Analysis
- max time kernel: 31s
- max time network: 33s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 31-05-2023 11:20
Static task: static1
- 2 signatures
Behavioral task: behavioral1
- Sample: 06573599.exe
- Resource: win7-20230220-en (windows7-x64)
- 5 signatures
- 150 seconds
General
- Target: 06573599.exe
- Size: 1.1MB
- MD5: aaecf776a6f8850da8a1b4d63bc15e6c
- SHA1: a17344b14cc9bf756d8b52666dfb665e19e8bb31
- SHA256: 7c4e0b95c73cc6c75ad1c74bc4bb7ea27444015c9934a000cf183eb5d4948a3b
- SHA512: 8f8a04540d5c3dde132dd876376dc1b0195cc911c0ca746f67a4761d5c00602c7cb1cf1958d03cbddf3736cfe46a22c7ae1ad634b5260db4c89cb3aae2950f8d
- SSDEEP: 24576:iu6J33O0c+JY5UZ+XC0kGsoTGcjr1I1lOq6sb8hTH7NWYu:Eu0c++OCvkGsEGcjr1i6skHUYu
Malware Config (Extracted)
- Family: pony
- C2: http://185.79.156.18/bit/03/gate.php
Signatures
- AutoIT Executable (1 IoC)
  AutoIT scripts compiled to PE executables.
  Processes (resource -> yara_rule):
    behavioral1/memory/988-54-0x0000000000F40000-0x0000000001068000-memory.dmp -> autoit_exe
- Suspicious use of FindShellTrayWindow (3 IoCs)
  Processes (pid, process):
    988 06573599.exe (3 hits)
- Suspicious use of SendNotifyMessage (3 IoCs)
  Processes (pid, process):
    988 06573599.exe (3 hits)
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description; pid, process -> target process):
    PID 988 wrote to memory of 2012; 988 06573599.exe -> RegAsm.exe (8 hits)
Processes
- C:\Users\Admin\AppData\Local\Temp\06573599.exe (PID 988)
  Command line: "C:\Users\Admin\AppData\Local\Temp\06573599.exe"
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe (PID 2012, child of 988)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
Network
MITRE ATT&CK Matrix
Downloads (memory dumps)
- memory/988-54-0x0000000000F40000-0x0000000001068000-memory.dmp: 1.2MB
- memory/988-61-0x0000000000120000-0x0000000000121000-memory.dmp: 4KB
- memory/2012-58-0x0000000000400000-0x0000000000419000-memory.dmp: 100KB
- memory/2012-57-0x0000000000400000-0x0000000000419000-memory.dmp: 100KB