Analysis
-
max time kernel
242s -
max time network
339s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
-
submitted
03-12-2022 04:55
General
-
Target
cafefec8ed6188e21296fce53d063f379c440bdc03bb42762201b4a59fddf7f7.exe
-
Size
261KB
-
MD5
778a6f4af0527cedc433b5eabbf7309e
-
SHA1
2e281d4acf954032382869d63f8a0423a79ace8d
-
SHA256
cafefec8ed6188e21296fce53d063f379c440bdc03bb42762201b4a59fddf7f7
-
SHA512
c591da7c09edff591bf831dff04850935fec2ccbec2392a01d7bc230f7f5c3a8a5719e0e5da1d9c2511fccaa08a58425954d8959382e58c9e5862a69f6d7a7f4
-
SSDEEP
6144:8Si2rwbHmDqJ09bq7RbrOVVvy+M4gVwoDW3HbiEwNGNT:8SzwSDqJgsRyvy+VOkwNGN
Malware Config
Signatures
-
Modifies security service 2 TTPs 1 IoCs
-
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
-
Disables taskbar notifications via registry modification
-
Executes dropped EXE 1 IoCs
-
Modifies Installed Components in the registry 2 TTPs 1 IoCs
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Loads dropped DLL 2 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 3 IoCs
-
Modifies registry class 5 IoCs
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 19 IoCs
-
Suspicious use of FindShellTrayWindow 28 IoCs
-
Suspicious use of SendNotifyMessage 22 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\cafefec8ed6188e21296fce53d063f379c440bdc03bb42762201b4a59fddf7f7.exe"C:\Users\Admin\AppData\Local\Temp\cafefec8ed6188e21296fce53d063f379c440bdc03bb42762201b4a59fddf7f7.exe"1⤵
- Modifies security service
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Program Files (x86)\LP\DCE5\931C.tmp"C:\Program Files (x86)\LP\DCE5\931C.tmp"2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\cafefec8ed6188e21296fce53d063f379c440bdc03bb42762201b4a59fddf7f7.exeC:\Users\Admin\AppData\Local\Temp\cafefec8ed6188e21296fce53d063f379c440bdc03bb42762201b4a59fddf7f7.exe startC:\Users\Admin\AppData\Roaming\56360\1D6DC.exe%C:\Users\Admin\AppData\Roaming\563602⤵
-
C:\Users\Admin\AppData\Local\Temp\cafefec8ed6188e21296fce53d063f379c440bdc03bb42762201b4a59fddf7f7.exeC:\Users\Admin\AppData\Local\Temp\cafefec8ed6188e21296fce53d063f379c440bdc03bb42762201b4a59fddf7f7.exe startC:\Program Files (x86)\60C31\lvvm.exe%C:\Program Files (x86)\60C312⤵
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x5941⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\LP\DCE5\931C.tmpFilesize
94KB
MD5cfa7a6d662be5be703e426c1e849965f
SHA1aada98710adee405ef485dd2baf5bcceea1ca0ee
SHA25668144a7cd9379fcbf8872e7590903ea7b7054565792983e6728aeb18144f2cf3
SHA512233aadbfc65440c6fa2997a04c385200df16c97ff2d09c8b534f115b67834053e694d9b38e31fdb31ed7a4b84c1aac2795d7da107334467f2d310ab3e7571f9e
-
\Program Files (x86)\LP\DCE5\931C.tmpFilesize
94KB
MD5cfa7a6d662be5be703e426c1e849965f
SHA1aada98710adee405ef485dd2baf5bcceea1ca0ee
SHA25668144a7cd9379fcbf8872e7590903ea7b7054565792983e6728aeb18144f2cf3
SHA512233aadbfc65440c6fa2997a04c385200df16c97ff2d09c8b534f115b67834053e694d9b38e31fdb31ed7a4b84c1aac2795d7da107334467f2d310ab3e7571f9e
-
\Program Files (x86)\LP\DCE5\931C.tmpFilesize
94KB
MD5cfa7a6d662be5be703e426c1e849965f
SHA1aada98710adee405ef485dd2baf5bcceea1ca0ee
SHA25668144a7cd9379fcbf8872e7590903ea7b7054565792983e6728aeb18144f2cf3
SHA512233aadbfc65440c6fa2997a04c385200df16c97ff2d09c8b534f115b67834053e694d9b38e31fdb31ed7a4b84c1aac2795d7da107334467f2d310ab3e7571f9e
-
memory/576-55-0x00000000006AB000-0x00000000006F3000-memory.dmpFilesize
288KB
-
memory/576-56-0x0000000000400000-0x000000000046A000-memory.dmpFilesize
424KB
-
memory/576-57-0x00000000006AB000-0x00000000006F3000-memory.dmpFilesize
288KB
-
memory/576-54-0x00000000763A1000-0x00000000763A3000-memory.dmpFilesize
8KB
-
memory/576-59-0x00000000006AB000-0x00000000006F3000-memory.dmpFilesize
288KB
-
memory/1384-72-0x000000000064B000-0x0000000000693000-memory.dmpFilesize
288KB
-
memory/1384-70-0x0000000000000000-mapping.dmp
-
memory/1384-73-0x0000000000400000-0x000000000046A000-memory.dmpFilesize
424KB
-
memory/1384-74-0x000000000064B000-0x0000000000693000-memory.dmpFilesize
288KB
-
memory/1684-58-0x000007FEFC361000-0x000007FEFC363000-memory.dmpFilesize
8KB
-
memory/1780-75-0x0000000000000000-mapping.dmp
-
memory/1780-77-0x000000000060B000-0x0000000000653000-memory.dmpFilesize
288KB
-
memory/1780-78-0x0000000000400000-0x000000000046A000-memory.dmpFilesize
424KB
-
memory/2044-63-0x0000000000000000-mapping.dmp
-
memory/2044-66-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/2044-67-0x00000000004E1000-0x00000000004EF000-memory.dmpFilesize
56KB
-
memory/2044-68-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/2044-69-0x00000000004E1000-0x00000000004EF000-memory.dmpFilesize
56KB