Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

63c8627a6c...5e.exe

windows7-x64

10

63c8627a6c...5e.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    142s
  • max time network
    135s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    06/01/2024, 10:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    63c8627a6c976f688318f0525793cf5e.exe

  • Size

    272KB

  • MD5

    63c8627a6c976f688318f0525793cf5e

  • SHA1

    1043bb40a39e946f82bc8f5d0c572048bef8f716

  • SHA256

    e4c9e2f70abb3e8f02e91f3ed7846ab5283da5d19ca481e43e03ae1f4fdc3cae

  • SHA512

    c1573736307f1669a0e9730b6e8df2b537763f0208608cda64fce7e5b516663042490450213c0327b6245147e937101fc8d20d63f5b2c08f6cc62c579f11d58b

  • SSDEEP

    6144:iOBrgUg0ehFSoLMXUFZTT2PwXIZFge7whRySVVFh:i8c0eTMXUFZTewX4K8S9

Score
10/10
ponydiscoveryevasionpersistenceratspywarestealerupx

Malware Config

Signatures

  • Modifies security service 2 TTPs 1 IoCs
    evasion
  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

    ratspywarestealerpony
  • Disables taskbar notifications via registry modification
    evasion
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 11 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 3 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of FindShellTrayWindow 28 IoCs
  • Suspicious use of SendNotifyMessage 22 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\63c8627a6c976f688318f0525793cf5e.exe
    "C:\Users\Admin\AppData\Local\Temp\63c8627a6c976f688318f0525793cf5e.exe"
    1⤵
    • Modifies security service
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2484
    • C:\Users\Admin\AppData\Local\Temp\63c8627a6c976f688318f0525793cf5e.exe
      C:\Users\Admin\AppData\Local\Temp\63c8627a6c976f688318f0525793cf5e.exe startC:\Users\Admin\AppData\Roaming\65357\558A2.exe%C:\Users\Admin\AppData\Roaming\65357
      2⤵
        PID:2972
      • C:\Users\Admin\AppData\Local\Temp\63c8627a6c976f688318f0525793cf5e.exe
        C:\Users\Admin\AppData\Local\Temp\63c8627a6c976f688318f0525793cf5e.exe startC:\Program Files (x86)\57608\lvvm.exe%C:\Program Files (x86)\57608
        2⤵
          PID:2800
        • C:\Program Files (x86)\LP\A226\F1AF.tmp
          "C:\Program Files (x86)\LP\A226\F1AF.tmp"
          2⤵
          • Executes dropped EXE
          PID:1744
      • C:\Windows\system32\msiexec.exe
        C:\Windows\system32\msiexec.exe /V
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2828
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Modifies Installed Components in the registry
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1488

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\65357\7608.535
        Filesize

        300B

        MD5

        7ddf563bf2e623aa9e6ad9c8372bf1eb

        SHA1

        1a9f5c7790502ccb819db4f043365e1af83ebf64

        SHA256

        92ba221272e5ed43952fb7d556b023611d94f4de8bf43ab5175ffb086c49171c

        SHA512

        835446dbb670bf5d85b49e01f0ca8db373943e04a23c27cd3fff20876e6105f1875c12dac5598dc1263011152000a7b53fcf8d989f42f70aeb4fb74bb864f9e1

        Download Submit

      • C:\Users\Admin\AppData\Roaming\65357\7608.535
        Filesize

        996B

        MD5

        2bf24de5da6303ff38f53ff38b66a6f6

        SHA1

        7e0cd22e13037d93b245ce34c2c925707b2a6354

        SHA256

        786c52304e39efc0d5099ae3ba1cf505036cc8d4390822925a15008eca33994e

        SHA512

        d8425c09619e4cae3e063938dfc0be440e9d7818c10a4d2f942bcff2bb45cb685e632b0728075af6a9622b4cdf431099af48f801750af320d82f7b526bbb2037

