Resubmissions

12-11-2021 18:04

211112-wnzb8aahhm 10

19-11-2020 10:08

201119-rhwlt38jrx 10

18-11-2020 17:26

201118-htd4fq29va 10

Analysis

  • max time kernel
    1686s
  • max time network
    1693s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    18-11-2020 17:26

General

  • Target

    Lonelyscreen.1.2.9.keygen.by.Paradox/Lonelyscreen.1.2.9.keygen.by.Paradox.exe

Malware Config

Signatures

  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

  • Nirsoft 6 IoCs
  • Executes dropped EXE 16 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • VMProtect packed file 2 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 40 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Lonelyscreen.1.2.9.keygen.by.Paradox\Lonelyscreen.1.2.9.keygen.by.Paradox.exe
    "C:\Users\Admin\AppData\Local\Temp\Lonelyscreen.1.2.9.keygen.by.Paradox\Lonelyscreen.1.2.9.keygen.by.Paradox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:644
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3584
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
        keygen-pr.exe -p83fsase3Ge
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:4076
        • C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
          "C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1004
          • C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
            C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat
            5⤵
            • Executes dropped EXE
            PID:8
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
        keygen-step-3.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2100
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2148
          • C:\Windows\SysWOW64\PING.EXE
            ping 1.1.1.1 -n 1 -w 3000
            5⤵
            • Runs ping.exe
            PID:3840
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
        keygen-step-4.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:3276
        • C:\Users\Admin\AppData\Local\Temp\RarSFX2\whhw.exe
          "C:\Users\Admin\AppData\Local\Temp\RarSFX2\whhw.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:1828
          • C:\Users\Admin\AppData\Local\Temp\RarSFX3\setup.upx.exe
            "C:\Users\Admin\AppData\Local\Temp\RarSFX3\setup.upx.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:1836
            • C:\Windows\SysWOW64\cmd.exe
              cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX3\setup.upx.exe"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:912
              • C:\Windows\SysWOW64\PING.EXE
                ping 1.1.1.1 -n 1 -w 3000
                7⤵
                • Runs ping.exe
                PID:3860
        • C:\Users\Admin\AppData\Local\Temp\RarSFX2\id6.exe
          "C:\Users\Admin\AppData\Local\Temp\RarSFX2\id6.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:2236
        • C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe
          "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:1028
          • C:\Users\Admin\AppData\Local\Temp\is-U3I3J.tmp\Setup.tmp
            "C:\Users\Admin\AppData\Local\Temp\is-U3I3J.tmp\Setup.tmp" /SL5="$30242,1223153,733696,C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of WriteProcessMemory
            PID:3768
            • C:\Users\Admin\AppData\Local\Temp\RarSFX2\searzar\searzar.exe
              "C:\Users\Admin\AppData\Local\Temp\RarSFX2\searzar\searzar.exe"
              6⤵
              • Executes dropped EXE
              PID:2320
        • C:\Users\Admin\AppData\Local\Temp\RarSFX2\hjjgaa.exe
          "C:\Users\Admin\AppData\Local\Temp\RarSFX2\hjjgaa.exe"
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:1140
          • C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe
            C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fjgha23_fa.txt
            5⤵
            • Executes dropped EXE
            PID:2156
          • C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe
            C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fjgha23_fa.txt
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:3956
          • C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe
            C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fjgha23_fa.txt
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:908
          • C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe
            C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fjgha23_fa.txt
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:3552

Network

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

3
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Remote System Discovery

1
T1018

Collection

Data from Local System

3
T1005

Command and Control

Web Service

1
T1102

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\InetCookies\Q8HV4IM7.cookie
  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat
  • C:\Users\Admin\AppData\Local\Temp\RarSFX1\JOzWR.dat
  • C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
  • C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
  • C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
  • C:\Users\Admin\AppData\Local\Temp\RarSFX1\potato.dat
  • C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe
  • C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe
  • C:\Users\Admin\AppData\Local\Temp\RarSFX2\hjjgaa.exe
    MD5

    7016ff8fcb9d9451139d7a7541512597

    SHA1

    bf20fea9aa80a94531c4c3af8549b3e32bcada77

    SHA256

    97d21bc11812933a88c45cec4bef20e346952fc4a4144c93b19a205d20420a57

    SHA512

    b1ceab00b09c6feb716658e19b3021a8fe2d79ff06888b94376652907931aa67a451bb775ed0fc53fbd661f8b3ecaf98b8304604c1341df4ef21e9feac035e99

