Analysis
-
max time kernel
150s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
28-11-2022 10:47
Static task
static1
Behavioral task
behavioral1
Sample
ea4d6b06920a2b27ec6817065154cc8df386ced2f86cea8e2abc249dc543f9a3.exe
Resource
win7-20221111-en
General
-
Target
ea4d6b06920a2b27ec6817065154cc8df386ced2f86cea8e2abc249dc543f9a3.exe
-
Size
269KB
-
MD5
ee53bca111c76cfff04f9427b235abf9
-
SHA1
af4bb468413a569297dcc4aedba6c123b07ce804
-
SHA256
ea4d6b06920a2b27ec6817065154cc8df386ced2f86cea8e2abc249dc543f9a3
-
SHA512
9f903eb4dcf83321ccd38430da5b8fa59c9b30a69ced72c94aacb2509244f0676d912d7f8325a9414defa05da4aa38d517eeaafe9169e1e6a4cb96f9c7d96fef
-
SSDEEP
3072:8bmQz/jd0wQ02CfzKvXfB34zQZ7VPmHYfvJ47zxVJCqNC0zRCP:bcVzOBIzyJuHYfvJ4fH3cP
Malware Config
Extracted
pony
http://fastssamplestrash.com/gate.php
http://funnyinvoiceorg.com/gate.php
http://formaterdocstras.com/gate.php
-
payload_url
http://manusanz.com/wp-content/plugins/cached_data/b1.exe
http://www.marad.it/wp-content/plugins/cached_data/b1.exe
http://marciapimentelbuffet.com.br/wp-content/plugins/cached_data/b1.exe
http://marketplaceaa.com/wp-content/plugins/cached_data/b1.exe
http://martinapeit.com.ar/wp-content/plugins/cached_data/b1.exe
http://matchstickstudios.co.uk/wp-content/plugins/cached_data/b1.exe
Signatures
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
ea4d6b06920a2b27ec6817065154cc8df386ced2f86cea8e2abc249dc543f9a3.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts ea4d6b06920a2b27ec6817065154cc8df386ced2f86cea8e2abc249dc543f9a3.exe -
Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
Processes:
ea4d6b06920a2b27ec6817065154cc8df386ced2f86cea8e2abc249dc543f9a3.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook ea4d6b06920a2b27ec6817065154cc8df386ced2f86cea8e2abc249dc543f9a3.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes:
ea4d6b06920a2b27ec6817065154cc8df386ced2f86cea8e2abc249dc543f9a3.exedescription pid process Token: SeImpersonatePrivilege 3612 ea4d6b06920a2b27ec6817065154cc8df386ced2f86cea8e2abc249dc543f9a3.exe Token: SeTcbPrivilege 3612 ea4d6b06920a2b27ec6817065154cc8df386ced2f86cea8e2abc249dc543f9a3.exe Token: SeChangeNotifyPrivilege 3612 ea4d6b06920a2b27ec6817065154cc8df386ced2f86cea8e2abc249dc543f9a3.exe Token: SeCreateTokenPrivilege 3612 ea4d6b06920a2b27ec6817065154cc8df386ced2f86cea8e2abc249dc543f9a3.exe Token: SeBackupPrivilege 3612 ea4d6b06920a2b27ec6817065154cc8df386ced2f86cea8e2abc249dc543f9a3.exe Token: SeRestorePrivilege 3612 ea4d6b06920a2b27ec6817065154cc8df386ced2f86cea8e2abc249dc543f9a3.exe Token: SeIncreaseQuotaPrivilege 3612 ea4d6b06920a2b27ec6817065154cc8df386ced2f86cea8e2abc249dc543f9a3.exe Token: SeAssignPrimaryTokenPrivilege 3612 ea4d6b06920a2b27ec6817065154cc8df386ced2f86cea8e2abc249dc543f9a3.exe -
outlook_win_path 1 IoCs
Processes:
ea4d6b06920a2b27ec6817065154cc8df386ced2f86cea8e2abc249dc543f9a3.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook ea4d6b06920a2b27ec6817065154cc8df386ced2f86cea8e2abc249dc543f9a3.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\ea4d6b06920a2b27ec6817065154cc8df386ced2f86cea8e2abc249dc543f9a3.exe"C:\Users\Admin\AppData\Local\Temp\ea4d6b06920a2b27ec6817065154cc8df386ced2f86cea8e2abc249dc543f9a3.exe"1⤵
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_win_path