        Download Submit

      • C:\Users\Admin\AppData\Roaming\65357\7608.535
        Filesize

        1KB

        MD5

        589ed46c979089e22319d0298bcaeb55

        SHA1

        8062701c19884350ee3bf4190144f509905d7aea

        SHA256

        581310a50c1ee780b7900a2d9f342d4e6ddb7dcce8716890b18db1550ea41585

        SHA512

        d3bab07e2d00da815bfd9f13d7004fb6c885c23dca85ae5bbfa375a0cce140ae571c46bce1ec57efb39b08087086e1dc50f56dc9eef94e3d543efd685e7dc2ef

        Download Submit

      • C:\Users\Admin\AppData\Roaming\65357\7608.535
        Filesize

        600B

        MD5

        88196a2977531d6e2e0aef6edc23aa9d

        SHA1

        78bced5d661f1f94e9383f3e75f27328ab414d14

        SHA256

        287ccc2fa5aa560bc6a5bf959a6d66d636783dba49ed48491cc656814492de60

        SHA512

        9cd2842c8eca4a370a38360a271f9dcd6940f85b572afc7d01f01673fc68ef0efd9a0bac51ebf5b81b991e645e9d6949706c22657a62c78309dbdfabaaf96932

        Download Submit

      • \Program Files (x86)\LP\A226\F1AF.tmp
        Filesize

        96KB

        MD5

        741a474e68d21807209d21bb48e3b548

        SHA1

        7a1532e0612197de8eac689710ba62fe3f880f34

        SHA256

        db72043327449f366ed96882ea4dfbfa5d9fc16b2d804a0746753f71b38e1f52

        SHA512

        800c06cc898d8be33729573f6671b8887afc3dd26d9f1c89a9cf66cb7030d4950de885e632472c315ea8c9a712bb8cc4067dbf8501a993d961cd7990996948cd

        Download Submit

      • memory/1488-190-0x0000000004030000-0x0000000004031000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1488-335-0x0000000004030000-0x0000000004031000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1744-331-0x0000000000290000-0x0000000000390000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1744-330-0x0000000000400000-0x000000000041B000-memory.dmp

        Filesize

        108KB

        Download

      • memory/1744-333-0x0000000000400000-0x000000000041B000-memory.dmp

        Filesize

        108KB

        Download

      • memory/1744-336-0x0000000000400000-0x000000000041B000-memory.dmp

        Filesize

        108KB

        Download

      • memory/2484-14-0x0000000000400000-0x000000000046A000-memory.dmp

        Filesize

        424KB

        Download

      • memory/2484-0-0x0000000000400000-0x000000000046A000-memory.dmp

        Filesize

        424KB

        Download

      • memory/2484-189-0x0000000000400000-0x000000000046A000-memory.dmp

        Filesize

        424KB

        Download

      • memory/2484-334-0x0000000000400000-0x000000000046A000-memory.dmp

        Filesize

        424KB

        Download

      • memory/2484-18-0x00000000002B0000-0x00000000003B0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2484-338-0x0000000000400000-0x000000000046A000-memory.dmp

        Filesize

        424KB

        Download

      • memory/2484-4-0x0000000000400000-0x000000000046A000-memory.dmp

        Filesize

        424KB

        Download

      • memory/2484-328-0x0000000000400000-0x000000000046A000-memory.dmp

        Filesize

        424KB

        Download

      • memory/2484-3-0x00000000002B0000-0x00000000003B0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2484-2-0x0000000000400000-0x000000000046A000-memory.dmp

        Filesize

        424KB

        Download

      • memory/2800-192-0x0000000000400000-0x000000000046A000-memory.dmp

        Filesize

        424KB

        Download

      • memory/2800-194-0x00000000005C0000-0x00000000006C0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2800-193-0x0000000000400000-0x000000000046A000-memory.dmp

        Filesize

        424KB

        Download

      • memory/2800-337-0x00000000005C0000-0x00000000006C0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2972-17-0x0000000000665000-0x0000000000684000-memory.dmp

        Filesize

        124KB

        Download

      • memory/2972-16-0x0000000000400000-0x000000000046A000-memory.dmp

        Filesize

        424KB

        Download