Overview

overview

10

Static

static

ddbd836477...58.exe

windows7-x64

10

ddbd836477...58.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    99s
  • max time network
    106s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    03/12/2022, 17:54

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    ddbd836477e90bee0cd2313f241982ab02cfb2532054d8ea1a047cb30d600958.exe

  • Size

    286KB

  • MD5

    53498dc18399969e72d822725a51de4f

  • SHA1

    66d13cb69a88262c70250a61cdff34efa9d97c92

  • SHA256

    ddbd836477e90bee0cd2313f241982ab02cfb2532054d8ea1a047cb30d600958

  • SHA512

    be6e5fc813b9a2af3cdc3fe08b4c77a96fff8b661a564ba7b06f64d3f7a4b3a009b2653492273c9b3a0e1ab0709f618578f0350279084982be6001192e3b2e14

  • SSDEEP

    6144:og1Ounb2ejB/7oTsjW6rN0Ubg67IlQOPscRueRnqn7:ljVBEAjWseTRnq

Score
10/10
ponydiscoveryevasionpersistenceratspywarestealerupx

Malware Config

Signatures

  • Modifies security service 2 TTPs 1 IoCs
    evasion
  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

    ratspywarestealerpony
  • Disables taskbar notifications via registry modification
    evasion
  • Executes dropped EXE 1 IoCs
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 3 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 19 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 17 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\ddbd836477e90bee0cd2313f241982ab02cfb2532054d8ea1a047cb30d600958.exe
    "C:\Users\Admin\AppData\Local\Temp\ddbd836477e90bee0cd2313f241982ab02cfb2532054d8ea1a047cb30d600958.exe"
    1⤵
    • Modifies security service
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1416
    • C:\Users\Admin\AppData\Local\Temp\ddbd836477e90bee0cd2313f241982ab02cfb2532054d8ea1a047cb30d600958.exe
      C:\Users\Admin\AppData\Local\Temp\ddbd836477e90bee0cd2313f241982ab02cfb2532054d8ea1a047cb30d600958.exe startC:\Users\Admin\AppData\Roaming\E3E62\72B3C.exe%C:\Users\Admin\AppData\Roaming\E3E62
      2⤵
        PID:1852
      • C:\Program Files (x86)\LP\3C7E\ECA1.tmp
        "C:\Program Files (x86)\LP\3C7E\ECA1.tmp"
        2⤵
        • Executes dropped EXE
        PID:828
      • C:\Users\Admin\AppData\Local\Temp\ddbd836477e90bee0cd2313f241982ab02cfb2532054d8ea1a047cb30d600958.exe
        C:\Users\Admin\AppData\Local\Temp\ddbd836477e90bee0cd2313f241982ab02cfb2532054d8ea1a047cb30d600958.exe startC:\Program Files (x86)\62E93\lvvm.exe%C:\Program Files (x86)\62E93
        2⤵
          PID:1016
      • C:\Windows\system32\msiexec.exe
        C:\Windows\system32\msiexec.exe /V
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:852
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Modifies Installed Components in the registry
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1472
      • C:\Windows\system32\AUDIODG.EXE
        C:\Windows\system32\AUDIODG.EXE 0x5a4
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1884

      Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Program Files (x86)\LP\3C7E\ECA1.tmp
              Filesize

              102KB

              MD5

              cb16a66b993b390f22b1d27172b1c6c4

              SHA1

              b1ca81cf610806db8c6b9c3e438bec6dbe322237

              SHA256

              313e3e8871c869a745b1d116e6b8361610690f209fb28498553bada6dac4010a

              SHA512

              a776c7ca7c1a58a5e10c6f926d470b0a725eac07a9e9281f3c6901d32eecc3a19105c7a463972613150d794c64bdef04da29cf0e573367f2c0a92938c36366f8

              Download Submit

            • \Program Files (x86)\LP\3C7E\ECA1.tmp
              Filesize

              102KB

              MD5

              cb16a66b993b390f22b1d27172b1c6c4

              SHA1

              b1ca81cf610806db8c6b9c3e438bec6dbe322237

              SHA256

              313e3e8871c869a745b1d116e6b8361610690f209fb28498553bada6dac4010a

              SHA512

              a776c7ca7c1a58a5e10c6f926d470b0a725eac07a9e9281f3c6901d32eecc3a19105c7a463972613150d794c64bdef04da29cf0e573367f2c0a92938c36366f8

              Download Submit

            • \Program Files (x86)\LP\3C7E\ECA1.tmp
              Filesize

              102KB

              MD5

              cb16a66b993b390f22b1d27172b1c6c4

              SHA1

              b1ca81cf610806db8c6b9c3e438bec6dbe322237

              SHA256

              313e3e8871c869a745b1d116e6b8361610690f209fb28498553bada6dac4010a

              SHA512

              a776c7ca7c1a58a5e10c6f926d470b0a725eac07a9e9281f3c6901d32eecc3a19105c7a463972613150d794c64bdef04da29cf0e573367f2c0a92938c36366f8

              Download Submit

            • memory/828-78-0x00000000002CF000-0x00000000002DF000-memory.dmp

              Filesize

              64KB

              Download

            • memory/828-77-0x0000000000400000-0x000000000041D000-memory.dmp

              Filesize

              116KB

              Download

            • memory/828-74-0x00000000002CF000-0x00000000002DF000-memory.dmp

              Filesize

              64KB

              Download

            • memory/828-73-0x0000000000400000-0x000000000041D000-memory.dmp

              Filesize

              116KB

              Download

            • memory/852-59-0x000007FEFB9F1000-0x000007FEFB9F3000-memory.dmp

              Filesize

              8KB

              Download

            • memory/1016-80-0x000000000026F000-0x00000000002B6000-memory.dmp

              Filesize

              284KB

              Download

            • memory/1016-79-0x0000000000400000-0x000000000046C000-memory.dmp

              Filesize

              432KB

              Download

            • memory/1416-54-0x0000000075E81000-0x0000000075E83000-memory.dmp

              Filesize

              8KB

              Download

            • memory/1416-58-0x00000000004FF000-0x0000000000546000-memory.dmp

              Filesize

              284KB

              Download

            • memory/1416-57-0x0000000000400000-0x000000000046C000-memory.dmp

              Filesize

              432KB

              Download

            • memory/1416-56-0x00000000004FF000-0x0000000000546000-memory.dmp

              Filesize

              284KB

              Download

            • memory/1416-55-0x0000000000400000-0x000000000046C000-memory.dmp

              Filesize

              432KB

              Download

            • memory/1472-63-0x000007FEF5770000-0x000007FEF58B3000-memory.dmp

              Filesize

              1.3MB

              Download

            • memory/1472-64-0x000007FEBA500000-0x000007FEBA50A000-memory.dmp

              Filesize

              40KB

              Download

            • memory/1852-65-0x0000000000400000-0x000000000046C000-memory.dmp

              Filesize

              432KB

              Download

            • memory/1852-67-0x000000000059F000-0x00000000005E6000-memory.dmp

              Filesize

              284KB

              Download

            • memory/1852-66-0x000000000059F000-0x00000000005E6000-memory.dmp

              Filesize

              284KB

              Download