Analysis

  • max time kernel
    42s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    23-12-2022 14:36

General

  • Target

    9ed9ed487238d528d158d25f1a6189aa9fbe37f5bba5e40e033e0b0a786119d5.exe

  • Size

    298KB

  • MD5

    40cb01660e4b45213c35e997b94238a0

  • SHA1

    8a1f0f62eede7cd183158567f9b78384074f5fed

  • SHA256

    9ed9ed487238d528d158d25f1a6189aa9fbe37f5bba5e40e033e0b0a786119d5

  • SHA512

    305cedfe911fc108c33310a9954c368d9f3583f275d8cc002473bbb47294d7171b10854e2f513c589c4d17197e39dadcfc11c19bf9cf5573747651fefe5fd4e4

  • SSDEEP

    6144:fMjokASLOMN9/wJP96/jdLnCd4C0+7s0Vlm2QV7wcNTLysyTXLI/dc46xPy3cYsF:nkAqOi94x96Rjw4C02silwNTLxyTX01a

Malware Config

Extracted

Family

pony

C2

http://gruzdom.ru/api/

Signatures

  • CrypVault

    Ransomware family which makes encrypted files look like they have been quarantined by AV.

  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Drops startup file 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9ed9ed487238d528d158d25f1a6189aa9fbe37f5bba5e40e033e0b0a786119d5.exe
    "C:\Users\Admin\AppData\Local\Temp\9ed9ed487238d528d158d25f1a6189aa9fbe37f5bba5e40e033e0b0a786119d5.exe"
    1⤵
    • Drops startup file
    • Accesses Microsoft Outlook accounts
    • Accesses Microsoft Outlook profiles
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • outlook_win_path
    PID:1824
    • C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\VAULT.hta"
      2⤵
      • Modifies Internet Explorer settings
      PID:2020
    • C:\Windows\SysWOW64\wbem\WMIC.exe
      "C:\Windows\System32\wbem\WMIC.exe" process call create "cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:636
  • C:\Windows\system32\cmd.exe
    cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of WriteProcessMemory
    PID:1620
    • C:\Windows\system32\vssadmin.exe
      vssadmin.exe delete shadows /all /quiet
      2⤵
      • Interacts with shadow copies
      PID:1516
    • C:\Windows\system32\bcdedit.exe
      bcdedit.exe /set {default} recoveryenabled no
      2⤵
      • Modifies boot configuration data using bcdedit
      PID:1532
    • C:\Windows\system32\bcdedit.exe
      bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
      2⤵
      • Modifies boot configuration data using bcdedit
      PID:1400
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:940

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\Desktop\VAULT.hta

    Filesize

    4KB

    MD5

    1cf60361078e1c2f1219d27c4b3e760c

    SHA1

    08d350d205da687672b13e22b253932dd1708e75

    SHA256

    c2d9c1bd8bb434dffd5ebbd0e8020ee73123f2e8134b19cbde4b6458f0d05a43

    SHA512

    90f973c08c663dc7ca8575196ca2d6939bbeb9e1943268e8c8bae3b5cd895e85f654726924c86a0f1ffca4830f05c75ac6e80b44d4adeff345e9ff2cacaacccb

  • memory/1824-54-0x0000000000400000-0x0000000000417000-memory.dmp

    Filesize

    92KB

  • memory/1824-55-0x0000000075571000-0x0000000075573000-memory.dmp

    Filesize

    8KB

  • memory/1824-56-0x00000000002A0000-0x00000000002AF000-memory.dmp

    Filesize

    60KB