Analysis

  • max time kernel
    114s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    05-12-2022 18:54

General

  • Target

    fa65e91f0a5f117e4da666eda74c7dbf9ff7fe70ea4477bcd0089060b6687e5b.exe

  • Size

    291KB

  • MD5

    2e112395a64b710c83b4fbcf5d53cf52

  • SHA1

    e6930f33beadce15b76f10c47d226a1acb622ba0

  • SHA256

    fa65e91f0a5f117e4da666eda74c7dbf9ff7fe70ea4477bcd0089060b6687e5b

  • SHA512

    a03d2e5cbddd04636e8476d96be24ce482a4557e322f03ae0a3e63fe06f76f03e1578277c37d38d2c20e2250e724a042cb2beba0c0eac6661608c43c1af9c161

  • SSDEEP

    6144:9/KudswtwoZVJ+pr2uGwbUr5YrfwMDcIIYC:9FdT/VJ0rzGwb2irIMDcIIYC

Malware Config

Signatures

  • Modifies security service 2 TTPs 1 IoCs
  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

  • Disables taskbar notifications via registry modification
  • Executes dropped EXE 1 IoCs
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 3 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 19 IoCs
  • Suspicious use of FindShellTrayWindow 27 IoCs
  • Suspicious use of SendNotifyMessage 23 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • System policy modification 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fa65e91f0a5f117e4da666eda74c7dbf9ff7fe70ea4477bcd0089060b6687e5b.exe
    "C:\Users\Admin\AppData\Local\Temp\fa65e91f0a5f117e4da666eda74c7dbf9ff7fe70ea4477bcd0089060b6687e5b.exe"
    1⤵
    • Modifies security service
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1880
    • C:\Program Files (x86)\LP\A51B\B38.tmp
      "C:\Program Files (x86)\LP\A51B\B38.tmp"
      2⤵
      • Executes dropped EXE
      PID:892
    • C:\Users\Admin\AppData\Local\Temp\fa65e91f0a5f117e4da666eda74c7dbf9ff7fe70ea4477bcd0089060b6687e5b.exe
      C:\Users\Admin\AppData\Local\Temp\fa65e91f0a5f117e4da666eda74c7dbf9ff7fe70ea4477bcd0089060b6687e5b.exe startC:\Users\Admin\AppData\Roaming\B2F65\C7EA5.exe%C:\Users\Admin\AppData\Roaming\B2F65
      2⤵
      PID:1796
    • C:\Users\Admin\AppData\Local\Temp\fa65e91f0a5f117e4da666eda74c7dbf9ff7fe70ea4477bcd0089060b6687e5b.exe
      C:\Users\Admin\AppData\Local\Temp\fa65e91f0a5f117e4da666eda74c7dbf9ff7fe70ea4477bcd0089060b6687e5b.exe startC:\Program Files (x86)\658B4\lvvm.exe%C:\Program Files (x86)\658B4
      2⤵
      PID:1532
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:944
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:928
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x484
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:452

Network

MITRE ATT&CK Enterprise v6

Downloads

      • C:\Program Files (x86)\LP\A51B\B38.tmp

        Filesize

        103KB

        MD5

        d4f353eec08a119eb764376e943c8d63

        SHA1

        c59560360592af2b5cb1bbafa6b297ac35d3f30f

        SHA256

        1d2435427faf13fcc868b72430c96377fd239a46bcf341c02d2f0510c83d7e1d

        SHA512

        ba5f1b67e6d142c7445ad5ba149b1de5237810a9c94a8431b790008548658766f0ec3d0d33c757b59311c2bfa000924c67bde3a12f18f11973c4585e2ada2f6d

      • \Program Files (x86)\LP\A51B\B38.tmp

        Filesize

        103KB

        MD5

        d4f353eec08a119eb764376e943c8d63

        SHA1

        c59560360592af2b5cb1bbafa6b297ac35d3f30f

        SHA256

        1d2435427faf13fcc868b72430c96377fd239a46bcf341c02d2f0510c83d7e1d

        SHA512

        ba5f1b67e6d142c7445ad5ba149b1de5237810a9c94a8431b790008548658766f0ec3d0d33c757b59311c2bfa000924c67bde3a12f18f11973c4585e2ada2f6d

      • memory/892-72-0x0000000000311000-0x0000000000320000-memory.dmp

        Filesize

        60KB

      • memory/892-71-0x0000000000400000-0x000000000041D000-memory.dmp

        Filesize

        116KB

      • memory/892-68-0x0000000000311000-0x0000000000320000-memory.dmp

        Filesize

        60KB

      • memory/892-67-0x0000000000400000-0x000000000041D000-memory.dmp

        Filesize

        116KB

      • memory/944-58-0x000007FEFBDB1000-0x000007FEFBDB3000-memory.dmp

        Filesize

        8KB

      • memory/1532-75-0x0000000000400000-0x000000000046C000-memory.dmp

        Filesize

        432KB

      • memory/1532-76-0x0000000000501000-0x0000000000544000-memory.dmp

        Filesize

        268KB

      • memory/1796-69-0x0000000000400000-0x000000000046C000-memory.dmp

        Filesize

        432KB

      • memory/1796-70-0x0000000000611000-0x0000000000654000-memory.dmp

        Filesize

        268KB

      • memory/1880-54-0x0000000075201000-0x0000000075203000-memory.dmp

        Filesize

        8KB

      • memory/1880-57-0x0000000000622000-0x0000000000665000-memory.dmp

        Filesize

        268KB

      • memory/1880-56-0x0000000000622000-0x0000000000665000-memory.dmp

        Filesize

        268KB

      • memory/1880-55-0x0000000000400000-0x000000000046C000-memory.dmp

        Filesize

        432KB