Analysis
-
max time kernel
141s -
max time network
145s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system -
submitted
21-03-2024 02:03
Static task
static1
Behavioral task
behavioral1
Sample
da689860f1cda970dc761ec35abe58b1.exe
Resource
win7-20240221-en
General
-
Target
da689860f1cda970dc761ec35abe58b1.exe
-
Size
128KB
-
MD5
da689860f1cda970dc761ec35abe58b1
-
SHA1
128b10c229ef035250640e13e3b9468bb150fa2d
-
SHA256
008bc8ffc634432b9f9fff419eb7fcf0bf0688de60649b1882b152fc61dc71e0
-
SHA512
af874a0039023353a0bfcb301901784b2a7eda1fc7dd3172bcf5d7f967d4e631362cafb6071f67ddb58822e1bf4041445cf2d3eab1adf1841b6da1bde2347ce1
-
SSDEEP
3072:uGHi6mw2uRP5oNRw6BxqzF4tKzLoxqDHyJVPhwcj:+Ru74Rw6B3tKz0qDHyfPhf
Malware Config
Extracted
pony
http://67.215.225.205:8080/forum/viewtopic.php
http://69.194.193.134/forum/viewtopic.php
-
payload_url
http://jenisegreggcouture.com/i3AnbAV.exe
http://gelerter.com/x1AZobA.exe
http://www.northeasttreeremoval.com/VDYHGMfH.exe
Signatures
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
da689860f1cda970dc761ec35abe58b1.exe
description: Key opened
ioc: \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
process: da689860f1cda970dc761ec35abe58b1.exe
-
Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
Processes:
da689860f1cda970dc761ec35abe58b1.exe
description: Key opened
ioc: \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
process: da689860f1cda970dc761ec35abe58b1.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
da689860f1cda970dc761ec35abe58b1.exe
description: PID 2336 set thread context of 3068
pid: 2336 (da689860f1cda970dc761ec35abe58b1.exe)
target pid: 3068 (da689860f1cda970dc761ec35abe58b1.exe)
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes:
da689860f1cda970dc761ec35abe58b1.exe
pid: 3068 (da689860f1cda970dc761ec35abe58b1.exe)
Token: SeImpersonatePrivilege
Token: SeTcbPrivilege
Token: SeChangeNotifyPrivilege
Token: SeCreateTokenPrivilege
Token: SeBackupPrivilege
Token: SeRestorePrivilege
Token: SeIncreaseQuotaPrivilege
Token: SeAssignPrimaryTokenPrivilege
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
da689860f1cda970dc761ec35abe58b1.exe
description: PID 2336 wrote to memory of 3068 (9 events)
pid: 2336 (da689860f1cda970dc761ec35abe58b1.exe)
target pid: 3068 (da689860f1cda970dc761ec35abe58b1.exe)
-
outlook_win_path 1 IoCs
Processes:
da689860f1cda970dc761ec35abe58b1.exe
description: Key opened
ioc: \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
process: da689860f1cda970dc761ec35abe58b1.exe
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\da689860f1cda970dc761ec35abe58b1.exe (PID 2336)
command line: "C:\Users\Admin\AppData\Local\Temp\da689860f1cda970dc761ec35abe58b1.exe"
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
2. (child of 1) C:\Users\Admin\AppData\Local\Temp\da689860f1cda970dc761ec35abe58b1.exe (PID 3068)
command line: "C:\Users\Admin\AppData\Local\Temp\da689860f1cda970dc761ec35abe58b1.exe"
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_win_path
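Read together, the signature rows and the process tree describe one pattern: PID 2336 launches a second copy of its own image, writes into it nine times and then resets its thread context, and it is that second copy (PID 3068) which enables token privileges and opens the Outlook account and profile keys. The Python below is an added example, not part of this sandbox report or of any sandbox vendor's code: it correlates event rows of that shape into named findings. The event text and its row formats are constructed here to mirror the report's IoC tables and are not a real export format; the set of privileges treated as sensitive and the registry-path markers are assumptions chosen for the example.

```python
"""Correlate sandbox behavioural events into findings (added example)."""
import re
from collections import defaultdict

# Constructed sample, not a real sandbox export: the rows mirror the report's
# IoCs (PID 2336 injecting into 3068, both running the same image; 3068 then
# enabling token privileges and opening Outlook account/profile keys).
SAMPLE_EVENTS = r"""
PID 2336 set thread context of 3068 da689860f1cda970dc761ec35abe58b1.exe da689860f1cda970dc761ec35abe58b1.exe
PID 2336 wrote to memory of 3068 da689860f1cda970dc761ec35abe58b1.exe da689860f1cda970dc761ec35abe58b1.exe
PID 2336 wrote to memory of 3068 da689860f1cda970dc761ec35abe58b1.exe da689860f1cda970dc761ec35abe58b1.exe
Token: SeImpersonatePrivilege 3068 da689860f1cda970dc761ec35abe58b1.exe
Token: SeTcbPrivilege 3068 da689860f1cda970dc761ec35abe58b1.exe
Token: SeChangeNotifyPrivilege 3068 da689860f1cda970dc761ec35abe58b1.exe
Token: SeCreateTokenPrivilege 3068 da689860f1cda970dc761ec35abe58b1.exe
Token: SeBackupPrivilege 3068 da689860f1cda970dc761ec35abe58b1.exe
Token: SeRestorePrivilege 3068 da689860f1cda970dc761ec35abe58b1.exe
Token: SeIncreaseQuotaPrivilege 3068 da689860f1cda970dc761ec35abe58b1.exe
Token: SeAssignPrimaryTokenPrivilege 3068 da689860f1cda970dc761ec35abe58b1.exe
Key opened \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts da689860f1cda970dc761ec35abe58b1.exe
Key opened \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook da689860f1cda970dc761ec35abe58b1.exe
"""

# Row shapes of the constructed sample (assumed format, see lead-in).
INJECT_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<action>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) (?P<src_img>\S+) (?P<dst_img>\S+)$"
)
TOKEN_RE = re.compile(r"^Token: (?P<priv>\S+) (?P<pid>\d+) (?P<img>\S+)$")
KEY_RE = re.compile(r"^Key opened (?P<path>.+?) (?P<img>\S+\.exe)$")

# Privileges that allow impersonating or minting tokens, or bypassing file
# ACLs; an infostealer enabling them is a finding whether or not it succeeds.
SENSITIVE_PRIVS = {
    "SeTcbPrivilege", "SeCreateTokenPrivilege", "SeAssignPrimaryTokenPrivilege",
    "SeImpersonatePrivilege", "SeBackupPrivilege", "SeRestorePrivilege",
}

# Case-insensitive substrings of registry paths that hold mail-client account
# data; matched against the lower-cased key path.
MAIL_STORE_MARKERS = (
    r"\software\microsoft\office\outlook\omi account manager\accounts",
    r"\windows messaging subsystem\profiles",
)


def analyse(events: str) -> dict:
    """Parse event rows and return {finding_name: [detail, ...]}."""
    actions = defaultdict(set)   # (src_pid, dst_pid) -> {action, ...}
    images = {}                  # (src_pid, dst_pid) -> (src_img, dst_img)
    privs = defaultdict(set)     # pid -> {privilege, ...}
    mail_keys = []

    for line in events.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := INJECT_RE.match(line):
            key = (int(m["src"]), int(m["dst"]))
            actions[key].add(m["action"])
            images[key] = (m["src_img"], m["dst_img"])
        elif m := TOKEN_RE.match(line):
            privs[int(m["pid"])].add(m["priv"])
        elif m := KEY_RE.match(line):
            low = m["path"].lower()
            if any(marker in low for marker in MAIL_STORE_MARKERS):
                mail_keys.append((m["img"], m["path"]))

    findings = defaultdict(list)

    # WriteProcessMemory plus SetThreadContext on the same target is the
    # process-hollowing pair; when the target runs the writer's own image,
    # the parent re-launched itself to host the unpacked payload.
    for (src, dst), acts in actions.items():
        if {"wrote to memory of", "set thread context of"} <= acts:
            src_img, dst_img = images[(src, dst)]
            kind = "self-hollowing" if src_img == dst_img else "cross-image hollowing"
            findings["process_hollowing"].append(
                {"writer": src, "target": dst, "kind": kind, "image": dst_img}
            )

    for pid, names in privs.items():
        hit = sorted(names & SENSITIVE_PRIVS)
        if hit:
            findings["sensitive_privileges"].append({"pid": pid, "privileges": hit})

    for img, path in mail_keys:
        findings["mail_credential_store_access"].append({"process": img, "key": path})

    return dict(findings)


if __name__ == "__main__":
    for name, details in analyse(SAMPLE_EVENTS).items():
        print(name, details)
```

The correlation is deliberately keyed on the (writer, target) PID pair rather than on either API alone: a single WriteProcessMemory is common in benign software, but a parent that both writes into a fresh copy of itself and then redirects its main thread has almost no legitimate reason to do so. The dump `memory/3068-1-0x0000000000400000-0x0000000000419000` in the Downloads section below is the region a practitioner would pull to recover the hollowed image.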
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- memory/2336-0-0x0000000000870000-0x0000000000894000-memory.dmp, filesize 144KB
- memory/2336-4-0x0000000000080000-0x00000000000A4000-memory.dmp, filesize 144KB
- memory/2336-9-0x0000000000870000-0x0000000000894000-memory.dmp, filesize 144KB
- memory/3068-1-0x0000000000400000-0x0000000000419000-memory.dmp, filesize 100KB
- memory/3068-2-0x0000000000400000-0x0000000000419000-memory.dmp, filesize 100KB
- memory/3068-3-0x0000000000400000-0x0000000000419000-memory.dmp, filesize 100KB
- memory/3068-5-0x0000000000400000-0x0000000000419000-memory.dmp, filesize 100KB
- memory/3068-6-0x000000007EFDE000-0x000000007EFDF000-memory.dmp, filesize 4KB
- memory/3068-8-0x0000000000400000-0x0000000000419000-memory.dmp, filesize 100KB
- memory/3068-11-0x0000000000870000-0x0000000000894000-memory.dmp, filesize 144KB
- memory/3068-12-0x0000000000400000-0x0000000000419000-memory.dmp, filesize 100KB
- memory/3068-13-0x0000000000400000-0x0000000000419000-memory.dmp, filesize 100KB