Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

26f18e04a1...30.exe

windows7-x64

10

26f18e04a1...30.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    158s
  • max time network
    159s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    31/12/2023, 03:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    26f18e04a196e2e85d8297086b338e30.exe

  • Size

    288KB

  • MD5

    26f18e04a196e2e85d8297086b338e30

  • SHA1

    245e479278a7ca0356c9888e246f9e506739768b

  • SHA256

    b136434e8995180965964fa8b46b50173b6a6f500c80fc5a2b548a008d749493

  • SHA512

    ddde4d05a0b45249784af0aa68892a453b3f7cea46097ced149967702facc34047e6975f661a734a115b946f66b0705d929ecab64b3b4f690ba07660eaa6815c

  • SSDEEP

    6144:xX8JXgMQUXu+9qjCTWeqKas8hiAHlkyvbhA5qLXtE8VZP6lnrlZdgpP:uGM7u+xWEAyeAGy8V168P

Score
10/10
ponydiscoveryevasionpersistenceratspywarestealerupx

Malware Config

Signatures

  • Modifies security service 2 TTPs 1 IoCs
    evasion
  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

    ratspywarestealerpony
  • Disables taskbar notifications via registry modification
    evasion
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 3 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of FindShellTrayWindow 29 IoCs
  • Suspicious use of SendNotifyMessage 23 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\26f18e04a196e2e85d8297086b338e30.exe
    "C:\Users\Admin\AppData\Local\Temp\26f18e04a196e2e85d8297086b338e30.exe"
    1⤵
    • Modifies security service
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2948
    • C:\Users\Admin\AppData\Local\Temp\26f18e04a196e2e85d8297086b338e30.exe
      C:\Users\Admin\AppData\Local\Temp\26f18e04a196e2e85d8297086b338e30.exe startC:\Users\Admin\AppData\Roaming\41708\E5071.exe%C:\Users\Admin\AppData\Roaming\41708
      2⤵
        PID:432
      • C:\Users\Admin\AppData\Local\Temp\26f18e04a196e2e85d8297086b338e30.exe
        C:\Users\Admin\AppData\Local\Temp\26f18e04a196e2e85d8297086b338e30.exe startC:\Program Files (x86)\08E64\lvvm.exe%C:\Program Files (x86)\08E64
        2⤵
          PID:1572
        • C:\Program Files (x86)\LP\7174\2C4E.tmp
          "C:\Program Files (x86)\LP\7174\2C4E.tmp"
          2⤵
          • Executes dropped EXE
          PID:756
      • C:\Windows\system32\msiexec.exe
        C:\Windows\system32\msiexec.exe /V
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2580
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Modifies Installed Components in the registry
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2792

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\LP\7174\2C4E.tmp
        Filesize

        95KB

        MD5

        317d18bbaa3e87436cfb31d41048fc32

        SHA1

        fe5b525d724089e00af06e26145aaa3eec45b8a8

        SHA256

        8a0296fe3e827f00688e463022975f7cb7dbaa9b1978ee68f6282a2de279c1c3

        SHA512

        e007f02cb8ff8f3a4b42452cd8fd53007e3f42cf97f5835b2497b822b5557394d140a7e655263f0a3c2a69665b6ef0cd19990d88d123c479f23b733aff98b7af

        Download Submit

      • C:\Users\Admin\AppData\Roaming\41708\8E64.170
        Filesize

        1KB

        MD5

        f14db577d78839155185a2b5ffeeab0c

        SHA1

        a54df2919960c5f245692a1613c2e264c33d55fb

        SHA256

        7e50d2cd98be62112e5b423fac43766f73959cabb3576fa257348d79008faa75

        SHA512

        c5c8eab989f31fddab4896aedfe86dde0942e3c2fdc90f167945eb7d24ccdc43809580a627772eb1ec430ebca1af2555fc0c5a4f0bfcdb78de4a88a72a3488f4

