Analysis
-
max time kernel: 233s
max time network: 333s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 28-11-2022 12:10
-
Static task: static1
Behavioral task: behavioral1
  Sample: a1f12c346b487f5054ca918323fbada1aad97bd46dedb5ff5ff75d7bb34b0fde.jar
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: a1f12c346b487f5054ca918323fbada1aad97bd46dedb5ff5ff75d7bb34b0fde.jar
  Resource: win10v2004-20220812-en
General
-
Target
a1f12c346b487f5054ca918323fbada1aad97bd46dedb5ff5ff75d7bb34b0fde.jar
-
Size
147KB
-
MD5
84fb7ae55623298b8e648ff5c7dc2115
-
SHA1
1af05edd024bf064f1d03c640ab6a09b3a3f0d7c
-
SHA256
a1f12c346b487f5054ca918323fbada1aad97bd46dedb5ff5ff75d7bb34b0fde
-
SHA512
401f0e31489404d494a1a7068866a43fd981a5bbc5698c816d970596d05a8c032c773db8103b63178797dab121b166797e8ca2502bdc72c3e7afcc5a74e9d00e
-
SSDEEP
3072:ASXpIshi44JexXmSKpPULrtYnqAOUkiQKjh4YmTmLbb58Kdz+CmmCrUk:PIEiPhSUPUqqA9jtSCLbqKRrm94k
Malware Config
Extracted
pony
http://sweet0rium.com/dd/Panel/gate.php
http://www.sweet0rium.com/dd/Panel/gate.php
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
pid | process
884 | asdqw67728263020026206530INVOICES.exe
1132 | Find.exe
-
Processes:
resource | yara_rule
behavioral1/memory/1704-90-0x0000000000400000-0x000000000041D000-memory.dmp | upx
behavioral1/memory/1704-92-0x0000000000400000-0x000000000041D000-memory.dmp | upx
behavioral1/memory/1704-93-0x0000000000400000-0x000000000041D000-memory.dmp | upx
behavioral1/memory/1704-96-0x0000000000400000-0x000000000041D000-memory.dmp | upx
behavioral1/memory/1704-99-0x0000000000400000-0x000000000041D000-memory.dmp | upx
behavioral1/memory/1704-100-0x0000000000400000-0x000000000041D000-memory.dmp | upx
behavioral1/memory/1704-102-0x0000000000400000-0x000000000041D000-memory.dmp | upx
behavioral1/memory/1704-103-0x0000000000400000-0x000000000041D000-memory.dmp | upx
behavioral1/memory/1704-105-0x0000000000400000-0x000000000041D000-memory.dmp | upx
-
Loads dropped DLL 3 IoCs
Processes:
pid | process
884 | asdqw67728263020026206530INVOICES.exe
884 | asdqw67728263020026206530INVOICES.exe
884 | asdqw67728263020026206530INVOICES.exe
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | vbc.exe
-
Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | vbc.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run | reg.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ggg = "C:\\ProgramData\\Find.exe" | reg.exe
-
Maps connected drives based on registry 3 TTPs 4 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | Find.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | asdqw67728263020026206530INVOICES.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | asdqw67728263020026206530INVOICES.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | Find.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 1132 set thread context of 1704 | 1132 | Find.exe | vbc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
Processes:
pid | process
884 | asdqw67728263020026206530INVOICES.exe
-
Suspicious use of AdjustPrivilegeToken 34 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 884 | asdqw67728263020026206530INVOICES.exe
Token: SeDebugPrivilege | 1132 | Find.exe
Token: SeImpersonatePrivilege | 1704 | vbc.exe
Token: SeTcbPrivilege | 1704 | vbc.exe
Token: SeChangeNotifyPrivilege | 1704 | vbc.exe
Token: SeCreateTokenPrivilege | 1704 | vbc.exe
Token: SeBackupPrivilege | 1704 | vbc.exe
Token: SeRestorePrivilege | 1704 | vbc.exe
Token: SeIncreaseQuotaPrivilege | 1704 | vbc.exe
Token: SeAssignPrimaryTokenPrivilege | 1704 | vbc.exe
Token: SeImpersonatePrivilege | 1704 | vbc.exe
Token: SeTcbPrivilege | 1704 | vbc.exe
Token: SeChangeNotifyPrivilege | 1704 | vbc.exe
