Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
22-10-2024 07:46
Static task
static1
Behavioral task
behavioral1
Sample
f7194a29e8b3a3ffb9ab19349b1f9f367a53256a95b47d493f05d6a692728f2cN.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
f7194a29e8b3a3ffb9ab19349b1f9f367a53256a95b47d493f05d6a692728f2cN.exe
Resource
win10v2004-20241007-en
General
-
Target
f7194a29e8b3a3ffb9ab19349b1f9f367a53256a95b47d493f05d6a692728f2cN.exe
-
Size
98KB
-
MD5
3b7237ed9bdce16968e780834aff6eb0
-
SHA1
76defab13b32b2f36e0ec1e0acd54ae88f17f82f
-
SHA256
f7194a29e8b3a3ffb9ab19349b1f9f367a53256a95b47d493f05d6a692728f2c
-
SHA512
2e0fd04083ba1ac49fe87a9a2848e802f06e04b5a3ed7849ec4102ef6803612d99779cd922ce99fff3561f052b6aacdb4d77bf888fedc4721063aca5ea74fd2c
-
SSDEEP
1536:AxEXmX8ZhFpNGLsmYTQsnNpD2gt12g7QX/xaTD7+LGY9dD/zxcmuXZFuxorD999r:A6XdhzYYnQkpD2gtcg733+asF/qfp
Malware Config
Extracted
pony
http://zkhmeps.pw:4915/doc/black.php
http://zkhmeps.pw:888/doc/black.php
-
payload_url
http://ckirmpu.pw:888/pic/Flash.exe
Signatures
-
Drops file in Drivers directory 3 IoCs
description ioc Process File created C:\Windows\system32\drivers\etc\tmp.tmp f7194a29e8b3a3ffb9ab19349b1f9f367a53256a95b47d493f05d6a692728f2cN.exe File created C:\Windows\system32\drivers\etc\hosts.sam cmd.exe File opened for modification C:\Windows\system32\drivers\etc\hosts.sam cmd.exe -
Deletes itself 1 IoCs
pid Process 2844 cmd.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts f7194a29e8b3a3ffb9ab19349b1f9f367a53256a95b47d493f05d6a692728f2cN.exe -
Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook f7194a29e8b3a3ffb9ab19349b1f9f367a53256a95b47d493f05d6a692728f2cN.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Hide Artifacts: Hidden Files and Directories 1 TTPs 2 IoCs
pid Process 3008 cmd.exe 332 at.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language at.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f7194a29e8b3a3ffb9ab19349b1f9f367a53256a95b47d493f05d6a692728f2cN.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 2844 cmd.exe 776 PING.EXE -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 776 PING.EXE -
Suspicious use of AdjustPrivilegeToken 32 IoCs
description pid Process Token: SeImpersonatePrivilege 2312 f7194a29e8b3a3ffb9ab19349b1f9f367a53256a95b47d493f05d6a692728f2cN.exe Token: SeTcbPrivilege 2312 f7194a29e8b3a3ffb9ab19349b1f9f367a53256a95b47d493f05d6a692728f2cN.exe Token: SeChangeNotifyPrivilege 2312 f7194a29e8b3a3ffb9ab19349b1f9f367a53256a95b47d493f05d6a692728f2cN.exe Token: SeCreateTokenPrivilege 2312 f7194a29e8b3a3ffb9ab19349b1f9f367a53256a95b47d493f05d6a692728f2cN.exe Token: SeBackupPrivilege 2312 f7194a29e8b3a3ffb9ab19349b1f9f367a53256a95b47d493f05d6a692728f2cN.exe Token: SeRestorePrivilege 2312 f7194a29e8b3a3ffb9ab19349b1f9f367a53256a95b47d493f05d6a692728f2cN.exe Token: SeIncreaseQuotaPrivilege 2312 