Analysis

max time kernel: 268s
max time network: 294s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-12-2022 02:34

Static task: static1
Behavioral task: behavioral1
Sample: fa5751c99e2ffee4d8ce6ec338029f9849fa576e58a945828359754d4de957c0.exe
Resource: win7-20220901-en
General

Target: fa5751c99e2ffee4d8ce6ec338029f9849fa576e58a945828359754d4de957c0.exe
Size: 80KB
MD5: b1e656e698ca0f1c94e2fbd4184a610f
SHA1: 3bc346e24e2e8569bed03f09c787b46cfaeb348b
SHA256: fa5751c99e2ffee4d8ce6ec338029f9849fa576e58a945828359754d4de957c0
SHA512: a007dc241aeed20ee64934a740184345cdcf89601c2cd8b3cf9258c8c609a8b82bacde324897b98028343c55ff15116432881936fbd408263e5685a358603b4e
SSDEEP: 1536:xrAJCsyJr5Do0P1W/v3HbCegeRLQI4DsWSQ607i:CEnJt9Q3bCERsEWLd
Malware Config

Extracted: pony
C2 URLs:
  http://pglipik.ru:2346/pony/mac.php
  http://pfixsel.ru:2346/pony/mac.php
Signatures

Drops file in Drivers directory (1 IoC)
  Process: fa5751c99e2ffee4d8ce6ec338029f9849fa576e58a945828359754d4de957c0.exe
  File created: C:\Windows\system32\drivers\etc\test
YARA rule matches in process memory
  Rule: upx
  Resources:
    behavioral2/memory/5076-137-0x0000000000400000-0x000000000042C000-memory.dmp
    behavioral2/memory/5076-138-0x0000000000400000-0x000000000042C000-memory.dmp
    behavioral2/memory/5076-142-0x0000000000400000-0x000000000042C000-memory.dmp
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  Process: fa5751c99e2ffee4d8ce6ec338029f9849fa576e58a945828359754d4de957c0.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar secrets.
Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: reg.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\240832750 = "cmd.exe /c copy C:\\Users\\Admin\\AppData\\Local\\Temp\\240820359FdOh C:\\Windows\\system32\\drivers\\etc\\hosts /Y && attrib +H C:\\Windows\\system32\\drivers\\etc\\hosts /f"
  Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\windows\CurrentVersion\Run
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of AdjustPrivilegeToken (48 IoCs)
  Process: fa5751c99e2ffee4d8ce6ec338029f9849fa576e58a945828359754d4de957c0.exe (pid 5076)
  Token privileges adjusted (the same sequence of eight was recorded six times, 48 IoCs in total):
    SeImpersonatePrivilege
    SeTcbPrivilege
    SeChangeNotifyPrivilege
    SeCreateTokenPrivilege
    SeBackupPrivilege
    SeRestorePrivilege
    SeIncreaseQuotaPrivilege
    SeAssignPrimaryTokenPrivilege
Suspicious use of WriteProcessMemory (12 IoCs)
  Each of the following parent-to-child memory writes was recorded three times:
    PID 5076 (fa5751c99e2ffee4d8ce6ec338029f9849fa576e58a945828359754d4de957c0.exe) wrote to memory of PID 1956 (cmd.exe)
    PID 5076 (fa5751c99e2ffee4d8ce6ec338029f9849fa576e58a945828359754d4de957c0.exe) wrote to memory of PID 2244 (cmd.exe)
    PID 1956 (cmd.exe) wrote to memory of PID 3256 (at.exe)
    PID 2244 (cmd.exe) wrote to memory of PID 1792 (reg.exe)
Processes

(depth 1) C:\Users\Admin\AppData\Local\Temp\fa5751c99e2ffee4d8ce6ec338029f9849fa576e58a945828359754d4de957c0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\fa5751c99e2ffee4d8ce6ec338029f9849fa576e58a945828359754d4de957c0.exe"
  Signatures: Drops file in Drivers directory; Checks computer location settings; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

  (depth 2) C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c at 01:50:00 cmd.exe /c copy %TEMP%\240820359FdOh %WINDIR%\system32\drivers\etc\hosts /Y && rename %WINDIR%\system32\drivers\etc\hosts hosts.sys
    Signatures: Suspicious use of WriteProcessMemory

    (depth 3) C:\Windows\SysWOW64\at.exe
      Command line: at 01:50:00 cmd.exe /c copy C:\Users\Admin\AppData\Local\Temp\240820359FdOh C:\Windows\system32\drivers\etc\hosts /Y

  (depth 2) C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\windows\CurrentVersion\Run /v 240832750 /t REG_SZ /d "cmd.exe /c copy %TEMP%\240820359FdOh %WINDIR%\system32\drivers\etc\hosts /Y && attrib +H %WINDIR%\system32\drivers\etc\hosts /f
    Signatures: Suspicious use of WriteProcessMemory

    (depth 3) C:\Windows\SysWOW64\reg.exe
      Command line: reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\windows\CurrentVersion\Run /v 240832750 /t REG_SZ /d "cmd.exe /c copy C:\Users\Admin\AppData\Local\Temp\240820359FdOh C:\Windows\system32\drivers\etc\hosts /Y && attrib +H C:\Windows\system32\drivers\etc\hosts /f
      Signatures: Adds Run key to start application