Analysis

  • max time kernel: 186s
  • max time network: 190s
  • platform: windows10-2004_x64
  • resource: win10v2004-20220812-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 06/11/2022, 08:53

General

  • Target: 551d998878f975d5076d699415c567422671a4183540a5efe1c6d0226fc59320.exe
  • Size: 956KB
  • MD5: 23917db901c6f4fe26b881f826c795ae
  • SHA1: 77685090030ccf8f6b1a507efa4b44b9a96aee41
  • SHA256: 551d998878f975d5076d699415c567422671a4183540a5efe1c6d0226fc59320
  • SHA512: 66d13cbf5f051c824323d03471fe1d965b844d549cf836782af71587016ea2133e3a6bc083eb77b81b9ada5eb7ef19aa6392b7444b7eb15a84124b03c4c28523
  • SSDEEP: 24576:ZZN1jV7yjsjHkEPnJG09PwuecT8atiCtiXl1ryyW:Z3JV70sbm09PwyiaiXex

Malware Config

Signatures

  • Modifies security service (2 TTPs, 1 IoC)
  • Pony, Fareit

    Pony is a Remote Access Trojan application that steals information.

  • Disables taskbar notifications via registry modification
  • Executes dropped EXE (7 IoCs)
  • Modifies Installed Components in the registry (2 TTPs, 1 IoC)
  • UPX packed file (6 IoCs)

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks computer location settings (2 TTPs, 2 IoCs)

    Looks up country code configured in the registry, likely geofence.

  • Reads data files stored by FTP clients (2 TTPs)

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Checks installed software on the system (1 TTP)

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates connected drives (3 TTPs, 1 IoC)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext (1 IoC)
  • Drops file in Program Files directory (3 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) (3 TTPs, 58 IoCs)

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry (2 TTPs, 2 IoCs)
  • Modifies registry class (45 IoCs)
  • Suspicious behavior: EnumeratesProcesses (26 IoCs)
  • Suspicious use of AdjustPrivilegeToken (47 IoCs)
  • Suspicious use of FindShellTrayWindow (53 IoCs)
  • Suspicious use of SendNotifyMessage (24 IoCs)
  • Suspicious use of SetWindowsHookEx (6 IoCs)
  • Suspicious use of WriteProcessMemory (28 IoCs)
  • System policy modification (1 TTP, 2 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\551d998878f975d5076d699415c567422671a4183540a5efe1c6d0226fc59320.exe
    "C:\Users\Admin\AppData\Local\Temp\551d998878f975d5076d699415c567422671a4183540a5efe1c6d0226fc59320.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4476
    • C:\Users\Admin\AppData\Local\Temp\nsy2A2.tmp\C. J. Cherryh - Merovingen 01 - Angel with the Sword.exe
      "C:\Users\Admin\AppData\Local\Temp\nsy2A2.tmp\C. J. Cherryh - Merovingen 01 - Angel with the Sword.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:748
    • C:\Users\Admin\AppData\Local\Temp\nsy2A2.tmp\ic5.exe
      "C:\Users\Admin\AppData\Local\Temp\nsy2A2.tmp\ic5.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3896
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe"
        3⤵
        PID:2836
    • C:\Users\Admin\AppData\Local\Temp\nsy2A2.tmp\2 Gansta.exe
      "C:\Users\Admin\AppData\Local\Temp\nsy2A2.tmp\2 Gansta.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1852
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\nsy2A2.tmp\2GANST~1.EXE > nul
        3⤵
        PID:3848
    • C:\Users\Admin\AppData\Local\Temp\nsy2A2.tmp\3R2R.exe
      "C:\Users\Admin\AppData\Local\Temp\nsy2A2.tmp\3R2R.exe"
      2⤵
      • Modifies security service
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:4628
      • C:\Users\Admin\AppData\Local\Temp\nsy2A2.tmp\3R2R.exe
        C:\Users\Admin\AppData\Local\Temp\nsy2A2.tmp\3R2R.exe startC:\Users\Admin\AppData\Roaming\7B896\57041.exe%C:\Users\Admin\AppData\Roaming\7B896
        3⤵
        • Executes dropped EXE
        PID:4416
      • C:\Program Files (x86)\LP\41D7\82DC.tmp
        "C:\Program Files (x86)\LP\41D7\82DC.tmp"
        3⤵
        • Executes dropped EXE
        PID:3416
      • C:\Users\Admin\AppData\Local\Temp\nsy2A2.tmp\3R2R.exe
        C:\Users\Admin\AppData\Local\Temp\nsy2A2.tmp\3R2R.exe startC:\Program Files (x86)\967AA\lvvm.exe%C:\Program Files (x86)\967AA
        3⤵
        • Executes dropped EXE
        PID:3448
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4468
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:768
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4668
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Enumerates system info in registry
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4872