f7194a29e8b3a3ffb9ab19349b1f9f367a53256a95b47d493f05d6a692728f2cN.exe Token: SeAssignPrimaryTokenPrivilege 2312 f7194a29e8b3a3ffb9ab19349b1f9f367a53256a95b47d493f05d6a692728f2cN.exe Token: SeImpersonatePrivilege 2312 f7194a29e8b3a3ffb9ab19349b1f9f367a53256a95b47d493f05d6a692728f2cN.exe Token: SeTcbPrivilege 2312 f7194a29e8b3a3ffb9ab19349b1f9f367a53256a95b47d493f05d6a692728f2cN.exe Token: SeChangeNotifyPrivilege 2312 f7194a29e8b3a3ffb9ab19349b1f9f367a53256a95b47d493f05d6a692728f2cN.exe Token: SeCreateTokenPrivilege 2312 f7194a29e8b3a3ffb9ab19349b1f9f367a53256a95b47d493f05d6a692728f2cN.exe Token: SeBackupPrivilege 2312 f7194a29e8b3a3ffb9ab19349b1f9f367a53256a95b47d493f05d6a692728f2cN.exe Token: SeRestorePrivilege 2312 f7194a29e8b3a3ffb9ab19349b1f9f367a53256a95b47d493f05d6a692728f2cN.exe Token: SeIncreaseQuotaPrivilege 2312 f7194a29e8b3a3ffb9ab19349b1f9f367a53256a95b47d493f05d6a692728f2cN.exe Token: SeAssignPrimaryTokenPrivilege 2312 f7194a29e8b3a3ffb9ab19349b1f9f367a53256a95b47d493f05d6a692728f2cN.exe Token: SeImpersonatePrivilege 2312 f7194a29e8b3a3ffb9ab19349b1f9f367a53256a95b47d493f05d6a692728f2cN.exe Token: SeTcbPrivilege 2312 f7194a29e8b3a3ffb9ab19349b1f9f367a53256a95b47d493f05d6a692728f2cN.exe Token: SeChangeNotifyPrivilege 2312 f7194a29e8b3a3ffb9ab19349b1f9f367a53256a95b47d493f05d6a692728f2cN.exe Token: SeCreateTokenPrivilege 2312 f7194a29e8b3a3ffb9ab19349b1f9f367a53256a95b47d493f05d6a692728f2cN.exe Token: SeBackupPrivilege 2312 f7194a29e8b3a3ffb9ab19349b1f9f367a53256a95b47d493f05d6a692728f2cN.exe Token: SeRestorePrivilege 2312 f7194a29e8b3a3ffb9ab19349b1f9f367a53256a95b47d493f05d6a692728f2cN.exe Token: SeIncreaseQuotaPrivilege 2312 f7194a29e8b3a3ffb9ab19349b1f9f367a53256a95b47d493f05d6a692728f2cN.exe Token: SeAssignPrimaryTokenPrivilege 2312 f7194a29e8b3a3ffb9ab19349b1f9f367a53256a95b47d493f05d6a692728f2cN.exe Token: SeImpersonatePrivilege 2312 f7194a29e8b3a3ffb9ab19349b1f9f367a53256a95b47d493f05d6a692728f2cN.exe Token: SeTcbPrivilege 2312 f7194a29e8b3a3ffb9ab19349b1f9f367a53256a95b47d493f05d6a692728f2cN.exe Token: SeChangeNotifyPrivilege 2312 f7194a29e8b3a3ffb9ab19349b1f9f367a53256a95b47d493f05d6a692728f2cN.exe Token: SeCreateTokenPrivilege 2312 f7194a29e8b3a3ffb9ab19349b1f9f367a53256a95b47d493f05d6a692728f2cN.exe Token: SeBackupPrivilege 2312 f7194a29e8b3a3ffb9ab19349b1f9f367a53256a95b47d493f05d6a692728f2cN.exe Token: SeRestorePrivilege 2312 f7194a29e8b3a3ffb9ab19349b1f9f367a53256a95b47d493f05d6a692728f2cN.exe Token: SeIncreaseQuotaPrivilege 2312 f7194a29e8b3a3ffb9ab19349b1f9f367a53256a95b47d493f05d6a692728f2cN.exe Token: SeAssignPrimaryTokenPrivilege 2312 f7194a29e8b3a3ffb9ab19349b1f9f367a53256a95b47d493f05d6a692728f2cN.exe -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 2312 wrote to memory of 3008 2312 f7194a29e8b3a3ffb9ab19349b1f9f367a53256a95b47d493f05d6a692728f2cN.exe 31 PID 2312 wrote to memory of 3008 2312 