Token: SeCreateTokenPrivilege | 1704 | vbc.exe
Token: SeBackupPrivilege | 1704 | vbc.exe
Token: SeRestorePrivilege | 1704 | vbc.exe
Token: SeIncreaseQuotaPrivilege | 1704 | vbc.exe
Token: SeAssignPrimaryTokenPrivilege | 1704 | vbc.exe
Token: SeImpersonatePrivilege | 1704 | vbc.exe
Token: SeTcbPrivilege | 1704 | vbc.exe
Token: SeChangeNotifyPrivilege | 1704 | vbc.exe
Token: SeCreateTokenPrivilege | 1704 | vbc.exe
Token: SeBackupPrivilege | 1704 | vbc.exe
Token: SeRestorePrivilege | 1704 | vbc.exe
Token: SeIncreaseQuotaPrivilege | 1704 | vbc.exe
Token: SeAssignPrimaryTokenPrivilege | 1704 | vbc.exe
Token: SeImpersonatePrivilege | 1704 | vbc.exe
Token: SeTcbPrivilege | 1704 | vbc.exe
Token: SeChangeNotifyPrivilege | 1704 | vbc.exe
Token: SeCreateTokenPrivilege | 1704 | vbc.exe
Token: SeBackupPrivilege | 1704 | vbc.exe
Token: SeRestorePrivilege | 1704 | vbc.exe
Token: SeIncreaseQuotaPrivilege | 1704 | vbc.exe
Token: SeAssignPrimaryTokenPrivilege | 1704 | vbc.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid | process
1160 | java.exe
-
Suspicious use of WriteProcessMemory 49 IoCs
Processes:
description | pid | process | target process
PID 1160 wrote to memory of 1084 | 1160 | java.exe | cmd.exe
PID 1160 wrote to memory of 1084 | 1160 | java.exe | cmd.exe
PID 1160 wrote to memory of 1084 | 1160 | java.exe | cmd.exe
PID 1084 wrote to memory of 884 | 1084 | cmd.exe | asdqw67728263020026206530INVOICES.exe
PID 1084 wrote to memory of 884 | 1084 | cmd.exe | asdqw67728263020026206530INVOICES.exe
PID 1084 wrote to memory of 884 | 1084 | cmd.exe | asdqw67728263020026206530INVOICES.exe
PID 1084 wrote to memory of 884 | 1084 | cmd.exe | asdqw67728263020026206530INVOICES.exe
PID 1084 wrote to memory of 884 | 1084 | cmd.exe | asdqw67728263020026206530INVOICES.exe
PID 1084 wrote to memory of 884 | 1084 | cmd.exe | asdqw67728263020026206530INVOICES.exe
PID 1084 wrote to memory of 884 | 1084 | cmd.exe | asdqw67728263020026206530INVOICES.exe
PID 884 wrote to memory of 864 | 884 | asdqw67728263020026206530INVOICES.exe | cmd.exe
PID 884 wrote to memory of 864 | 884 | asdqw67728263020026206530INVOICES.exe | cmd.exe
PID 884 wrote to memory of 864 | 884 | asdqw67728263020026206530INVOICES.exe | cmd.exe
PID 884 wrote to memory of 864 | 884 | asdqw67728263020026206530INVOICES.exe | cmd.exe
PID 884 wrote to memory of 864 | 884 | asdqw67728263020026206530INVOICES.exe | cmd.exe
PID 884 wrote to memory of 864 | 884 | asdqw67728263020026206530INVOICES.exe | cmd.exe
PID 884 wrote to memory of 864 | 884 | asdqw67728263020026206530INVOICES.exe | cmd.exe
PID 884 wrote to memory of 1132 | 884 | asdqw67728263020026206530INVOICES.exe | Find.exe
PID 884 wrote to memory of 1132 | 884 | asdqw67728263020026206530INVOICES.exe | Find.exe
PID 884 wrote to memory of 1132 | 884 | asdqw67728263020026206530INVOICES.exe | Find.exe
PID 884 wrote to memory of 1132 | 884 | asdqw67728263020026206530INVOICES.exe | Find.exe
PID 884 wrote to memory of 1132 | 884 | asdqw67728263020026206530INVOICES.exe | Find.exe
PID 884 wrote to memory of 1132 | 884 | asdqw67728263020026206530INVOICES.exe | Find.exe
PID 884 wrote to memory of 1132 | 884 | asdqw67728263020026206530INVOICES.exe | Find.exe
PID 864 wrote to memory of 924 | 864 | cmd.exe | reg.exe
PID 864 wrote to memory of 924 | 864 | cmd.exe | reg.exe
PID 864 wrote to memory of 924 | 864 | cmd.exe | reg.exe
PID 864 wrote to memory of 924 | 864 | cmd.exe | reg.exe
PID 864 wrote to memory of 924 | 864 | cmd.exe | reg.exe
PID 864 wrote to memory of 924 | 864 | cmd.exe | reg.exe
PID 864 wrote to memory of 924 | 864 | cmd.exe | reg.exe
PID 1132 wrote to memory of 1704 | 1132 | Find.exe | vbc.exe
PID 1132 wrote to memory of 1704 | 1132 | Find.exe | vbc.exe
