Overview

overview

10

Static

static

3

015e068194...fc.exe

windows7-x64

10

015e068194...fc.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    29/12/2023, 19:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    015e06819449a0aba6b2aa3a5c05e4fc.exe

  • Size

    277KB

  • MD5

    015e06819449a0aba6b2aa3a5c05e4fc

  • SHA1

    1a9cfd1445d5e220b15afc1b3cc87c692306bd4d

  • SHA256

    1b3176504812227a816d0905092ecc6d9703b9bd677d159669bcd090df2cac83

  • SHA512

    0e4fda2845e0f120a4ca78545fb33807f4b44b5b9e3916a62c3554275050114de41e2d9871d54a7b9adaddc273ab212c24d7da6b8cb291b80cea47a82ffe0daf

  • SSDEEP

    6144:4t0XPlWWZwrjVNVa4pKpo5YuKMQEWBe1t186ctjqr:4WXJZwfVNwTuYuTkEW4

Score
10/10
ponydiscoveryevasionpersistenceratspywarestealerupx

Malware Config

Signatures

  • Modifies security service 2 TTPs 1 IoCs
    evasion
  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

    ratspywarestealerpony
  • Disables taskbar notifications via registry modification
    evasion
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 3 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of FindShellTrayWindow 28 IoCs
  • Suspicious use of SendNotifyMessage 17 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\015e06819449a0aba6b2aa3a5c05e4fc.exe
    "C:\Users\Admin\AppData\Local\Temp\015e06819449a0aba6b2aa3a5c05e4fc.exe"
    1⤵
    • Modifies security service
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2240
    • C:\Users\Admin\AppData\Local\Temp\015e06819449a0aba6b2aa3a5c05e4fc.exe
      C:\Users\Admin\AppData\Local\Temp\015e06819449a0aba6b2aa3a5c05e4fc.exe startC:\Users\Admin\AppData\Roaming\9F15B\B52A4.exe%C:\Users\Admin\AppData\Roaming\9F15B
      2⤵
        PID:1968
      • C:\Users\Admin\AppData\Local\Temp\015e06819449a0aba6b2aa3a5c05e4fc.exe
        C:\Users\Admin\AppData\Local\Temp\015e06819449a0aba6b2aa3a5c05e4fc.exe startC:\Program Files (x86)\5B598\lvvm.exe%C:\Program Files (x86)\5B598
        2⤵
          PID:804
        • C:\Program Files (x86)\LP\A459\9000.tmp
          "C:\Program Files (x86)\LP\A459\9000.tmp"
          2⤵
          • Executes dropped EXE
          PID:2352
      • C:\Windows\system32\msiexec.exe
        C:\Windows\system32\msiexec.exe /V
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2764
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Modifies Installed Components in the registry
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2444

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\9F15B\B598.F15
        Filesize

        600B

        MD5

        8eb96edb32a5c6fe1d793e4b84b639f0

        SHA1

        7cf8bdef0a624317cdb8d33e6eb2faf41d965198

        SHA256

        ebbbe5a151f71fcab37db115961c070ef973a41edfcfdaf55462c27a3d6a47f7

        SHA512

        94008397c16b2f0cc314bff20e765f7fff3b135c32d70eafb401134532178fcc1d6fe9441f57da60b922e3bcf188b7a41e524314724058814becd5bbf9563d82

        Download Submit

      • C:\Users\Admin\AppData\Roaming\9F15B\B598.F15
        Filesize

        996B

        MD5

        728ed8474ba31aef985311711a04397a

        SHA1

        2f8ca1d6f090027744d7c082c98c714052658271

        SHA256

        c643b1143f6662ae9f543e93b3806d04acc29283e62a375e7288a878e30a3a96

        SHA512

        a18aaf1feb5b65fcaf866ea8b83975043199901c1ac6ad9a81f2b0320642582ed058fd4254284f65ee847143f7493b6c79a42005f6417540efe202054f4002d4

        Download Submit

      • \Program Files (x86)\LP\A459\9000.tmp
        Filesize

        98KB

        MD5

        452ca0be44887092384b55fbb84d79c7

        SHA1

        c51135c52fdff98dacc66b1bbb5dd215b90d3a8b

        SHA256

        fe1aa7fbb7f031ee7e5213dd6656d1502f127f6ddbd5b9aab8f6d880031ea688

        SHA512

        9fb18a250f93fba63cf40e8efe58ef687ad197f764f1f16b23a9cbf6efc64fe60a75b523ff1c8876fa70f597f8149139410396c03db58294fce5019ea627ff07

        Download Submit

      • memory/804-83-0x00000000005D9000-0x000000000061E000-memory.dmp

        Filesize

        276KB

        Download

      • memory/804-82-0x0000000000400000-0x000000000046A000-memory.dmp

        Filesize

        424KB

        Download

      • memory/1968-13-0x0000000000400000-0x000000000046A000-memory.dmp

        Filesize

        424KB

        Download

      • memory/1968-14-0x0000000000609000-0x000000000064E000-memory.dmp

        Filesize

        276KB

        Download

      • memory/2240-173-0x0000000000400000-0x000000000046A000-memory.dmp

        Filesize

        424KB

        Download

      • memory/2240-2-0x0000000000610000-0x0000000000710000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2240-84-0x0000000000610000-0x0000000000710000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2240-11-0x0000000000400000-0x000000000046A000-memory.dmp

        Filesize

        424KB

        Download

      • memory/2240-80-0x0000000000400000-0x000000000046A000-memory.dmp

        Filesize

        424KB

        Download

      • memory/2240-1-0x0000000000400000-0x000000000046A000-memory.dmp

        Filesize

        424KB

        Download

      • memory/2240-191-0x0000000000400000-0x000000000046A000-memory.dmp

        Filesize

        424KB

        Download

      • memory/2352-189-0x0000000000400000-0x000000000041C000-memory.dmp

        Filesize

        112KB

        Download

      • memory/2352-190-0x0000000000230000-0x0000000000330000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2352-193-0x0000000000400000-0x000000000041C000-memory.dmp

        Filesize

        112KB

        Download

      • memory/2444-172-0x0000000004510000-0x0000000004511000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2444-195-0x0000000004510000-0x0000000004511000-memory.dmp

        Filesize

        4KB

        Download