97c02b112be9f7e47aedbd38eb7c2d6576fe41b360dd7a40d1720a2948202db9c0f04ded89d29eb
- SSDEEP: 3072:bwJ52Y7ZoH5XJacWGljfTGn/FiymdNOiPjkb3LTgykBjr6W9z:bwHysr+jbu/MyGdi3kYW9z
Malware Config
Extracted: pony
- http://bigbone10.info/pony/gate.php
- http://bigbone10.info:8080/pony/gate.php
Signatures

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | cf16860894597ff36e93ced6cdd681b90156e254419a4ad9dbde6aebf5c3166f.exe

Loads dropped DLL (1 IoCs)
Processes:
pid | process
652 | cf16860894597ff36e93ced6cdd681b90156e254419a4ad9dbde6aebf5c3166f.exe

Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook accounts (1 TTPs, 1 IoCs)
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | cf16860894597ff36e93ced6cdd681b90156e254419a4ad9dbde6aebf5c3166f.exe

Accesses Microsoft Outlook profiles (1 TTPs, 1 IoCs)
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | cf16860894597ff36e93ced6cdd681b90156e254419a4ad9dbde6aebf5c3166f.exe

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of SetThreadContext (1 IoCs)
Processes:
description | pid | process | target process
PID 652 set thread context of 2624 | 652 | cf16860894597ff36e93ced6cdd681b90156e254419a4ad9dbde6aebf5c3166f.exe | cf16860894597ff36e93ced6cdd681b90156e254419a4ad9dbde6aebf5c3166f.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of AdjustPrivilegeToken (48 IoCs)
Processes:
description | pid | process
Token: SeImpersonatePrivilege | 2624 | cf16860894597ff36e93ced6cdd681b90156e254419a4ad9dbde6aebf5c3166f.exe
Token: SeTcbPrivilege | 2624 | cf16860894597ff36e93ced6cdd681b90156e254419a4ad9dbde6aebf5c3166f.exe
Token: SeChangeNotifyPrivilege | 2624 | cf16860894597ff36e93ced6cdd681b90156e254419a4ad9dbde6aebf5c3166f.exe
Token: SeCreateTokenPrivilege | 2624 | cf16860894597ff36e93ced6cdd681b90156e254419a4ad9dbde6aebf5c3166f.exe
Token: SeBackupPrivilege | 2624 | cf16860894597ff36e93ced6cdd681b90156e254419a4ad9dbde6aebf5c3166f.exe
Token: SeRestorePrivilege | 2624 | cf16860894597ff36e93ced6cdd681b90156e254419a4ad9dbde6aebf5c3166f.exe
Token: SeIncreaseQuotaPrivilege | 2624 | cf16860894597ff36e93ced6cdd681b90156e254419a4ad9dbde6aebf5c3166f.exe
Token: SeAssignPrimaryTokenPrivilege | 2624 | cf16860894597ff36e93ced6cdd681b90156e254419a4ad9dbde6aebf5c3166f.exe
(The above sequence of 8 token adjustments was recorded 6 times in this order, giving the 48 IoCs.)

Suspicious use of WriteProcessMemory (10 IoCs)
Processes:
description | pid | process | target process
PID 652 wrote to memory of 2624 | 652 | cf16860894597ff36e93ced6cdd681b90156e254419a4ad9dbde6aebf5c3166f.exe | cf16860894597ff36e93ced6cdd681b90156e254419a4ad9dbde6aebf5c3166f.exe
(The above row was recorded 7 times.)
PID 2624 wrote to memory of 1736 | 2624 | cf16860894597ff36e93ced6cdd681b90156e254419a4ad9dbde6aebf5c3166f.exe | cmd.exe
(The above row was recorded 3 times.)

outlook_win_path (1 IoCs)
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | cf16860894597ff36e93ced6cdd681b90156e254419a4ad9dbde6aebf5c3166f.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\cf16860894597ff36e93ced6cdd681b90156e254419a4ad9dbde6aebf5c3166f.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\cf16860894597ff36e93ced6cdd681b90156e254419a4ad9dbde6aebf5c3166f.exe"
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

2. (child of 1) C:\Users\Admin\AppData\Local\Temp\cf16860894597ff36e93ced6cdd681b90156e254419a4ad9dbde6aebf5c3166f.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\cf16860894597ff36e93ced6cdd681b90156e254419a4ad9dbde6aebf5c3166f.exe"
   - Checks computer location settings
   - Accesses Microsoft Outlook accounts
   - Accesses Microsoft Outlook profiles
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   - outlook_win_path

3. (child of 2) C:\Windows\SysWOW64\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240755703.bat" "C:\Users\Admin\AppData\Local\Temp\cf16860894597ff36e93ced6cdd681b90156e254419a4ad9dbde6aebf5c3166f.exe" "
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\nsd852F.tmp\Bactria.dll
  Filesize: 52KB
  MD5: a79b10744c06271ba5692b5abf45c1fc
  SHA1: 53b2daa8256eb2e7ad31f0c052a873c08fe1b163
  SHA256: 2e88b23343b44812377ac3901fa5e64d959d997bc4c0e8a9649af9b48b8b9348
  SHA512: 82247dc49cb9322a5cd8b1f37e697d7756deb1c4a26bf9c04a5625926a7d50c7a797c07fda1f03ea0292692fab6262121d316ffb20848ffe51995eeeb6c82f52
- memory/1736-139-0x0000000000000000-mapping.dmp
- memory/2624-133-0x0000000000000000-mapping.dmp
- memory/2624-134-0x0000000000400000-0x0000000000416000-memory.dmp
  Filesize: 88KB
- memory/2624-136-0x0000000000400000-0x0000000000416000-memory.dmp
  Filesize: 88KB
- memory/2624-137-0x0000000000400000-0x0000000000416000-memory.dmp
  Filesize: 88KB
- memory/2624-138-0x0000000000400000-0x0000000000416000-memory.dmp
  Filesize: 88KB