Analysis
-
max time kernel
148s
-
max time network
122s
-
platform
windows7_x64
-
resource
win7-20220901-en
-
resource tags
arch:x64 arch:x86 image:win7-20220901-en locale:en-us os:windows7-x64 system
-
submitted
03-12-2022 05:05
Static task
static1
Behavioral task
behavioral1
Sample
c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85.exe
Resource
win7-20220901-en
General
-
Target
c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85.exe
-
Size
80KB
-
MD5
a02384c9fff09d0a49469d05e6cbb57a
-
SHA1
044486f2b47210539e2ccf6d51df4ca7fda676f6
-
SHA256
c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85
-
SHA512
8472764fe48e03d18f3ff10967cf5eed0c75266bf27ec33d409ee394776ece550f1d7a5f28175bed24fba28bfe6b9e9d00e53db008c28b2f06afc2b806642080
-
SSDEEP
1536:3fq6HEuN8BHbg3qAteHCOYAYUOuz0vXiIbYiVlV+Peu5ruBff4TGWIQ367o:FN8BH0MhWxXrV+mvBH4Th3
Malware Config
Extracted
pony
http://saleryplax.info:2346/pony/mac.php
http://derotins.info:2346/pony/mac.php
Signatures
-
Drops file in Drivers directory 4 IoCs
Processes: c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85.exe, cmd.exe, cmd.exe
description | ioc | process
File created | C:\Windows\system32\drivers\etc\test | c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85.exe
File created | C:\Windows\system32\drivers\etc\hosts.sam | cmd.exe
File opened for modification | C:\Windows\system32\drivers\etc\hosts.sam | cmd.exe
File opened for modification | C:\Windows\system32\drivers\etc\hosts | cmd.exe
-
Processes:
resource | yara_rule
behavioral1/memory/1716-62-0x0000000000400000-0x0000000000431000-memory.dmp | upx
behavioral1/memory/1716-65-0x0000000000400000-0x0000000000431000-memory.dmp | upx
-
Deletes itself 1 IoCs
Processes: cmd.exe
pid | process
1364 | cmd.exe
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes: reg.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\windows\CurrentVersion\Run | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\7093100 = "cmd.exe /c copy C:\\Users\\Admin\\AppData\\Local\\Temp\\7092803FdOh C:\\Windows\\system32\\drivers\\etc\\hosts /Y && attrib +H C:\\Windows\\system32\\drivers\\etc\\hosts /f" | reg.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 32 IoCs
Processes: c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85.exe
description | pid | process
Token: SeImpersonatePrivilege | 1716 | c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85.exe
Token: SeTcbPrivilege | 1716 | c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85.exe
Token: SeChangeNotifyPrivilege | 1716 | c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85.exe
Token: SeCreateTokenPrivilege | 1716 | c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85.exe
Token: SeBackupPrivilege | 1716 | c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85.exe
Token: SeRestorePrivilege | 1716 | c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85.exe
Token: SeIncreaseQuotaPrivilege | 1716 | c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85.exe
Token: SeAssignPrimaryTokenPrivilege | 1716 | c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85.exe
Token: SeImpersonatePrivilege | 1716 | c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85.exe
Token: SeTcbPrivilege | 1716 | c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85.exe
Token: SeChangeNotifyPrivilege | 1716 | c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85.exe
Token: SeCreateTokenPrivilege | 1716 | c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85.exe
Token: SeBackupPrivilege | 1716 | c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85.exe
Token: SeRestorePrivilege | 1716 | c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85.exe
Token: SeIncreaseQuotaPrivilege | 1716 | c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85.exe
Token: SeAssignPrimaryTokenPrivilege | 1716 | c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85.exe
Token: SeImpersonatePrivilege | 1716 | c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85.exe
Token: SeTcbPrivilege | 1716 | c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85.exe
Token: SeChangeNotifyPrivilege | 1716 | c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85.exe
Token: SeCreateTokenPrivilege | 1716 | c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85.exe
Token: SeBackupPrivilege | 1716 | c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85.exe
Token: SeRestorePrivilege | 1716 | c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85.exe
Token: SeIncreaseQuotaPrivilege | 1716 | c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85.exe
Token: SeAssignPrimaryTokenPrivilege | 1716 | c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85.exe
Token: SeImpersonatePrivilege | 1716 | c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85.exe
Token: SeTcbPrivilege | 1716 | c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85.exe
Token: SeChangeNotifyPrivilege | 1716 | c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85.exe
Token: SeCreateTokenPrivilege | 1716 | c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85.exe
Token: SeBackupPrivilege | 1716 | c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85.exe
Token: SeRestorePrivilege | 1716 | c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85.exe
Token: SeIncreaseQuotaPrivilege | 1716 | c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85.exe
Token: SeAssignPrimaryTokenPrivilege | 1716 | c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85.exe
-
Suspicious use of WriteProcessMemory 27 IoCs
