Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

f1cf96c3d2...f2.exe

windows7-x64

10

f1cf96c3d2...f2.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    05/12/2022, 18:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f1cf96c3d2f53053d6a4db5b3171fdd9a2651e114b5056f8ea8853e0ad91aef2.exe

  • Size

    283KB

  • MD5

    63fe64c62437e3c58b49c0524275dacc

  • SHA1

    30a0e544b79c11bb6a62bb0cfba9b0645dfff7ed

  • SHA256

    f1cf96c3d2f53053d6a4db5b3171fdd9a2651e114b5056f8ea8853e0ad91aef2

  • SHA512

    abc9039671148cdc7a2593134feb3e80d0b026292707cd3aa95ce46bca8c95d06fc96e1b42dbf99e0884ee1d377940c6eb1d181ac00c8ac16d8dc5a1fc2fb230

  • SSDEEP

    6144:w7vXDRS0wfOxqpBW8gto5ZsdZjJMQcYWqz9t/Qs/FvN5c1:ivdS9OxqpBDgOAZV11n9trvN5

Score
10/10
ponydiscoveryevasionpersistenceratspywarestealerupx

Malware Config

Signatures

  • Modifies security service 2 TTPs 1 IoCs
    evasion
  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

    ratspywarestealerpony
  • Disables taskbar notifications via registry modification
    evasion
  • Executes dropped EXE 1 IoCs
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 3 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 19 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 17 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\f1cf96c3d2f53053d6a4db5b3171fdd9a2651e114b5056f8ea8853e0ad91aef2.exe
    "C:\Users\Admin\AppData\Local\Temp\f1cf96c3d2f53053d6a4db5b3171fdd9a2651e114b5056f8ea8853e0ad91aef2.exe"
    1⤵
    • Modifies security service
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1376
    • C:\Users\Admin\AppData\Local\Temp\f1cf96c3d2f53053d6a4db5b3171fdd9a2651e114b5056f8ea8853e0ad91aef2.exe
      C:\Users\Admin\AppData\Local\Temp\f1cf96c3d2f53053d6a4db5b3171fdd9a2651e114b5056f8ea8853e0ad91aef2.exe startC:\Users\Admin\AppData\Roaming\152E8\7186B.exe%C:\Users\Admin\AppData\Roaming\152E8
      2⤵
        PID:1644
      • C:\Users\Admin\AppData\Local\Temp\f1cf96c3d2f53053d6a4db5b3171fdd9a2651e114b5056f8ea8853e0ad91aef2.exe
        C:\Users\Admin\AppData\Local\Temp\f1cf96c3d2f53053d6a4db5b3171fdd9a2651e114b5056f8ea8853e0ad91aef2.exe startC:\Program Files (x86)\E86D2\lvvm.exe%C:\Program Files (x86)\E86D2
        2⤵
          PID:1292
        • C:\Program Files (x86)\LP\6BE1\25BA.tmp
          "C:\Program Files (x86)\LP\6BE1\25BA.tmp"
          2⤵
          • Executes dropped EXE
          PID:1564
      • C:\Windows\system32\msiexec.exe
        C:\Windows\system32\msiexec.exe /V
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1968
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Modifies Installed Components in the registry
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1828
      • C:\Windows\system32\AUDIODG.EXE
        C:\Windows\system32\AUDIODG.EXE 0x5b0
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1820

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\LP\6BE1\25BA.tmp
        Filesize

        100KB

        MD5

        f845b0df3da3f24c382cd3031c1c9e3b

        SHA1

        0607975a1d3aa4ad8997946a69c907e4f7bcd636

        SHA256

        53dbfb4a4aca0f7b2fe0d1e46579f0f1e28bf0095c1418101e1ea70c3509581a

        SHA512

        bf44d1d6ede8b520f67b47939d422f7272998a9d5bd67ac7fc5ebd44c6971769a3cd83f9cfa15465b42fd8becef5751bc858d642f5e2b1ac36f337a95e9cbb43

        Download Submit

      • \Program Files (x86)\LP\6BE1\25BA.tmp
        Filesize

        100KB

        MD5

        f845b0df3da3f24c382cd3031c1c9e3b

        SHA1

        0607975a1d3aa4ad8997946a69c907e4f7bcd636

        SHA256

        53dbfb4a4aca0f7b2fe0d1e46579f0f1e28bf0095c1418101e1ea70c3509581a

        SHA512

        bf44d1d6ede8b520f67b47939d422f7272998a9d5bd67ac7fc5ebd44c6971769a3cd83f9cfa15465b42fd8becef5751bc858d642f5e2b1ac36f337a95e9cbb43

        Download Submit

      • \Program Files (x86)\LP\6BE1\25BA.tmp
        Filesize

        100KB

        MD5

        f845b0df3da3f24c382cd3031c1c9e3b

        SHA1

        0607975a1d3aa4ad8997946a69c907e4f7bcd636

        SHA256

        53dbfb4a4aca0f7b2fe0d1e46579f0f1e28bf0095c1418101e1ea70c3509581a

        SHA512

        bf44d1d6ede8b520f67b47939d422f7272998a9d5bd67ac7fc5ebd44c6971769a3cd83f9cfa15465b42fd8becef5751bc858d642f5e2b1ac36f337a95e9cbb43

        Download Submit

      • memory/1292-65-0x0000000000400000-0x000000000046B000-memory.dmp

        Filesize

        428KB

        Download

      • memory/1376-61-0x0000000000400000-0x000000000046B000-memory.dmp

        Filesize

        428KB

        Download

      • memory/1376-54-0x0000000075921000-0x0000000075923000-memory.dmp

        Filesize

        8KB

        Download

      • memory/1376-56-0x00000000005C7000-0x000000000060A000-memory.dmp

        Filesize

        268KB

        Download

      • memory/1376-55-0x0000000000400000-0x000000000046B000-memory.dmp

        Filesize

        428KB

        Download

      • memory/1564-72-0x0000000000400000-0x000000000041C000-memory.dmp

        Filesize

        112KB

        Download

      • memory/1564-73-0x0000000000230000-0x0000000000330000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1564-74-0x0000000000400000-0x000000000041C000-memory.dmp

        Filesize

        112KB

        Download

      • memory/1644-60-0x0000000000400000-0x000000000046B000-memory.dmp

        Filesize

        428KB

        Download

      • memory/1968-57-0x000007FEFC371000-0x000007FEFC373000-memory.dmp

        Filesize

        8KB

        Download