Analysis
max time kernel: 177s
max time network: 191s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-11-2022 12:10
Static task: static1
Behavioral task: behavioral1
Sample: a1f12c346b487f5054ca918323fbada1aad97bd46dedb5ff5ff75d7bb34b0fde.jar
Resource: win7-20221111-en
Behavioral task: behavioral2
Sample: a1f12c346b487f5054ca918323fbada1aad97bd46dedb5ff5ff75d7bb34b0fde.jar
Resource: win10v2004-20220812-en
General
Target: a1f12c346b487f5054ca918323fbada1aad97bd46dedb5ff5ff75d7bb34b0fde.jar
Size: 147KB
MD5: 84fb7ae55623298b8e648ff5c7dc2115
SHA1: 1af05edd024bf064f1d03c640ab6a09b3a3f0d7c
SHA256: a1f12c346b487f5054ca918323fbada1aad97bd46dedb5ff5ff75d7bb34b0fde
SHA512: 401f0e31489404d494a1a7068866a43fd981a5bbc5698c816d970596d05a8c032c773db8103b63178797dab121b166797e8ca2502bdc72c3e7afcc5a74e9d00e
SSDEEP: 3072:ASXpIshi44JexXmSKpPULrtYnqAOUkiQKjh4YmTmLbb58Kdz+CmmCrUk:PIEiPhSUPUqqA9jtSCLbqKRrm94k
Malware Config
Extracted
Family: pony
C2: http://sweet0rium.com/dd/Panel/gate.php
C2: http://www.sweet0rium.com/dd/Panel/gate.php
Signatures
-
Executes dropped EXE (2 IoCs)
Processes:
- PID 3748: asdqw74006004306124631850INVOICES.exe
- PID 2448: Find.exe
-
Processes:
- resource: behavioral2/memory/1300-155-0x0000000000400000-0x000000000041D000-memory.dmp (yara_rule: upx)
- resource: behavioral2/memory/1300-157-0x0000000000400000-0x000000000041D000-memory.dmp (yara_rule: upx)
- resource: behavioral2/memory/1300-158-0x0000000000400000-0x000000000041D000-memory.dmp (yara_rule: upx)
- resource: behavioral2/memory/1300-160-0x0000000000400000-0x000000000041D000-memory.dmp (yara_rule: upx)
- resource: behavioral2/memory/1300-162-0x0000000000400000-0x000000000041D000-memory.dmp (yara_rule: upx)
-
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
- Key value queried: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation (process: asdqw74006004306124631850INVOICES.exe)
-
Uses the VBS compiler for execution (1 TTPs)
-
Accesses Microsoft Outlook accounts (1 TTPs, 1 IoCs)
Processes:
- Key opened: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts (process: vbc.exe)
-
Accesses Microsoft Outlook profiles (1 TTPs, 1 IoCs)
Processes:
- Key opened: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (process: vbc.exe)
-
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
- Key created: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run (process: reg.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ggg = "C:\\ProgramData\\Find.exe" (process: reg.exe)
-
Maps connected drives based on registry (3 TTPs, 4 IoCs)
Disk information is often read in order to detect sandboxing environments.
Processes:
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 (process: Find.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (process: asdqw74006004306124631850INVOICES.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 (process: asdqw74006004306124631850INVOICES.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (process: Find.exe)
-
Suspicious use of SetThreadContext (1 IoCs)
Processes:
- PID 2448 set thread context of 1300 (process: Find.exe, target process: vbc.exe)
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken (50 IoCs)
Processes:
- Token: SeDebugPrivilege (PID 3748, asdqw74006004306124631850INVOICES.exe)
- Token: SeDebugPrivilege (PID 2448, Find.exe)
- The following eight tokens, in this order, for PID 1300 (vbc.exe), with the full sequence repeated six times (48 entries): SeImpersonatePrivilege, SeTcbPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeIncreaseQuotaPrivilege, SeAssignPrimaryTokenPrivilege
-
Suspicious use of SetWindowsHookEx (1 IoCs)
Processes:
- PID 3528: java.exe
-
Suspicious use of WriteProcessMemory (24 IoCs)
Processes:
- PID 3528 (java.exe) wrote to memory of 4036 (cmd.exe): 2 entries
- PID 4036 (cmd.exe) wrote to memory of 3748 (asdqw74006004306124631850INVOICES.exe): 3 entries
- PID 3748 (asdqw74006004306124631850INVOICES.exe) wrote to memory of 2728 (cmd.exe): 3 entries
- PID 2728 (cmd.exe) wrote to memory of 3096 (reg.exe): 3 entries
- PID 3748 (asdqw74006004306124631850INVOICES.exe) wrote to memory of 2448 (Find.exe): 3 entries
- PID 2448 (Find.exe) wrote to memory of 1300 (vbc.exe): 7 entries
- PID 1300 (vbc.exe) wrote to memory of 3584 (cmd.exe): 3 entries
-
outlook_win_path (1 IoCs)
Processes:
- Key opened: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (process: vbc.exe)
