Analysis
- max time kernel: 148s
- max time network: 161s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 05-05-2023 23:11

Static task: static1
Behavioral task: behavioral1
Sample: a81cf5af7a5c1929ef6dea8cf11961cc.exe
Resource: win7-20230220-en
General
- Target: a81cf5af7a5c1929ef6dea8cf11961cc.exe
- Size: 2.5MB
- MD5: a81cf5af7a5c1929ef6dea8cf11961cc
- SHA1: dc360a9605efd32c676d931745f600745ac3579f
- SHA256: 243036edddff8d25f6997bb6cba8cc784adb92229e149f41420962ed17523c75
- SHA512: 29fcb5ed083ce5ff92bc01cc8b49249b589311d4b41bf0615efa8837e81224b660d7c912496f875a886af20d495175326907e71a8c3d7ec46efbd1eb54ceeedf
- SSDEEP: 24576:F2OTeFxvKLuoucZybHXMDg2cQV09aoz25OVn3GuQ5Y3h3js9sy:bTux6ZT0sozGK3Ns9sy
Malware Config
Extracted
- pony
  http://98.158.129.17:8080/pony/gate.php
  http://50.116.9.68/pony/gate.php
- payload_url
  http://www.longingtech.com/14jJyU.exe
  http://ghanaleakplus.com/KVvCk7B.exe
  http://arvina.cz/PpBCye.exe
Signatures
- Executes dropped EXE (1 IoCs)
  Processes:
    pid 1440  process Child.exe
- Loads dropped DLL (1 IoCs)
  Processes:
    pid 940  process cmd.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of AdjustPrivilegeToken (8 IoCs)
  Processes:
    description                              pid   process
    Token: SeImpersonatePrivilege            1440  Child.exe
    Token: SeTcbPrivilege                    1440  Child.exe
    Token: SeChangeNotifyPrivilege           1440  Child.exe
    Token: SeCreateTokenPrivilege            1440  Child.exe
    Token: SeBackupPrivilege                 1440  Child.exe
    Token: SeRestorePrivilege                1440  Child.exe
    Token: SeIncreaseQuotaPrivilege          1440  Child.exe
    Token: SeAssignPrimaryTokenPrivilege     1440  Child.exe
- Suspicious use of UnmapMainImage (1 IoCs)
  Processes:
    pid 1440  process Child.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
    description                         pid   process                                target process
    PID 1204 wrote to memory of 940     1204  a81cf5af7a5c1929ef6dea8cf11961cc.exe   cmd.exe
    PID 1204 wrote to memory of 940     1204  a81cf5af7a5c1929ef6dea8cf11961cc.exe   cmd.exe
    PID 1204 wrote to memory of 940     1204  a81cf5af7a5c1929ef6dea8cf11961cc.exe   cmd.exe
    PID 1204 wrote to memory of 940     1204  a81cf5af7a5c1929ef6dea8cf11961cc.exe   cmd.exe
    PID 940 wrote to memory of 1440     940   cmd.exe                                Child.exe
    PID 940 wrote to memory of 1440     940   cmd.exe                                Child.exe
    PID 940 wrote to memory of 1440     940   cmd.exe                                Child.exe
    PID 940 wrote to memory of 1440     940   cmd.exe                                Child.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\a81cf5af7a5c1929ef6dea8cf11961cc.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\a81cf5af7a5c1929ef6dea8cf11961cc.exe"
      - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe
        command line: C:\Windows\system32\cmd.exe /c .\Child.exe
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\Child.exe
          command line: .\Child.exe
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\Child.exe
  Filesize: 178KB
  MD5: 63df17fb0b2d7b936d41ab6696a1e163
  SHA1: 3ff44a657ce599e2d828c8bbaa148895c2933ea5
  SHA256: cf9e7f28868b657569cbf18bf47228d06635e742f78316c5a0f14b2bba20044d
  SHA512: 132347b6e06347eab5347c2076c63d9efced5e9030842036e0cca8ef73552f00586e83dec4d1b4f7ab0b8b69611fa83ffd0cb0ccef98d8c23c81dc9a90e5395a
- \Users\Admin\AppData\Local\Temp\Child.exe
  Filesize: 178KB
  MD5: 63df17fb0b2d7b936d41ab6696a1e163
  SHA1: 3ff44a657ce599e2d828c8bbaa148895c2933ea5
  SHA256: cf9e7f28868b657569cbf18bf47228d06635e742f78316c5a0f14b2bba20044d
  SHA512: 132347b6e06347eab5347c2076c63d9efced5e9030842036e0cca8ef73552f00586e83dec4d1b4f7ab0b8b69611fa83ffd0cb0ccef98d8c23c81dc9a90e5395a
- memory/1204-61-0x0000000000400000-0x0000000000525000-memory.dmp
  Filesize: 1.1MB
- memory/1440-58-0x00000000002F0000-0x0000000000307000-memory.dmp
  Filesize: 92KB
- memory/1440-59-0x0000000000310000-0x0000000000340000-memory.dmp
  Filesize: 192KB
- memory/1440-60-0x0000000000400000-0x0000000000417000-memory.dmp
  Filesize: 92KB
- memory/1440-62-0x0000000000400000-0x0000000000417000-memory.dmp
  Filesize: 92KB