Analysis
max time kernel: 21s
max time network: 110s
platform: windows10_x64
resource: win10v20201028
submitted: 06-11-2020 12:13
Static task: static1
Behavioral task: behavioral1
  Sample: 8b7059f28e99b14fb924b26e03e210053a9162b91407f043162bb8067046d648.exe
  Resource: win7v20201028
General
Target: 8b7059f28e99b14fb924b26e03e210053a9162b91407f043162bb8067046d648.exe
Size: 783KB
MD5: 18c9fa704c5ddcaa2f7760abf418847c
SHA1: ffdfdc5a23d760e22638e47f335e99f3d18db650
SHA256: 8b7059f28e99b14fb924b26e03e210053a9162b91407f043162bb8067046d648
SHA512: be4ffd927633b4a9c18280fc0b01d48ee9865ca511749e3a9660b3945a391cc30625bf12edbd80c0bfa7d91e60e89e9d11882f2d41f430485c9df2e72d1b767a
Malware Config
Signatures

Executes dropped EXE (2 IoCs)
  PID 976  Pony.exe
  PID 640  order.exe

YARA rule match (2 IoCs)
  resource: C:\Users\Admin\AppData\Local\Temp\Pony.exe   rule: upx
  (the dropped Pony.exe matches the "upx" packer rule; the report lists the same resource twice)

Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
  reg.exe (PID 1520 in the process tree below):
    Key created:     \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce
    Set value (str): \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Load = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\DwiDesk\\order.lnk"
  The autorun value is a .lnk under the user's roaming profile rather than the executable itself, so a listing of RunOnce shows only the shortcut; the executable it points at is resolved one hop away.

Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  order.exe (PID 640): 4 occurrences

Suspicious use of AdjustPrivilegeToken (41 IoCs)
  Pony.exe (PID 976): 40 occurrences, the same eight privileges adjusted five times over:
    SeImpersonatePrivilege, SeTcbPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege,
    SeBackupPrivilege, SeRestorePrivilege, SeIncreaseQuotaPrivilege, SeAssignPrimaryTokenPrivilege
  order.exe (PID 640): 1 occurrence, SeDebugPrivilege

Suspicious use of WriteProcessMemory (21 IoCs; each parent-to-child write is recorded three times)
  source PID  source process                                                             target PID  target process
  816         8b7059f28e99b14fb924b26e03e210053a9162b91407f043162bb8067046d648.exe     976         Pony.exe
  816         8b7059f28e99b14fb924b26e03e210053a9162b91407f043162bb8067046d648.exe     640         order.exe
  976         Pony.exe                                                                   1976        cmd.exe
  640         order.exe                                                                  3508        cmd.exe
  3508        cmd.exe                                                                    1520        reg.exe
  640         order.exe                                                                  3768        order.exe
  640         order.exe                                                                  2108        MSBuild.exe
  Every write here goes into a process the writer itself started. The two edges worth opening first are order.exe (640) writing into a second copy of itself (3768) and into MSBuild.exe (2108), a Microsoft-signed .NET host; the report records the writes but not their contents.
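The WriteProcessMemory table above is the most useful thing on the page for reconstructing what ran, but the report emits it as a flat, triplicated list. The following is an added example, not code from the report or from the sandbox vendor: it parses those rows (embedded below as constructed input copied from the table), collapses the repeats, rebuilds the parent/child tree, and lists writes into a small watchlist of Microsoft host binaries. The watchlist itself (`HOST_WATCHLIST`) is an analyst assumption for this example, not something the report states.

```python
import re
from collections import Counter, defaultdict

# Constructed input: the 21 "Suspicious use of WriteProcessMemory" rows from the
# report, in the run-together form the report shows (every edge appears 3 times).
SAMPLE = "8b7059f28e99b14fb924b26e03e210053a9162b91407f043162bb8067046d648.exe"
WPM_IOCS = (
    f"PID 816 wrote to memory of 976 816 {SAMPLE} Pony.exe " * 3
    + f"PID 816 wrote to memory of 640 816 {SAMPLE} order.exe " * 3
    + "PID 976 wrote to memory of 1976 976 Pony.exe cmd.exe " * 3
    + "PID 640 wrote to memory of 3508 640 order.exe cmd.exe " * 3
    + "PID 3508 wrote to memory of 1520 3508 cmd.exe reg.exe " * 3
    + "PID 640 wrote to memory of 3768 640 order.exe order.exe " * 3
    + "PID 640 wrote to memory of 2108 640 order.exe MSBuild.exe " * 3
)

# One record: "PID <src> wrote to memory of <dst> <src> <src image> <dst image>".
# The back-reference \1 insists that the repeated source PID really matches.
RECORD = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\S+)")


def parse_edges(text):
    """Collapse the rows into Counter{(src_pid, src_image, dst_pid, dst_image): hits}."""
    return Counter((int(s), si, int(d), di) for s, d, si, di in RECORD.findall(text))


def build_tree(edges):
    """Return (pid -> image, pid -> [child pids], root pids) from the write edges."""
    images, children = {}, defaultdict(list)
    for s, si, d, di in edges:
        images[s], images[d] = si, di
        if d not in children[s]:
            children[s].append(d)
    written_into = {d for _, _, d, _ in edges}
    roots = [p for p in images if p not in written_into]
    return images, children, roots


def render(images, children, pid, depth=0):
    """Indented text tree, one line per process, children in first-seen order."""
    lines = [f"{'  ' * depth}{images[pid]} (PID {pid})"]
    for child in children.get(pid, []):
        lines += render(images, children, child, depth + 1)
    return lines


# Analyst watchlist, an assumption for this example rather than part of the report:
# signed Microsoft binaries that commodity loaders commonly start and then write into.
HOST_WATCHLIST = {"MSBuild.exe", "RegAsm.exe", "RegSvcs.exe", "InstallUtil.exe", "vbc.exe"}


def writes_into_hosts(edges, watchlist=HOST_WATCHLIST):
    """Edges whose target image is on the watchlist; pull those memory dumps first."""
    return sorted(e for e in edges if e[3] in watchlist)


if __name__ == "__main__":
    edges = parse_edges(WPM_IOCS)
    images, children, roots = build_tree(edges)
    for root in roots:
        print("\n".join(render(images, children, root)))
    for s, si, d, di in writes_into_hosts(edges):
        print(f"review: {si} ({s}) wrote into {di} ({d}) x{edges[(s, si, d, di)]}")
```

Run stand-alone it prints the eight-process tree rooted at PID 816 and flags the single order.exe to MSBuild.exe edge. The same parser works on any Triage report that uses this row format; only the embedded rows are specific to this sample.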
Processes
(command lines as recorded; the bracketed number is the depth shown in the report; PIDs are taken from the WriteProcessMemory table above)

[1] C:\Users\Admin\AppData\Local\Temp\8b7059f28e99b14fb924b26e03e210053a9162b91407f043162bb8067046d648.exe  (PID 816)
    command line: "C:\Users\Admin\AppData\Local\Temp\8b7059f28e99b14fb924b26e03e210053a9162b91407f043162bb8067046d648.exe"
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\Pony.exe  (PID 976)
      command line: "C:\Users\Admin\AppData\Local\Temp\Pony.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\cmd.exe  (PID 1976)
        command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\259296390.bat" "C:\Users\Admin\AppData\Local\Temp\Pony.exe" "
        (the batch file is handed Pony.exe's own path as its argument; its contents are not shown in the report, only its hashes under Downloads)
  [2] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DwiDesk\order.exe  (PID 640)
      command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DwiDesk\order.exe" -n
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\cmd.exe  (PID 3508)
        command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v "Load" /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DwiDesk\order.lnk" /f
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\reg.exe  (PID 1520)
          command line: reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v "Load" /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DwiDesk\order.lnk" /f
          - Adds Run key to start application
    [3] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DwiDesk\order.exe  (PID 3768)
        command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DwiDesk\order.exe"
    [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  (PID 2108)
        command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

Two details of the tree are worth noting. The command lines name System32, but cmd.exe and reg.exe resolve to C:\Windows\SysWOW64, so the whole chain runs as 32-bit processes under WOW64 on this x64 VM. And order.exe under DwiDesk carries the same MD5/SHA256 as the submitted sample (see Downloads), so the sample copies itself to the roaming profile and relaunches from there with "-n" before registering the RunOnce shortcut.
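The persistence step in the tree is an ordinary `reg add` to HKCU\...\RunOnce whose data is a .lnk inside the user's roaming AppData. Below is an added example, not code from the report or its vendor, of the check a detection engineer would want on process-creation telemetry: parse the `reg add` command line (including the `cmd.exe /c` wrapper seen above), match the key against the Run/RunOnce autorun locations, and flag data that points to a shortcut or into a user-writable directory. The two report command lines are embedded as constructed input; the "Vendor Updater" entry and the `USER_WRITABLE` directory list are assumptions made for the example, to show the check staying quiet on a conventional installer-style entry.

```python
import re
import shlex

# Autorun keys covered by the report's "Adds Run key to start application" signature.
AUTORUN_KEY = re.compile(
    r"^(HKCU|HKEY_CURRENT_USER|HKLM|HKEY_LOCAL_MACHINE)\\Software\\(Wow6432Node\\)?"
    r"Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)$",
    re.IGNORECASE,
)
# Directories a standard user can write to: persistence from here needs no admin
# rights and no installer. An assumption for this example; tune to your baseline.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|ProgramData|Public)\\", re.IGNORECASE)

# Constructed input: the reg.exe and cmd.exe command lines from the process tree
# above, plus a benign-looking entry (an assumption, not from the report).
REPORT_REG = (r'reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce" '
              r'/v "Load" /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DwiDesk\order.lnk" /f')
REPORT_CMD = r'"C:\Windows\System32\cmd.exe" /c ' + REPORT_REG
BENIGN_REG = (r'reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" '
              r'/v "Vendor Updater" /d "C:\Program Files\Vendor\updater.exe" /f')


def _basename(tok):
    return tok.rsplit("\\", 1)[-1].lower()


def parse_reg_add(cmdline):
    """Pull key, value name, data and /f out of a 'reg add' command line.

    Accepts an optional leading 'cmd.exe /c' wrapper. posix=False keeps Windows
    backslashes intact; the surrounding quotes are stripped afterwards.
    Returns None when the command line is not a 'reg add'.
    """
    toks = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    if len(toks) >= 2 and _basename(toks[0]) in ("cmd", "cmd.exe") and toks[1].lower() in ("/c", "/k"):
        toks = toks[2:]
    if len(toks) < 3 or _basename(toks[0]) not in ("reg", "reg.exe") or toks[1].lower() != "add":
        return None
    rec = {"key": toks[2], "name": "", "data": "", "force": False}
    i = 3
    while i < len(toks):
        flag = toks[i].lower()
        if flag == "/v" and i + 1 < len(toks):
            rec["name"] = toks[i + 1]
            i += 2
        elif flag == "/d" and i + 1 < len(toks):
            rec["data"] = toks[i + 1]
            i += 2
        else:
            rec["force"] |= flag == "/f"
            i += 1
    return rec


def assess_autorun(rec):
    """Reasons a 'reg add' looks like user-land persistence; [] when nothing stands out."""
    reasons = []
    if rec is None or not AUTORUN_KEY.match(rec["key"]):
        return reasons
    if rec["data"].lower().endswith(".lnk"):
        reasons.append("autorun value is a .lnk shortcut; the real target sits one hop away")
    if USER_WRITABLE.search(rec["data"]):
        reasons.append("autorun target lives under a user-writable directory")
    return reasons


if __name__ == "__main__":
    for cmd in (REPORT_CMD, BENIGN_REG):
        rec = parse_reg_add(cmd)
        print(rec["key"], "|", rec["name"], "=", rec["data"])
        for reason in assess_autorun(rec) or ["no finding"]:
            print("  -", reason)
```

On this sample both reasons fire for the RunOnce\Load entry; the constructed HKLM entry under Program Files produces none. In production you would feed the command line from the process-creation event (Sysmon event 1 / Windows 4688) rather than a literal, and resolve the .lnk target before deciding whether the executable it points at is the one you expect.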
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\259296390.bat
  MD5:    3880eeb1c736d853eb13b44898b718ab
  SHA1:   4eec9d50360cd815211e3c4e6bdd08271b6ec8e6
  SHA256: 936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7
  SHA512: 3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

C:\Users\Admin\AppData\Local\Temp\Pony.exe  (listed twice in the report with identical hashes)
  MD5:    e30be32379449d1df8c722f446588ea7
  SHA1:   31259d9c383acd64725d4ca3193fa6fac2aece0e
  SHA256: 7e261813997c6166847a966533d33650415ee6d9b6af8b9f64debbb2633cab50
  SHA512: a1026c67fed1a5103d424e1554d9ce40d79561574661cbfe2a61f90f5aeb629fa2040e92863370309c222a78f9bfb224738feedaeb899e867fae56f74b5de2b9

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DwiDesk\order.exe  (listed twice in the report; hashes identical to the submitted sample, i.e. the sample copied itself here)
  MD5:    18c9fa704c5ddcaa2f7760abf418847c
  SHA1:   ffdfdc5a23d760e22638e47f335e99f3d18db650
  SHA256: 8b7059f28e99b14fb924b26e03e210053a9162b91407f043162bb8067046d648
  SHA512: be4ffd927633b4a9c18280fc0b01d48ee9865ca511749e3a9660b3945a391cc30625bf12edbd80c0bfa7d91e60e89e9d11882f2d41f430485c9df2e72d1b767a
Memory dumps (PID-index, address range, dump type, size)
  memory/640-13   0x0000000074070000-0x000000007475E000  memory.dmp   6.9MB
  memory/640-10   mapping.dmp
  memory/816-6    0x0000000006330000-0x0000000006331000  memory.dmp   4KB
  memory/816-5    0x0000000005D60000-0x0000000005E27000  memory.dmp   796KB
  memory/816-4    0x0000000005CC0000-0x0000000005CC1000  memory.dmp   4KB
  memory/816-3    0x0000000005720000-0x0000000005721000  memory.dmp   4KB
  memory/816-0    0x0000000074070000-0x000000007475E000  memory.dmp   6.9MB
  memory/816-1    0x0000000000D10000-0x0000000000D11000  memory.dmp   4KB
  memory/976-7    mapping.dmp
  memory/1520-23  mapping.dmp
  memory/1976-20  mapping.dmp
  memory/3508-22  mapping.dmp
The same 0x74070000-0x7475E000 region (6.9MB) is dumped from both PID 816 and PID 640, consistent with the two being the same image (see the matching hashes under Downloads).