Analysis
- max time kernel: 133s
- max time network: 136s
- platform: windows10-2004_x64
- resource: win10v2004-20230621-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230621-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-06-2023 23:24
Static task: static1
Behavioral task: behavioral1
Sample: 5f697f9e967d6f2f01beb702cae01a5696444372545381315f68ce00c45902d0.exe
Resource: win7-20230621-en
General
- Target: 5f697f9e967d6f2f01beb702cae01a5696444372545381315f68ce00c45902d0.exe
- Size: 2.4MB
- MD5: dd609583a5baf83eda150f9365e77067
- SHA1: d449bd9634d29e429cc1378f171a00b018fd6b44
- SHA256: 5f697f9e967d6f2f01beb702cae01a5696444372545381315f68ce00c45902d0
- SHA512: 695259a378f7ed10cb1ffe7fe9e75f5af0fb6befe3d3333c9dcdb1ab8d2f8365639c033dda9d83738e28b37cf711b65e01395dcf853691ec7e41b1489a5fbcec
- SSDEEP: 24576:F2OTeFxvKLuoucZybHXMDg2cQV09aoz25OVn3GuQ5Y3h3js9shlieh:bTux6ZT0sozGK3Ns9shlFh
Malware Config
- Extracted: pony
  http://www.alberghi.com:8080/pony/gate.php
  http://buyandsmile.atomclick.co:8080/pony/gate.php
- payload_url:
  http://ftp.eburneenne.com/7zBY7xS.exe
  http://www.spetter.com/mi19YgV.exe
  http://photosfoto.com/uTM.exe
  http://www.daginternacional.com/trXe.exe
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
  4248  Child.exe
- Program crash (1 IoC)
  Processes (pid, pid_target, process, target process):
  628  4248  WerFault.exe  Child.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description, pid, process, target process):
  PID 5052 wrote to memory of 5072  5052  5f697f9e967d6f2f01beb702cae01a5696444372545381315f68ce00c45902d0.exe  cmd.exe
  PID 5052 wrote to memory of 5072  5052  5f697f9e967d6f2f01beb702cae01a5696444372545381315f68ce00c45902d0.exe  cmd.exe
  PID 5052 wrote to memory of 5072  5052  5f697f9e967d6f2f01beb702cae01a5696444372545381315f68ce00c45902d0.exe  cmd.exe
  PID 5072 wrote to memory of 4248  5072  cmd.exe  Child.exe
  PID 5072 wrote to memory of 4248  5072  cmd.exe  Child.exe
  PID 5072 wrote to memory of 4248  5072  cmd.exe  Child.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\5f697f9e967d6f2f01beb702cae01a5696444372545381315f68ce00c45902d0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5f697f9e967d6f2f01beb702cae01a5696444372545381315f68ce00c45902d0.exe"
  Signature: Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c .\Child.exe
    Signature: Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\Child.exe
      Command line: .\Child.exe
      Signature: Executes dropped EXE
      - [4] C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4248 -s 508
        Signature: Program crash
- [1] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4248 -ip 4248
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Local\Temp\Child.exe
  Filesize: 137KB
  MD5: 00f447529c6b07feaf76e7e00ec4b50a
  SHA1: 25bae6d02ff7c6d1a19e3ffc2936c650645d2265
  SHA256: 81552d75d8021824d8e516357a306f38c25e904e83accbcf806e6a33fbc0d9ce
  SHA512: 54a5bf50c9ba4293882f708bd6ba2ea44b93e17d23694153f1d6f9b0e84ea73674b076c793d6f582b6c6362367777dade2d1d372a2b437b2830a2356a4228664
- memory/4248-137-0x00000000006C0000-0x00000000006D7000-memory.dmp
  Filesize: 92KB
- memory/4248-138-0x0000000002090000-0x00000000020B4000-memory.dmp
  Filesize: 144KB
- memory/4248-139-0x0000000000400000-0x0000000000417000-memory.dmp
  Filesize: 92KB
- memory/5052-141-0x0000000000400000-0x0000000000525000-memory.dmp
  Filesize: 1.1MB