Overview

overview

10

Static

static

3

05e7034160...62.exe

windows7-x64

10

05e7034160...62.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    25/12/2023, 04:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    05e7034160522201de6324078818b562.exe

  • Size

    512KB

  • MD5

    05e7034160522201de6324078818b562

  • SHA1

    29d72e130ce958186446839139d25e0415cdc587

  • SHA256

    8679615f3852762d7dd71fcd657b86cdf0c4f56dcf3e6e991b65770752c57bfe

  • SHA512

    5d566113f3ed3df1a4baebc8ce80a300901a5ab8e20dafaabf33e824c26191f4281c64a783901743ebd71e69602b239f4158819a536e3d147d7e629c5efe4e9a

  • SSDEEP

    12288:WNge6O1X/GkpN4hpCHvmc+5zR2JqaAwUKPF2mqhScG:Q96SPGm4b06aqpwl2mqIc

Score
10/10
ponydiscoveryevasionpersistenceratspywarestealerupx

Malware Config

Signatures

  • Modifies security service 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

    ratspywarestealerpony
  • Disables taskbar notifications via registry modification
    evasion
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 17 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 37 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 54 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 5 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 17 IoCs
  • Suspicious use of FindShellTrayWindow 28 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\05e7034160522201de6324078818b562.exe
    "C:\Users\Admin\AppData\Local\Temp\05e7034160522201de6324078818b562.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2232
    • C:\Users\Admin\vrSlJ6C3.exe
      C:\Users\Admin\vrSlJ6C3.exe
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2988
      • C:\Users\Admin\naoquo.exe
        "C:\Users\Admin\naoquo.exe"
        3⤵
        • Modifies visiblity of hidden/system files in Explorer
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:2544
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c tasklist&&del vrSlJ6C3.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1736
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          4⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:1172
    • C:\Users\Admin\2nob.exe
      C:\Users\Admin\2nob.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2844
      • C:\Users\Admin\2nob.exe
        "C:\Users\Admin\2nob.exe"
        3⤵
        • Executes dropped EXE
        PID:2432
      • C:\Users\Admin\2nob.exe
        "C:\Users\Admin\2nob.exe"
        3⤵
        • Executes dropped EXE
        • Maps connected drives based on registry
        • Suspicious behavior: EnumeratesProcesses
        PID:3024
      • C:\Users\Admin\2nob.exe
        "C:\Users\Admin\2nob.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:1448
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1448 -s 100
          4⤵
          • Loads dropped DLL
          • Program crash
          PID:1644
      • C:\Users\Admin\2nob.exe
        "C:\Users\Admin\2nob.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2700
      • C:\Users\Admin\2nob.exe
        "C:\Users\Admin\2nob.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1976
    • C:\Users\Admin\3nob.exe
      C:\Users\Admin\3nob.exe
      2⤵
      • Modifies security service
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • System policy modification
      PID:1460
      • C:\Users\Admin\3nob.exe
        C:\Users\Admin\3nob.exe startC:\Users\Admin\AppData\Roaming\A6A96\03EF3.exe%C:\Users\Admin\AppData\Roaming\A6A96
        3⤵
        • Executes dropped EXE
        PID:1376
      • C:\Program Files (x86)\LP\F37A\FEF8.tmp
        "C:\Program Files (x86)\LP\F37A\FEF8.tmp"
        3⤵
        • Executes dropped EXE
        PID:1160
      • C:\Users\Admin\3nob.exe
        C:\Users\Admin\3nob.exe startC:\Program Files (x86)\96F92\lvvm.exe%C:\Program Files (x86)\96F92
        3⤵
        • Executes dropped EXE
        PID:2272
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c tasklist&&del 05e7034160522201de6324078818b562.exe
      2⤵
      • Deletes itself
      PID:2804
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:2324
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1632
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Defense Evasion

