Overview

overview

10

Static

static

9ed9ed4872...d5.exe

windows7-x64

10

9ed9ed4872...d5.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    27s
  • max time network
    30s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    23-12-2022 14:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9ed9ed487238d528d158d25f1a6189aa9fbe37f5bba5e40e033e0b0a786119d5.exe

  • Size

    298KB

  • MD5

    40cb01660e4b45213c35e997b94238a0

  • SHA1

    8a1f0f62eede7cd183158567f9b78384074f5fed

  • SHA256

    9ed9ed487238d528d158d25f1a6189aa9fbe37f5bba5e40e033e0b0a786119d5

  • SHA512

    305cedfe911fc108c33310a9954c368d9f3583f275d8cc002473bbb47294d7171b10854e2f513c589c4d17197e39dadcfc11c19bf9cf5573747651fefe5fd4e4

  • SSDEEP

    6144:fMjokASLOMN9/wJP96/jdLnCd4C0+7s0Vlm2QV7wcNTLysyTXLI/dc46xPy3cYsF:nkAqOi94x96Rjw4C02silwNTLxyTX01a

Score
10/10
crypvaultponycollectiondiscoveryevasionransomwareratspywarestealer

Malware Config

Extracted

Family

pony

C2

http://gruzdom.ru/api/

Signatures

  • CrypVault

    Ransomware family which makes encrypted files look like they have been quarantined by AV.

    ransomwarecrypvault
  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

    ratspywarestealerpony
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
    ransomwareevasion
  • Drops startup file 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
    collection
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9ed9ed487238d528d158d25f1a6189aa9fbe37f5bba5e40e033e0b0a786119d5.exe
    "C:\Users\Admin\AppData\Local\Temp\9ed9ed487238d528d158d25f1a6189aa9fbe37f5bba5e40e033e0b0a786119d5.exe"
    1⤵
    • Drops startup file
    • Accesses Microsoft Outlook accounts
    • Accesses Microsoft Outlook profiles
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • outlook_win_path
    PID:1260
    • C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\VAULT.hta"
      2⤵
      • Modifies Internet Explorer settings
      PID:1740
    • C:\Windows\SysWOW64\wbem\WMIC.exe
      "C:\Windows\System32\wbem\WMIC.exe" process call create "cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1396
  • C:\Windows\system32\cmd.exe
    cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of WriteProcessMemory
    PID:1044
    • C:\Windows\system32\vssadmin.exe
      vssadmin.exe delete shadows /all /quiet
      2⤵
      • Interacts with shadow copies
      PID:1848
    • C:\Windows\system32\bcdedit.exe
      bcdedit.exe /set {default} recoveryenabled no
      2⤵
      • Modifies boot configuration data using bcdedit
      PID:2028
    • C:\Windows\system32\bcdedit.exe
      bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
      2⤵
      • Modifies boot configuration data using bcdedit
      PID:1608
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1784

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\Desktop\VAULT.hta
    Filesize

    4KB

    MD5

    1cf60361078e1c2f1219d27c4b3e760c

    SHA1

    08d350d205da687672b13e22b253932dd1708e75

    SHA256

    c2d9c1bd8bb434dffd5ebbd0e8020ee73123f2e8134b19cbde4b6458f0d05a43

    SHA512

    90f973c08c663dc7ca8575196ca2d6939bbeb9e1943268e8c8bae3b5cd895e85f654726924c86a0f1ffca4830f05c75ac6e80b44d4adeff345e9ff2cacaacccb

    Download Submit

  • memory/1260-54-0x0000000000400000-0x0000000000417000-memory.dmp

    Filesize

    92KB

    Download

  • memory/1260-55-0x0000000075291000-0x0000000075293000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1260-56-0x00000000002A0000-0x00000000002AF000-memory.dmp

    Filesize

    60KB

    Download

  • memory/1396-60-0x0000000000000000-mapping.dmp

    Download

  • memory/1608-63-0x0000000000000000-mapping.dmp

    Download

  • memory/1740-58-0x0000000000000000-mapping.dmp

    Download

  • memory/1848-61-0x0000000000000000-mapping.dmp

    Download

  • memory/2028-62-0x0000000000000000-mapping.dmp

    Download