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Program Files (x86)\LP\41D7\82DC.tmp
    Filesize: 96KB
    MD5: ba4818120b8c3c87a4437450f5968ea5
    SHA1: d6e47a0c2b2bd8abef58f8d17d1883fc712e4301
    SHA256: 59d73ca73fa8bbec1bbcd19299ed082eb7a1f8f2c5343a498420a08f25bb8be9
    SHA512: 0c5e85d700f097a4dd299fc18019037bce4abcace311420bcc8011fc94ff247680112ce59fd0a1b9095aa988262c0ef5b1c903686fb864bd85e162a473599558

  • C:\Users\Admin\AppData\Local\Temp\nsy2A2.tmp\2 Gansta.exe
    Filesize: 6KB
    MD5: bee76c79e2e63e198038e01f0d571038
    SHA1: fcffdd6bb030f516a46e9d303ebae2ab33af222e
    SHA256: 50a3c7134460bfe5f2840bd8dc957edfaa76da5beaaff70f8da5e0fef80ae876
    SHA512: dd2e9488ad365c02722e1a2466acffb8beaf4dbb68d7093e01c50cd915418ca0642cb6bdd43f2f2b014455803f3c69dec24ca9dfee11bdf7790379181cd2f6f9

  • C:\Users\Admin\AppData\Local\Temp\nsy2A2.tmp\3R2R.exe
    Filesize: 268KB
    MD5: 8950bca822967c72154e56665ba6f7f2
    SHA1: 27b8fa27459b32d3e7036a12dfa491ed08830ae7
    SHA256: 7bd9c2658c5bbc607001260297b4af162867658ffd5193852f06cf0129f7b2fb
    SHA512: 3d0dbe3eaa770fc9f94d88d6c7086cb5c7c12265f8d24751d320c53ad60bf3ebaf339d4bd70bd35c8db6edfaf803a6dda575348029e3e30f8cc3d96944d2b400

  • C:\Users\Admin\AppData\Local\Temp\nsy2A2.tmp\C. J. Cherryh - Merovingen 01 - Angel with the Sword.exe
    Filesize: 556KB
    MD5: 6b3199b62fe5bc52b6242b2cbbb8bac7
    SHA1: 0523ec8ef1e31124b5e08548a7bbd1c5688f26d7
    SHA256: 319e45e7490d0d7902ae19bb2f7a631f37acb44a3b7ed628e45b20a58fa33dec
    SHA512: 093e16c4b672764e3a05fd6fc623cfc58038d13c917a3de75dcbe17738c8bf497e7de42e9305588f6dd407d102e3d448eeafd5839450db294278cc44225d317e

  • C:\Users\Admin\AppData\Local\Temp\nsy2A2.tmp\ic5.exe
    Filesize: 173KB
    MD5: 980766e1e89558b2436426afb9003b8c
    SHA1: 32f6d2f732017c229cc6e4fa7e0283be12121e48
    SHA256: 08e520a04bc207235d74ea6d39b76cda6b3b909d34f6ba29f914fc5eec03d83e
    SHA512: e1ef2fb334171db6044d2a290f7c4d6feb71d1a4cb9ee7211d740311187507987b9926e8180f17806497a6ff744ff4bad898efb6ea3085fd8a08c9f8f422bd40

  • memory/1852-147-0x0000000000400000-0x000000000040A000-memory.dmp
    Filesize: 40KB

  • memory/3416-163-0x0000000000761000-0x0000000000770000-memory.dmp
    Filesize: 60KB

  • memory/3416-162-0x0000000000761000-0x0000000000770000-memory.dmp
    Filesize: 60KB

  • memory/3416-161-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize: 108KB

  • memory/3448-175-0x00000000006B1000-0x00000000006F8000-memory.dmp
    Filesize: 284KB

  • memory/3448-176-0x0000000000400000-0x000000000046B000-memory.dmp
    Filesize: 428KB

  • memory/3896-146-0x0000000002160000-0x0000000002189000-memory.dmp
    Filesize: 164KB

  • memory/3896-152-0x0000000000400000-0x000000000042D000-memory.dmp
    Filesize: 180KB

  • memory/3896-145-0x0000000000400000-0x000000000042D000-memory.dmp
    Filesize: 180KB

  • memory/4416-157-0x0000000000400000-0x000000000046B000-memory.dmp
    Filesize: 428KB

  • memory/4416-156-0x0000000000511000-0x0000000000558000-memory.dmp
    Filesize: 284KB

  • memory/4628-148-0x0000000000400000-0x000000000046B000-memory.dmp
    Filesize: 428KB

  • memory/4628-149-0x000000000076B000-0x00000000007B2000-memory.dmp
    Filesize: 284KB

  • memory/4628-144-0x000000000076B000-0x00000000007B2000-memory.dmp
    Filesize: 284KB

  • memory/4628-153-0x000000000076B000-0x00000000007B2000-memory.dmp
    Filesize: 284KB

  • memory/4872-177-0x000001FDD7288000-0x000001FDD7290000-memory.dmp
    Filesize: 32KB

  • memory/4872-179-0x000001FDDB9E0000-0x000001FDDBA00000-memory.dmp
    Filesize: 128KB

  • memory/4872-181-0x000001FDDB940000-0x000001FDDB960000-memory.dmp
    Filesize: 128KB