Hide Artifacts

1
T1564

Hidden Files and Directories

1
T1564.001

Modify Registry

5
T1112

Credential Access

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Peripheral Device Discovery

1
T1120

Process Discovery

1
T1057

Query Registry

3
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\2nob.exe
    Filesize

    125KB

    MD5

    4e63eb49570bccc05858aa1b45dac020

    SHA1

    6e8c96b8a2607e4b54117355725e6c87d524cb56

    SHA256

    1f70aadf0951afa756d8f1f974a7c929d2bcee1d5b98fb449e707467146baeb4

    SHA512

    5323e5be565759592e84521af89807b1b52174b77363b7d2f8ca3f1348a4ab00df80e07fc82e71a185c0c6d9e7d318d91b9e3838055736ee691e8a6e271019d4

    Download Submit

  • C:\Users\Admin\2nob.exe
    Filesize

    1KB

    MD5

    3d570c210fb024b7cbf4b09e9633caa0

    SHA1

    25faced7d56d8eddbe7828c42f4dc5f585994f7a

    SHA256

    aad966dfa2ae28f8931dcf5391e83c07d54b68a4b0bd736d2ee14bf9c3cf3740

    SHA512

    a9a4622bd5a7a7ec275c9ad7e97772f4365f8cfac6b5e7e1f9e761b7d418d7ac1a52e1e6ab90c085babab9e143b974fcf44fba203e630d8d28bfcb1dd11f1935

    Download Submit

  • C:\Users\Admin\3nob.exe
    Filesize

    272KB

    MD5

    7ddee7ec4bd22ba0b43bc4105e5b7901

    SHA1

    9fb11a97faff55730d5f838db2bfd5dbcce9f0b6

    SHA256

    e765624ac2a2e40e95befcf847804345e74d3a35872f279c5d86f6a0dc51071f

    SHA512

    c1307d2851949d8809a71f3255cabfb18c2b9e5a41633bf09192ccf778026f894e0b6564502763bac440b1442e2b6fcff90e8b0090b9503290bd140875ea62fc

    Download Submit

  • C:\Users\Admin\AppData\Roaming\A6A96\6F92.6A9
    Filesize

    600B

    MD5

    06271584bb50ffba5efbaeb14a25252c

    SHA1

    cb7806d89b23562e9ecac2456c8838de6f1c9a7d

    SHA256

    9a3407de338956cc51426d1322ef3081c8f64f386a300ad6f9351de3bb0b8717

    SHA512

    581517e0ad4f56532ce27fb51421c20a7a88be801bf24d51d2bdf8802f6b6351a6fa215033eb80b181b4b8cad5f47552a7bcad46a331b7c2819af55c3ef8c5fb

    Download Submit

  • C:\Users\Admin\AppData\Roaming\A6A96\6F92.6A9
    Filesize

    897B

    MD5

    0536693024e452c275bd239e1ac52085

    SHA1

    0628804cd88e0896bd781443ca3d779f9205412a

    SHA256

    e4c80362fa69c0611e79f76ad19c923a1db1b8a82d5f842f440b7fe6a67dc4c4

    SHA512

    5cbacca89d0ac9ec329a180be9ebacd2178287afaf9b05b5d9f11a0d69797b584e6f0b97b7152288fe5b569058927e2261798294a36c3c46001337aa53cfa159

    Download Submit

  • C:\Users\Admin\AppData\Roaming\A6A96\6F92.6A9
    Filesize

    1KB

    MD5

    b6f6788bd284e192dd1882d14333f3b7

    SHA1

    36c380087613f808c604b93e406ad67a45ad163c

    SHA256

    13d0fbb28de36e98bded8c9f4df5b791a7bdc4253647beff1ba09340df579dac

    SHA512

    a6d175b46ea9e100706730ffd13ce1b3b5380ed383b31a479c56489968c5e2bb72b2c9b6d0314cc5cd3be918e27b90534c83c5dcd6c65ad455335da2095da8e5

    Download Submit

  • \Program Files (x86)\LP\F37A\FEF8.tmp
    Filesize

    96KB

    MD5

    74a1e9547eb8c42e9ca482c5c8bdd261

    SHA1

    c56c60e84b4ef45065289636cfdfab21654acdb3

    SHA256

    f4ac8ead1ff2f95c2b50405531d433d7af912b8f848095d3cb00401576ee90fb

    SHA512

    ae90627a5f1485383b6de178aea4b36f9e44891d78fe5a274d1632727dd71906061323725a7c3c106b039cb65e10ea7e9c7d277ce35fb0ac6458fdc3e346ecb9

