Analysis
-
max time kernel
151s -
max time network
98s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
03-12-2022 05:10
General
-
Target
8232986c3f067405c22d5d7261f1fa580b7f92318c80548f3ec1c45b81184c2e.exe
-
Size
281KB
-
MD5
b833a680dc92b5557636a11420260931
-
SHA1
58c331db46e482b363af563a86d33234f8262573
-
SHA256
8232986c3f067405c22d5d7261f1fa580b7f92318c80548f3ec1c45b81184c2e
-
SHA512
f77a7ff20eb81f3afc5952fc21b834144adba10094b2587dccd84259338545d287ba6aebbd0836873a416c24f553f929eb37b5b605ae03cabf733c1a8426b4a8
-
SSDEEP
6144:2rIt8COnuagl3h/KZVLi9adKAjgta1Bc2jA1TFdPYT:uNuaMcow1gKFyTP8
Malware Config
Signatures
-
Modifies security service 2 TTPs 1 IoCs
-
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
-
Disables taskbar notifications via registry modification
-
Executes dropped EXE 1 IoCs
-
Modifies Installed Components in the registry 2 TTPs 1 IoCs
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Loads dropped DLL 2 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 4 IoCs
-
Modifies registry class 5 IoCs
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 19 IoCs
-
Suspicious use of FindShellTrayWindow 25 IoCs
-
Suspicious use of SendNotifyMessage 17 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\8232986c3f067405c22d5d7261f1fa580b7f92318c80548f3ec1c45b81184c2e.exe"C:\Users\Admin\AppData\Local\Temp\8232986c3f067405c22d5d7261f1fa580b7f92318c80548f3ec1c45b81184c2e.exe"1⤵
- Modifies security service
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\8232986c3f067405c22d5d7261f1fa580b7f92318c80548f3ec1c45b81184c2e.exeC:\Users\Admin\AppData\Local\Temp\8232986c3f067405c22d5d7261f1fa580b7f92318c80548f3ec1c45b81184c2e.exe startC:\Users\Admin\AppData\Roaming\58A3D\FCC7C.exe%C:\Users\Admin\AppData\Roaming\58A3D2⤵
-
C:\Program Files (x86)\LP\7C75\8B8E.tmp"C:\Program Files (x86)\LP\7C75\8B8E.tmp"2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\8232986c3f067405c22d5d7261f1fa580b7f92318c80548f3ec1c45b81184c2e.exeC:\Users\Admin\AppData\Local\Temp\8232986c3f067405c22d5d7261f1fa580b7f92318c80548f3ec1c45b81184c2e.exe startC:\Program Files (x86)\3D98E\lvvm.exe%C:\Program Files (x86)\3D98E2⤵
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x5581⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\LP\7C75\8B8E.tmpFilesize
100KB
MD5cebf9d7ad1c7bdf8bf16323c6407a8f6
SHA157b9394fb956f64edd375fd4a2a1a744e3d0fe60
SHA256a66bc0c217371b5b06cbc8bd4acc115412a55661a8ef477ae65da84b5c3dbcb0
SHA512ca386c52e28353c72b410477607c43c95a0e484f748bb792aa4fe25e011fcb4e8c2a141039845223d0ad6ce6c2e0d24f6977076816eb5572eb222324d9c62461
-
\Program Files (x86)\LP\7C75\8B8E.tmpFilesize
100KB
MD5cebf9d7ad1c7bdf8bf16323c6407a8f6
SHA157b9394fb956f64edd375fd4a2a1a744e3d0fe60
SHA256a66bc0c217371b5b06cbc8bd4acc115412a55661a8ef477ae65da84b5c3dbcb0
SHA512ca386c52e28353c72b410477607c43c95a0e484f748bb792aa4fe25e011fcb4e8c2a141039845223d0ad6ce6c2e0d24f6977076816eb5572eb222324d9c62461
-
\Program Files (x86)\LP\7C75\8B8E.tmpFilesize
100KB
MD5cebf9d7ad1c7bdf8bf16323c6407a8f6
SHA157b9394fb956f64edd375fd4a2a1a744e3d0fe60
SHA256a66bc0c217371b5b06cbc8bd4acc115412a55661a8ef477ae65da84b5c3dbcb0
SHA512ca386c52e28353c72b410477607c43c95a0e484f748bb792aa4fe25e011fcb4e8c2a141039845223d0ad6ce6c2e0d24f6977076816eb5572eb222324d9c62461
-
memory/928-62-0x00000000006A0000-0x00000000006E7000-memory.dmpFilesize
284KB
-
memory/928-63-0x0000000000400000-0x000000000046B000-memory.dmpFilesize
428KB
-
memory/928-60-0x0000000000000000-mapping.dmp
-
memory/1196-58-0x0000000000970000-0x00000000009B7000-memory.dmpFilesize
284KB
-
memory/1196-54-0x0000000075D01000-0x0000000075D03000-memory.dmpFilesize
8KB
-
memory/1196-56-0x0000000000400000-0x000000000046B000-memory.dmpFilesize
428KB
-
memory/1196-55-0x0000000000970000-0x00000000009B7000-memory.dmpFilesize
284KB
-
memory/1568-66-0x0000000000000000-mapping.dmp
-
memory/1568-69-0x0000000000400000-0x000000000041C000-memory.dmpFilesize
112KB
-
memory/1568-70-0x00000000002B1000-0x00000000002C0000-memory.dmpFilesize
60KB
-
memory/1568-73-0x0000000000400000-0x000000000041C000-memory.dmpFilesize
112KB
-
memory/1568-74-0x00000000002B1000-0x00000000002C0000-memory.dmpFilesize
60KB
-
memory/1596-71-0x0000000000000000-mapping.dmp
-
memory/1596-76-0x0000000000400000-0x000000000046B000-memory.dmpFilesize
428KB
-
memory/1596-75-0x0000000000630000-0x0000000000677000-memory.dmpFilesize
284KB
-
memory/2000-57-0x000007FEFC161000-0x000007FEFC163000-memory.dmpFilesize
8KB