Analysis
- max time kernel: 152s
- max time network: 136s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 28-11-2022 10:47
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 3b21c9b770bdfe16ab50c88a4d0daf10cbc90efc9d0a4e4e7bd6cf07104c6c98.exe
  - Resource: win7-20220812-en
General
- Target: 3b21c9b770bdfe16ab50c88a4d0daf10cbc90efc9d0a4e4e7bd6cf07104c6c98.exe
- Size: 468KB
- MD5: b6843f93ba472e9a18bacead1573596f
- SHA1: cbe1a3ce097bdb4b25f647ccccb891ffb3c6e529
- SHA256: 3b21c9b770bdfe16ab50c88a4d0daf10cbc90efc9d0a4e4e7bd6cf07104c6c98
- SHA512: b6657df6478e1e4b607e15a1b5f6aa93a2a08caa6c1ea70fa13529a02c60fed3406433c91c475c512de7d19ff1586c96d2d3a311562ed6f8ba400da6100b040c
- SSDEEP: 3072:ENZGGl2ccmCiL35QksWmZ/Dkw1itSqEKRVDOcgiFg72xaWF:ENZG5ccm9HmxDNW3Kcba
Malware Config
Extracted
- family: pony
- C2 (gate URL the stealer posts harvested credentials to): http://hytlfe.com/me/mf/shit.php
- payload_url (secondary binary the config instructs the stealer to download and run): http://hytlfe.com/me/mf/zcong.exe
Signatures
- Executes dropped EXE (1 IoC)
  Processes: csrss.exe (PID 1732)
- Deletes itself (1 IoC)
  Processes: cmd.exe (PID 1036)
- Loads dropped DLL (2 IoCs)
  Processes: 3b21c9b770bdfe16ab50c88a4d0daf10cbc90efc9d0a4e4e7bd6cf07104c6c98.exe (PID 1552), 2 events
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Accesses Microsoft Outlook accounts (1 TTP, 1 IoC)
  Key opened by 3b21c9b770bdfe16ab50c88a4d0daf10cbc90efc9d0a4e4e7bd6cf07104c6c98.exe (PID 900): \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
- Accesses Microsoft Outlook profiles (1 TTP, 1 IoC)
  Key opened by 3b21c9b770bdfe16ab50c88a4d0daf10cbc90efc9d0a4e4e7bd6cf07104c6c98.exe (PID 900): \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of SetThreadContext (1 IoC)
  PID 1552 (3b21c9b770bdfe16ab50c88a4d0daf10cbc90efc9d0a4e4e7bd6cf07104c6c98.exe) set the thread context of PID 900, a second instance of the same binary that PID 1552 had spawned. Together with the WriteProcessMemory events from 1552 into 900 recorded below, this is the pattern of process hollowing: the parent overwrites the child's image and redirects its thread to the injected code.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description of this signature adds "likely ransomware behaviour"; that should not be read as a classification of this sample. The extracted config identifies it as Pony, an infostealer, and the rest of the run (FTP client, browser and Outlook credential-store access, then self-deletion) matches that family.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: 3b21c9b770bdfe16ab50c88a4d0daf10cbc90efc9d0a4e4e7bd6cf07104c6c98.exe (PID 1552), 1 event; csrss.exe (PID 1732), 63 events
- Suspicious use of AdjustPrivilegeToken (34 IoCs)
  Privileges enabled via AdjustTokenPrivileges, by process:
  - PID 1552 (3b21c9b770bdfe16ab50c88a4d0daf10cbc90efc9d0a4e4e7bd6cf07104c6c98.exe): SeDebugPrivilege (1 event)
  - PID 900 (3b21c9b770bdfe16ab50c88a4d0daf10cbc90efc9d0a4e4e7bd6cf07104c6c98.exe, second instance): SeImpersonatePrivilege, SeTcbPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeIncreaseQuotaPrivilege, SeAssignPrimaryTokenPrivilege; the same set of eight, requested four times (32 events)
  - PID 1732 (csrss.exe): SeDebugPrivilege (1 event)
  Caveat: AdjustTokenPrivileges can only enable privileges already present in the token; it does not grant new ones. SeTcbPrivilege, SeCreateTokenPrivilege and SeAssignPrimaryTokenPrivilege are not held by ordinary user or administrator tokens, so for those the call succeeds with ERROR_NOT_ALL_ASSIGNED and nothing is enabled. These IoCs record what the sample asked for, not what it obtained; the list is still a useful detection feature because legitimate software rarely requests that combination.
- Suspicious use of WriteProcessMemory (17 IoCs)
  - PID 1552 (3b21c9b770bdfe16ab50c88a4d0daf10cbc90efc9d0a4e4e7bd6cf07104c6c98.exe) wrote to PID 900 (3b21c9b770bdfe16ab50c88a4d0daf10cbc90efc9d0a4e4e7bd6cf07104c6c98.exe): 9 events
  - PID 1552 wrote to PID 1732 (csrss.exe): 4 events
  - PID 900 wrote to PID 1036 (cmd.exe): 4 events
  The four writes into each freshly created child (csrss.exe, cmd.exe) are what a plain CreateProcess produces when the parent populates the child's process parameters; on their own they are not evidence of injection. The nine writes into PID 900, paired with the SetThreadContext call on the same target, are what mark that child as hollowed.
- outlook_win_path (1 IoC)
  Key opened by 3b21c9b770bdfe16ab50c88a4d0daf10cbc90efc9d0a4e4e7bd6cf07104c6c98.exe (PID 900): \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (the same key as "Accesses Microsoft Outlook profiles" above; this signature is the per-key IoC rule behind that TTP).
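The Outlook registry keys and the FileZilla and browser reads above are the credential-store accesses that make up the stealer side of this run. The following is an added example, not part of the sandbox report and not code from the Pony sample or from the sandbox: a classifier that maps a process's registry-key and file accesses onto known credential stores and flags processes that touch more than one store family in a single run, which a mail client or FTP client reading its own settings does not. The two Outlook key paths and the SID are taken from this report; the FileZilla, Firefox and Chrome file locations are those products' well-known store paths, not paths this report observed; the event list, the Firefox profile name, the OUTLOOK.EXE noise records and PID 2210 are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Sandbox registry paths carry a \REGISTRY\USER\<SID>\ prefix; strip it so the rules
# below match HKCU-relative paths from any event source (EDR, Sysmon, sandbox).
_SID_PREFIX = re.compile(r"^\\REGISTRY\\USER\\S-1-5-21(?:-\d+)+\\", re.I)

# Registry-backed credential stores. Both Outlook keys are the ones this report shows.
REGISTRY_STORES: List[Tuple[str, re.Pattern]] = [
    ("outlook_accounts", re.compile(
        r"^Software\\Microsoft\\Office\\Outlook\\OMI Account Manager\\Accounts", re.I)),
    ("outlook_profiles", re.compile(
        r"^Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook", re.I)),
]

# File-backed stores (assumed locations; the report only names "FileZilla" and "web browsers").
FILE_STORES: List[Tuple[str, re.Pattern]] = [
    ("filezilla", re.compile(r"\\FileZilla\\(sitemanager|recentservers|filezilla)\.xml$", re.I)),
    ("firefox_logins", re.compile(
        r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\(logins\.json|signons\.sqlite|key[34]\.db)$", re.I)),
    ("chrome_logins", re.compile(r"\\Google\\Chrome\\User Data\\[^\\]+\\Login Data$", re.I)),
]


@dataclass(frozen=True)
class Access:
    pid: int
    image: str
    kind: str   # "regkey" or "file"
    path: str


def normalize_registry_path(path: str) -> str:
    """Drop the \\REGISTRY\\USER\\<SID>\\ prefix the sandbox logs on user-hive keys."""
    return _SID_PREFIX.sub("", path)


def classify(access: Access) -> Optional[str]:
    """Return the credential-store label an access touches, or None."""
    if access.kind == "regkey":
        path, table = normalize_registry_path(access.path), REGISTRY_STORES
    else:
        path, table = access.path, FILE_STORES
    for label, pattern in table:
        if pattern.search(path):
            return label
    return None


def credential_store_hits(events: Iterable[Access]) -> Dict[Tuple[int, str], List[str]]:
    """Group store labels by (pid, image) for every process that touched at least one store."""
    hits: Dict[Tuple[int, str], set] = {}
    for ev in events:
        label = classify(ev)
        if label:
            hits.setdefault((ev.pid, ev.image), set()).add(label)
    return {key: sorted(labels) for key, labels in hits.items()}


def is_stealer_like(labels: Iterable[str], min_families: int = 2) -> bool:
    """Outlook reads its own keys and FileZilla its own XML; a stealer reads several
    unrelated families in one run. A family is the label prefix before the first '_'."""
    families = {label.split("_")[0] for label in labels}
    return len(families) >= min_families


# Constructed event list. The two registry opens are the ones the report attributes to the
# second sample instance (PID 900); the file reads and the OUTLOOK.EXE records are made up.
SID = "S-1-5-21-3845472200-3839195424-595303356-1000"
SAMPLE = "3b21c9b770bdfe16ab50c88a4d0daf10cbc90efc9d0a4e4e7bd6cf07104c6c98.exe"
EVENTS = [
    Access(900, SAMPLE, "regkey",
           "\\REGISTRY\\USER\\" + SID + "\\Software\\Microsoft\\Office\\Outlook\\OMI Account Manager\\Accounts"),
    Access(900, SAMPLE, "regkey",
           "\\REGISTRY\\USER\\" + SID + "\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook"),
    Access(900, SAMPLE, "file", r"C:\Users\Admin\AppData\Roaming\FileZilla\sitemanager.xml"),
    Access(900, SAMPLE, "file", r"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k2x7q1.default\logins.json"),
    # Benign noise: Outlook reading its own profile key (hypothetical PID).
    Access(2210, "OUTLOOK.EXE", "regkey",
           "\\REGISTRY\\USER\\" + SID + "\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook"),
    Access(2210, "OUTLOOK.EXE", "file", r"C:\Users\Admin\Documents\notes.docx"),
]

if __name__ == "__main__":
    for (pid, image), labels in credential_store_hits(EVENTS).items():
        verdict = "STEALER-LIKE" if is_stealer_like(labels) else "single store family"
        print(f"{pid:>5} {image}: {', '.join(labels)} -> {verdict}")
```

Run stand-alone it reports PID 900 as stealer-like (four stores across three families) and PID 2210 as a single-family reader. The family threshold is the knob to tune: raising `min_families` to 3 would still catch this run but would miss a stealer that only targets mail and FTP.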
Processes
- C:\Users\Admin\AppData\Local\Temp\3b21c9b770bdfe16ab50c88a4d0daf10cbc90efc9d0a4e4e7bd6cf07104c6c98.exe (PID 1552)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3b21c9b770bdfe16ab50c88a4d0daf10cbc90efc9d0a4e4e7bd6cf07104c6c98.exe"
  Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\3b21c9b770bdfe16ab50c88a4d0daf10cbc90efc9d0a4e4e7bd6cf07104c6c98.exe (PID 900, child of 1552; second instance of the same binary, the WriteProcessMemory/SetThreadContext target)
    Command line: "C:\Users\Admin\AppData\Local\Temp\3b21c9b770bdfe16ab50c88a4d0daf10cbc90efc9d0a4e4e7bd6cf07104c6c98.exe"
    Accesses Microsoft Outlook accounts; Accesses Microsoft Outlook profiles; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; outlook_win_path
    - C:\Windows\SysWOW64\cmd.exe (PID 1036, child of 900)
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\7210756.bat" "C:\Users\Admin\AppData\Local\Temp\3b21c9b770bdfe16ab50c88a4d0daf10cbc90efc9d0a4e4e7bd6cf07104c6c98.exe" "
      Deletes itself (the 94-byte batch file takes the sample's own path as its argument; the SysWOW64 build of cmd.exe shows the sample is a 32-bit process)
  - C:\Users\Admin\AppData\Local\Temp\csrss.exe (PID 1732, child of 1552)
    Command line: "C:\Users\Admin\AppData\Local\Temp\csrss.exe" -keyhide -prochide 900 -reg C:\Users\Admin\AppData\Local\Temp\3b21c9b770bdfe16ab50c88a4d0daf10cbc90efc9d0a4e4e7bd6cf07104c6c98.exe -proc 900 C:\Users\Admin\AppData\Local\Temp\3b21c9b770bdfe16ab50c88a4d0daf10cbc90efc9d0a4e4e7bd6cf07104c6c98.exe
    Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    This is the dropped copy of the sample (identical hashes, see Downloads) running under the name of a Windows system process from a user-writable directory. Its -prochide and -proc arguments both name PID 900, the hollowed instance, and the real csrss.exe only ever runs from C:\Windows\System32.
PIDs are taken from the signature tables above; the report's process tree itself shows only depth.
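The tree above shows four behaviours worth turning into detection logic: a copy of the sample running under the system-process name csrss.exe from %TEMP%; the first instance (PID 1552) writing into and setting the thread context of a second instance of its own image (PID 900); PID 900 launching cmd.exe with a %TEMP% batch file that takes the sample's own path as an argument; and SeDebugPrivilege being enabled from a user-writable path. The following is an added example, not code from the sandbox or from the sample: a triage routine over process records reconstructed from this report's tree and signature tables. The record fields, the PID 0 placeholder for PID 1552's parent (the report does not show it) and the list of system-binary names are my own assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str                      # full path of the executable
    cmdline: str
    wrote_to: Set[int] = field(default_factory=set)        # WriteProcessMemory targets
    set_context_on: Set[int] = field(default_factory=set)  # SetThreadContext targets
    privileges: Set[str] = field(default_factory=set)      # enabled via AdjustPrivilegeToken


# Directories the real Windows system binaries run from (lower-case, trailing backslash).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# System-process names that never legitimately execute from a user-writable directory.
SYSTEM_BINARY_NAMES = {"csrss.exe", "smss.exe", "lsass.exe", "services.exe",
                       "svchost.exe", "winlogon.exe", "wininit.exe"}


def _basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def _in_system_dir(image: str) -> bool:
    return image.lower().startswith(SYSTEM_DIRS)


def _quoted_args(cmdline: str) -> List[str]:
    """Every double-quoted token, lower-cased (the .bat and .exe paths in the cmd.exe line)."""
    return [a.lower() for a in re.findall(r'"([^"]+)"', cmdline)]


def triage(procs: List[Proc]) -> List[Tuple[int, str]]:
    """Return sorted (pid, rule) findings for the four patterns this report exhibits."""
    by_pid: Dict[int, Proc] = {p.pid: p for p in procs}
    findings: List[Tuple[int, str]] = []
    for p in procs:
        name = _basename(p.image)

        # 1. Masquerading: a system-binary name running from outside System32/SysWOW64.
        if name in SYSTEM_BINARY_NAMES and not _in_system_dir(p.image):
            findings.append((p.pid, "system_binary_name_outside_system_dir"))

        # 2. Injection into a child that is a fresh instance of the parent's own image:
        #    WriteProcessMemory and SetThreadContext on the same target, the combination
        #    this report shows for 1552 -> 900 and the classic process-hollowing shape.
        for target in p.wrote_to & p.set_context_on:
            child = by_pid.get(target)
            if child and child.ppid == p.pid and child.image.lower() == p.image.lower():
                findings.append((p.pid, f"inject_into_own_child:{target}"))

        # 3. Self-deletion: cmd.exe running a .bat whose arguments name the parent's executable.
        if name == "cmd.exe":
            parent = by_pid.get(p.ppid)
            args = _quoted_args(p.cmdline)
            if parent and any(a.endswith(".bat") for a in args) and parent.image.lower() in args:
                findings.append((p.pid, f"self_delete_batch_for:{parent.pid}"))

        # 4. SeDebugPrivilege enabled by a binary outside the system directories.
        if "SeDebugPrivilege" in p.privileges and not _in_system_dir(p.image):
            findings.append((p.pid, "sedebug_from_user_path"))
    return sorted(findings)


# Process records reconstructed from this report. PID 1552's parent (the sandbox launcher)
# is not shown in the report, so 0 stands in for it.
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_PATH = TEMP + r"\3b21c9b770bdfe16ab50c88a4d0daf10cbc90efc9d0a4e4e7bd6cf07104c6c98.exe"
CSRSS_PATH = TEMP + r"\csrss.exe"
BAT_PATH = TEMP + r"\7210756.bat"
PROCS = [
    Proc(1552, 0, SAMPLE_PATH, f'"{SAMPLE_PATH}"',
         wrote_to={900, 1732}, set_context_on={900}, privileges={"SeDebugPrivilege"}),
    Proc(900, 1552, SAMPLE_PATH, f'"{SAMPLE_PATH}"',
         wrote_to={1036},
         privileges={"SeImpersonatePrivilege", "SeTcbPrivilege", "SeChangeNotifyPrivilege",
                     "SeCreateTokenPrivilege", "SeBackupPrivilege", "SeRestorePrivilege",
                     "SeIncreaseQuotaPrivilege", "SeAssignPrimaryTokenPrivilege"}),
    Proc(1036, 900, r"C:\Windows\SysWOW64\cmd.exe", f'cmd /c ""{BAT_PATH}" "{SAMPLE_PATH}" "'),
    Proc(1732, 1552, CSRSS_PATH,
         f'"{CSRSS_PATH}" -keyhide -prochide 900 -reg {SAMPLE_PATH} -proc 900 {SAMPLE_PATH}',
         privileges={"SeDebugPrivilege"}),
]

if __name__ == "__main__":
    for pid, rule in triage(PROCS):
        print(f"PID {pid:>5}: {rule}")
```

Rule 2 deliberately requires all three conditions (write, thread-context change, same image as the parent) rather than firing on WriteProcessMemory alone, because, as the signature table shows, an ordinary CreateProcess also produces a handful of writes into the new child. PID 900 itself produces no finding: everything it did (read credential stores, spawn the cleanup batch) is attributed to the processes around it, which is why the credential-store classifier above and this tree check belong together.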
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\7210756.bat
  Filesize: 94B
  MD5: 3880eeb1c736d853eb13b44898b718ab
  SHA1: 4eec9d50360cd815211e3c4e6bdd08271b6ec8e6
  SHA256: 936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7
  SHA512: 3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b
  The self-deletion script run by cmd.exe (PID 1036); at 94 bytes it can hold little more than a delete loop for the path passed on its command line.
- C:\Users\Admin\AppData\Local\Temp\csrss.exe (listed four times in the report, with and without the drive letter; all entries carry the same hashes)
  Filesize: 468KB
  MD5: b6843f93ba472e9a18bacead1573596f
  SHA1: cbe1a3ce097bdb4b25f647ccccb891ffb3c6e529
  SHA256: 3b21c9b770bdfe16ab50c88a4d0daf10cbc90efc9d0a4e4e7bd6cf07104c6c98
  SHA512: b6657df6478e1e4b607e15a1b5f6aa93a2a08caa6c1ea70fa13529a02c60fed3406433c91c475c512de7d19ff1586c96d2d3a311562ed6f8ba400da6100b040c
  Every hash matches the submitted sample: the dropped csrss.exe is a byte-for-byte copy of the sample written to %TEMP% under a Windows system-process name. For hunting, the file hash is therefore the same indicator as the original; the new indicators are the path C:\Users\Admin\AppData\Local\Temp\csrss.exe and its -keyhide/-prochide/-reg/-proc command line.
- memory/900 (3b21c9b770bdfe16ab50c88a4d0daf10cbc90efc9d0a4e4e7bd6cf07104c6c98.exe, second instance): 0x0000000000400000-0x0000000000419000, 100KB, dumped at snapshots 56, 57, 59, 61, 64, 69, 77, 79 and 82
  0x00400000 is the default image base of a 32-bit executable (the process is 32-bit: its cmd.exe child is the SysWOW64 build). PID 1552 wrote into this process and then set its thread context (see Signatures), so these 100KB dumps, not the 468KB file on disk, are the first place to look for the injected code.
- memory/900-66: mapping dump at 0x0000000000410659
- memory/1036-81 (cmd.exe): mapping dump at 0x0000000000000000
- memory/1552-54 (3b21c9b770bdfe16ab50c88a4d0daf10cbc90efc9d0a4e4e7bd6cf07104c6c98.exe): 0x0000000075241000-0x0000000075243000, 8KB
- memory/1552 (3b21c9b770bdfe16ab50c88a4d0daf10cbc90efc9d0a4e4e7bd6cf07104c6c98.exe): 0x0000000074740000-0x0000000074CEB000, 5.7MB, snapshots 55 and 76
- memory/1732-72 (csrss.exe): mapping dump at 0x0000000000000000
- memory/1732 (csrss.exe): 0x0000000074740000-0x0000000074CEB000, 5.7MB, snapshots 78 and 80
  The same 5.7MB range at the same base as in PID 1552, consistent with one module mapped into both processes.