Analysis
max time kernel: 179s
max time network: 189s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-11-2022 14:45
Static task: static1
Behavioral task: behavioral1
Sample: 2adb07916f90ebe960d28568427815fda73b01a40a47b9e7bedb487b8301b96d.exe
Resource: win7-20220812-en
General
Target: 2adb07916f90ebe960d28568427815fda73b01a40a47b9e7bedb487b8301b96d.exe
Size: 1.3MB
MD5: c75f98e9bde735b1785b9f3e3d7b6ad6
SHA1: 8028222efcf71c343aa3ce45b2dde05403696a3d
SHA256: 2adb07916f90ebe960d28568427815fda73b01a40a47b9e7bedb487b8301b96d
SHA512: 59b8b5fefe4b72becf3eefbbb70480174f9b2ae588e99cb5cc3b623847f0018ce603f3c4a6dcf9dc328618e71a68442ff5f7a214d2cec000ded1bc53aad81499
SSDEEP: 24576:i2O/GlAIaOXAN/+rtH/GsMb7g6zwzRQegxP265:vPXAZetHo5k1tS
Malware Config
Extracted family: pony
C2: http://finalego.000a.de/1/gate.php
Signatures
Executes dropped EXE 1 IoCs
Processes: Order.exe
pid | process
1664 | Order.exe

Processes: (yara rule matches on memory dumps)
resource | yara_rule
behavioral2/memory/2236-139-0x0000000000400000-0x000000000041D000-memory.dmp | upx
behavioral2/memory/2236-140-0x0000000000400000-0x000000000041D000-memory.dmp | upx
behavioral2/memory/2236-141-0x0000000000400000-0x000000000041D000-memory.dmp | upx
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: 2adb07916f90ebe960d28568427815fda73b01a40a47b9e7bedb487b8301b96d.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation | 2adb07916f90ebe960d28568427815fda73b01a40a47b9e7bedb487b8301b96d.exe
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes: RegSvcs.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | RegSvcs.exe

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
Processes: RegSvcs.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | RegSvcs.exe
Suspicious use of SetThreadContext 1 IoCs
Processes: Order.exe
description | pid | process | target process
PID 1664 set thread context of 2236 | 1664 | Order.exe | RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes: Order.exe
pid | process
1664 | Order.exe
1664 | Order.exe
1664 | Order.exe
1664 | Order.exe
Suspicious use of AdjustPrivilegeToken 49 IoCs
Processes: Order.exe, RegSvcs.exe
description | pid | process
Token: SeDebugPrivilege | 1664 | Order.exe
Token: SeImpersonatePrivilege | 2236 | RegSvcs.exe (6 occurrences)
Token: SeTcbPrivilege | 2236 | RegSvcs.exe (6 occurrences)
Token: SeChangeNotifyPrivilege | 2236 | RegSvcs.exe (6 occurrences)
Token: SeCreateTokenPrivilege | 2236 | RegSvcs.exe (6 occurrences)
Token: SeBackupPrivilege | 2236 | RegSvcs.exe (6 occurrences)
Token: SeRestorePrivilege | 2236 | RegSvcs.exe (6 occurrences)
Token: SeIncreaseQuotaPrivilege | 2236 | RegSvcs.exe (6 occurrences)
Token: SeAssignPrimaryTokenPrivilege | 2236 | RegSvcs.exe (6 occurrences)
Suspicious use of WriteProcessMemory 11 IoCs
Processes: 2adb07916f90ebe960d28568427815fda73b01a40a47b9e7bedb487b8301b96d.exe, Order.exe, RegSvcs.exe
description | pid | process | target process
PID 1672 wrote to memory of 1664 | 1672 | 2adb07916f90ebe960d28568427815fda73b01a40a47b9e7bedb487b8301b96d.exe | Order.exe (3 occurrences)
PID 1664 wrote to memory of 2236 | 1664 | Order.exe | RegSvcs.exe (5 occurrences)
PID 2236 wrote to memory of 4056 | 2236 | RegSvcs.exe | cmd.exe (3 occurrences)
outlook_win_path 1 IoCs
Processes: RegSvcs.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | RegSvcs.exe
Processes
C:\Users\Admin\AppData\Local\Temp\2adb07916f90ebe960d28568427815fda73b01a40a47b9e7bedb487b8301b96d.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\2adb07916f90ebe960d28568427815fda73b01a40a47b9e7bedb487b8301b96d.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\3llb9dt7w4t\Order.exe
    command line: "C:\Users\Admin\3llb9dt7w4t\Order.exe" xhtiy
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      - Accesses Microsoft Outlook accounts
      - Accesses Microsoft Outlook profiles
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - outlook_win_path
      C:\Windows\SysWOW64\cmd.exe
        command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240686218.bat" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" "
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\3LLB9D~1\pwbf.NYP
  Filesize: 34KB
  MD5: f399b73ee327486c2a1141022b7bc6af
  SHA1: 6dd7c7ebfbbfad9e1ccdac2a33753103de44e940
  SHA256: 51e36dfa1b9bff164a486d1a0ea72afa5336526c11c2ef9a8dc1b810ae5686b8
  SHA512: 63fde7c94498b9f6f9b284d9b1f80309ddb4e8ac17389897d35bdd4e5f88a26b21d38d8473161789e267f5b8684eb136e51553d0ea08c268a658547c3be1e6be

