Overview

overview

10

Static

static

3

1d44e3a2c1...a0.exe

windows7-x64

10

1d44e3a2c1...a0.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    131s
  • max time network
    166s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-01-2024 15:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1d44e3a2c13c11d8657db2981d3cafa0.exe

  • Size

    276KB

  • MD5

    1d44e3a2c13c11d8657db2981d3cafa0

  • SHA1

    9319d4f39dcc8ff8756c5c72417d00384308b1fb

  • SHA256

    9336fb8902065b2e50f365ef2f9e6fa2fa894e3d931ea2da1c187e326cdf2630

  • SHA512

    00fee93220a15c4d225cfc33454ea818355021168c63a0b075ee08ab3abcff541caa7a003a8cfa7291bd3a4de9f30c3b6639399812e5fce9f498cfa31c9c9a7a

  • SSDEEP

    6144:NI4N1tJsKnwnZ+hlKfQQ2AF52aFzWSyhRf4xyi4Co1W9UeRvXgAT:NbHIfQQ2ArpWJh9ic1iU6ws

Score
10/10
ponydiscoveryevasionpersistenceratspywarestealerupx

Malware Config

Signatures

  • Modifies security service 2 TTPs 1 IoCs
    evasion
  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

    ratspywarestealerpony
  • Disables taskbar notifications via registry modification
    evasion
  • Modifies Installed Components in the registry 2 TTPs 6 IoCs
    persistence
  • Executes dropped EXE 1 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates connected drives 3 TTPs 12 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 3 IoCs
  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\1d44e3a2c13c11d8657db2981d3cafa0.exe
    "C:\Users\Admin\AppData\Local\Temp\1d44e3a2c13c11d8657db2981d3cafa0.exe"
    1⤵
    • Modifies security service
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2064
    • C:\Users\Admin\AppData\Local\Temp\1d44e3a2c13c11d8657db2981d3cafa0.exe
      C:\Users\Admin\AppData\Local\Temp\1d44e3a2c13c11d8657db2981d3cafa0.exe startC:\Users\Admin\AppData\Roaming\53B1A\6B34A.exe%C:\Users\Admin\AppData\Roaming\53B1A
      2⤵
        PID:4836
      • C:\Users\Admin\AppData\Local\Temp\1d44e3a2c13c11d8657db2981d3cafa0.exe
        C:\Users\Admin\AppData\Local\Temp\1d44e3a2c13c11d8657db2981d3cafa0.exe startC:\Program Files (x86)\1A31F\lvvm.exe%C:\Program Files (x86)\1A31F
        2⤵
          PID:4916
        • C:\Program Files (x86)\LP\4AD5\5985.tmp
          "C:\Program Files (x86)\LP\4AD5\5985.tmp"
          2⤵
          • Executes dropped EXE
          PID:4008
      • C:\Windows\system32\msiexec.exe
        C:\Windows\system32\msiexec.exe /V
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4004
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Modifies Installed Components in the registry
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:3152
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:2964
      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
        1⤵
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:4696
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Modifies Installed Components in the registry
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:3132
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:4872
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Modifies Installed Components in the registry
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:804
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:3512
      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
        1⤵
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:3468
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Modifies Installed Components in the registry
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies registry class
        • Suspicious use of SendNotifyMessage
        PID:4528
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:4740
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Modifies Installed Components in the registry
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies registry class
        • Suspicious use of SendNotifyMessage
        PID:1564
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:4672
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Modifies Installed Components in the registry
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies registry class
        PID:2152
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
        • Suspicious use of SetWindowsHookEx
        PID:2536
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
          PID:4616

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files (x86)\LP\4AD5\5985.tmp
          Filesize

          97KB

          MD5

          b0ddb668bf2c3bd23a65e4bcfb6c03d4

          SHA1

          7d07d6f63e4a9be1b00a6d57ddac5a8f7d70e094

          SHA256

          c871bd1447ef492e8f1247eff4fb659770f3d42e93d879f0539597a2a7ffd8e2

          SHA512

          ede99c39a65740e721bcc3c75dbb2117b0bb1d2f01688c2db0a9b26f2d153c93704f5eb797121c0f4550f528a6b6cbadbf3d46a10071b2bc77987c52a4831259

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
          Filesize

          471B

          MD5

          fcff0230b5d2518aa5bcb53e5cb6bd95

          SHA1

          84e02eab4dc8e963711ad054dda8073192c66f04

          SHA256

          8c0fad7b8bd59ddefd60d837653fae5bc4010ab28cbf658b4c3fe7092fc392c0

          SHA512

          a334311a9c0ec08264731a82e8f55b47cb3a21e3e95b0cda4881de5a523a81cc783ebfaedeb002a653f1cef71bcc0a3f6abc3e875cfc9b5db3a4ce637b29bc5b

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
          Filesize

          412B

          MD5

          6f84f8db963a8f469f8f809e48945bde

          SHA1

          f965a369286e5b1944a3672fd5e6dd1a169b651d

          SHA256

          f6e51758d7dccadaa8fa730310d713d77061e0f40ec4f51a57c3d6d1eb81e28c

          SHA512

          a2740122e59a68673d0ddba5a9be67bfbf8e3d26c6d8c907ed44cb6c2c9dfe5e952733b143b86918be2267920807fe7c36e373b4b8ab4e1282b7eb75a6865625