PID 1132 wrote to memory of 1704 | 1132 | Find.exe | vbc.exe
PID 1132 wrote to memory of 1704 | 1132 | Find.exe | vbc.exe
PID 1132 wrote to memory of 1704 | 1132 | Find.exe | vbc.exe
PID 1132 wrote to memory of 1704 | 1132 | Find.exe | vbc.exe
PID 1132 wrote to memory of 1704 | 1132 | Find.exe | vbc.exe
PID 1132 wrote to memory of 1704 | 1132 | Find.exe | vbc.exe
PID 1132 wrote to memory of 1704 | 1132 | Find.exe | vbc.exe
PID 1132 wrote to memory of 1704 | 1132 | Find.exe | vbc.exe
PID 1132 wrote to memory of 1704 | 1132 | Find.exe | vbc.exe
PID 1704 wrote to memory of 1740 | 1704 | vbc.exe | cmd.exe
PID 1704 wrote to memory of 1740 | 1704 | vbc.exe | cmd.exe
PID 1704 wrote to memory of 1740 | 1704 | vbc.exe | cmd.exe
PID 1704 wrote to memory of 1740 | 1704 | vbc.exe | cmd.exe
PID 1704 wrote to memory of 1740 | 1704 | vbc.exe | cmd.exe
PID 1704 wrote to memory of 1740 | 1704 | vbc.exe | cmd.exe
PID 1704 wrote to memory of 1740 | 1704 | vbc.exe | cmd.exe
-
outlook_win_path 1 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | vbc.exe
Processes
-
[depth 1] C:\Windows\system32\java.exe
  Command line: java -jar C:\Users\Admin\AppData\Local\Temp\a1f12c346b487f5054ca918323fbada1aad97bd46dedb5ff5ff75d7bb34b0fde.jar
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  [depth 2] C:\Windows\system32\cmd.exe
    Command line: cmd.exe /c C:\Users\Admin\AppData\Local\Temp\asdqw67728263020026206530INVOICES.exe
    - Suspicious use of WriteProcessMemory
    [depth 3] C:\Users\Admin\AppData\Local\Temp\asdqw67728263020026206530INVOICES.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\asdqw67728263020026206530INVOICES.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Maps connected drives based on registry
      - Suspicious behavior: CmdExeWriteProcessMemorySpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      [depth 4] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ggg" /t REG_SZ /d "C:\ProgramData\Find.exe" & exit
        - Suspicious use of WriteProcessMemory
        [depth 5] C:\Windows\SysWOW64\reg.exe
          Command line: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ggg" /t REG_SZ /d "C:\ProgramData\Find.exe"
          - Adds Run key to start application
      [depth 4] C:\ProgramData\Find.exe
        Command line: "C:\ProgramData\Find.exe"
        - Executes dropped EXE
        - Maps connected drives based on registry
        - Suspicious use of SetThreadContext
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        [depth 5] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
          - Accesses Microsoft Outlook accounts
          - Accesses Microsoft Outlook profiles
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          - outlook_win_path
          [depth 6] C:\Windows\SysWOW64\cmd.exe
            Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\7369705.bat" "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" "
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\ProgramData\Find.exe
Filesize: 165KB
MD5: ddfeb9dd1daa1c89a2a2054dfadabd86
SHA1: 3fd8ad5d2a01d238027440d257abecb3e275a2cd
SHA256: ac8c02ae07d639de97b9fb9a1c45506d9e66aa637c68a191bd5ea6a3840689d7
SHA512: 4928340e39a38f78bb91ab7907cbfad71211f4286ff0123361994d2f542a4633ff7a417b78dc24d7744225813850f457fdfc2cffc8032053077fc6c757f6908f
-
C:\Users\Admin\AppData\Local\Temp\7369705.bat
Filesize: 94B
MD5: 3880eeb1c736d853eb13b44898b718ab
SHA1: 4eec9d50360cd815211e3c4e6bdd08271b6ec8e6
SHA256: 936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7
SHA512: 3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b
-
C:\Users\Admin\AppData\Local\Temp\asdqw67728263020026206530INVOICES.exe
Filesize: 165KB
