Analysis
-
max time kernel
132s -
max time network
142s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
27-03-2024 01:51
Static task
static1
Behavioral task
behavioral1
Sample
e07c4eef138bfd24a0f082a9fd0fd11f.exe
Resource
win7-20240221-en
General
-
Target
e07c4eef138bfd24a0f082a9fd0fd11f.exe
-
Size
194KB
-
MD5
e07c4eef138bfd24a0f082a9fd0fd11f
-
SHA1
6c742601efb2dfbd7226f3897ba9b5133feebf7b
-
SHA256
6b10dad38bb45d2003d850e5c6d2ae5eda2ecff337719f44c8e32f1f634cfb0d
-
SHA512
483496e80a3521f3bf99c31d7de7a88cc102e0b04e47ca0f0a70993464f3a21c7810081a2aaa72aef546b1d0bd0e544938cb5bf00de355f481c7d90bccb54121
-
SSDEEP
3072:FkDHMwuH5OGVcDuDR4KZJpARUt6iSByWpWfY:F+swxDuF4KZJpbCByoWfY
Malware Config
Extracted
pony
http://node01.geoborders.net:8080/forum/viewtopic.php
http://91.121.1.54:8080/forum/viewtopic.php
http://72.243.190.162:8080/forum/viewtopic.php
http://sms.theliontel.com:8080/forum/viewtopic.php
-
payload_url
http://www.spec06.dircon.co.uk/oH5HG1X.exe
http://thevermontcup.com/K0KApXsj.exe
http://badzo.biz/ZYH.exe
Signatures
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
e07c4eef138bfd24a0f082a9fd0fd11f.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts e07c4eef138bfd24a0f082a9fd0fd11f.exe -
Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
Processes:
e07c4eef138bfd24a0f082a9fd0fd11f.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook e07c4eef138bfd24a0f082a9fd0fd11f.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes:
e07c4eef138bfd24a0f082a9fd0fd11f.exedescription pid process Token: SeImpersonatePrivilege 2924 e07c4eef138bfd24a0f082a9fd0fd11f.exe Token: SeTcbPrivilege 2924 e07c4eef138bfd24a0f082a9fd0fd11f.exe Token: SeChangeNotifyPrivilege 2924 e07c4eef138bfd24a0f082a9fd0fd11f.exe Token: SeCreateTokenPrivilege 2924 e07c4eef138bfd24a0f082a9fd0fd11f.exe Token: SeBackupPrivilege 2924 e07c4eef138bfd24a0f082a9fd0fd11f.exe Token: SeRestorePrivilege 2924 e07c4eef138bfd24a0f082a9fd0fd11f.exe Token: SeIncreaseQuotaPrivilege 2924 e07c4eef138bfd24a0f082a9fd0fd11f.exe Token: SeAssignPrimaryTokenPrivilege 2924 e07c4eef138bfd24a0f082a9fd0fd11f.exe -
Suspicious use of UnmapMainImage 1 IoCs
Processes:
e07c4eef138bfd24a0f082a9fd0fd11f.exepid process 2924 e07c4eef138bfd24a0f082a9fd0fd11f.exe -
outlook_win_path 1 IoCs
Processes:
e07c4eef138bfd24a0f082a9fd0fd11f.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook e07c4eef138bfd24a0f082a9fd0fd11f.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\e07c4eef138bfd24a0f082a9fd0fd11f.exe"C:\Users\Admin\AppData\Local\Temp\e07c4eef138bfd24a0f082a9fd0fd11f.exe"1⤵
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2924-0-0x0000000000270000-0x0000000000289000-memory.dmpFilesize
100KB
-
memory/2924-1-0x0000000000400000-0x0000000000419000-memory.dmpFilesize
100KB
-
memory/2924-2-0x0000000000270000-0x0000000000289000-memory.dmpFilesize
100KB
-
memory/2924-3-0x0000000000400000-0x0000000000419000-memory.dmpFilesize
100KB