Overview

overview

10

Static

static

c7c2fce021...1d.exe

windows7-x64

10

c7c2fce021...1d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    259s
  • max time network
    351s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    05/12/2022, 06:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c7c2fce0215829fccaa3ee7d7e0457c21d02e378e92bdf9fec34c667bdf5771d.exe

  • Size

    294KB

  • MD5

    8a3bb716b4a30d9b48d1af3d6b418565

  • SHA1

    84ee653b8af1d2afc9d6ee5490d08c6cbbbd304a

  • SHA256

    c7c2fce0215829fccaa3ee7d7e0457c21d02e378e92bdf9fec34c667bdf5771d

  • SHA512

    c7259e65bceefa243059ccc6315007497cf3777e61829b692eb34fb6860a8ee93f96982b6c92f6a83bd1ac2f4bc210318db5f71a9e325f92c5bfb940dbe2299c

  • SSDEEP

    6144:5vk4K4jlqYs5kSjEFmQdqXQuSy+Si9QCbR8hBKwJfX544V:5vkpMqr5VQFsXQuH+tQVvKIq

Score
10/10
ponydiscoveryevasionpersistenceratspywarestealerupx

Malware Config

Signatures

  • Modifies security service 2 TTPs 1 IoCs
    evasion
  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

    ratspywarestealerpony
  • Disables taskbar notifications via registry modification
    evasion
  • Executes dropped EXE 1 IoCs
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 3 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 19 IoCs
  • Suspicious use of FindShellTrayWindow 33 IoCs
  • Suspicious use of SendNotifyMessage 23 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\c7c2fce0215829fccaa3ee7d7e0457c21d02e378e92bdf9fec34c667bdf5771d.exe
    "C:\Users\Admin\AppData\Local\Temp\c7c2fce0215829fccaa3ee7d7e0457c21d02e378e92bdf9fec34c667bdf5771d.exe"
    1⤵
    • Modifies security service
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1892
    • C:\Program Files (x86)\LP\42CB\FDC1.tmp
      "C:\Program Files (x86)\LP\42CB\FDC1.tmp"
      2⤵
      • Executes dropped EXE
      PID:1192
    • C:\Users\Admin\AppData\Local\Temp\c7c2fce0215829fccaa3ee7d7e0457c21d02e378e92bdf9fec34c667bdf5771d.exe
      C:\Users\Admin\AppData\Local\Temp\c7c2fce0215829fccaa3ee7d7e0457c21d02e378e92bdf9fec34c667bdf5771d.exe startC:\Users\Admin\AppData\Roaming\BF362\32E42.exe%C:\Users\Admin\AppData\Roaming\BF362
      2⤵
        PID:1936
    • C:\Windows\system32\msiexec.exe
      C:\Windows\system32\msiexec.exe /V
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1560
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies Installed Components in the registry
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:580
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x588
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1420

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\LP\42CB\FDC1.tmp
      Filesize

      103KB

      MD5

      d4f353eec08a119eb764376e943c8d63

      SHA1

      c59560360592af2b5cb1bbafa6b297ac35d3f30f

      SHA256

      1d2435427faf13fcc868b72430c96377fd239a46bcf341c02d2f0510c83d7e1d

      SHA512

      ba5f1b67e6d142c7445ad5ba149b1de5237810a9c94a8431b790008548658766f0ec3d0d33c757b59311c2bfa000924c67bde3a12f18f11973c4585e2ada2f6d

      Download Submit

    • \Program Files (x86)\LP\42CB\FDC1.tmp
      Filesize

      103KB

      MD5

      d4f353eec08a119eb764376e943c8d63

      SHA1

      c59560360592af2b5cb1bbafa6b297ac35d3f30f

      SHA256

      1d2435427faf13fcc868b72430c96377fd239a46bcf341c02d2f0510c83d7e1d

      SHA512

      ba5f1b67e6d142c7445ad5ba149b1de5237810a9c94a8431b790008548658766f0ec3d0d33c757b59311c2bfa000924c67bde3a12f18f11973c4585e2ada2f6d

      Download Submit

    • \Program Files (x86)\LP\42CB\FDC1.tmp
      Filesize

      103KB

      MD5

      d4f353eec08a119eb764376e943c8d63

      SHA1

      c59560360592af2b5cb1bbafa6b297ac35d3f30f

      SHA256

      1d2435427faf13fcc868b72430c96377fd239a46bcf341c02d2f0510c83d7e1d

      SHA512

      ba5f1b67e6d142c7445ad5ba149b1de5237810a9c94a8431b790008548658766f0ec3d0d33c757b59311c2bfa000924c67bde3a12f18f11973c4585e2ada2f6d

      Download Submit

    • memory/1192-68-0x0000000000571000-0x0000000000580000-memory.dmp

      Filesize

      60KB

      Download

    • memory/1192-65-0x0000000000400000-0x000000000041D000-memory.dmp

      Filesize

      116KB

      Download

    • memory/1192-66-0x0000000000571000-0x0000000000580000-memory.dmp

      Filesize

      60KB

      Download

    • memory/1192-67-0x0000000000400000-0x000000000041D000-memory.dmp

      Filesize

      116KB

      Download

    • memory/1560-57-0x000007FEFB7F1000-0x000007FEFB7F3000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1892-58-0x0000000000561000-0x00000000005A6000-memory.dmp

      Filesize

      276KB

      Download

    • memory/1892-56-0x0000000000561000-0x00000000005A6000-memory.dmp

      Filesize

      276KB

      Download

    • memory/1892-55-0x0000000000400000-0x000000000046C000-memory.dmp

      Filesize

      432KB

      Download

    • memory/1892-54-0x00000000759F1000-0x00000000759F3000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1936-71-0x0000000000400000-0x000000000046C000-memory.dmp

      Filesize

      432KB

      Download

    • memory/1936-72-0x00000000005C2000-0x0000000000607000-memory.dmp

      Filesize

      276KB

      Download