MD5: ddfeb9dd1daa1c89a2a2054dfadabd86
SHA1: 3fd8ad5d2a01d238027440d257abecb3e275a2cd
SHA256: ac8c02ae07d639de97b9fb9a1c45506d9e66aa637c68a191bd5ea6a3840689d7
SHA512: 4928340e39a38f78bb91ab7907cbfad71211f4286ff0123361994d2f542a4633ff7a417b78dc24d7744225813850f457fdfc2cffc8032053077fc6c757f6908f
-
C:\Users\Admin\AppData\Local\Temp\asdqw67728263020026206530INVOICES.exe
Filesize: 165KB
MD5: ddfeb9dd1daa1c89a2a2054dfadabd86
SHA1: 3fd8ad5d2a01d238027440d257abecb3e275a2cd
SHA256: ac8c02ae07d639de97b9fb9a1c45506d9e66aa637c68a191bd5ea6a3840689d7
SHA512: 4928340e39a38f78bb91ab7907cbfad71211f4286ff0123361994d2f542a4633ff7a417b78dc24d7744225813850f457fdfc2cffc8032053077fc6c757f6908f
-
\Users\Admin\AppData\Local\Temp\asdqw67728263020026206530INVOICES.exe
Filesize: 165KB
MD5: ddfeb9dd1daa1c89a2a2054dfadabd86
SHA1: 3fd8ad5d2a01d238027440d257abecb3e275a2cd
SHA256: ac8c02ae07d639de97b9fb9a1c45506d9e66aa637c68a191bd5ea6a3840689d7
SHA512: 4928340e39a38f78bb91ab7907cbfad71211f4286ff0123361994d2f542a4633ff7a417b78dc24d7744225813850f457fdfc2cffc8032053077fc6c757f6908f
-
\Users\Admin\AppData\Local\Temp\asdqw67728263020026206530INVOICES.exe
Filesize: 165KB
MD5: ddfeb9dd1daa1c89a2a2054dfadabd86
SHA1: 3fd8ad5d2a01d238027440d257abecb3e275a2cd
SHA256: ac8c02ae07d639de97b9fb9a1c45506d9e66aa637c68a191bd5ea6a3840689d7
SHA512: 4928340e39a38f78bb91ab7907cbfad71211f4286ff0123361994d2f542a4633ff7a417b78dc24d7744225813850f457fdfc2cffc8032053077fc6c757f6908f
-
\Users\Admin\AppData\Local\Temp\asdqw67728263020026206530INVOICES.exe
Filesize: 165KB
MD5: ddfeb9dd1daa1c89a2a2054dfadabd86
SHA1: 3fd8ad5d2a01d238027440d257abecb3e275a2cd
SHA256: ac8c02ae07d639de97b9fb9a1c45506d9e66aa637c68a191bd5ea6a3840689d7
SHA512: 4928340e39a38f78bb91ab7907cbfad71211f4286ff0123361994d2f542a4633ff7a417b78dc24d7744225813850f457fdfc2cffc8032053077fc6c757f6908f
-
memory/864-80-0x0000000000000000-mapping.dmp
memory/884-85-0x0000000072E10000-0x00000000733BB000-memory.dmp (Filesize: 5.7MB)
memory/884-74-0x00000000753F1000-0x00000000753F3000-memory.dmp (Filesize: 8KB)
memory/884-72-0x0000000000000000-mapping.dmp
memory/884-78-0x0000000072E10000-0x00000000733BB000-memory.dmp (Filesize: 5.7MB)
memory/884-79-0x0000000072E10000-0x00000000733BB000-memory.dmp (Filesize: 5.7MB)
memory/924-86-0x0000000000000000-mapping.dmp
memory/1084-69-0x0000000000000000-mapping.dmp
memory/1132-81-0x0000000000000000-mapping.dmp
memory/1132-88-0x0000000072860000-0x0000000072E0B000-memory.dmp (Filesize: 5.7MB)
memory/1132-101-0x0000000072860000-0x0000000072E0B000-memory.dmp (Filesize: 5.7MB)
memory/1160-68-0x0000000002220000-0x0000000005220000-memory.dmp (Filesize: 48.0MB)
memory/1160-54-0x000007FEFB651000-0x000007FEFB653000-memory.dmp (Filesize: 8KB)
memory/1160-64-0x0000000002220000-0x0000000005220000-memory.dmp (Filesize: 48.0MB)
memory/1704-92-0x0000000000400000-0x000000000041D000-memory.dmp (Filesize: 116KB)
memory/1704-93-0x0000000000400000-0x000000000041D000-memory.dmp (Filesize: 116KB)
memory/1704-94-0x000000000041AF70-mapping.dmp
memory/1704-96-0x0000000000400000-0x000000000041D000-memory.dmp (Filesize: 116KB)
memory/1704-99-0x0000000000400000-0x000000000041D000-memory.dmp (Filesize: 116KB)
memory/1704-90-0x0000000000400000-0x000000000041D000-memory.dmp (Filesize: 116KB)
memory/1704-100-0x0000000000400000-0x000000000041D000-memory.dmp (Filesize: 116KB)
memory/1704-102-0x0000000000400000-0x000000000041D000-memory.dmp (Filesize: 116KB)
memory/1704-103-0x0000000000400000-0x000000000041D000-memory.dmp (Filesize: 116KB)
memory/1704-105-0x0000000000400000-0x000000000041D000-memory.dmp (Filesize: 116KB)
memory/1704-89-0x0000000000400000-0x000000000041D000-memory.dmp (Filesize: 116KB)
memory/1740-104-0x0000000000000000-mapping.dmp