Analysis

max time kernel: 142s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-05-2023 23:11

Static task: static1
Behavioral task: behavioral1
Sample: a81cf5af7a5c1929ef6dea8cf11961cc.exe
Resource: win7-20230220-en
General

Target: a81cf5af7a5c1929ef6dea8cf11961cc.exe
Size: 2.5MB
MD5: a81cf5af7a5c1929ef6dea8cf11961cc
SHA1: dc360a9605efd32c676d931745f600745ac3579f
SHA256: 243036edddff8d25f6997bb6cba8cc784adb92229e149f41420962ed17523c75
SHA512: 29fcb5ed083ce5ff92bc01cc8b49249b589311d4b41bf0615efa8837e81224b660d7c912496f875a886af20d495175326907e71a8c3d7ec46efbd1eb54ceeedf
SSDEEP: 24576:F2OTeFxvKLuoucZybHXMDg2cQV09aoz25OVn3GuQ5Y3h3js9sy:bTux6ZT0sozGK3Ns9sy
Malware Config

Extracted
Family: pony
C2:
  http://98.158.129.17:8080/pony/gate.php
  http://50.116.9.68/pony/gate.php
payload_url:
  http://www.longingtech.com/14jJyU.exe
  http://ghanaleakplus.com/KVvCk7B.exe
  http://arvina.cz/PpBCye.exe
Signatures

Executes dropped EXE (1 IoCs)
Processes:
  pid   process
  1936  Child.exe

Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of AdjustPrivilegeToken (8 IoCs)
Processes:
  description                             pid   process
  Token: SeImpersonatePrivilege           1936  Child.exe
  Token: SeTcbPrivilege                   1936  Child.exe
  Token: SeChangeNotifyPrivilege          1936  Child.exe
  Token: SeCreateTokenPrivilege           1936  Child.exe
  Token: SeBackupPrivilege                1936  Child.exe
  Token: SeRestorePrivilege               1936  Child.exe
  Token: SeIncreaseQuotaPrivilege         1936  Child.exe
  Token: SeAssignPrimaryTokenPrivilege    1936  Child.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  description                        pid   process                               target process
  PID 3240 wrote to memory of 1812   3240  a81cf5af7a5c1929ef6dea8cf11961cc.exe  cmd.exe
  PID 3240 wrote to memory of 1812   3240  a81cf5af7a5c1929ef6dea8cf11961cc.exe  cmd.exe
  PID 3240 wrote to memory of 1812   3240  a81cf5af7a5c1929ef6dea8cf11961cc.exe  cmd.exe
  PID 1812 wrote to memory of 1936   1812  cmd.exe                               Child.exe
  PID 1812 wrote to memory of 1936   1812  cmd.exe                               Child.exe
  PID 1812 wrote to memory of 1936   1812  cmd.exe                               Child.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\a81cf5af7a5c1929ef6dea8cf11961cc.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\a81cf5af7a5c1929ef6dea8cf11961cc.exe"
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c .\Child.exe
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\Child.exe
         Command line: .\Child.exe
         - Executes dropped EXE
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\Child.exe
  Filesize: 178KB
  MD5: 63df17fb0b2d7b936d41ab6696a1e163
  SHA1: 3ff44a657ce599e2d828c8bbaa148895c2933ea5
  SHA256: cf9e7f28868b657569cbf18bf47228d06635e742f78316c5a0f14b2bba20044d
  SHA512: 132347b6e06347eab5347c2076c63d9efced5e9030842036e0cca8ef73552f00586e83dec4d1b4f7ab0b8b69611fa83ffd0cb0ccef98d8c23c81dc9a90e5395a
memory/1936-137-0x0000000000700000-0x0000000000717000-memory.dmp
  Filesize: 92KB

memory/1936-138-0x0000000000720000-0x0000000000750000-memory.dmp
  Filesize: 192KB

memory/1936-139-0x0000000000400000-0x0000000000417000-memory.dmp
  Filesize: 92KB

memory/1936-142-0x0000000000400000-0x0000000000417000-memory.dmp
  Filesize: 92KB

memory/3240-140-0x0000000000400000-0x0000000000525000-memory.dmp
  Filesize: 1.1MB