Overview

overview

10

Static

static

3

1558f2eaa2...7d.exe

windows7-x64

10

1558f2eaa2...7d.exe

windows10-2004-x64

1

Analysis

  • max time kernel
    149s
  • max time network
    132s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    30-12-2023 10:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1558f2eaa2baa9e5082ccdb9f723fa7d.exe

  • Size

    282KB

  • MD5

    1558f2eaa2baa9e5082ccdb9f723fa7d

  • SHA1

    2593e882e0abf4e1dcb2a6140d20516d00857033

  • SHA256

    6f4dfc4f923e53bb1449136b508429332461eb1a082ae3ed6d9630b6e38bc060

  • SHA512

    86f42935d2d0b01562a93173357b7af793b7e1ba8b50d8ad353a4b978401261fc3a8b0bfee8391df0c1040793f660a0cc2e1cbc6a04c526c2eca1361dbdd2206

  • SSDEEP

    6144:crPraEYF57R69Um+nEY0kqk4PXzCPamiHtRNCI6X:2aXF9R6ym+skK07mKX

Score
10/10
ponydiscoveryevasionpersistenceratspywarestealerupx

Malware Config

Signatures

  • Modifies security service 2 TTPs 1 IoCs
    evasion
  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

    ratspywarestealerpony
  • Disables taskbar notifications via registry modification
    evasion
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 3 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of FindShellTrayWindow 28 IoCs
  • Suspicious use of SendNotifyMessage 22 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\1558f2eaa2baa9e5082ccdb9f723fa7d.exe
    "C:\Users\Admin\AppData\Local\Temp\1558f2eaa2baa9e5082ccdb9f723fa7d.exe"
    1⤵
    • Modifies security service
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1276
    • C:\Users\Admin\AppData\Local\Temp\1558f2eaa2baa9e5082ccdb9f723fa7d.exe
      C:\Users\Admin\AppData\Local\Temp\1558f2eaa2baa9e5082ccdb9f723fa7d.exe startC:\Users\Admin\AppData\Roaming\AB7EF\B52A4.exe%C:\Users\Admin\AppData\Roaming\AB7EF
      2⤵
        PID:1844
      • C:\Program Files (x86)\LP\A45A\E080.tmp
        "C:\Program Files (x86)\LP\A45A\E080.tmp"
        2⤵
        • Executes dropped EXE
        PID:2572
      • C:\Users\Admin\AppData\Local\Temp\1558f2eaa2baa9e5082ccdb9f723fa7d.exe
        C:\Users\Admin\AppData\Local\Temp\1558f2eaa2baa9e5082ccdb9f723fa7d.exe startC:\Program Files (x86)\EFDE9\lvvm.exe%C:\Program Files (x86)\EFDE9
        2⤵
          PID:2536
      • C:\Windows\system32\msiexec.exe
        C:\Windows\system32\msiexec.exe /V
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3040
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Modifies Installed Components in the registry
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2780

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\AB7EF\FDE9.B7E
        Filesize

        1KB

        MD5

        4dd42b868444207ad8503625cc0f904c

        SHA1

        8ab1880b1e8f724b38943095c4885a1a2bcc30d2

        SHA256

        982900b504c7f3f0508d2b16eacbd95da47514269499b549dcd1ade0eabd7f55

        SHA512

        4f93bbc2eebebe49b3c062fb7d6a41cb6dc8cf4ce4ac0d74917cfb9dc47264f402c29b8949ec3229efcf9ee61a518c460929bf284be3afd5d4a6d4a54cf5b74f

        Download Submit

      • C:\Users\Admin\AppData\Roaming\AB7EF\FDE9.B7E
        Filesize

        600B

        MD5

        ff14fa828fc01102547264fed96cf8f3

        SHA1

        a1bb5bf7a7285cf4f3f0e3449561464e69f45b2e

        SHA256

        5789da84891be215e55dcafcd3a7d2f1f4338571ac6393129f7c66bea5e2e63f

        SHA512

        4ca1c9fc932e24153b715b4bc2a32ac8ce1c6ccd0faec079aa36aabd8720d5541c280e7a3a9c7b35a76bca68733c981099c69367075395448357f69b2ed8b85e