C:\Users\Admin\3LLB9D~1\xaiuob.NPI
  Filesize: 32B
  MD5: 7bedf5d1e14c7254ef5d1bfa35e49d8a
  SHA1: 03fad752cfaaceb5a576b7ebe787e5dcd40d0776
  SHA256: f5a92af8b21c593f37ca0163a874ef0102dae8d9b79e8dbd330ca3d6dd312ec3
  SHA512: 0448c5b29f6c7aa69db75b7b34387d3ba60ed74ccb63b8de91ff148aaad851f335526445ff1e09ab6726a4f53599bfbdd64194beab48202dd32a6dffb2db0ec5

C:\Users\Admin\3llb9dt7w4t\Order.exe
  Filesize: 732KB
  MD5: 71d8f6d5dc35517275bc38ebcc815f9f
  SHA1: cae4e8c730de5a01d30aabeb3e5cb2136090ed8d
  SHA256: fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b
  SHA512: 4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59
C:\Users\Admin\3llb9dt7w4t\xhtiy
  Filesize: 646.7MB
  MD5: b187219b690411c0fd06cd65e65f6769
  SHA1: 3edfde714b9558af20eae08e94c117a8932310aa
  SHA256: f76cc795d9a25863638ea815ce0e64f69b8a09eb76dbc81acef31b479b0dc7d6
  SHA512: 3750fca3f7fba3a2d007e6f2269a62647f65d91078fc9b6ce02225a086f93363d8eb2e86801586fe5e82ee2afad01f6216ec99e1eb5d6372e9b52c45ff381fbe

C:\Users\Admin\AppData\Local\Temp\240686218.bat
  Filesize: 94B
  MD5: 3880eeb1c736d853eb13b44898b718ab
  SHA1: 4eec9d50360cd815211e3c4e6bdd08271b6ec8e6
  SHA256: 936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7
  SHA512: 3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

memory/1664-132-0x0000000000000000-mapping.dmp

memory/2236-138-0x0000000000000000-mapping.dmp

memory/2236-139-0x0000000000400000-0x000000000041D000-memory.dmp
  Filesize: 116KB

memory/2236-140-0x0000000000400000-0x000000000041D000-memory.dmp
  Filesize: 116KB

memory/2236-141-0x0000000000400000-0x000000000041D000-memory.dmp
  Filesize: 116KB

memory/4056-142-0x0000000000000000-mapping.dmp