Overview

overview

10

Static

static

02b316fe5d...ad.exe

windows7-x64

10

02b316fe5d...ad.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    116s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    11/10/2022, 08:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    02b316fe5ddc0694c25e19d20965ac6b628220e157e5d991f323d5375cafb1ad.exe

  • Size

    280KB

  • MD5

    6299c9384311ae7e821778b412d3f034

  • SHA1

    41f42df825d791c9d31399c38b905a7efd9a1c3f

  • SHA256

    02b316fe5ddc0694c25e19d20965ac6b628220e157e5d991f323d5375cafb1ad

  • SHA512

    948d448fc5a8d1c416981b0e2ff55d295160b255a06c6cc769eed6de2113cefdfb62ca27d6fbd61a5b1307a895bd6f74758f58fb58fe2611942461c297ff3d22

  • SSDEEP

    6144:FUqlft6xu7cfp2z2Psiuwp2tDEo0hK1fz/+pj9hBjExO:FUqNtNwf+i+DEfK1zcDBjE8

Score
10/10
ponydiscoveryevasionpersistenceratspywarestealerupx

Malware Config

Signatures

  • Modifies security service 2 TTPs 1 IoCs
    evasion
  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

    ratspywarestealerpony
  • Disables taskbar notifications via registry modification
    evasion
  • Executes dropped EXE 1 IoCs
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 3 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 19 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 17 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\02b316fe5ddc0694c25e19d20965ac6b628220e157e5d991f323d5375cafb1ad.exe
    "C:\Users\Admin\AppData\Local\Temp\02b316fe5ddc0694c25e19d20965ac6b628220e157e5d991f323d5375cafb1ad.exe"
    1⤵
    • Modifies security service
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1916
    • C:\Users\Admin\AppData\Local\Temp\02b316fe5ddc0694c25e19d20965ac6b628220e157e5d991f323d5375cafb1ad.exe
      C:\Users\Admin\AppData\Local\Temp\02b316fe5ddc0694c25e19d20965ac6b628220e157e5d991f323d5375cafb1ad.exe startC:\Users\Admin\AppData\Roaming\9B7C9\E8D01.exe%C:\Users\Admin\AppData\Roaming\9B7C9
      2⤵
        PID:1092
      • C:\Program Files (x86)\LP\0159\AB0F.tmp
        "C:\Program Files (x86)\LP\0159\AB0F.tmp"
        2⤵
        • Executes dropped EXE
        PID:1108
      • C:\Users\Admin\AppData\Local\Temp\02b316fe5ddc0694c25e19d20965ac6b628220e157e5d991f323d5375cafb1ad.exe
        C:\Users\Admin\AppData\Local\Temp\02b316fe5ddc0694c25e19d20965ac6b628220e157e5d991f323d5375cafb1ad.exe startC:\Program Files (x86)\C9B1B\lvvm.exe%C:\Program Files (x86)\C9B1B
        2⤵
          PID:1604
      • C:\Windows\system32\msiexec.exe
        C:\Windows\system32\msiexec.exe /V
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1596
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Modifies Installed Components in the registry
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1592
      • C:\Windows\system32\AUDIODG.EXE
        C:\Windows\system32\AUDIODG.EXE 0x550
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1772

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\LP\0159\AB0F.tmp
        Filesize

        99KB

        MD5

        ed2bad1e6970c4aede88be76b11c9250

        SHA1

        74a9b54a7b24414b3035c5e7cdb3d89393e785d3

        SHA256

        8d766352dd398f94f5e3ead77d5b5ffffb8e605b066c47086020f8f8400ccdae

        SHA512

        ffbf62a08a1112be48d39d36abee306b7ac17186177842a8d7b1253ecadc0827d2d8541b7e35e037c13c6e247670f83a7d73bf5f09ff7f20815678694236bc8f

        Download Submit

      • \Program Files (x86)\LP\0159\AB0F.tmp
        Filesize

        99KB

        MD5

        ed2bad1e6970c4aede88be76b11c9250

        SHA1

        74a9b54a7b24414b3035c5e7cdb3d89393e785d3

        SHA256

        8d766352dd398f94f5e3ead77d5b5ffffb8e605b066c47086020f8f8400ccdae

        SHA512

        ffbf62a08a1112be48d39d36abee306b7ac17186177842a8d7b1253ecadc0827d2d8541b7e35e037c13c6e247670f83a7d73bf5f09ff7f20815678694236bc8f

        Download Submit

      • \Program Files (x86)\LP\0159\AB0F.tmp
        Filesize

        99KB

        MD5

        ed2bad1e6970c4aede88be76b11c9250

        SHA1

        74a9b54a7b24414b3035c5e7cdb3d89393e785d3

        SHA256

        8d766352dd398f94f5e3ead77d5b5ffffb8e605b066c47086020f8f8400ccdae

        SHA512

        ffbf62a08a1112be48d39d36abee306b7ac17186177842a8d7b1253ecadc0827d2d8541b7e35e037c13c6e247670f83a7d73bf5f09ff7f20815678694236bc8f

        Download Submit

      • memory/1092-62-0x00000000006A5000-0x00000000006EC000-memory.dmp

        Filesize

        284KB

        Download

      • memory/1092-64-0x0000000000400000-0x000000000046B000-memory.dmp

        Filesize

        428KB

        Download

      • memory/1108-74-0x0000000000886000-0x0000000000895000-memory.dmp

        Filesize

        60KB

        Download

      • memory/1108-73-0x0000000000400000-0x000000000041C000-memory.dmp

        Filesize

        112KB

        Download

      • memory/1108-71-0x0000000000886000-0x0000000000895000-memory.dmp

        Filesize

        60KB

        Download

      • memory/1108-70-0x0000000000400000-0x000000000041C000-memory.dmp

        Filesize

        112KB

        Download

      • memory/1596-58-0x000007FEFB901000-0x000007FEFB903000-memory.dmp

        Filesize

        8KB

        Download

      • memory/1604-75-0x00000000005E5000-0x000000000062C000-memory.dmp

        Filesize

        284KB

        Download

      • memory/1604-77-0x0000000000400000-0x000000000046B000-memory.dmp

        Filesize

        428KB

        Download

      • memory/1916-59-0x0000000000400000-0x000000000046B000-memory.dmp

        Filesize

        428KB

        Download

      • memory/1916-57-0x00000000006E5000-0x000000000072C000-memory.dmp

        Filesize

        284KB

        Download

      • memory/1916-54-0x00000000006E5000-0x000000000072C000-memory.dmp

        Filesize

        284KB

        Download

      • memory/1916-56-0x0000000000400000-0x000000000046B000-memory.dmp

        Filesize

        428KB

        Download

      • memory/1916-55-0x0000000075C51000-0x0000000075C53000-memory.dmp

        Filesize

        8KB

        Download