        Download Submit

      • C:\Users\Admin\AppData\Roaming\41708\8E64.170
        Filesize

        600B

        MD5

        2eba2819ae33da19179fbd4e8c163c71

        SHA1

        4e884bf0876c3f33e6e35bb825c535fd0ac5d731

        SHA256

        cca2634cb494e264dcf1ecea90fec2ddf50c3c2d396fe1f195222301133daf43

        SHA512

        dec49f9d41c69d6471b3b7b0944ce8ec5ca93cbcf2cbab69c069268df4857c2bc2be3d768e3d90aa63ddaadc64d5c13fff1f310758236b897c1683dfa056feb1

        Download Submit

      • C:\Users\Admin\AppData\Roaming\41708\8E64.170
        Filesize

        300B

        MD5

        7a5bbeb0323e02b068ffd8ae35c6c6cf

        SHA1

        19bc88ea2d9334587a6acd2a8b3d128e56a843c0

        SHA256

        788952f323183e72e7e642bab203668081bb5e45c16b8e967adc83c424ff312e

        SHA512

        ef422ebe9ba9ac594e42dabecb5473aead8153d535658203372ca9f0044cf6ccd3a8717f71f3f500128261a4f0e1934ffa4862c019d70abe38fe9fc44597a48e

        Download Submit

      • \Program Files (x86)\LP\7174\2C4E.tmp
        Filesize

        102KB

        MD5

        3dd4e5cd0cb32f735268a740c647065a

        SHA1

        5e88431137152bf76f61d06b1c2086ecd5082a76

        SHA256

        a1cb303db454c3faa73fa6705c9a7ce126110615879047fbd579d2c813fba535

        SHA512

        37463297b6e127dc2689f2b998b14042189baa26727ab1770fc482035b09df2cd3f349fb11038fabde84d0b4a5a07bfc6b5c619001ddc70c9c37c0aa87b3fe04

        Download Submit

      • memory/432-49-0x0000000000400000-0x000000000046B000-memory.dmp

        Filesize

        428KB

        Download

      • memory/432-50-0x0000000000635000-0x000000000067C000-memory.dmp

        Filesize

        284KB

        Download

      • memory/756-330-0x0000000000400000-0x000000000041D000-memory.dmp

        Filesize

        116KB

        Download

      • memory/756-328-0x00000000002B0000-0x00000000003B0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/756-327-0x0000000000400000-0x000000000041D000-memory.dmp

        Filesize

        116KB

        Download

      • memory/1572-211-0x0000000000400000-0x000000000046B000-memory.dmp

        Filesize

        428KB

        Download

      • memory/1572-213-0x0000000000510000-0x0000000000610000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1572-212-0x0000000000400000-0x000000000046B000-memory.dmp

        Filesize

        428KB

        Download

      • memory/2792-206-0x0000000004040000-0x0000000004041000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2792-331-0x0000000004040000-0x0000000004041000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2948-225-0x0000000000400000-0x000000000046B000-memory.dmp

        Filesize

        428KB

        Download

      • memory/2948-48-0x0000000000400000-0x000000000046B000-memory.dmp

        Filesize

        428KB

        Download

      • memory/2948-102-0x0000000000400000-0x000000000046B000-memory.dmp

        Filesize

        428KB

        Download

      • memory/2948-51-0x0000000000580000-0x0000000000680000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2948-42-0x0000000000400000-0x000000000046B000-memory.dmp

        Filesize

        428KB

        Download

      • memory/2948-3-0x0000000000400000-0x000000000046B000-memory.dmp

        Filesize

        428KB

        Download

      • memory/2948-329-0x0000000000400000-0x000000000046B000-memory.dmp

        Filesize

        428KB

        Download

      • memory/2948-2-0x0000000000580000-0x0000000000680000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2948-1-0x0000000000400000-0x000000000046B000-memory.dmp

        Filesize

        428KB

        Download

      • memory/2948-334-0x0000000000400000-0x000000000046B000-memory.dmp

        Filesize

        428KB

        Download