Overview

overview

10

Static

static

3

33839378c2...b6.exe

windows7-x64

10

33839378c2...b6.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    25/12/2023, 18:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    33839378c2e7d9d7389f59b4ec7259b6.exe

  • Size

    270KB

  • MD5

    33839378c2e7d9d7389f59b4ec7259b6

  • SHA1

    4f09a1d7c231ed9e4500e6ae47664331d35a6f91

  • SHA256

    f0e7b3877666f3bbfdac4dc42d4bf7507a90d88bfdec1b47cb04151ce55dc029

  • SHA512

    a69a3d4319e58f6071bd02e2066fc6d8d3e7334f63e285b83dc8a3213087398f014741a1fcb8104c9106e258a98aee347a5996c94fe425912a5c7d5dea84a88f

  • SSDEEP

    6144:q7chyTTTWcvX2WcN7E1PrLEc1js20n7tIs2MS8TYoCh:q7zTKMX2Wk7mrDsh7tIs2KMoC

Score
10/10
ponydiscoveryevasionpersistenceratspywarestealerupx

Malware Config

Signatures

  • Modifies security service 2 TTPs 1 IoCs
    evasion
  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

    ratspywarestealerpony
  • Disables taskbar notifications via registry modification
    evasion
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 3 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of FindShellTrayWindow 28 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\33839378c2e7d9d7389f59b4ec7259b6.exe
    "C:\Users\Admin\AppData\Local\Temp\33839378c2e7d9d7389f59b4ec7259b6.exe"
    1⤵
    • Modifies security service
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1732
    • C:\Users\Admin\AppData\Local\Temp\33839378c2e7d9d7389f59b4ec7259b6.exe
      C:\Users\Admin\AppData\Local\Temp\33839378c2e7d9d7389f59b4ec7259b6.exe startC:\Users\Admin\AppData\Roaming\7FB5B\27024.exe%C:\Users\Admin\AppData\Roaming\7FB5B
      2⤵
        PID:2852
      • C:\Users\Admin\AppData\Local\Temp\33839378c2e7d9d7389f59b4ec7259b6.exe
        C:\Users\Admin\AppData\Local\Temp\33839378c2e7d9d7389f59b4ec7259b6.exe startC:\Program Files (x86)\5BA21\lvvm.exe%C:\Program Files (x86)\5BA21
        2⤵
          PID:1148
        • C:\Program Files (x86)\LP\24C7\9859.tmp
          "C:\Program Files (x86)\LP\24C7\9859.tmp"
          2⤵
          • Executes dropped EXE
          PID:2152
      • C:\Windows\system32\msiexec.exe
        C:\Windows\system32\msiexec.exe /V
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2756
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Modifies Installed Components in the registry
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:908

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\7FB5B\BA21.FB5
        Filesize

        996B

        MD5

        b517585d622472d667edb1b107270a57

        SHA1

        fde0e6043492c99152b8cf087f0a2b57bfcdf7b1

        SHA256

        a9b9b31ea9a7af01d7b99b75941c00c1b1e999f3347a06dde428e336982b0a99

        SHA512

        c83b583c94c9a033cb8af3744de1d06c8875ac85c189ef2c3b31821939eec11eb6f539989972d456f3a213c14a6505df0b5cb7e1affeffa1c6868eb626b8f321

        Download Submit

      • C:\Users\Admin\AppData\Roaming\7FB5B\BA21.FB5
        Filesize

        1KB

        MD5

        301ddb8999c38b36c5f6765a3eca284f

        SHA1

        fce68a5e90381fae3f42ecbba48665bc28c5306d

        SHA256

        4d61321d994fbc275ae9dde482e684d0217d1f5e1d75c768fc629056983c5075

        SHA512

        e09f247420a611e050c354ecfe78e1df55433335dd302ddc8d02c760488e746866c66a5fd6f5ad2e23cc1c02e3c03895c46920cdbbb2f0bc05188d6080d40fb9