          Download Submit

        • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133486841263918952.txt
          Filesize

          74KB

          MD5

          c09e63e4b960a163934b3c29f3bd2cc9

          SHA1

          d3a43b35c14ae2e353a1a15c518ab2595f6a0399

          SHA256

          308deca5e1ef4d875fbe0aff3ce4b0b575b28e643dffda819d4390ec77faf157

          SHA512

          5ca3321034dff47e3afe0b0bdfaffc08782991660910a29375a8e0363794b78247282aba65dbd882ae225aa140ae63927dfd0946a441ee6fa64a1d8c146777b9

          Download Submit

        • C:\Users\Admin\AppData\Roaming\53B1A\A31F.3B1
          Filesize

          1KB

          MD5

          2230979fcc040b2b75ac6194d233f033

          SHA1

          fe0fe2017e86d3e5b04b8f9e2d1e9788e5f76060

          SHA256

          93e03897056c1e40fc1dd774f19aef3c11b232f5c0a7c7eb257dcb560ace1690

          SHA512

          052494dc6ce91c665d36ea3be5d64907fb7010be33bb672a0790df0b1f864dd82d0b05786f5249ee572ce57a3875cb3051597170561b49d3db39b373a029025a

          Download Submit

        • C:\Users\Admin\AppData\Roaming\53B1A\A31F.3B1
          Filesize

          600B

          MD5

          54688383615e43184912f1a1c4ed7dad

          SHA1

          5bda4f15b9cb2770392d6fef61041c1e5958296d

          SHA256

          588c52ba9bbd55e2d86f5c10f2a8b9fbd994a23be9b93a7f2aac22bc9202638c

          SHA512

          1675c0ed198773f25230ca28d1104839501b2271f3874e6b3755b00f07139de65250207ef7738e780692ac38f40d1994751bf5df04aa2cb188dc70fe298484f6

          Download Submit

        • C:\Users\Admin\AppData\Roaming\53B1A\A31F.3B1
          Filesize

          1KB

          MD5

          b61260d695a2fbdcb1bdb2fe8040a203

          SHA1

          dae9eca33b387ff1270408ff501b298939a6cf47

          SHA256

          0a2cefa34bfc0e0c55eb2b38f0567c577c968d769bd3164ae9e8106b2c87ca61

          SHA512

          43f32e593230034c28d7c587c842d1ecc865567392c65e11ef99e6a4b72760fdd63c4de60b5280f8ea3d9f5d69caaf13d539265bbf61a6962b4c33bacddbb497

          Download Submit

        • memory/2064-15-0x0000000000400000-0x000000000046A000-memory.dmp

          Filesize

          424KB

          Download

        • memory/2064-184-0x0000000000400000-0x000000000046A000-memory.dmp

          Filesize

          424KB

          Download

        • memory/2064-331-0x0000000000400000-0x000000000046A000-memory.dmp

          Filesize

          424KB

          Download

        • memory/2064-365-0x0000000000400000-0x000000000046A000-memory.dmp

          Filesize

          424KB

          Download

        • memory/2064-0-0x0000000000400000-0x000000000046A000-memory.dmp

          Filesize

          424KB

          Download

        • memory/2064-14-0x0000000000570000-0x0000000000670000-memory.dmp

          Filesize

          1024KB

          Download

        • memory/2064-3-0x0000000000400000-0x000000000046A000-memory.dmp

          Filesize

          424KB

          Download

        • memory/2064-2-0x0000000000570000-0x0000000000670000-memory.dmp

          Filesize

          1024KB

          Download

        • memory/3468-353-0x000001AD5ED20000-0x000001AD5ED40000-memory.dmp

          Filesize

          128KB

          Download

        • memory/3468-355-0x000001AD5F3C0000-0x000001AD5F3E0000-memory.dmp

          Filesize

          128KB

          Download

        • memory/3468-351-0x000001AD5EDD0000-0x000001AD5EDF0000-memory.dmp

          Filesize

          128KB

          Download

        • memory/4008-190-0x0000000000400000-0x000000000041C000-memory.dmp

          Filesize

          112KB

          Download

        • memory/4008-192-0x0000000000400000-0x000000000041C000-memory.dmp

          Filesize

          112KB

          Download

        • memory/4008-191-0x0000000000760000-0x0000000000860000-memory.dmp

          Filesize

          1024KB

          Download

        • memory/4528-344-0x0000000002F90000-0x0000000002F91000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4836-19-0x0000000000400000-0x000000000046A000-memory.dmp

          Filesize

          424KB

          Download

        • memory/4836-18-0x00000000006D0000-0x00000000007D0000-memory.dmp

          Filesize

          1024KB

          Download

        • memory/4836-17-0x0000000000400000-0x000000000046A000-memory.dmp

          Filesize

          424KB

          Download

        • memory/4916-188-0x0000000000682000-0x00000000006A5000-memory.dmp

          Filesize

          140KB

          Download

        • memory/4916-186-0x0000000000400000-0x000000000046A000-memory.dmp

          Filesize

          424KB

          Download

        • memory/4916-187-0x0000000000400000-0x000000000046A000-memory.dmp

          Filesize

          424KB

          Download