Analysis
-
max time kernel
149s -
max time network
136s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system -
submitted
28-11-2022 10:58
Static task
static1
Behavioral task
behavioral1
Sample
f7ea603361599bed0b24f771da5b1b01126423d438dab2a1bfc7c7e4f6a1abec.exe
Resource
win7-20220901-en
General
-
Target
f7ea603361599bed0b24f771da5b1b01126423d438dab2a1bfc7c7e4f6a1abec.exe
-
Size
251KB
-
MD5
002b4e3fc895582b5efed565ca1ffd2f
-
SHA1
dc4c15eea157364faa550d10696f2e9c7d475ebc
-
SHA256
f7ea603361599bed0b24f771da5b1b01126423d438dab2a1bfc7c7e4f6a1abec
-
SHA512
30f59b4d31166cd94e7d841f60fb090315aa9926d4bbf57b7f0f2383ef78d3fe6affd6240b6177963a4a124bfc502c16a5d673e79f1b5bc6fabec16eda79c3e5
-
SSDEEP
3072:WqAHdiwrVn0+uyoWthZWNwhjKf1CIIjlWmyZa1ZOWTFS4xj3u4NGIkdJ4dDmSt0:WtdY9EWNAjHZxZZOWDxje4E0e
Malware Config
Extracted
pony
http://moskalskiybodun.com/gate.php
http://funnyinvoiceorg.com/gate.php
http://formaterdocstras.com/gate.php
-
payload_url
http://dkpconsulting.com/wp-content/plugins/cached_data/bb.exe
http://doc.giovanniborsi.it/wp-content/plugins/cached_data/bb.exe
http://dom660000.ru/wp-content/plugins/cached_data/bb.exe
http://domdobleska.ru/wp-content/plugins/cached_data/bb.exe
Signatures
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
f7ea603361599bed0b24f771da5b1b01126423d438dab2a1bfc7c7e4f6a1abec.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts f7ea603361599bed0b24f771da5b1b01126423d438dab2a1bfc7c7e4f6a1abec.exe -
Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
Processes:
f7ea603361599bed0b24f771da5b1b01126423d438dab2a1bfc7c7e4f6a1abec.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook f7ea603361599bed0b24f771da5b1b01126423d438dab2a1bfc7c7e4f6a1abec.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes:
f7ea603361599bed0b24f771da5b1b01126423d438dab2a1bfc7c7e4f6a1abec.exedescription pid process Token: SeImpersonatePrivilege 840 f7ea603361599bed0b24f771da5b1b01126423d438dab2a1bfc7c7e4f6a1abec.exe Token: SeTcbPrivilege 840 f7ea603361599bed0b24f771da5b1b01126423d438dab2a1bfc7c7e4f6a1abec.exe Token: SeChangeNotifyPrivilege 840 f7ea603361599bed0b24f771da5b1b01126423d438dab2a1bfc7c7e4f6a1abec.exe Token: SeCreateTokenPrivilege 840 f7ea603361599bed0b24f771da5b1b01126423d438dab2a1bfc7c7e4f6a1abec.exe Token: SeBackupPrivilege 840 f7ea603361599bed0b24f771da5b1b01126423d438dab2a1bfc7c7e4f6a1abec.exe Token: SeRestorePrivilege 840 f7ea603361599bed0b24f771da5b1b01126423d438dab2a1bfc7c7e4f6a1abec.exe Token: SeIncreaseQuotaPrivilege 840 f7ea603361599bed0b24f771da5b1b01126423d438dab2a1bfc7c7e4f6a1abec.exe Token: SeAssignPrimaryTokenPrivilege 840 f7ea603361599bed0b24f771da5b1b01126423d438dab2a1bfc7c7e4f6a1abec.exe -
outlook_win_path 1 IoCs
Processes:
f7ea603361599bed0b24f771da5b1b01126423d438dab2a1bfc7c7e4f6a1abec.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook f7ea603361599bed0b24f771da5b1b01126423d438dab2a1bfc7c7e4f6a1abec.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\f7ea603361599bed0b24f771da5b1b01126423d438dab2a1bfc7c7e4f6a1abec.exe"C:\Users\Admin\AppData\Local\Temp\f7ea603361599bed0b24f771da5b1b01126423d438dab2a1bfc7c7e4f6a1abec.exe"1⤵
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_win_path