Processes
-
Depth 1: C:\ProgramData\Oracle\Java\javapath\java.exe
Command line: java -jar C:\Users\Admin\AppData\Local\Temp\a1f12c346b487f5054ca918323fbada1aad97bd46dedb5ff5ff75d7bb34b0fde.jar
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
  Depth 2: C:\Windows\SYSTEM32\cmd.exe
  Command line: cmd.exe /c C:\Users\Admin\AppData\Local\Temp\asdqw74006004306124631850INVOICES.exe
  - Suspicious use of WriteProcessMemory
-
    Depth 3: C:\Users\Admin\AppData\Local\Temp\asdqw74006004306124631850INVOICES.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\asdqw74006004306124631850INVOICES.exe
    - Executes dropped EXE
    - Checks computer location settings
    - Maps connected drives based on registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
-
      Depth 4: C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ggg" /t REG_SZ /d "C:\ProgramData\Find.exe" & exit
      - Suspicious use of WriteProcessMemory
-
        Depth 5: C:\Windows\SysWOW64\reg.exe
        Command line: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ggg" /t REG_SZ /d "C:\ProgramData\Find.exe"
        - Adds Run key to start application
-
      Depth 4: C:\ProgramData\Find.exe
      Command line: "C:\ProgramData\Find.exe"
      - Executes dropped EXE
      - Maps connected drives based on registry
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
-
        Depth 5: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
        - Accesses Microsoft Outlook accounts
        - Accesses Microsoft Outlook profiles
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - outlook_win_path
-
          Depth 6: C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240608843.bat" "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" "
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\ProgramData\Find.exe
Filesize: 165KB
MD5: ddfeb9dd1daa1c89a2a2054dfadabd86
SHA1: 3fd8ad5d2a01d238027440d257abecb3e275a2cd
SHA256: ac8c02ae07d639de97b9fb9a1c45506d9e66aa637c68a191bd5ea6a3840689d7
SHA512: 4928340e39a38f78bb91ab7907cbfad71211f4286ff0123361994d2f542a4633ff7a417b78dc24d7744225813850f457fdfc2cffc8032053077fc6c757f6908f
-
C:\Users\Admin\AppData\Local\Temp\240608843.bat
Filesize: 94B
MD5: 3880eeb1c736d853eb13b44898b718ab
SHA1: 4eec9d50360cd815211e3c4e6bdd08271b6ec8e6
SHA256: 936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7
SHA512: 3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b
-
C:\Users\Admin\AppData\Local\Temp\asdqw74006004306124631850INVOICES.exe
Filesize: 165KB
MD5: ddfeb9dd1daa1c89a2a2054dfadabd86
SHA1: 3fd8ad5d2a01d238027440d257abecb3e275a2cd
SHA256: ac8c02ae07d639de97b9fb9a1c45506d9e66aa637c68a191bd5ea6a3840689d7
SHA512: 4928340e39a38f78bb91ab7907cbfad71211f4286ff0123361994d2f542a4633ff7a417b78dc24d7744225813850f457fdfc2cffc8032053077fc6c757f6908f
-
C:\Users\Admin\AppData\Local\Temp\asdqw74006004306124631850INVOICES.exe
Filesize: 165KB
MD5: ddfeb9dd1daa1c89a2a2054dfadabd86
SHA1: 3fd8ad5d2a01d238027440d257abecb3e275a2cd
SHA256: ac8c02ae07d639de97b9fb9a1c45506d9e66aa637c68a191bd5ea6a3840689d7
SHA512: 4928340e39a38f78bb91ab7907cbfad71211f4286ff0123361994d2f542a4633ff7a417b78dc24d7744225813850f457fdfc2cffc8032053077fc6c757f6908f
-
memory/1300-154-0x0000000000000000-mapping.dmp
-
memory/1300-162-0x0000000000400000-0x000000000041D000-memory.dmp
Filesize: 116KB
-
memory/1300-160-0x0000000000400000-0x000000000041D000-memory.dmp
Filesize: 116KB
-
memory/1300-158-0x0000000000400000-0x000000000041D000-memory.dmp
Filesize: 116KB
-
memory/1300-157-0x0000000000400000-0x000000000041D000-memory.dmp
Filesize: 116KB
-
memory/1300-155-0x0000000000400000-0x000000000041D000-memory.dmp
Filesize: 116KB
-
memory/2448-152-0x0000000075100000-0x00000000756B1000-memory.dmp
Filesize: 5.7MB
-
memory/2448-150-0x0000000000000000-mapping.dmp
-
memory/2448-159-0x0000000075100000-0x00000000756B1000-memory.dmp
Filesize: 5.7MB
-
memory/2728-148-0x0000000000000000-mapping.dmp
-
memory/3096-149-0x0000000000000000-mapping.dmp
-
memory/3528-134-0x0000000002E50000-0x0000000003E50000-memory.dmp
Filesize: 16.0MB
-
memory/3584-161-0x0000000000000000-mapping.dmp
-
memory/3748-153-0x0000000075100000-0x00000000756B1000-memory.dmp
Filesize: 5.7MB
-
memory/3748-147-0x0000000075100000-0x00000000756B1000-memory.dmp
Filesize: 5.7MB
-
memory/3748-144-0x0000000000000000-mapping.dmp
-
memory/4036-142-0x0000000000000000-mapping.dmp