Analysis

  • max time kernel: 146s
  • max time network: 98s
  • platform: windows7_x64
  • resource: win7-20220812-en
  • resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted: 03-12-2022 13:22

General

  • Target: c7d6ddc3ff9d41d85a708410394b3823e3ef7849767ae321c38b79c1b38350ff.exe
  • Size: 314KB
  • MD5: 5bd5425e6e471cc102050fb4158cfed4
  • SHA1: 684132b4b8711b475a3dcf44fb97eb7a1c2d95ef
  • SHA256: c7d6ddc3ff9d41d85a708410394b3823e3ef7849767ae321c38b79c1b38350ff
  • SHA512: 060ec3e6aa10be42eaf23922b52620f683627008692b7b012f676a3bcf6c03bef56b9f21aa434819ebc5ae7cf09f4239397518724cb77c9899730ec7e08db72f
  • SSDEEP: 6144:ATOW9JzJa8imtQywYZ1NQSoXo7tA/13X4zC9h6molt8YcFdWbiVkuWZRfT:Kla8dtQyDfoXo7ti13IzC2Pj8YQoiVnW

Malware Config

Signatures

  • Modifies security service (2 TTPs, 1 IoC)
  • Pony, Fareit

    Pony is a Remote Access Trojan application that steals information.

  • Disables taskbar notifications via registry modification
  • Executes dropped EXE (1 IoC)
  • Modifies Installed Components in the registry (2 TTPs, 1 IoC)
  • UPX packed file (4 IoCs)

    Detects executables packed with UPX/modified UPX open source packer.

  • Loads dropped DLL (2 IoCs)
  • Reads data files stored by FTP clients (2 TTPs)

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Checks installed software on the system (1 TTP)

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory (3 IoCs)
  • Modifies registry class (5 IoCs)
  • Suspicious behavior: EnumeratesProcesses (14 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (19 IoCs)
  • Suspicious use of FindShellTrayWindow (25 IoCs)
  • Suspicious use of SendNotifyMessage (16 IoCs)
  • Suspicious use of WriteProcessMemory (12 IoCs)
  • System policy modification (1 TTP, 2 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\c7d6ddc3ff9d41d85a708410394b3823e3ef7849767ae321c38b79c1b38350ff.exe (depth 1, PID 1488)
    Command line: "C:\Users\Admin\AppData\Local\Temp\c7d6ddc3ff9d41d85a708410394b3823e3ef7849767ae321c38b79c1b38350ff.exe"
    • Modifies security service
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification

    • C:\Users\Admin\AppData\Local\Temp\c7d6ddc3ff9d41d85a708410394b3823e3ef7849767ae321c38b79c1b38350ff.exe (depth 2, PID 1076)
      Command line: C:\Users\Admin\AppData\Local\Temp\c7d6ddc3ff9d41d85a708410394b3823e3ef7849767ae321c38b79c1b38350ff.exe startC:\Users\Admin\AppData\Roaming\C3A77\C7EA5.exe%C:\Users\Admin\AppData\Roaming\C3A77

    • C:\Program Files (x86)\LP\A51C\D7CA.tmp (depth 2, PID 1856)
      Command line: "C:\Program Files (x86)\LP\A51C\D7CA.tmp"
      • Executes dropped EXE

    • C:\Users\Admin\AppData\Local\Temp\c7d6ddc3ff9d41d85a708410394b3823e3ef7849767ae321c38b79c1b38350ff.exe (depth 2, PID 1448)
      Command line: C:\Users\Admin\AppData\Local\Temp\c7d6ddc3ff9d41d85a708410394b3823e3ef7849767ae321c38b79c1b38350ff.exe startC:\Program Files (x86)\771CD\lvvm.exe%C:\Program Files (x86)\771CD

  • C:\Windows\system32\msiexec.exe (depth 1, PID 1816)
    Command line: C:\Windows\system32\msiexec.exe /V
    • Suspicious use of AdjustPrivilegeToken

  • C:\Windows\explorer.exe (depth 1, PID 580)
    Command line: explorer.exe
    • Modifies Installed Components in the registry
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage

  • C:\Windows\system32\AUDIODG.EXE (depth 1, PID 1084)
    Command line: C:\Windows\system32\AUDIODG.EXE 0x5a0
    • Suspicious use of AdjustPrivilegeToken

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Program Files (x86)\LP\A51C\D7CA.tmp
    Filesize: 107KB
    MD5: e7cab4aa4304bfbc54b9723fca9bd57a
    SHA1: 19d2cc42fd30ab58a8e03569777f4a9ef8fd531d
    SHA256: 0624d004147b8549387ff54f23f50b84096b94671caa471bae5fb138ee23daff
    SHA512: 518e32b0cbbe185fdc284195c44559fff73ab0b013efcf8f413ef63cc653f7fcba839d29edcb6034c63b6c7204d2bce3329a7146b6a0b013b063852d4b2a10c2

  • \Program Files (x86)\LP\A51C\D7CA.tmp
    Filesize: 107KB
    MD5: e7cab4aa4304bfbc54b9723fca9bd57a
    SHA1: 19d2cc42fd30ab58a8e03569777f4a9ef8fd531d
    SHA256: 0624d004147b8549387ff54f23f50b84096b94671caa471bae5fb138ee23daff
    SHA512: 518e32b0cbbe185fdc284195c44559fff73ab0b013efcf8f413ef63cc653f7fcba839d29edcb6034c63b6c7204d2bce3329a7146b6a0b013b063852d4b2a10c2

  • memory/1076-67-0x0000000000400000-0x000000000046C000-memory.dmp: 432KB
  • memory/1076-66-0x0000000000521000-0x000000000053A000-memory.dmp: 100KB
  • memory/1448-79-0x0000000000531000-0x000000000054A000-memory.dmp: 100KB
  • memory/1448-80-0x0000000000400000-0x000000000046C000-memory.dmp: 432KB
  • memory/1488-57-0x0000000000400000-0x000000000046C000-memory.dmp: 432KB
  • memory/1488-63-0x0000000000400000-0x000000000046C000-memory.dmp: 432KB
  • memory/1488-56-0x0000000000911000-0x000000000092A000-memory.dmp: 100KB
  • memory/1488-58-0x0000000000911000-0x000000000092A000-memory.dmp: 100KB
  • memory/1488-55-0x0000000000400000-0x000000000046C000-memory.dmp: 432KB
  • memory/1488-54-0x0000000076681000-0x0000000076683000-memory.dmp: 8KB
  • memory/1488-64-0x0000000000911000-0x000000000092A000-memory.dmp: 100KB
  • memory/1816-59-0x000007FEFC431000-0x000007FEFC433000-memory.dmp: 8KB
  • memory/1856-78-0x0000000000571000-0x000000000057E000-memory.dmp: 52KB
  • memory/1856-77-0x0000000000400000-0x000000000041D000-memory.dmp: 116KB
  • memory/1856-76-0x0000000000571000-0x000000000057E000-memory.dmp: 52KB
  • memory/1856-81-0x0000000000400000-0x000000000041D000-memory.dmp: 116KB
  • memory/1856-82-0x0000000000571000-0x000000000057E000-memory.dmp: 52KB