Overview
overview
10Static
static
6DUMP_00A10...iR.exe
windows7-x64
7DgH5SjZFle...DI.exe
windows7-x64
10Dumped_.exe
windows7-x64
7EntrateSetup.exe
windows7-x64
9ErrorFileRemover.exe
windows7-x64
10ExtraTools.exe
windows7-x64
7F45F47EDCE...54.exe
windows7-x64
10decrypt_00...00.exe
windows7-x64
6dffde400ad...3d.exe
windows7-x64
10dircrypt.deobf.exe
windows7-x64
10dma locker 4.0.exe
windows7-x64
9downloader.js
windows7-x64
10dump.mem.exe
windows7-x64
6e0ff79cc94...ss.exe
windows7-x64
7e37dc428ec...ad.vbs
windows7-x64
1e5df2d114c...8a.exe
windows7-x64
10e6c4ae4709...ss.exe
windows7-x64
7e77df2ce34...2d.exe
windows7-x64
7e8e07496df...d2.exe
windows7-x64
ea8292721a...1e.exe
windows7-x64
5eaa857c95f...er.dll
windows7-x64
1ed3a685ca6...91.exe
windows7-x64
9edffa07d66...9d5.js
windows7-x64
10encrypter.exe
windows7-x64
10encryptor_...81.exe
windows7-x64
9f002618c01...35.apk
windows7-x64
3f213e54c85...ea.exe
windows7-x64
1f2c8eee2cd...3f.exe
windows7-x64
10f31bfe95e3...7_.exe
windows7-x64
9f6a8d7a429...da.exe
windows7-x64
10f915110765...da.exe
windows7-x64
7fb8823e949...-0.dll
windows7-x64
1Analysis
-
max time kernel
272s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
22-11-2024 03:27
Behavioral task
behavioral1
Sample
DUMP_00A10000-00A1D000.exe.ViR.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe
Resource
win7-20240708-en
Behavioral task
behavioral3
Sample
Dumped_.exe
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
EntrateSetup.exe
Resource
win7-20240903-en
Behavioral task
behavioral5
Sample
ErrorFileRemover.exe
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
ExtraTools.exe
Resource
win7-20241023-en
Behavioral task
behavioral7
Sample
F45F47EDCED7FAC5A99C45AB4B8C2D54.exe
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
decrypt_0000000000000020-000A0000.exe
Resource
win7-20241010-en
Behavioral task
behavioral9
Sample
dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe
Resource
win7-20241010-en
Behavioral task
behavioral10
Sample
dircrypt.deobf.exe
Resource
win7-20240903-en
Behavioral task
behavioral11
Sample
dma locker 4.0.exe
Resource
win7-20240903-en
Behavioral task
behavioral12
Sample
downloader.js
Resource
win7-20241023-en
Behavioral task
behavioral13
Sample
dump.mem.exe
Resource
win7-20240903-en
Behavioral task
behavioral14
Sample
e0ff79cc943f489668067ec3be11398a084a76ecd0283c9e18b2d0bf6e464c32_not_packed_maybe_useless.exe
Resource
win7-20240903-en
Behavioral task
behavioral15
Sample
e37dc428ec65a38707ad9e247950f3501a94e4abccb737a3562d69032c8505ad.vbs
Resource
win7-20240708-en
Behavioral task
behavioral16
Sample
e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
Resource
win7-20240729-en
Behavioral task
behavioral17
Sample
e6c4ae470977aa78d1005746ae05deea0bf3b4260f88865662a35f99b2559dbc_not_packed_maybe_useless.exe
Resource
win7-20240903-en
Behavioral task
behavioral18
Sample
e77df2ce34949eb11290445a411a47fb927e8871e2580897581981d17730032d.exe
Resource
win7-20240903-en
Behavioral task
behavioral19
Sample
e8e07496df5370d2e49ecce5a47c1fd2.exe
Resource
win7-20240903-en
Behavioral task
behavioral20
Sample