f7194a29e8b3a3ffb9ab19349b1f9f367a53256a95b47d493f05d6a692728f2cN.exe 31 PID 2312 wrote to memory of 3008 2312 f7194a29e8b3a3ffb9ab19349b1f9f367a53256a95b47d493f05d6a692728f2cN.exe 31 PID 2312 wrote to memory of 3008 2312 f7194a29e8b3a3ffb9ab19349b1f9f367a53256a95b47d493f05d6a692728f2cN.exe 31 PID 2312 wrote to memory of 2844 2312 f7194a29e8b3a3ffb9ab19349b1f9f367a53256a95b47d493f05d6a692728f2cN.exe 32 PID 2312 wrote to memory of 2844 2312 f7194a29e8b3a3ffb9ab19349b1f9f367a53256a95b47d493f05d6a692728f2cN.exe 32 PID 2312 wrote to memory of 2844 2312 f7194a29e8b3a3ffb9ab19349b1f9f367a53256a95b47d493f05d6a692728f2cN.exe 32 PID 2312 wrote to memory of 2844 2312 f7194a29e8b3a3ffb9ab19349b1f9f367a53256a95b47d493f05d6a692728f2cN.exe 32 PID 3008 wrote to memory of 332 3008 cmd.exe 35 PID 3008 wrote to memory of 332 3008 cmd.exe 35 PID 3008 wrote to memory of 332 3008 cmd.exe 35 PID 3008 wrote to memory of 332 3008 cmd.exe 35 PID 2844 wrote to memory of 776 2844 cmd.exe 36 PID 2844 wrote to memory of 776 2844 cmd.exe 36 PID 2844 wrote to memory of 776 2844 cmd.exe 36 PID 2844 wrote to memory of 776 2844 cmd.exe 36 -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook f7194a29e8b3a3ffb9ab19349b1f9f367a53256a95b47d493f05d6a692728f2cN.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\f7194a29e8b3a3ffb9ab19349b1f9f367a53256a95b47d493f05d6a692728f2cN.exe"C:\Users\Admin\AppData\Local\Temp\f7194a29e8b3a3ffb9ab19349b1f9f367a53256a95b47d493f05d6a692728f2cN.exe"1⤵
- Drops file in Drivers directory
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_win_path
PID:2312 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy C:\Windows\system32\drivers\etc\hosts C:\Windows\system32\drivers\etc\hosts.sam /Y && at 07:50:00 /every:M,T,W,Th,F,S,Su cmd.exe "/c attrib -H C:\Windows\system32\drivers\etc\hosts && copy C:\Users\Admin\AppData\Local\Temp\259459224aq C:\Windows\system32\drivers\etc\hosts /Y && attrib +H C:\Windows\system32\drivers\etc\hosts"2⤵
- Drops file in Drivers directory
- Hide Artifacts: Hidden Files and Directories
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3008 -
C:\Windows\SysWOW64\at.exeat 07:50:00 /every:M,T,W,Th,F,S,Su cmd.exe "/c attrib -H C:\Windows\system32\drivers\etc\hosts && copy C:\Users\Admin\AppData\Local\Temp\259459224aq C:\Windows\system32\drivers\etc\hosts /Y && attrib +H C:\Windows\system32\drivers\etc\hosts"3⤵
- Hide Artifacts: Hidden Files and Directories
- System Location Discovery: System Language Discovery
PID:332
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping -n 6 localhost && erase "C:\Users\Admin\AppData\Local\Temp\f7194a29e8b3a3ffb9ab19349b1f9f367a53256a95b47d493f05d6a692728f2cN.exe"2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:2844 -
C:\Windows\SysWOW64\PING.EXEping -n 6 localhost3⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:776
-
-
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
3