Analysis
max time kernel: 149s
max time network: 106s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 28-11-2022 11:27
Static task: static1
Behavioral task: behavioral1
Sample: 64d0a4b09f0b5ca8468eca2df0c00326add152414dca23e028fadfa7302a65b2.exe
Resource: win7-20220812-en
General
Target: 64d0a4b09f0b5ca8468eca2df0c00326add152414dca23e028fadfa7302a65b2.exe
Size: 244KB
MD5: cf164f12ed2851b1ef80b88b7fb16021
SHA1: ec141ca587f88822cc138c2a2835e6eb596c3c3b
SHA256: 64d0a4b09f0b5ca8468eca2df0c00326add152414dca23e028fadfa7302a65b2
SHA512: b0155451eec2f877b7de1e3ddaa35035ea0932d0e45429f44a05540fd94ade0f09241e496e23d6ce11977b6735b70ba8933fc7c87810efc6678cf9283e149399
SSDEEP: 3072:PZC6QlOTr39Q/YeY/pZYIMyP4Cz4rzxbEgrWNC93M5oLpJeGVTbmELx4dXPnamTP:PM6QAHNmY9My4CKenCkoLptL+5PMq
Malware Config
Extracted
Family: pony
C2 (gate URLs):
  http://ireqinvoiceparm.com/gate.php
  http://manydocsfastrack.com/gate.php
  http://invoiceformater.com/gate.php
payload_url:
  http://fusteriadurany.com/wp-content/plugins/cached_data/pp.exe
  http://geppetto.hu/wp-content/plugins/cached_data/pp.exe
  http://getitupskateboards.com/wp-content/plugins/cached_data/pp.exe
  http://ghcimt.org/wp-content/plugins/cached_data/pp.exe
  http://globalindiaconsultancy.org/wp-content/plugins/cached_data/pp.exe
  http://gncinsaat.com/wp-content/plugins/cached_data/pp.exe
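The extracted configuration is directly usable as network indicators. As an added example (not part of this sandbox report or of any vendor tooling), the following script turns the C2 gate URLs and payload URLs above into a matcher and runs it over a few constructed proxy log lines. It distinguishes an exact hit on a gate URL from any other traffic to a gate host, and an exact payload URL from the shared path `/wp-content/plugins/cached_data/pp.exe` seen on a host not in the list. Treating the path alone as a weaker indicator is an assumption of this example: all six payload hosts serve the same file from the same WordPress plugin path, which is what one would expect if they are unrelated compromised sites rather than attacker-registered domains, so blocking by host would be noisy while the path generalises well. The log format and addresses are constructed for illustration.

```python
"""Match proxy log URLs against the Pony config extracted from this sample.

Added example; the URL lists are copied from the report, the log lines and
the log format (timestamp client method url status) are constructed.
"""
from urllib.parse import urlsplit

# C2 gate URLs from the extracted config.
C2_URLS = {
    "http://ireqinvoiceparm.com/gate.php",
    "http://manydocsfastrack.com/gate.php",
    "http://invoiceformater.com/gate.php",
}
# payload_url entries from the extracted config.
PAYLOAD_URLS = {
    "http://fusteriadurany.com/wp-content/plugins/cached_data/pp.exe",
    "http://geppetto.hu/wp-content/plugins/cached_data/pp.exe",
    "http://getitupskateboards.com/wp-content/plugins/cached_data/pp.exe",
    "http://ghcimt.org/wp-content/plugins/cached_data/pp.exe",
    "http://globalindiaconsultancy.org/wp-content/plugins/cached_data/pp.exe",
    "http://gncinsaat.com/wp-content/plugins/cached_data/pp.exe",
}
# Every payload host serves the same path; assumption: the hosts are unrelated
# compromised sites, so the path is the more portable (if weaker) indicator.
PAYLOAD_PATH = "/wp-content/plugins/cached_data/pp.exe"


def normalize(url):
    """Reduce a URL to (host, path): lower-cased, no scheme, port or query."""
    parts = urlsplit(url.strip().lower())
    return parts.hostname or "", parts.path or "/"


C2_KEYS = {normalize(u) for u in C2_URLS}
C2_HOSTS = {host for host, _ in C2_KEYS}
PAYLOAD_KEYS = {normalize(u) for u in PAYLOAD_URLS}


def classify(url):
    """Return an indicator label for a URL, strongest match first, or None."""
    host, path = normalize(url)
    if (host, path) in C2_KEYS:
        return "pony_c2_gate"          # exact gate.php on a known C2 host
    if host in C2_HOSTS:
        return "pony_c2_host"          # other traffic to a C2 host
    if (host, path) in PAYLOAD_KEYS:
        return "pony_payload_url"      # exact payload URL from the config
    if path == PAYLOAD_PATH:
        return "pony_payload_path"     # same dropper path on an unlisted host
    return None


# Constructed proxy log: "<timestamp> <client_ip> <method> <url> <status>".
SAMPLE_LOG = """\
2022-11-28T11:30:01Z 10.0.0.12 POST http://ireqinvoiceparm.com/gate.php 200
2022-11-28T11:30:02Z 10.0.0.12 GET http://gncinsaat.com/wp-content/plugins/cached_data/pp.exe 200
2022-11-28T11:30:05Z 10.0.0.12 GET http://example.org/wp-content/plugins/cached_data/pp.exe 404
2022-11-28T11:30:09Z 10.0.0.12 GET HTTP://MANYDOCSFASTRACK.COM/index.html 200
2022-11-28T11:31:00Z 10.0.0.7 GET http://www.example.com/ 200
"""


def scan_log(text):
    """Return (client_ip, label, url) for every log line that hits an indicator."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue                   # malformed line, skip rather than crash
        _ts, client, _method, url, _status = fields[:5]
        label = classify(url)
        if label:
            hits.append((client, label, url))
    return hits


if __name__ == "__main__":
    for client, label, url in scan_log(SAMPLE_LOG):
        print(f"{client}\t{label}\t{url}")
```

The ordering in `classify` matters: a request to a gate host for anything other than `gate.php` is still worth an alert, and a `pony_payload_path` hit on an unlisted host is the signal that the campaign has moved to a site the config did not name.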
Signatures

Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook accounts (1 TTPs, 1 IoCs)
Process: 64d0a4b09f0b5ca8468eca2df0c00326add152414dca23e028fadfa7302a65b2.exe
  description: Key opened
  ioc: \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
  process: 64d0a4b09f0b5ca8468eca2df0c00326add152414dca23e028fadfa7302a65b2.exe

Accesses Microsoft Outlook profiles (1 TTPs, 1 IoCs)
Process: 64d0a4b09f0b5ca8468eca2df0c00326add152414dca23e028fadfa7302a65b2.exe
  description: Key opened
  ioc: \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
  process: 64d0a4b09f0b5ca8468eca2df0c00326add152414dca23e028fadfa7302a65b2.exe

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of AdjustPrivilegeToken (10 IoCs)
Process: 64d0a4b09f0b5ca8468eca2df0c00326add152414dca23e028fadfa7302a65b2.exe (pid 1720)
  Token: SeIncBasePriorityPrivilege
  Token: SeSystemtimePrivilege
  Token: SeImpersonatePrivilege
  Token: SeTcbPrivilege
  Token: SeChangeNotifyPrivilege
  Token: SeCreateTokenPrivilege
  Token: SeBackupPrivilege
  Token: SeRestorePrivilege
  Token: SeIncreaseQuotaPrivilege
  Token: SeAssignPrimaryTokenPrivilege

outlook_win_path (1 IoCs)
Process: 64d0a4b09f0b5ca8468eca2df0c00326add152414dca23e028fadfa7302a65b2.exe
  description: Key opened
  ioc: \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
  process: 64d0a4b09f0b5ca8468eca2df0c00326add152414dca23e028fadfa7302a65b2.exe
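None of the signatures above is conclusive on its own: Outlook opens its own account key every time it starts, and a backup agent legitimately enables SeBackupPrivilege. What makes the sample an infostealer is one process touching several unrelated credential stores (mail accounts, FTP client configuration, browser data, wallets) in quick succession. As an added example (not part of this report or of the sandbox's own detection logic), the following script correlates a constructed stream of sandbox-style events per process and flags a process that hits at least two distinct artefact classes. The two Outlook registry keys, the pid and the privilege names are taken from the report; the FileZilla, browser and wallet file paths are the usual locations for those artefact classes and are an assumption here, since the report names the classes but not the exact files; the event format and the two contrasting benign processes are constructed.

```python
"""Correlate per-process credential-access indicators from sandbox-style events.

Added example. Registry keys and privilege names come from the report above;
file paths, the event schema and the benign processes are constructed.
"""
import re
from collections import defaultdict

# Registry targets: the two Outlook keys from the report plus the Uninstall key
# that the "Checks installed software" signature refers to.
REG_PATTERNS = {
    "outlook_accounts": re.compile(
        r"\\Software\\Microsoft\\Office\\Outlook\\OMI Account Manager\\Accounts$", re.I),
    "outlook_profiles": re.compile(
        r"\\Windows Messaging Subsystem\\Profiles\\Outlook$", re.I),
    "installed_software": re.compile(
        r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall(\\|$)", re.I),
}
# File targets. Assumption: the report names the artefact classes but not the
# files, so these are the standard locations for each class.
FILE_PATTERNS = {
    "ftp_client_config": re.compile(r"\\FileZilla\\(sitemanager|recentservers)\.xml$", re.I),
    "browser_credentials": re.compile(r"\\(Login Data|logins\.json|signons\.sqlite)$", re.I),
    "crypto_wallet": re.compile(r"\\wallet\.dat$", re.I),
}
# Privileges from the AdjustPrivilegeToken signature that an ordinary user-mode
# program has no reason to enable (SeBackup/SeRestore bypass file ACLs).
SUSPICIOUS_PRIVS = {
    "SeBackupPrivilege", "SeRestorePrivilege", "SeTcbPrivilege",
    "SeImpersonatePrivilege", "SeCreateTokenPrivilege", "SeAssignPrimaryTokenPrivilege",
}


def classify_event(ev):
    """Map one event to an indicator class, or None if it is not interesting."""
    op, target = ev["op"], ev["target"]
    if op == "key_opened":
        patterns = REG_PATTERNS
    elif op == "file_read":
        patterns = FILE_PATTERNS
    elif op == "privilege_enabled":
        return "priv:" + target if target in SUSPICIOUS_PRIVS else None
    else:
        return None
    for name, pattern in patterns.items():
        if pattern.search(target):
            return name
    return None


def correlate(events, min_classes=2):
    """Group indicator hits by pid; flag a process that touches at least
    min_classes distinct artefact classes. Privileges are reported, not scored,
    because a single privilege is too common to be decisive by itself."""
    by_pid = defaultdict(lambda: {"image": None, "classes": set(), "privs": set()})
    for ev in events:
        cls = classify_event(ev)
        if cls is None:
            continue
        rec = by_pid[ev["pid"]]
        rec["image"] = ev["image"]
        if cls.startswith("priv:"):
            rec["privs"].add(cls[5:])
        else:
            rec["classes"].add(cls)
    return {
        pid: {
            "image": rec["image"],
            "classes": sorted(rec["classes"]),
            "privs": sorted(rec["privs"]),
            "flagged": len(rec["classes"]) >= min_classes,
        }
        for pid, rec in by_pid.items()
    }


SAMPLE = "64d0a4b09f0b5ca8468eca2df0c00326add152414dca23e028fadfa7302a65b2.exe"
USER_HIVE = r"\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000"
# Constructed event stream: pid 1720's registry and privilege events mirror the
# report; the FileZilla read and the other two processes are made up for contrast.
SAMPLE_EVENTS = [
    {"pid": 1720, "image": SAMPLE, "op": "key_opened",
     "target": USER_HIVE + r"\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts"},
    {"pid": 1720, "image": SAMPLE, "op": "key_opened",
     "target": USER_HIVE + r"\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook"},
    {"pid": 1720, "image": SAMPLE, "op": "privilege_enabled", "target": "SeBackupPrivilege"},
    {"pid": 1720, "image": SAMPLE, "op": "privilege_enabled", "target": "SeChangeNotifyPrivilege"},
    {"pid": 1720, "image": SAMPLE, "op": "file_read",
     "target": r"C:\Users\Admin\AppData\Roaming\FileZilla\sitemanager.xml"},
    # Outlook legitimately opens its own account key: one class, not flagged.
    {"pid": 2044, "image": "OUTLOOK.EXE", "op": "key_opened",
     "target": USER_HIVE + r"\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts"},
    {"pid": 3000, "image": "explorer.exe", "op": "file_read",
     "target": r"C:\Users\Admin\Documents\notes.txt"},
]

if __name__ == "__main__":
    for pid, verdict in correlate(SAMPLE_EVENTS).items():
        print(pid, verdict)
```

The threshold is deliberately on distinct classes rather than event count, so a mail client that reads its own keys a hundred times stays below it while a process that reads one Outlook key and one FileZilla file crosses it. In production the image name and signing state of the process would be a second dimension; the sandbox report gives only the pid and path, so the example keeps to what those events show.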
Processes
C:\Users\Admin\AppData\Local\Temp\64d0a4b09f0b5ca8468eca2df0c00326add152414dca23e028fadfa7302a65b2.exe (pid 1720)
  command line: "C:\Users\Admin\AppData\Local\Temp\64d0a4b09f0b5ca8468eca2df0c00326add152414dca23e028fadfa7302a65b2.exe"
  - Accesses Microsoft Outlook accounts
  - Accesses Microsoft Outlook profiles
  - Suspicious use of AdjustPrivilegeToken
  - outlook_win_path
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
memory/1720-54-0x0000000003850000-0x0000000003867000-memory.dmp (filesize 92KB)
memory/1720-56-0x0000000000400000-0x0000000000443000-memory.dmp (filesize 268KB)
memory/1720-55-0x0000000075BD1000-0x0000000075BD3000-memory.dmp (filesize 8KB)
memory/1720-57-0x0000000003850000-0x0000000003867000-memory.dmp (filesize 92KB)