ea8292721a34ca2f1831447868bbe91e.exe
Resource
win7-20241010-en
Behavioral task
behavioral21
Sample
eaa857c95fca38ca08411b757f4ad2a841cfb9782deca8abf64aada445923c0d_Stealer.dll
Resource
win7-20240903-en
Behavioral task
behavioral22
Sample
ed3a685ca65de70b79faf95bbd94c343e73a150e83184f67e0bdb35b11d05791.exe
Resource
win7-20241010-en
Behavioral task
behavioral23
Sample
edffa07d667dbd224682639f56eb1b913e4ffeac874999e02c23e86eeb6489d5.js
Resource
win7-20240903-en
Behavioral task
behavioral24
Sample
encrypter.exe
Resource
win7-20240729-en
Behavioral task
behavioral25
Sample
encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
Resource
win7-20240903-en
Behavioral task
behavioral26
Sample
f002618c01fe652f7f00eabd0e890e4992ccce818dfb2863e82c43f793685635.apk
Resource
win7-20240708-en
Behavioral task
behavioral27
Sample
f213e54c8520e7458751020edf15a5ea.exe
Resource
win7-20240903-en
Behavioral task
behavioral28
Sample
f2c8eee2cd88b834e9d4c0eb4930f03f.exe
Resource
win7-20240903-en
Behavioral task
behavioral29
Sample
f31bfe95e31d761459b885052d35ba5e25ab19333378fb72b12efd675f6018d7_.exe
Resource
win7-20241023-en
Behavioral task
behavioral30
Sample
f6a8d7a4291c55020101d046371a8bda.exe
Resource
win7-20240903-en
Behavioral task
behavioral31
Sample
f9151107655aaa6db995888a7cb69ada.exe
Resource
win7-20240903-en
Behavioral task
behavioral32
Sample
fb8823e9494016f59ab25ec6cc0961da_api-ms-win-system-softpub-l1-1-0.dll
Resource
win7-20241010-en
General
-
Target
edffa07d667dbd224682639f56eb1b913e4ffeac874999e02c23e86eeb6489d5.js
-
Size
559KB
-
MD5
535494aa6ce3ccef7346b548da5061a9
-
SHA1
2c0b5637701c83b7b2aeabdf3120a89db1dbaad7
-
SHA256
edffa07d667dbd224682639f56eb1b913e4ffeac874999e02c23e86eeb6489d5
-
SHA512
f02464b3563b4552246b86e2c6ec377b8b0734576647bbc69ca8f4dd775d59f54ffbf3dd7f6433990ec187f1116891426f0e70a7524c9b793df9bc78e087f6dc
-
SSDEEP
12288:ZVJ/hB+eGkeURqNvA0msxNxgnr/V4ZhiKjUkE6PofKhs:R/r47iKjUBIs
Malware Config
Extracted
pony
http://startwavenow.com/gate.php
Signatures
-
Pony family
-
Executes dropped EXE 1 IoCs
Processes:
st.exepid process 764 st.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
st.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts st.exe -
Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
Processes:
st.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook st.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
wscript.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\edffa07d667dbd224682639f56eb1b913e4ffeac874999e02c23e86eeb6489d5.js argument" wscript.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Command and Scripting Interpreter: JavaScript 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
st.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language st.exe -
Suspicious use of AdjustPrivilegeToken 34 IoCs
Processes:
st.exedescription pid process Token: 33 764 st.exe Token: SeIncBasePriorityPrivilege 764 st.exe Token: SeImpersonatePrivilege 764 st.exe Token: SeTcbPrivilege 764 st.exe Token: SeChangeNotifyPrivilege 764 st.exe Token: SeCreateTokenPrivilege 764 st.exe Token: SeBackupPrivilege 764 st.exe Token: SeRestorePrivilege 764 st.exe Token: SeIncreaseQuotaPrivilege 764 st.exe Token: SeAssignPrimaryTokenPrivilege 764 st.exe Token: SeImpersonatePrivilege 764 st.exe Token: SeTcbPrivilege 764 st.exe Token: SeChangeNotifyPrivilege 764 st.exe Token: SeCreateTokenPrivilege 764 st.exe Token: SeBackupPrivilege 764 st.exe Token: SeRestorePrivilege 764 st.exe Token: SeIncreaseQuotaPrivilege 764 st.exe Token: SeAssignPrimaryTokenPrivilege 764 st.exe Token: SeImpersonatePrivilege 764 st.exe Token: SeTcbPrivilege 764 st.exe Token: SeChangeNotifyPrivilege 764 st.exe Token: SeCreateTokenPrivilege 764 st.exe Token: SeBackupPrivilege 764 st.exe Token: SeRestorePrivilege 764 st.exe Token: SeIncreaseQuotaPrivilege 764 st.exe Token: SeAssignPrimaryTokenPrivilege 764 st.exe Token: SeImpersonatePrivilege 764 st.exe Token: SeTcbPrivilege 764 st.exe Token: SeChangeNotifyPrivilege 764 st.exe Token: SeCreateTokenPrivilege 764 st.exe Token: SeBackupPrivilege 764 st.exe Token: SeRestorePrivilege 764 st.exe Token: SeIncreaseQuotaPrivilege 764 st.exe Token: SeAssignPrimaryTokenPrivilege 764 st.exe -
Suspicious use of SetWindowsHookEx 5 IoCs
Processes:
wordpad.exepid process 2892 wordpad.exe 2892 wordpad.exe 2892 wordpad.exe 2892 wordpad.exe 2892 wordpad.exe -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
wscript.exedescription pid process target process PID 2904 wrote to memory of 2892 2904 wscript.exe wordpad.exe PID 2904 wrote to memory of 2892 2904 wscript.exe wordpad.exe PID 2904 wrote to memory of 2892 2904 wscript.exe wordpad.exe PID 2904 wrote to memory of 764 2904 wscript.exe st.exe PID 2904 wrote to memory of 764 2904 wscript.exe st.exe PID 2904 wrote to memory of 764 2904 wscript.exe st.exe PID 2904 wrote to memory of 764 2904 wscript.exe st.exe -
outlook_win_path 1 IoCs
Processes:
st.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook st.exe
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\edffa07d667dbd224682639f56eb1b913e4ffeac874999e02c23e86eeb6489d5.js1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2904 -
C:\Program Files\Windows NT\Accessories\wordpad.exe"C:\Program Files\Windows NT\Accessories\wordpad.exe" "C:\Users\Admin\Documents\doc_attached_6AyM9"2⤵
- Suspicious use of SetWindowsHookEx
PID:2892
-
-
C:\Users\Admin\Documents\st.exe"C:\Users\Admin\Documents\st.exe"2⤵
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- outlook_win_path
PID:764
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
4Credentials In Files
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
12KB
MD5a1fa80f75ad4003549d27fc726e40b14
SHA15fda8ead11d5bdcc51c29f9eb72aed29f2065d31
SHA25637ab62998175d3dc70763e2fcbfe1e5b38660ae59a1c21c0306f2470ea487364
SHA51234817bda5cbcb2e0a909d8652b2b82c3471696f4e4d533e8a1e3583811a60aa0365e4ceabd3d2ded506a577decf907bc6bead917ffef1317e758ea2f82c1c554
-
Filesize
135KB
MD539c27aec900d0613e02b78df2333657c
SHA1822bf6d0eb04df65c072b51100c5c852761e7c9e
SHA256dabee7680e09565154e7807c1ed362838ad6ee4e373ee97069e3b33db1ec10f7
SHA512316497a6973ea6c7883b3112b1d5a7f042f654f807ac8b2919e42719f384469cc5d7d39112982bee0d18900ee6f76dd00664d206f5f13d6448dd27a3c84c1880