        Download Submit

      • C:\Users\Admin\AppData\Roaming\AB7EF\FDE9.B7E
        Filesize

        1KB

        MD5

        ac401fd972204383791bdac49258f445

        SHA1

        73291f305a8c142c333d42b60a93e955c28fcf93

        SHA256

        c02527a80f777a4e474479a6eb2b695da95ff112c3680a52e81a0ba552e08fa6

        SHA512

        01568ac6ebf60b4f1893ae03b8aa1496b149802233e999da845e0efc969865048a1f4e48733765d584d1263ad88698d4fcb60b12d8790f552e422706babd115c

        Download Submit

      • C:\Users\Admin\AppData\Roaming\AB7EF\FDE9.B7E
        Filesize

        897B

        MD5

        3932981bf77b2cf16d525eecb5ab13fa

        SHA1

        7e57dbc093836c0028570a9586d606461f896ef3

        SHA256

        213f3875c96631ccd1d52724dbbdc6acc9a32453076f5ecb7de41ddf93d11c80

        SHA512

        f5f70abff35134beb4aebdd0a036dbc630f39c0995367837e6dc1c9fa7a4be119085874e93e4ac492cbe6618f9ee8f0726b3a867a7baef3b211c984ec4ced281

        Download Submit

      • \Program Files (x86)\LP\A45A\E080.tmp
        Filesize

        99KB

        MD5

        9d83b6d4629b9d0e96bbdb171b0dc5db

        SHA1

        e9bed14c44fe554e0e8385096bbacca494da30b1

        SHA256

        d3a6060ff059a7724a483d82025a9231a61143839b633a6d3842a58ccb5a7d7d

        SHA512

        301187bdcab5ca9942b2c7b7114e37e53e58b5661eef50c389622950d7691993a29f5a825132cf499ca73cdb6637d3f58afdc024cb04fac2b8e01f752209572c

        Download Submit

      • memory/1276-49-0x0000000000400000-0x000000000046C000-memory.dmp

        Filesize

        432KB

        Download

      • memory/1276-51-0x0000000000400000-0x000000000046C000-memory.dmp

        Filesize

        432KB

        Download

      • memory/1276-214-0x0000000000400000-0x000000000046C000-memory.dmp

        Filesize

        432KB

        Download

      • memory/1276-50-0x0000000001CA0000-0x0000000001DA0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1276-3-0x0000000000400000-0x000000000046C000-memory.dmp

        Filesize

        432KB

        Download

      • memory/1276-2-0x0000000001CA0000-0x0000000001DA0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1276-1-0x0000000000400000-0x000000000046C000-memory.dmp

        Filesize

        432KB

        Download

      • memory/1276-140-0x0000000000400000-0x000000000046C000-memory.dmp

        Filesize

        432KB

        Download

      • memory/1844-53-0x0000000000400000-0x000000000046C000-memory.dmp

        Filesize

        432KB

        Download

      • memory/1844-55-0x0000000001C60000-0x0000000001D60000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1844-54-0x0000000000400000-0x000000000046C000-memory.dmp

        Filesize

        432KB

        Download

      • memory/2536-142-0x0000000001CF0000-0x0000000001D37000-memory.dmp

        Filesize

        284KB

        Download

      • memory/2536-141-0x0000000000400000-0x000000000046C000-memory.dmp

        Filesize

        432KB

        Download

      • memory/2572-138-0x0000000000400000-0x000000000041C000-memory.dmp

        Filesize

        112KB

        Download

      • memory/2572-73-0x0000000000400000-0x000000000041C000-memory.dmp

        Filesize

        112KB

        Download

      • memory/2572-74-0x00000000005B0000-0x00000000006B0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2780-207-0x0000000003FF0000-0x0000000003FF1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2780-56-0x0000000003FF0000-0x0000000003FF1000-memory.dmp

        Filesize

        4KB

        Download