  • C:\Users\Admin\AppData\Local\Temp\RarSFX2\hjjgaa.exe
    MD5

    7016ff8fcb9d9451139d7a7541512597

    SHA1

    bf20fea9aa80a94531c4c3af8549b3e32bcada77

    SHA256

    97d21bc11812933a88c45cec4bef20e346952fc4a4144c93b19a205d20420a57

    SHA512

    b1ceab00b09c6feb716658e19b3021a8fe2d79ff06888b94376652907931aa67a451bb775ed0fc53fbd661f8b3ecaf98b8304604c1341df4ef21e9feac035e99

  • C:\Users\Admin\AppData\Local\Temp\RarSFX2\id6.exe
  • C:\Users\Admin\AppData\Local\Temp\RarSFX2\id6.exe
  • C:\Users\Admin\AppData\Local\Temp\RarSFX2\searzar\searzar.exe
    MD5

    5af346c85e6a347401ebd8798035df35

    SHA1

    036e6513eccaee195ba637e85683744a8dce09c0

    SHA256

    e7129b9545ead3dc009bcf40b5368eac467705889478cfac339cfa129631b87d

    SHA512

    117338b32f8610facf930748b4d916bb9cc90dba1c72f2059e52219726d19f8dc6314c46505e80e492104ac7b4e5222419036c8ceb9477da12fc9ce32fbdda77

  • C:\Users\Admin\AppData\Local\Temp\RarSFX2\searzar\searzar.exe
    MD5

    5af346c85e6a347401ebd8798035df35

    SHA1

    036e6513eccaee195ba637e85683744a8dce09c0

    SHA256

    e7129b9545ead3dc009bcf40b5368eac467705889478cfac339cfa129631b87d

    SHA512

    117338b32f8610facf930748b4d916bb9cc90dba1c72f2059e52219726d19f8dc6314c46505e80e492104ac7b4e5222419036c8ceb9477da12fc9ce32fbdda77

  • C:\Users\Admin\AppData\Local\Temp\RarSFX2\whhw.exe
  • C:\Users\Admin\AppData\Local\Temp\RarSFX2\whhw.exe
  • C:\Users\Admin\AppData\Local\Temp\RarSFX3\setup.upx.exe
    MD5

    7d72db8aaceccd5cab82e0f618ce9d81

    SHA1

    c690d1e3a90499ce1b63ee9388dfaec786751e1e

    SHA256

    a8374f4efacd0d4ace4f78a781baf7a1e0913edaceb8feddcb82d07b68a1bcab

    SHA512

    88ff9256d7bfe8d724e42f59be08e51e70244d546ac8ef6466864d2466e52aac5d84acb0ea552168701e5e1d1eceee0696a0e3a40de2d83ab720e0e69de0d6d2

  • C:\Users\Admin\AppData\Local\Temp\RarSFX3\setup.upx.exe
    MD5

    7d72db8aaceccd5cab82e0f618ce9d81

    SHA1

    c690d1e3a90499ce1b63ee9388dfaec786751e1e

    SHA256

    a8374f4efacd0d4ace4f78a781baf7a1e0913edaceb8feddcb82d07b68a1bcab

    SHA512

    88ff9256d7bfe8d724e42f59be08e51e70244d546ac8ef6466864d2466e52aac5d84acb0ea552168701e5e1d1eceee0696a0e3a40de2d83ab720e0e69de0d6d2

  • C:\Users\Admin\AppData\Local\Temp\fjgha23_fa.txt
  • C:\Users\Admin\AppData\Local\Temp\fjgha23_fa.txt
  • C:\Users\Admin\AppData\Local\Temp\fjgha23_fa.txt
  • C:\Users\Admin\AppData\Local\Temp\fjgha23_fa.txt
  • C:\Users\Admin\AppData\Local\Temp\is-U3I3J.tmp\Setup.tmp
  • C:\Users\Admin\AppData\Local\Temp\is-U3I3J.tmp\Setup.tmp
  • C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe
    MD5

    7fee8223d6e4f82d6cd115a28f0b6d58

    SHA1

    1b89c25f25253df23426bd9ff6c9208f1202f58b

    SHA256

    a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

    SHA512

    3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

  • C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe
    MD5

    7fee8223d6e4f82d6cd115a28f0b6d58

    SHA1

    1b89c25f25253df23426bd9ff6c9208f1202f58b

    SHA256

    a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

    SHA512

    3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

  • C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe
    MD5

    4d4c98eca32b14aeb074db34cd0881e4

    SHA1

    92f213d609bba05d41d6941652a88c44936663a4

    SHA256

    4182172a01bdfc08c5cf7e8652f7d9d81858345a770e2b6b507840e4c1c7764f

    SHA512

    959da8bbf6084e802ed366de8d240382b8a5ab2f18bc58881f42ecb7a8ed082d0e078b3ad18dbf90ac0a14cd491b5ac8b00cf1f0a266bdb7ebb8d95c5c71cacf

