Overview

overview

10

Static

static

3f9bfbb9ac...4e.exe

windows7-x64

10

3f9bfbb9ac...4e.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    48s
  • max time network
    52s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    23-12-2022 14:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3f9bfbb9ac8cde1e7038b66d961dd149be2f86348c0a30d4455cffed6dc1614e.exe

  • Size

    319KB

  • MD5

    37db790ae1c5c9d514f0b21b2ee41eba

  • SHA1

    b82c08f43f11430773d313ee362ca0726bbafa24

  • SHA256

    3f9bfbb9ac8cde1e7038b66d961dd149be2f86348c0a30d4455cffed6dc1614e

  • SHA512

    79c8cfad6f27739cd567d2f49035ab37081d38677e9b0ac28942d4221a4327c9f44fc3deb31038543710d533369681c8a82561b97008e33dc6e3d5e5f2937c0f

  • SSDEEP

    6144:fMjokASLOMN9/wJP96/0ma0ZlDFWs9zAnmeDWB2hDukzinSiikKWfxCdvHnQSd2b:nkAqOi94x968mR/DDzBO82hpinSiikxp

Score
10/10
crypvaultponycollectiondiscoveryevasionransomwareratspywarestealer

Malware Config

Extracted

Family

pony

C2

http://gruzdom.ru/api/

Signatures

  • CrypVault

    Ransomware family which makes encrypted files look like they have been quarantined by AV.

    ransomwarecrypvault
  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

    ratspywarestealerpony
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
    ransomwareevasion
  • Drops startup file 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
    collection
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3f9bfbb9ac8cde1e7038b66d961dd149be2f86348c0a30d4455cffed6dc1614e.exe
    "C:\Users\Admin\AppData\Local\Temp\3f9bfbb9ac8cde1e7038b66d961dd149be2f86348c0a30d4455cffed6dc1614e.exe"
    1⤵
    • Drops startup file
    • Accesses Microsoft Outlook accounts
    • Accesses Microsoft Outlook profiles
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • outlook_win_path
    PID:1328
    • C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\VAULT.hta"
      2⤵
      • Modifies Internet Explorer settings
      PID:1332
    • C:\Windows\SysWOW64\wbem\WMIC.exe
      "C:\Windows\System32\wbem\WMIC.exe" process call create "cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1476
  • C:\Windows\system32\cmd.exe
    cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of WriteProcessMemory
    PID:1384
    • C:\Windows\system32\vssadmin.exe
      vssadmin.exe delete shadows /all /quiet
      2⤵
      • Interacts with shadow copies
      PID:2040
    • C:\Windows\system32\bcdedit.exe
      bcdedit.exe /set {default} recoveryenabled no
      2⤵
      • Modifies boot configuration data using bcdedit
      PID:748
    • C:\Windows\system32\bcdedit.exe
      bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
      2⤵
      • Modifies boot configuration data using bcdedit
      PID:1456
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1244

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\Desktop\VAULT.hta
    Filesize

    4KB

    MD5

    1cf60361078e1c2f1219d27c4b3e760c

    SHA1

    08d350d205da687672b13e22b253932dd1708e75

    SHA256

    c2d9c1bd8bb434dffd5ebbd0e8020ee73123f2e8134b19cbde4b6458f0d05a43

    SHA512

    90f973c08c663dc7ca8575196ca2d6939bbeb9e1943268e8c8bae3b5cd895e85f654726924c86a0f1ffca4830f05c75ac6e80b44d4adeff345e9ff2cacaacccb

    Download Submit

  • memory/748-67-0x0000000000000000-mapping.dmp

    Download

  • memory/1328-54-0x0000000000400000-0x0000000000417000-memory.dmp

    Filesize

    92KB

    Download

  • memory/1328-55-0x0000000075FE1000-0x0000000075FE3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1328-56-0x0000000000360000-0x000000000036F000-memory.dmp

    Filesize

    60KB

    Download

  • memory/1332-58-0x0000000000000000-mapping.dmp

    Download

  • memory/1456-68-0x0000000000000000-mapping.dmp

    Download

  • memory/1476-61-0x0000000000000000-mapping.dmp

    Download

  • memory/2040-64-0x0000000000000000-mapping.dmp

    Download