Overview

overview

10

Static

static

500c316ca9...2d.exe

windows7-x64

10

500c316ca9...2d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    162s
  • max time network
    168s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    05/12/2022, 18:54

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    500c316ca9f08d10e6228630adaed9de7db7b5e34c0ce351ffa5086b41c52d2d.exe

  • Size

    286KB

  • MD5

    19a7cc1c7df73ef6a82b05f1d7df30f0

  • SHA1

    871880b63c0c9f19c63552344d26e2053e534bb8

  • SHA256

    500c316ca9f08d10e6228630adaed9de7db7b5e34c0ce351ffa5086b41c52d2d

  • SHA512

    bff8a44fdda621c523438f2923638b79249f5db20f5b13c6f8da2bb6df8768c17239dba9b3c526316a78c2d59365da90eba078fc94b61868b90d28a271035a0d

  • SSDEEP

    6144:/s3RgIaGI/JeI9hWf8ze9fEXiTLPYBTDU08he2SkrfI4g1:CRvI/JeV8S96obYB808hVSt

Score
10/10
ponydiscoveryevasionpersistenceratspywarestealerupx

Malware Config

Signatures

  • Modifies security service 2 TTPs 1 IoCs
    evasion
  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

    ratspywarestealerpony
  • Disables taskbar notifications via registry modification
    evasion
  • Executes dropped EXE 1 IoCs
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 3 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 19 IoCs
  • Suspicious use of FindShellTrayWindow 28 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\500c316ca9f08d10e6228630adaed9de7db7b5e34c0ce351ffa5086b41c52d2d.exe
    "C:\Users\Admin\AppData\Local\Temp\500c316ca9f08d10e6228630adaed9de7db7b5e34c0ce351ffa5086b41c52d2d.exe"
    1⤵
    • Modifies security service
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:960
    • C:\Users\Admin\AppData\Local\Temp\500c316ca9f08d10e6228630adaed9de7db7b5e34c0ce351ffa5086b41c52d2d.exe
      C:\Users\Admin\AppData\Local\Temp\500c316ca9f08d10e6228630adaed9de7db7b5e34c0ce351ffa5086b41c52d2d.exe startC:\Users\Admin\AppData\Roaming\8B143\5FB9F.exe%C:\Users\Admin\AppData\Roaming\8B143
      2⤵
        PID:1080
      • C:\Program Files (x86)\LP\9F28\B896.tmp
        "C:\Program Files (x86)\LP\9F28\B896.tmp"
        2⤵
        • Executes dropped EXE
        PID:1808
      • C:\Users\Admin\AppData\Local\Temp\500c316ca9f08d10e6228630adaed9de7db7b5e34c0ce351ffa5086b41c52d2d.exe
        C:\Users\Admin\AppData\Local\Temp\500c316ca9f08d10e6228630adaed9de7db7b5e34c0ce351ffa5086b41c52d2d.exe startC:\Program Files (x86)\4307A\lvvm.exe%C:\Program Files (x86)\4307A
        2⤵
          PID:696
      • C:\Windows\system32\msiexec.exe
        C:\Windows\system32\msiexec.exe /V
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:560
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Modifies Installed Components in the registry
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1488
      • C:\Windows\system32\AUDIODG.EXE
        C:\Windows\system32\AUDIODG.EXE 0x588
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:652

      Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Program Files (x86)\LP\9F28\B896.tmp
              Filesize

              101KB

              MD5

              bade879866519356dfbcd83d542a6412

              SHA1

              31e08efddce3b594648f0a106c8d137b82c15759

              SHA256

              55fcaaaa7d7f33b7329957c3203eb5d9f607e9742d34fb055de84e5264bb75fc

              SHA512

              4c914acd148c1ba5113900d294cc28f1ebaf0ce08c0d914ed5efebb227241df5decdbc6e9fe4180e6ff18ac2e8692da203edac2d1f6d7a1bd90357b0f214a1aa

              Download Submit

            • \Program Files (x86)\LP\9F28\B896.tmp
              Filesize

              101KB

              MD5

              bade879866519356dfbcd83d542a6412

              SHA1

              31e08efddce3b594648f0a106c8d137b82c15759

              SHA256

              55fcaaaa7d7f33b7329957c3203eb5d9f607e9742d34fb055de84e5264bb75fc

              SHA512

              4c914acd148c1ba5113900d294cc28f1ebaf0ce08c0d914ed5efebb227241df5decdbc6e9fe4180e6ff18ac2e8692da203edac2d1f6d7a1bd90357b0f214a1aa

              Download Submit

            • \Program Files (x86)\LP\9F28\B896.tmp
              Filesize

              101KB

              MD5

              bade879866519356dfbcd83d542a6412

              SHA1

              31e08efddce3b594648f0a106c8d137b82c15759

              SHA256

              55fcaaaa7d7f33b7329957c3203eb5d9f607e9742d34fb055de84e5264bb75fc

              SHA512

              4c914acd148c1ba5113900d294cc28f1ebaf0ce08c0d914ed5efebb227241df5decdbc6e9fe4180e6ff18ac2e8692da203edac2d1f6d7a1bd90357b0f214a1aa

              Download Submit

            • memory/560-58-0x000007FEFBAC1000-0x000007FEFBAC3000-memory.dmp

              Filesize

              8KB

              Download

            • memory/696-76-0x0000000000400000-0x000000000046C000-memory.dmp

              Filesize

              432KB

              Download

            • memory/696-77-0x00000000006E7000-0x000000000072F000-memory.dmp

              Filesize

              288KB

              Download

            • memory/696-75-0x00000000006E7000-0x000000000072F000-memory.dmp

              Filesize

              288KB

              Download

            • memory/960-55-0x0000000000637000-0x000000000067F000-memory.dmp

              Filesize

              288KB

              Download

            • memory/960-54-0x0000000075591000-0x0000000075593000-memory.dmp

              Filesize

              8KB

              Download

            • memory/960-57-0x0000000000637000-0x000000000067F000-memory.dmp

              Filesize

              288KB

              Download

            • memory/960-56-0x0000000000400000-0x000000000046C000-memory.dmp

              Filesize

              432KB

              Download

            • memory/1080-65-0x0000000000400000-0x000000000046C000-memory.dmp

              Filesize

              432KB

              Download

            • memory/1080-62-0x0000000000677000-0x00000000006BF000-memory.dmp

              Filesize

              288KB

              Download

            • memory/1080-64-0x0000000000677000-0x00000000006BF000-memory.dmp

              Filesize

              288KB

              Download

            • memory/1080-63-0x0000000000400000-0x000000000046C000-memory.dmp

              Filesize

              432KB

              Download

            • memory/1808-71-0x0000000000400000-0x000000000041D000-memory.dmp

              Filesize

              116KB

              Download

            • memory/1808-72-0x0000000000316000-0x0000000000326000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1808-78-0x0000000000400000-0x000000000041D000-memory.dmp

              Filesize

              116KB

              Download

            • memory/1808-79-0x0000000000316000-0x0000000000326000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1808-80-0x0000000000400000-0x000000000041D000-memory.dmp

              Filesize

              116KB

              Download

            • memory/1808-81-0x0000000000316000-0x0000000000326000-memory.dmp

              Filesize

              64KB

              Download