Analysis
- max time kernel: 91s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27-03-2023 22:06
Static task: static1
Behavioral task: behavioral1
Sample: a012ea7953293c568c474301838e653c.exe
Resource: win7-20230220-en
General
- Target: a012ea7953293c568c474301838e653c.exe
- Size: 401KB
- MD5: a012ea7953293c568c474301838e653c
- SHA1: ffecf15fceb89c31b387e712155e582ec6ebf721
- SHA256: f078ff57bfb8da5ccb26d1c77bffc97b4ce67f2eae7fb22d5a544ce8a28c8aa4
- SHA512: 5c8bfa8cb3e76d3a6b4ae0c7e6c5d6e863925965c45716a05d844fbc4169d3e33ab59eb507c0635ad9415b548b5e276ca78cae4d0701359c6ac01227f6734fcb
- SSDEEP: 6144:R0+VNlPdwzTzgnDbVeMMEI408lMRcH9QZpYcwIe9DkL3pR:qm3azXcMEI4FlMudQZsDU3pR
Malware Config
Extracted
- Family: pony
- C2 URL: http://parkinsworld.cf/parkins/gate.php
Signatures
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
resource                                                                        yara_rule
behavioral2/memory/2384-136-0x0000000000400000-0x000000000041D000-memory.dmp    upx
behavioral2/memory/2384-138-0x0000000000400000-0x000000000041D000-memory.dmp    upx
behavioral2/memory/2384-139-0x0000000000400000-0x000000000041D000-memory.dmp    upx
behavioral2/memory/2384-141-0x0000000000400000-0x000000000041D000-memory.dmp    upx
behavioral2/memory/2384-142-0x0000000000400000-0x000000000041D000-memory.dmp    upx
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
description   ioc                                                                                                                                          process
Key opened    \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts                  a012ea7953293c568c474301838e653c.exe
-
Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
Processes:
description   ioc                                                                                                                                          process
Key opened    \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook   a012ea7953293c568c474301838e653c.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s) 2 IoCs
Processes:
description                    ioc                                  process
File created                   C:\Windows\assembly\Desktop.ini      a012ea7953293c568c474301838e653c.exe
File opened for modification   C:\Windows\assembly\Desktop.ini      a012ea7953293c568c474301838e653c.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description                           pid    process                                target process
PID 5096 set thread context of 2384   5096   a012ea7953293c568c474301838e653c.exe   a012ea7953293c568c474301838e653c.exe
-
Drops file in Windows directory 3 IoCs
Processes:
description                    ioc                                  process
File opened for modification   C:\Windows\assembly                  a012ea7953293c568c474301838e653c.exe
File created                   C:\Windows\assembly\Desktop.ini      a012ea7953293c568c474301838e653c.exe
File opened for modification   C:\Windows\assembly\Desktop.ini      a012ea7953293c568c474301838e653c.exe
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
pid    process
5096   a012ea7953293c568c474301838e653c.exe
-
Suspicious use of AdjustPrivilegeToken 49 IoCs
Processes:
description                             pid    process
Token: SeDebugPrivilege                 5096   a012ea7953293c568c474301838e653c.exe
PID 2384 (a012ea7953293c568c474301838e653c.exe) then enables the following eight privileges, in this order, six times in succession (48 events):
Token: SeImpersonatePrivilege           2384   a012ea7953293c568c474301838e653c.exe
Token: SeTcbPrivilege                   2384   a012ea7953293c568c474301838e653c.exe
Token: SeChangeNotifyPrivilege          2384   a012ea7953293c568c474301838e653c.exe
Token: SeCreateTokenPrivilege           2384   a012ea7953293c568c474301838e653c.exe
Token: SeBackupPrivilege                2384   a012ea7953293c568c474301838e653c.exe
Token: SeRestorePrivilege               2384   a012ea7953293c568c474301838e653c.exe
Token: SeIncreaseQuotaPrivilege         2384   a012ea7953293c568c474301838e653c.exe
Token: SeAssignPrimaryTokenPrivilege    2384   a012ea7953293c568c474301838e653c.exe
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
description                                   pid    process                                target process
PID 5096 wrote to memory of 2384 (7 events)   5096   a012ea7953293c568c474301838e653c.exe   a012ea7953293c568c474301838e653c.exe
-
outlook_win_path 1 IoCs
Processes:
description   ioc                                                                                                                                          process
Key opened    \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook   a012ea7953293c568c474301838e653c.exe
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\a012ea7953293c568c474301838e653c.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\a012ea7953293c568c474301838e653c.exe"
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
2. (child of 1) C:\Users\Admin\AppData\Local\Temp\a012ea7953293c568c474301838e653c.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\a012ea7953293c568c474301838e653c.exe"
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/2384-136-0x0000000000400000-0x000000000041D000-memory.dmp (Filesize: 116KB)
- memory/2384-138-0x0000000000400000-0x000000000041D000-memory.dmp (Filesize: 116KB)
- memory/2384-139-0x0000000000400000-0x000000000041D000-memory.dmp (Filesize: 116KB)
- memory/2384-141-0x0000000000400000-0x000000000041D000-memory.dmp (Filesize: 116KB)
- memory/2384-142-0x0000000000400000-0x000000000041D000-memory.dmp (Filesize: 116KB)
- memory/5096-140-0x0000000001750000-0x0000000001760000-memory.dmp (Filesize: 64KB)
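The Signatures and Downloads sections above tell one story when read together: PID 5096 writes into a freshly spawned copy of itself (PID 2384), resets that child's thread context, and it is the child that then enables privileges, opens the Outlook account and profile keys and gets its 0x400000-0x41D000 image dumped with the upx rule firing on it. The script below is an added example and not part of the sandbox report: it parses the report's own "set thread context" / "wrote to memory" / "Key opened" / "Token:" lines and the dump file names, flags the parent/child pair that shows the process-hollowing pattern (WriteProcessMemory plus SetThreadContext into a same-named child), lists which credential-store keys were opened, and checks that each dump's address range agrees with the Filesize the report lists (0x1D000 bytes is exactly 116KB). The input lines are copied from this page (the seven identical "wrote to memory" events are expanded by multiplication); the function names and the credential-store path patterns are the example's own assumptions, and the hollowing check is written generally so it works on any number of injection pairs, not just this sample.

```python
"""Rebuild the behavioural story from the flattened IoC lines of a sandbox report.

Added example, not code from the report or the sandbox vendor. Parses the
Triage-style lines shown on this page and derives:
  1. parent/child pairs showing process hollowing (WriteProcessMemory +
     SetThreadContext into a child that runs the same image name),
  2. credential-store registry keys opened (patterns below are assumptions),
  3. that each memory dump's address range matches its reported Filesize and
     which dumps belong to the injected child.
"""
import re
from collections import Counter, defaultdict

IMG = "a012ea7953293c568c474301838e653c.exe"

# Constructed input: IoC lines as printed in the Signatures section; the seven
# identical "wrote to memory" events are expanded with list multiplication.
REPORT_LINES = [
    f"PID 5096 set thread context of 2384 5096 {IMG} {IMG}",
] + [f"PID 5096 wrote to memory of 2384 5096 {IMG} {IMG}"] * 7 + [
    r"Key opened \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000"
    r"\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts " + IMG,
    r"Key opened \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000"
    r"\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem"
    r"\Profiles\Outlook " + IMG,
    f"Token: SeDebugPrivilege 5096 {IMG}",
    f"Token: SeImpersonatePrivilege 2384 {IMG}",
    f"Token: SeTcbPrivilege 2384 {IMG}",
]

# Dump names and the Filesize values listed next to them in the Downloads section.
DUMP_NAMES = [
    "memory/2384-136-0x0000000000400000-0x000000000041D000-memory.dmp",
    "memory/2384-138-0x0000000000400000-0x000000000041D000-memory.dmp",
    "memory/2384-139-0x0000000000400000-0x000000000041D000-memory.dmp",
    "memory/2384-141-0x0000000000400000-0x000000000041D000-memory.dmp",
    "memory/2384-142-0x0000000000400000-0x000000000041D000-memory.dmp",
    "memory/5096-140-0x0000000001750000-0x0000000001760000-memory.dmp",
]
REPORTED_KB = dict(zip(DUMP_NAMES, [116, 116, 116, 116, 116, 64]))

INJECT_RE = re.compile(r"^PID (\d+) (set thread context of|wrote to memory of) (\d+) \d+ (\S+) (\S+)$")
KEY_RE = re.compile(r"^Key opened (.+) (\S+)$")
TOKEN_RE = re.compile(r"^Token: (Se\w+Privilege) (\d+) (\S+)$")
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

# Assumed credential-store patterns, covering the two Outlook keys the sandbox
# flagged; a real triage script would add FileZilla and browser profile paths.
CRED_STORE_PATTERNS = {
    "outlook_accounts": r"\Office\Outlook\OMI Account Manager\Accounts",
    "outlook_profiles": r"\Windows Messaging Subsystem\Profiles",
}


def find_hollowing(lines):
    """(parent, child) pairs where the parent both wrote the child's memory and
    reset its thread context, and both processes run the same image name."""
    wrote, ctx, images = set(), set(), {}
    for line in lines:
        m = INJECT_RE.match(line)
        if not m:
            continue
        src, action, dst = int(m[1]), m[2], int(m[3])
        images[src], images[dst] = m[4], m[5]
        (wrote if action.startswith("wrote") else ctx).add((src, dst))
    return sorted(p for p in wrote & ctx if images[p[0]] == images[p[1]])


def credential_store_access(lines):
    """Map each credential-store label to the registry keys opened under it."""
    hits = defaultdict(list)
    for line in lines:
        m = KEY_RE.match(line)
        if not m:
            continue
        for label, needle in CRED_STORE_PATTERNS.items():
            if needle.lower() in m[1].lower():
                hits[label].append(m[1])
    return dict(hits)


def privileges_by_pid(lines):
    """Count Token: events per PID, showing which process did the real work."""
    per_pid = defaultdict(Counter)
    for line in lines:
        m = TOKEN_RE.match(line)
        if m:
            per_pid[int(m[2])][m[1]] += 1
    return dict(per_pid)


def parse_dump_name(name):
    """'memory/2384-136-0x...400000-0x...41D000-memory.dmp' -> (pid, seq, start, end)."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a memory dump name: {name}")
    return int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)


def dump_region_kb(name):
    _, _, start, end = parse_dump_name(name)
    return (end - start) // 1024


def check_dump_sizes(names, reported_kb):
    """Dumps whose address range disagrees with the Filesize the report lists."""
    return [n for n in names if dump_region_kb(n) != reported_kb[n]]


def dumps_for_pid(names, pid):
    return [n for n in names if parse_dump_name(n)[0] == pid]


if __name__ == "__main__":
    pairs = find_hollowing(REPORT_LINES)
    print("process hollowing:", pairs)
    print("credential stores:", credential_store_access(REPORT_LINES))
    print("privileges:", privileges_by_pid(REPORT_LINES))
    print("size mismatches:", check_dump_sizes(DUMP_NAMES, REPORTED_KB))
    for _, child in pairs:
        print(f"dumps of hollowed child {child}:", len(dumps_for_pid(DUMP_NAMES, child)))
```

The dump worth loading into a disassembler is one of the five 2384 dumps: that 0x400000-0x41D000 region is what the parent wrote into the hollowed child before SetThreadContext, so it is the payload the UPX rule matched on rather than the 401KB dropper on disk.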