Analysis
-
max time kernel
191s -
max time network
224s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
03-12-2022 06:06
Static task
static1
Behavioral task
behavioral1
Sample
be347717ae013115cdc31c2418580a5c614e96ac490cd120e580f44daf1c00e3.exe
Resource
win7-20221111-en
General
-
Target
be347717ae013115cdc31c2418580a5c614e96ac490cd120e580f44daf1c00e3.exe
-
Size
113KB
-
MD5
2ac2446db59c30a05b32f0677e487ab0
-
SHA1
5d34a14c6b72fa7c580311b13a9dc5f5f595ee47
-
SHA256
be347717ae013115cdc31c2418580a5c614e96ac490cd120e580f44daf1c00e3
-
SHA512
4f6e57e0f9a22362b965d9311bfb9cac89eade6cfb2ef02a5cced42c0edabcf69f4d8c541a63e305f1c96937991228f0fbe8f2d216910b2357ec2bf8acc34b49
-
SSDEEP
3072:BbWxwy3FDk3F3g4MOaQFRVfx8p/TmeOjyL:y1Ig4MOR9S/DOjy
Malware Config
Extracted
pony
http://journeyacrossthesky.org/forum/viewtopic.php
http://luckyemily.com/forum/viewtopic.php
http://oshaughnessyfam.com/forum/viewtopic.php
http://actorbell.com/forum/viewtopic.php
-
payload_url
http://imagesuperspot.com/6ptP.exe
http://1954f7e942e67bc1.lolipop.jp/d2z.exe
http://ropapublicitaria.es/5VWumA1.exe
http://colombiantravelservices.com/ucUMruv.exe
Signatures
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
be347717ae013115cdc31c2418580a5c614e96ac490cd120e580f44daf1c00e3.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts be347717ae013115cdc31c2418580a5c614e96ac490cd120e580f44daf1c00e3.exe -
Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
Processes:
be347717ae013115cdc31c2418580a5c614e96ac490cd120e580f44daf1c00e3.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook be347717ae013115cdc31c2418580a5c614e96ac490cd120e580f44daf1c00e3.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes:
be347717ae013115cdc31c2418580a5c614e96ac490cd120e580f44daf1c00e3.exedescription pid process Token: SeImpersonatePrivilege 3196 be347717ae013115cdc31c2418580a5c614e96ac490cd120e580f44daf1c00e3.exe Token: SeTcbPrivilege 3196 be347717ae013115cdc31c2418580a5c614e96ac490cd120e580f44daf1c00e3.exe Token: SeChangeNotifyPrivilege 3196 be347717ae013115cdc31c2418580a5c614e96ac490cd120e580f44daf1c00e3.exe Token: SeCreateTokenPrivilege 3196 be347717ae013115cdc31c2418580a5c614e96ac490cd120e580f44daf1c00e3.exe Token: SeBackupPrivilege 3196 be347717ae013115cdc31c2418580a5c614e96ac490cd120e580f44daf1c00e3.exe Token: SeRestorePrivilege 3196 be347717ae013115cdc31c2418580a5c614e96ac490cd120e580f44daf1c00e3.exe Token: SeIncreaseQuotaPrivilege 3196 be347717ae013115cdc31c2418580a5c614e96ac490cd120e580f44daf1c00e3.exe Token: SeAssignPrimaryTokenPrivilege 3196 be347717ae013115cdc31c2418580a5c614e96ac490cd120e580f44daf1c00e3.exe -
outlook_win_path 1 IoCs
Processes:
be347717ae013115cdc31c2418580a5c614e96ac490cd120e580f44daf1c00e3.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook be347717ae013115cdc31c2418580a5c614e96ac490cd120e580f44daf1c00e3.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\be347717ae013115cdc31c2418580a5c614e96ac490cd120e580f44daf1c00e3.exe"C:\Users\Admin\AppData\Local\Temp\be347717ae013115cdc31c2418580a5c614e96ac490cd120e580f44daf1c00e3.exe"1⤵
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_win_path