Processes: c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85.exe, cmd.exe, cmd.exe, cmd.exe, taskeng.exe
description | pid | process | target process
PID 1716 wrote to memory of 1808 | 1716 | c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85.exe | cmd.exe
PID 1716 wrote to memory of 1808 | 1716 | c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85.exe | cmd.exe
PID 1716 wrote to memory of 1808 | 1716 | c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85.exe | cmd.exe
PID 1716 wrote to memory of 1808 | 1716 | c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85.exe | cmd.exe
PID 1716 wrote to memory of 544 | 1716 | c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85.exe | cmd.exe
PID 1716 wrote to memory of 544 | 1716 | c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85.exe | cmd.exe
PID 1716 wrote to memory of 544 | 1716 | c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85.exe | cmd.exe
PID 1716 wrote to memory of 544 | 1716 | c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85.exe | cmd.exe
PID 544 wrote to memory of 556 | 544 | cmd.exe | reg.exe
PID 544 wrote to memory of 556 | 544 | cmd.exe | reg.exe
PID 544 wrote to memory of 556 | 544 | cmd.exe | reg.exe
PID 544 wrote to memory of 556 | 544 | cmd.exe | reg.exe
PID 1808 wrote to memory of 1148 | 1808 | cmd.exe | at.exe
PID 1808 wrote to memory of 1148 | 1808 | cmd.exe | at.exe
PID 1808 wrote to memory of 1148 | 1808 | cmd.exe | at.exe
PID 1808 wrote to memory of 1148 | 1808 | cmd.exe | at.exe
PID 1716 wrote to memory of 1364 | 1716 | c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85.exe | cmd.exe
PID 1716 wrote to memory of 1364 | 1716 | c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85.exe | cmd.exe
PID 1716 wrote to memory of 1364 | 1716 | c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85.exe | cmd.exe
PID 1716 wrote to memory of 1364 | 1716 | c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85.exe | cmd.exe
PID 1364 wrote to memory of 600 | 1364 | cmd.exe | PING.EXE
PID 1364 wrote to memory of 600 | 1364 | cmd.exe | PING.EXE
PID 1364 wrote to memory of 600 | 1364 | cmd.exe | PING.EXE
PID 1364 wrote to memory of 600 | 1364 | cmd.exe | PING.EXE
PID 1632 wrote to memory of 1676 | 1632 | taskeng.exe | cmd.exe
PID 1632 wrote to memory of 1676 | 1632 | taskeng.exe | cmd.exe
PID 1632 wrote to memory of 1676 | 1632 | taskeng.exe | cmd.exe
Processes
[1] C:\Users\Admin\AppData\Local\Temp\c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85.exe
    "C:\Users\Admin\AppData\Local\Temp\c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85.exe"
    - Drops file in Drivers directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy %WINDIR%\system32\drivers\etc\hosts %WINDIR%\system32\drivers\etc\hosts.sam /Y && at 04:20:00 cmd.exe /c copy %TEMP%\7092803FdOh %WINDIR%\system32\drivers\etc\hosts /Y
      - Drops file in Drivers directory
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\at.exe
        at 04:20:00 cmd.exe /c copy C:\Users\Admin\AppData\Local\Temp\7092803FdOh C:\Windows\system32\drivers\etc\hosts /Y
  [2] C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\windows\CurrentVersion\Run /v 7093100 /t REG_SZ /d "cmd.exe /c copy %TEMP%\7092803FdOh %WINDIR%\system32\drivers\etc\hosts /Y && attrib +H %WINDIR%\system32\drivers\etc\hosts /f
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\reg.exe
        reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\windows\CurrentVersion\Run /v 7093100 /t REG_SZ /d "cmd.exe /c copy C:\Users\Admin\AppData\Local\Temp\7092803FdOh C:\Windows\system32\drivers\etc\hosts /Y && attrib +H C:\Windows\system32\drivers\etc\hosts /f
        - Adds Run key to start application
  [2] C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ping -n 10 127.0.0.1 > NUL && del "C:\Users\Admin\AppData\Local\Temp\c9220984b02542258def3e0262662977b0c5da785f0c14ffe318cc8300c0fa85.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\PING.EXE
        ping -n 10 127.0.0.1
        - Runs ping.exe
[1] C:\Windows\system32\taskeng.exe
    taskeng.exe {C9D066FF-8046-4598-A12A-7701D8B62EFD} S-1-5-18:NT AUTHORITY\System:Service:
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\cmd.exe
      cmd.exe /c copy C:\Users\Admin\AppData\Local\Temp\7092803FdOh C:\Windows\system32\drivers\etc\hosts /Y
      - Drops file in Drivers directory
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\7092803FdOh
Filesize
1KB
MD5
5d6101e933aed727c338916ae90aa7cd
SHA1
8d63692efbbcb7ab9c948234c32985f6edaafa82
SHA256
aa2afab0a97cd879fbb30ebd8883b18b3358339583bcb7cc5cf1da8c75de6aad
SHA512
5c9ab5692b86f80d2d420218927b4d8673b599a0ef89d6c419ab12aaa12dbc023cd2e356a2f7d8d6ec07b7ee3467bfe8c0db58202fb8a6ec1d04a929529af9d9
-
memory/544-58-0x0000000000000000-mapping.dmp
-
memory/556-59-0x0000000000000000-mapping.dmp
-
memory/600-66-0x0000000000000000-mapping.dmp
-
memory/1148-60-0x0000000000000000-mapping.dmp
-
memory/1364-64-0x0000000000000000-mapping.dmp
-
memory/1676-67-0x0000000000000000-mapping.dmp
-
memory/1716-62-0x0000000000400000-0x0000000000431000-memory.dmp
Filesize
196KB
-
memory/1716-63-0x0000000000220000-0x0000000000251000-memory.dmp
Filesize
196KB
-
memory/1716-54-0x0000000000400000-0x0000000000431000-memory.dmp
Filesize
196KB
-
memory/1716-65-0x0000000000400000-0x0000000000431000-memory.dmp
Filesize
196KB
-
memory/1716-56-0x00000000765B1000-0x00000000765B3000-memory.dmp
Filesize
8KB
-
memory/1716-55-0x0000000000220000-0x0000000000251000-memory.dmp
Filesize
196KB
-
memory/1808-57-0x0000000000000000-mapping.dmp