  • C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe
    MD5

    4d4c98eca32b14aeb074db34cd0881e4

    SHA1

    92f213d609bba05d41d6941652a88c44936663a4

    SHA256

    4182172a01bdfc08c5cf7e8652f7d9d81858345a770e2b6b507840e4c1c7764f

    SHA512

    959da8bbf6084e802ed366de8d240382b8a5ab2f18bc58881f42ecb7a8ed082d0e078b3ad18dbf90ac0a14cd491b5ac8b00cf1f0a266bdb7ebb8d95c5c71cacf

  • C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe
    MD5

    4d4c98eca32b14aeb074db34cd0881e4

    SHA1

    92f213d609bba05d41d6941652a88c44936663a4

    SHA256

    4182172a01bdfc08c5cf7e8652f7d9d81858345a770e2b6b507840e4c1c7764f

    SHA512

    959da8bbf6084e802ed366de8d240382b8a5ab2f18bc58881f42ecb7a8ed082d0e078b3ad18dbf90ac0a14cd491b5ac8b00cf1f0a266bdb7ebb8d95c5c71cacf

  • C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe
    MD5

    4d4c98eca32b14aeb074db34cd0881e4

    SHA1

    92f213d609bba05d41d6941652a88c44936663a4

    SHA256

    4182172a01bdfc08c5cf7e8652f7d9d81858345a770e2b6b507840e4c1c7764f

    SHA512

    959da8bbf6084e802ed366de8d240382b8a5ab2f18bc58881f42ecb7a8ed082d0e078b3ad18dbf90ac0a14cd491b5ac8b00cf1f0a266bdb7ebb8d95c5c71cacf

  • C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe
    MD5

    4d4c98eca32b14aeb074db34cd0881e4

    SHA1

    92f213d609bba05d41d6941652a88c44936663a4

    SHA256

    4182172a01bdfc08c5cf7e8652f7d9d81858345a770e2b6b507840e4c1c7764f

    SHA512

    959da8bbf6084e802ed366de8d240382b8a5ab2f18bc58881f42ecb7a8ed082d0e078b3ad18dbf90ac0a14cd491b5ac8b00cf1f0a266bdb7ebb8d95c5c71cacf

  • C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe
    MD5

    4d4c98eca32b14aeb074db34cd0881e4

    SHA1

    92f213d609bba05d41d6941652a88c44936663a4

    SHA256

    4182172a01bdfc08c5cf7e8652f7d9d81858345a770e2b6b507840e4c1c7764f

    SHA512

    959da8bbf6084e802ed366de8d240382b8a5ab2f18bc58881f42ecb7a8ed082d0e078b3ad18dbf90ac0a14cd491b5ac8b00cf1f0a266bdb7ebb8d95c5c71cacf

  • memory/8-23-0x0000000000400000-0x0000000000983000-memory.dmp
    Filesize

    5.5MB

  • memory/8-29-0x0000000000400000-0x0000000000983000-memory.dmp
    Filesize

    5.5MB

  • memory/8-24-0x000000000066C0BC-mapping.dmp
  • memory/908-58-0x0000000000000000-mapping.dmp
  • memory/912-30-0x0000000000000000-mapping.dmp
  • memory/1004-16-0x0000000000000000-mapping.dmp
  • memory/1028-38-0x0000000000000000-mapping.dmp
  • memory/1140-47-0x0000000000000000-mapping.dmp
  • memory/1828-20-0x0000000000000000-mapping.dmp
  • memory/1836-26-0x0000000000000000-mapping.dmp
  • memory/2100-6-0x0000000000000000-mapping.dmp
  • memory/2100-7-0x0000000000000000-mapping.dmp
  • memory/2148-10-0x0000000000000000-mapping.dmp
  • memory/2156-50-0x0000000000000000-mapping.dmp
  • memory/2236-36-0x0000000010000000-0x00000000100E3000-memory.dmp
    Filesize

    908KB

  • memory/2236-32-0x0000000000000000-mapping.dmp
  • memory/2320-44-0x0000000000000000-mapping.dmp
  • memory/3276-11-0x0000000000000000-mapping.dmp
  • memory/3276-12-0x0000000000000000-mapping.dmp
  • memory/3552-62-0x0000000000000000-mapping.dmp
  • memory/3584-0-0x0000000000000000-mapping.dmp
  • memory/3768-41-0x0000000000000000-mapping.dmp
  • memory/3840-15-0x0000000000000000-mapping.dmp
  • memory/3860-31-0x0000000000000000-mapping.dmp
  • memory/3956-54-0x0000000000000000-mapping.dmp
  • memory/4076-4-0x0000000000000000-mapping.dmp
  • memory/4076-2-0x0000000000000000-mapping.dmp