    Download Submit

  • \Users\Admin\2nob.exe
    Filesize

    148KB

    MD5

    b7146cf0b0ce852ffb2edc1b43499d36

    SHA1

    7a65b2d9a243f0a9d5e1d22e19619c9b057cfdf7

    SHA256

    3c553adafe4adc74c390d9190aca168b822a902bbab695988de7efe30b2c3f4d

    SHA512

    d182fb2afe61832da56b7446de87ca8f65965b7a0cc284dd4d51df0453d304c157e2dea302239f038e71f73f7dd662d138903366367601b42aa3c4b03416a711

    Download Submit

  • \Users\Admin\naoquo.exe
    Filesize

    180KB

    MD5

    790652deb064b56f35df2755aa75d836

    SHA1

    43c010ef7aab7696383888d394ac85bfda57866d

    SHA256

    c658fe61eff83aa4fba88ab5925b3b4488ef4350163e638d65e5deba84cc7ff9

    SHA512

    359657ac9a740a7bf4e14c5ca0f7c15436860db7548ddbdf8c602e2d95a6cf1d4bc3e1203ab2128c61f913aeb8fd5cc031d7b0ad3e9b7a61609b65fd6d87d7d5

    Download Submit

  • \Users\Admin\vrSlJ6C3.exe
    Filesize

    180KB

    MD5

    7401ba7763fe55ddc93dd8bac9ec9879

    SHA1

    0dcdcf981aa98b878e311626478bf71545051ecd

    SHA256

    4cba3615f537b6273a7fa8be2f96942b27dc858fa1cd217f8db1ab1a5ffb21ab

    SHA512

    57b744717249d6e97b90a09c2a5e5636df6ebc0f6c1a48fac27ce536391b3bc31b1554e1ac252aa26d40f15b7f039d6c9b25df782db0ab55155284fc9d601d8c

    Download Submit

  • memory/1160-354-0x0000000000880000-0x0000000000980000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/1160-492-0x0000000000880000-0x0000000000980000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/1160-491-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/1160-499-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/1160-353-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/1376-217-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

    Download

  • memory/1376-216-0x0000000000530000-0x0000000000630000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/1448-64-0x0000000000400000-0x0000000000455000-memory.dmp

    Filesize

    340KB

    Download

  • memory/1448-76-0x0000000000400000-0x0000000000455000-memory.dmp

    Filesize

    340KB

    Download

  • memory/1448-74-0x0000000000400000-0x0000000000455000-memory.dmp

    Filesize

    340KB

    Download

  • memory/1448-57-0x0000000000400000-0x0000000000455000-memory.dmp

    Filesize

    340KB

    Download

  • memory/1448-59-0x0000000000400000-0x0000000000455000-memory.dmp

    Filesize

    340KB

    Download

  • memory/1448-69-0x0000000000400000-0x0000000000455000-memory.dmp

    Filesize

    340KB

    Download

  • memory/1448-53-0x0000000000400000-0x0000000000455000-memory.dmp

    Filesize

    340KB

    Download

  • memory/1460-142-0x00000000005E0000-0x00000000006E0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/1460-141-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

    Download

  • memory/1460-134-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

    Download

  • memory/1460-130-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

    Download

  • memory/1460-129-0x00000000005E0000-0x00000000006E0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/1460-128-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

    Download

  • memory/1976-113-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1976-82-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1976-109-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1976-108-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1976-112-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1976-88-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1976-98-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1976-102-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1976-107-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1976-106-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2272-362-0x0000000000916000-0x0000000000936000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2272-361-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

    Download

  • memory/2432-38-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2460-209-0x0000000004000000-0x0000000004001000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2460-485-0x0000000004000000-0x0000000004001000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2700-86-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

    Download

  • memory/2700-87-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

    Download

  • memory/2700-126-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

    Download

  • memory/2700-84-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

    Download

  • memory/2700-70-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

    Download

  • memory/2700-65-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

    Download

  • memory/2700-79-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

    Download

  • memory/2700-72-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

    Download

  • memory/3024-55-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/3024-61-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/3024-48-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/3024-56-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/3024-123-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/3024-45-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/3024-52-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/3024-43-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/3024-41-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/3024-51-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download