Analysis

  • max time kernel: 138s
  • max time network: 107s
  • platform: windows7_x64
  • resource: win7-20220812-en
  • resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted: 05/12/2022, 06:27

General

  • Target: dd4b45c1b0ee3f206d51af2126c969898d4de0e1b26c48fe806f029fb240222c.exe
  • Size: 271KB
  • MD5: bc4ff72f3d2b0b4e32f5e8bb6edd7d48
  • SHA1: 3ce85a9c9b54f457453c5c6941ffb119ee32a27b
  • SHA256: dd4b45c1b0ee3f206d51af2126c969898d4de0e1b26c48fe806f029fb240222c
  • SHA512: 9af3c6cee8d69b4e086246c6718e6d4168623aca57110b40ea4bc5406ecbe0a05289ed4d8010b9652ee067ed557dde4e3ff23452a7a32125c2571da06fe9bad2
  • SSDEEP: 6144:6l9V4vSvJKYM6qCs91Se9LiCOb9Id1Sn:6loaRKYZqwIERp

Malware Config

Signatures

  • Modifies security service 2 TTPs 1 IoCs
  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

  • Disables taskbar notifications via registry modification
  • Executes dropped EXE 1 IoCs
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 19 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 17 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • System policy modification 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dd4b45c1b0ee3f206d51af2126c969898d4de0e1b26c48fe806f029fb240222c.exe
    "C:\Users\Admin\AppData\Local\Temp\dd4b45c1b0ee3f206d51af2126c969898d4de0e1b26c48fe806f029fb240222c.exe"
    1⤵
    • Modifies security service
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:784
    • C:\Users\Admin\AppData\Local\Temp\dd4b45c1b0ee3f206d51af2126c969898d4de0e1b26c48fe806f029fb240222c.exe
      C:\Users\Admin\AppData\Local\Temp\dd4b45c1b0ee3f206d51af2126c969898d4de0e1b26c48fe806f029fb240222c.exe startC:\Users\Admin\AppData\Roaming\65398\CBF3C.exe%C:\Users\Admin\AppData\Roaming\65398
      2⤵
      PID:1484
    • C:\Users\Admin\AppData\Local\Temp\dd4b45c1b0ee3f206d51af2126c969898d4de0e1b26c48fe806f029fb240222c.exe
      C:\Users\Admin\AppData\Local\Temp\dd4b45c1b0ee3f206d51af2126c969898d4de0e1b26c48fe806f029fb240222c.exe startC:\Program Files (x86)\98F22\lvvm.exe%C:\Program Files (x86)\98F22
      2⤵
      PID:1744
    • C:\Program Files (x86)\LP\3CF6\FDE0.tmp
      "C:\Program Files (x86)\LP\3CF6\FDE0.tmp"
      2⤵
      • Executes dropped EXE
      PID:2024
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1356
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1380
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x58c
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1012

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Program Files (x86)\LP\3CF6\FDE0.tmp
    Filesize: 96KB
    MD5: 58ff5b332ac0006c022219df86121b00
    SHA1: 4e38c1fc1522a5f3076cd29caf35c232bd276ca2
    SHA256: de3486aae23915536017d3c51f2d32faa7e15012a0e6ee72cfdd4dfa95e9bcdc
    SHA512: 5ce4013b1116f9983955ea9215ea38f75cebac08cde42b243e3b1ed19ebf814e5b4be63c6dca476af25315d794203384ce849c76d1fbcc112e58a1b11b3a75e2
  • \Program Files (x86)\LP\3CF6\FDE0.tmp
    Filesize: 96KB
    MD5: 58ff5b332ac0006c022219df86121b00
    SHA1: 4e38c1fc1522a5f3076cd29caf35c232bd276ca2
    SHA256: de3486aae23915536017d3c51f2d32faa7e15012a0e6ee72cfdd4dfa95e9bcdc
    SHA512: 5ce4013b1116f9983955ea9215ea38f75cebac08cde42b243e3b1ed19ebf814e5b4be63c6dca476af25315d794203384ce849c76d1fbcc112e58a1b11b3a75e2

  • memory/784-65-0x0000000000510000-0x000000000052B000-memory.dmp
    Filesize: 108KB
  • memory/784-64-0x0000000000400000-0x000000000046A000-memory.dmp
    Filesize: 424KB
  • memory/784-57-0x0000000000510000-0x000000000052B000-memory.dmp
    Filesize: 108KB
  • memory/784-54-0x0000000000400000-0x000000000046A000-memory.dmp
    Filesize: 424KB
  • memory/784-56-0x0000000000400000-0x000000000046A000-memory.dmp
    Filesize: 424KB
  • memory/784-55-0x0000000075FC1000-0x0000000075FC3000-memory.dmp
    Filesize: 8KB
  • memory/1356-58-0x000007FEFB871000-0x000007FEFB873000-memory.dmp
    Filesize: 8KB
  • memory/1484-62-0x0000000000400000-0x000000000046A000-memory.dmp
    Filesize: 424KB
  • memory/1484-63-0x0000000000640000-0x000000000065B000-memory.dmp
    Filesize: 108KB
  • memory/1744-74-0x0000000000400000-0x000000000046A000-memory.dmp
    Filesize: 424KB
  • memory/1744-75-0x00000000002D0000-0x00000000002EB000-memory.dmp
    Filesize: 108KB
  • memory/2024-77-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize: 108KB
  • memory/2024-78-0x000000000055F000-0x000000000056A000-memory.dmp
    Filesize: 44KB
  • memory/2024-79-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize: 108KB
  • memory/2024-80-0x000000000055F000-0x000000000056A000-memory.dmp
    Filesize: 44KB