        Download Submit

      • C:\Users\Admin\AppData\Roaming\7FB5B\BA21.FB5
        Filesize

        600B

        MD5

        c6ac82f62f000183b1d81bdb74877485

        SHA1

        4531a558f013cd351f3e6a389391739750ca54d2

        SHA256

        75314e54187d236230432e3c6b7a2214ec952af1adc3bbda70846774d061c10b

        SHA512

        d4f0467ba3b3da861ec2806c610d635cae019e06436e93d6d0be3c42e9bc4fbaac1aade42700beb648135b283afbc8b43e9e08afb5c7e83a2c748f7139a2afd9

        Download Submit

      • C:\Users\Admin\AppData\Roaming\7FB5B\BA21.FB5
        Filesize

        300B

        MD5

        3b592ea145183e01f106ae410598979a

        SHA1

        2058f36fe05ad0eac1997eb39b09de537903053a

        SHA256

        5df3dd54cd674a4f20db844496be8ff97f1ad46dcd52bbb5e1fd70a614f7ba5d

        SHA512

        ba8b93c36c3c8b3df6277d2bdca2d0993aa651ed1d3ed14647f33d904e8bc18b8b633758aa009caf3c804e1191001eda53153cf6827281d7b9fa4d513331d5ea

        Download Submit

      • \Program Files (x86)\LP\24C7\9859.tmp
        Filesize

        96KB

        MD5

        c7fd5af753f98f1417ae0231c6020ea8

        SHA1

        5500fb4e4f2f45bdfca8f30eb87ca2bc9f943484

        SHA256

        afd67533c3e1be97290f16074059ec0a21a23c8c62c21e96e21e1572cd559b68

        SHA512

        44bfc2eb76ceba244a0912d5970f0ec04162268c2af293b89d0c4d51b3a6502e1349e7089a1138b31c51775d1b71adedc48f40425ed5d9f6e7062348ad06bab9

        Download Submit

      • memory/908-235-0x0000000004220000-0x0000000004221000-memory.dmp

        Filesize

        4KB

        Download

      • memory/908-147-0x0000000004220000-0x0000000004221000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1148-145-0x0000000002340000-0x0000000002387000-memory.dmp

        Filesize

        284KB

        Download

      • memory/1148-144-0x0000000000400000-0x000000000046A000-memory.dmp

        Filesize

        424KB

        Download

      • memory/1732-42-0x0000000000400000-0x000000000046A000-memory.dmp

        Filesize

        424KB

        Download

      • memory/1732-103-0x0000000000400000-0x000000000046A000-memory.dmp

        Filesize

        424KB

        Download

      • memory/1732-146-0x0000000002230000-0x0000000002330000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1732-1-0x0000000000400000-0x000000000046A000-memory.dmp

        Filesize

        424KB

        Download

      • memory/1732-237-0x0000000000400000-0x000000000046A000-memory.dmp

        Filesize

        424KB

        Download

      • memory/1732-205-0x0000000000400000-0x000000000046A000-memory.dmp

        Filesize

        424KB

        Download

      • memory/1732-143-0x0000000000400000-0x000000000046A000-memory.dmp

        Filesize

        424KB

        Download

      • memory/1732-231-0x0000000000400000-0x000000000046A000-memory.dmp

        Filesize

        424KB

        Download

      • memory/1732-2-0x0000000002230000-0x0000000002330000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1732-234-0x0000000000400000-0x000000000046A000-memory.dmp

        Filesize

        424KB

        Download

      • memory/2152-229-0x0000000000400000-0x000000000041B000-memory.dmp

        Filesize

        108KB

        Download

      • memory/2152-233-0x0000000000400000-0x000000000041B000-memory.dmp

        Filesize

        108KB

        Download

      • memory/2152-230-0x00000000004D0000-0x00000000005D0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2852-44-0x0000000000400000-0x000000000046A000-memory.dmp

        Filesize

        424KB

        Download

      • memory/2852-45-0x0000000002280000-0x00000000022C7000-memory.dmp

        Filesize

        284KB

        Download