Analysis
max time kernel: 120s
max time network: 122s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 03-12-2022 02:34
Static task: static1
Behavioral task: behavioral1
Sample: fa5751c99e2ffee4d8ce6ec338029f9849fa576e58a945828359754d4de957c0.exe
Resource: win7-20220901-en

General
Target: fa5751c99e2ffee4d8ce6ec338029f9849fa576e58a945828359754d4de957c0.exe
Size: 80KB
MD5: b1e656e698ca0f1c94e2fbd4184a610f
SHA1: 3bc346e24e2e8569bed03f09c787b46cfaeb348b
SHA256: fa5751c99e2ffee4d8ce6ec338029f9849fa576e58a945828359754d4de957c0
SHA512: a007dc241aeed20ee64934a740184345cdcf89601c2cd8b3cf9258c8c609a8b82bacde324897b98028343c55ff15116432881936fbd408263e5685a358603b4e
SSDEEP: 1536:xrAJCsyJr5Do0P1W/v3HbCegeRLQI4DsWSQ607i:CEnJt9Q3bCERsEWLd
Malware Config
Extracted
Family: pony
C2: http://pglipik.ru:2346/pony/mac.php
C2: http://pfixsel.ru:2346/pony/mac.php
Signatures
-
Drops file in Drivers directory 1 IoCs
Processes:
  description   ioc                                   process
  File created  C:\Windows\system32\drivers\etc\test  fa5751c99e2ffee4d8ce6ec338029f9849fa576e58a945828359754d4de957c0.exe
-
YARA rule match: upx 2 IoCs
Processes:
  resource                                                                      yara_rule
  behavioral1/memory/852-59-0x0000000000400000-0x000000000042C000-memory.dmp   upx
  behavioral1/memory/852-63-0x0000000000400000-0x000000000042C000-memory.dmp   upx
The matched image region 0x400000-0x42C000 is 176KB, against an 80KB file on disk, consistent with a UPX-packed executable that unpacks itself in memory; static analysis should be done on the unpacked memory dump rather than the file.
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
  description      ioc                                                                                 process
  Key created      \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\windows\CurrentVersion\Run         reg.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\7207885 = "cmd.exe /c copy C:\\Users\\Admin\\AppData\\Local\\Temp\\7207682FdOh C:\\Windows\\system32\\drivers\\etc\\hosts /Y && attrib +H C:\\Windows\\system32\\drivers\\etc\\hosts /f"  reg.exe
The reg add command (see Processes below) names HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\windows\CurrentVersion\Run, but reg.exe ran from C:\Windows\SysWOW64 as a 32-bit process, so WOW64 registry redirection placed the value under Wow6432Node. Hunts for this persistence must check both the native and the Wow6432Node Run keys. The value itself is a hosts-file hijack that re-applies on every logon: it copies the dropped %TEMP% file over drivers\etc\hosts and hides the result with attrib +H.
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox attaches a generic "likely ransomware behaviour" note to this signature; on its own it is not evidence of ransomware, and the extracted configuration identifies this sample as the Pony credential stealer.
-
Suspicious use of AdjustPrivilegeToken 32 IoCs
Processes:
  The 32 IoCs are four identical rounds of the same eight token adjustments by pid 852 (fa5751c99e2ffee4d8ce6ec338029f9849fa576e58a945828359754d4de957c0.exe):
  description                            pid  process                                                                  count
  Token: SeImpersonatePrivilege          852  fa5751c99e2ffee4d8ce6ec338029f9849fa576e58a945828359754d4de957c0.exe  4
  Token: SeTcbPrivilege                  852  fa5751c99e2ffee4d8ce6ec338029f9849fa576e58a945828359754d4de957c0.exe  4
  Token: SeChangeNotifyPrivilege         852  fa5751c99e2ffee4d8ce6ec338029f9849fa576e58a945828359754d4de957c0.exe  4
  Token: SeCreateTokenPrivilege          852  fa5751c99e2ffee4d8ce6ec338029f9849fa576e58a945828359754d4de957c0.exe  4
  Token: SeBackupPrivilege               852  fa5751c99e2ffee4d8ce6ec338029f9849fa576e58a945828359754d4de957c0.exe  4
  Token: SeRestorePrivilege              852  fa5751c99e2ffee4d8ce6ec338029f9849fa576e58a945828359754d4de957c0.exe  4
  Token: SeIncreaseQuotaPrivilege        852  fa5751c99e2ffee4d8ce6ec338029f9849fa576e58a945828359754d4de957c0.exe  4
  Token: SeAssignPrimaryTokenPrivilege   852  fa5751c99e2ffee4d8ce6ec338029f9849fa576e58a945828359754d4de957c0.exe  4
Suspicious use of WriteProcessMemory 16 IoCs
Processes:
  Each parent/child pair is recorded four times (16 IoCs in total):
  description                      pid   process                                                                  target process  count
  PID 852 wrote to memory of 1120  852   fa5751c99e2ffee4d8ce6ec338029f9849fa576e58a945828359754d4de957c0.exe  cmd.exe         4
  PID 852 wrote to memory of 1640  852   fa5751c99e2ffee4d8ce6ec338029f9849fa576e58a945828359754d4de957c0.exe  cmd.exe         4
  PID 1120 wrote to memory of 1916 1120  cmd.exe                                                                  at.exe          4
  PID 1640 wrote to memory of 1792 1640  cmd.exe                                                                  reg.exe         4
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\fa5751c99e2ffee4d8ce6ec338029f9849fa576e58a945828359754d4de957c0.exe
   "C:\Users\Admin\AppData\Local\Temp\fa5751c99e2ffee4d8ce6ec338029f9849fa576e58a945828359754d4de957c0.exe"
   - Drops file in Drivers directory
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   -
   2. C:\Windows\SysWOW64\cmd.exe (pid 1120)
      "C:\Windows\System32\cmd.exe" /c at 00:47:00 cmd.exe /c copy %TEMP%\7207682FdOh %WINDIR%\system32\drivers\etc\hosts /Y && rename %WINDIR%\system32\drivers\etc\hosts hosts.sys
      - Suspicious use of WriteProcessMemory
      -
      3. C:\Windows\SysWOW64\at.exe (pid 1916)
         at 00:47:00 cmd.exe /c copy C:\Users\Admin\AppData\Local\Temp\7207682FdOh C:\Windows\system32\drivers\etc\hosts /Y
   -
   2. C:\Windows\SysWOW64\cmd.exe (pid 1640)
      "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\windows\CurrentVersion\Run /v 7207885 /t REG_SZ /d "cmd.exe /c copy %TEMP%\7207682FdOh %WINDIR%\system32\drivers\etc\hosts /Y && attrib +H %WINDIR%\system32\drivers\etc\hosts /f
      - Suspicious use of WriteProcessMemory
      -
      3. C:\Windows\SysWOW64\reg.exe (pid 1792)
         reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\windows\CurrentVersion\Run /v 7207885 /t REG_SZ /d "cmd.exe /c copy C:\Users\Admin\AppData\Local\Temp\7207682FdOh C:\Windows\system32\drivers\etc\hosts /Y && attrib +H C:\Windows\system32\drivers\etc\hosts /f
         - Adds Run key to start application
Two persistence paths are set up for the same hosts-file overwrite: a one-shot at.exe job at 00:47:00 and a Run value that re-applies it on every logon. Note that the "&& rename ... hosts hosts.sys" tail of the first cmd.exe command line does not appear in the at.exe child's command line: the outer cmd.exe parsed the unquoted && itself, so the rename would run in that cmd.exe after at.exe returned, not inside the scheduled job. Pids are taken from the WriteProcessMemory IoCs above.
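Added example: a PowerShell hunt for the persistence and hosts-file tampering recorded in this report. It is written for this page and is not code from the sandbox or from the Pony sample. It assumes an elevated PowerShell session on a Windows host; the Run value name 7207885 and the dropped file name 7207682FdOh are specific to this sample, so the checks key on the technique (a Run value or scheduled task that copies over drivers\etc\hosts, a Hidden hosts file, a hosts.sys rename, an unexpected file in drivers\etc) rather than on those names. The hosts-entry check is a general sanity check; the report does not say what the dropped hosts file contained.

```powershell
# Added hunt script (not part of the report or the sample). Run elevated.
# Assumptions: Windows host; at.exe jobs appear as tasks named At<N>;
# the sample-specific names 7207885 / 7207682FdOh are NOT matched on purpose.

$etc      = Join-Path $env:WINDIR 'System32\drivers\etc'
$findings = New-Object System.Collections.Generic.List[string]
$pattern  = '(?i)drivers\\etc\\hosts|attrib\s+\+H|hosts\.sys'

# 1. Run keys in both registry views. The sample's reg.exe ran from SysWOW64,
#    so its value landed under Wow6432Node; check the native path and HKCU too.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSDrive, ...
        if ("$($p.Value)" -match $pattern) {
            $findings.Add("Run value ${key}\$($p.Name) = $($p.Value)")
        }
    }
}

# 2. hosts file: Hidden attribute (set by attrib +H), hosts.sys rename,
#    and the dropped 'test' file seen in this report.
$hosts = Join-Path $etc 'hosts'
if (Test-Path -Path $hosts) {
    $attrs = (Get-Item -Path $hosts -Force).Attributes
    if (($attrs -band [System.IO.FileAttributes]::Hidden) -ne 0) {
        $findings.Add("hosts file is Hidden: $hosts ($attrs)")
    }
    # Any uncommented IPv4 line that does not point at 127.0.0.1 deserves a look.
    Get-Content -Path $hosts -Force | Where-Object {
        $_ -match '^\s*\d' -and $_ -notmatch '^\s*127\.0\.0\.1\s'
    } | ForEach-Object { $findings.Add("hosts entry: $_") }
}
foreach ($name in 'hosts.sys', 'test') {
    $p = Join-Path $etc $name
    if (Test-Path -Path $p) { $findings.Add("unexpected file in drivers\etc: $p") }
}

# 3. Scheduled jobs: at.exe jobs are named At<N>; also flag any task whose
#    action matches the same copy-over-hosts pattern.
$tasks = schtasks /query /fo CSV /v 2>$null | ConvertFrom-Csv
foreach ($t in $tasks) {
    $what = "$($t.TaskName) $($t.'Task To Run')"
    if ($t.TaskName -match '^\\?At\d+$' -or $what -match $pattern) {
        $findings.Add("scheduled task: $what")
    }
}

if ($findings.Count -eq 0) { 'No indicators from this report found.' }
else { $findings | ForEach-Object { "FOUND: $_" } }
```

The script only reports; remediation (deleting the Run value, the At job and the dropped %TEMP% file, then restoring hosts from a known-good copy and clearing the Hidden attribute) is deliberately left to the analyst, since the hosts file contents this sample installs are not recorded in the report.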
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
  resource                                                          filesize
  memory/852-54-0x0000000000400000-0x000000000042C000-memory.dmp    176KB
  memory/852-55-0x0000000000400000-0x000000000042C000-memory.dmp    176KB
  memory/852-56-0x0000000000220000-0x000000000024C000-memory.dmp    176KB
  memory/852-57-0x0000000000220000-0x000000000024C000-memory.dmp    176KB
  memory/852-58-0x0000000074E41000-0x0000000074E43000-memory.dmp    8KB
  memory/852-59-0x0000000000400000-0x000000000042C000-memory.dmp    176KB
  memory/852-60-0x0000000000220000-0x000000000024C000-memory.dmp    176KB
  memory/852-63-0x0000000000400000-0x000000000042C000-memory.dmp    176KB
  memory/1120-61-0x0000000000000000-mapping.dmp
  memory/1640-62-0x0000000000000000-mapping.dmp
  memory/1792-65-0x0000000000000000-mapping.dmp
  memory/1916-64-0x0000000000000000-mapping.dmp