Overview

overview

10

Static

static

3

59ee303584...f5.exe

windows7-x64

10

59ee303584...f5.exe

windows10-2004-x64

3

Analysis

  • max time kernel
    141s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    14/01/2024, 01:34

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    59ee303584514aa309735860746b30f5.exe

  • Size

    272KB

  • MD5

    59ee303584514aa309735860746b30f5

  • SHA1

    383d386798d40dd90ca75cda536cdf3396b42259

  • SHA256

    aca4ce110862cdd755a533c1dbb0f5a94c99c34ed169a76cd76d16d3abac92ba

  • SHA512

    83dabcaf9f9bd3fc89b1e2622a5240f172c7a1d5970611f717e50d2aa7df74a2f6ff283e89720120082fa2130e33f66bf4161f1d906cc8cbdc5948500acec1d6

  • SSDEEP

    6144:SWpq4/uTcvUGcnkVzSK21an/rOxuXwHgo4B2+Tu:S6z/ZvPc22WrFAHo2+q

Score
10/10
ponydiscoveryevasionpersistenceratspywarestealerupx

Malware Config

Signatures

  • Modifies security service 2 TTPs 1 IoCs
    evasion
  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

    ratspywarestealerpony
  • Disables taskbar notifications via registry modification
    evasion
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 3 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of FindShellTrayWindow 28 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\59ee303584514aa309735860746b30f5.exe
    "C:\Users\Admin\AppData\Local\Temp\59ee303584514aa309735860746b30f5.exe"
    1⤵
    • Modifies security service
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2024
    • C:\Users\Admin\AppData\Local\Temp\59ee303584514aa309735860746b30f5.exe
      C:\Users\Admin\AppData\Local\Temp\59ee303584514aa309735860746b30f5.exe startC:\Users\Admin\AppData\Roaming\0993B\4CED3.exe%C:\Users\Admin\AppData\Roaming\0993B
      2⤵
        PID:1704
      • C:\Users\Admin\AppData\Local\Temp\59ee303584514aa309735860746b30f5.exe
        C:\Users\Admin\AppData\Local\Temp\59ee303584514aa309735860746b30f5.exe startC:\Program Files (x86)\3BAA5\lvvm.exe%C:\Program Files (x86)\3BAA5
        2⤵
          PID:2324
        • C:\Program Files (x86)\LP\D3A0\91E3.tmp
          "C:\Program Files (x86)\LP\D3A0\91E3.tmp"
          2⤵
          • Executes dropped EXE
          PID:1108
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Modifies Installed Components in the registry
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:384

      Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Roaming\0993B\BAA5.993
              Filesize

              996B

              MD5

              f53c35ef112336ab9dc01094716ec34a

              SHA1

              f30c895397cd14e54c0de12c3dd67b8ae5862005

              SHA256

              4fb3248340b4ad9110b25410058497ede6cf4e6d13e68118052f2e8d14ba08e8

              SHA512

              ca5534380ce0101feeb6c0d4f0444369057d61c118737e4d354bb2603da54f12b56cc1a8c93e59a1030519e979f8bfeb18cf42309705aa3311f168990e5e16c1

              Download Submit

            • C:\Users\Admin\AppData\Roaming\0993B\BAA5.993
              Filesize

              1KB

              MD5

              52849c207a44f69904ae0f2eb09e5f6d

              SHA1

              14f20413c2682b459f029a477f8db5973ac603e8

              SHA256

              b8c216d8414f9512ad04cdda68ab33d57448c9c9b39fef087ecb22707de99f99

              SHA512

              a405ce12880ba6d770edd396976b956716cd9b9ffdabb7c260ca491bef3f4eef4a669c3b14b311448e9353d9f17ac3a547a589cb8e8bf9be2e6dac6ab8e00170

              Download Submit

            • C:\Users\Admin\AppData\Roaming\0993B\BAA5.993
              Filesize

              600B

              MD5

              61884fc33adfe8e02cb11e3f7170afb2

              SHA1

              8163ca68f2160ba63a925cfd51b0447a1686ac5f

              SHA256

              74c8e5661544cc88432fde70faf9d7b5be5db2b1aa9772741af37fd111507365

              SHA512

              abd939ad9574c755eebab9d9197c2a94108bc8f1a0b5ee25cd318a3ed3b887b086c62c9588a29be9e178f6b4259dd3d617a5fabe23e093cd4d3a336531232dfb

              Download Submit

            • C:\Users\Admin\AppData\Roaming\0993B\BAA5.993
              Filesize

              300B

              MD5

              bb40e2d474cca1801c618fc99a947b63

              SHA1

              f3ecc0c42914f79eb70c4db88ba0e8089fce66ab

              SHA256

              5ccf3d3f5d84ed8e90da7bc580245ddd6a8e93147cb61575cde00cd393a914bd

              SHA512

              6370dcdacdb0b02ef5ff6d88fc9fb7c92401b1e7403c4a83e8cfe4e85a130e9091158a579f6a8168a832de80ce37639cb5e74fcd1473ebc172e887d5b8961955

              Download Submit

            • \Program Files (x86)\LP\D3A0\91E3.tmp
              Filesize

              103KB

              MD5

              1b8013e3242c22443b376a7e20f59fc2

              SHA1

              a1b2506288776baa4ad1c84bbed785ecd74d65b9

              SHA256

              c207bf949a5785e284bd028eb6c39edd96bf33d40aeeeccffa06a15a19c030c5

              SHA512

              5e70ac9cb23ece429a6716115ea89031fc6bbee677a217078de6108f68062aa6efa331654bb614f2f8b49953bf88ff3b6512d76dbc31e3bbfa47d23779e69594

              Download Submit

            • memory/384-190-0x0000000004280000-0x0000000004281000-memory.dmp

              Filesize

              4KB

              Download

            • memory/384-193-0x0000000004280000-0x0000000004281000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1108-188-0x00000000005D0000-0x00000000006D0000-memory.dmp

              Filesize

              1024KB

              Download

            • memory/1108-189-0x0000000000400000-0x000000000041D000-memory.dmp

              Filesize

              116KB

              Download

            • memory/1108-187-0x0000000000400000-0x000000000041D000-memory.dmp

              Filesize

              116KB

              Download

            • memory/1704-35-0x0000000000470000-0x0000000000570000-memory.dmp

              Filesize

              1024KB

              Download

            • memory/1704-103-0x0000000000470000-0x0000000000570000-memory.dmp

              Filesize

              1024KB

              Download

            • memory/1704-34-0x0000000000400000-0x0000000000469000-memory.dmp

              Filesize

              420KB

              Download

            • memory/2024-36-0x0000000000400000-0x0000000000469000-memory.dmp

              Filesize

              420KB

              Download

            • memory/2024-186-0x0000000000400000-0x0000000000469000-memory.dmp

              Filesize

              420KB

              Download

            • memory/2024-102-0x0000000000250000-0x0000000000350000-memory.dmp

              Filesize

              1024KB

              Download

            • memory/2024-100-0x0000000000400000-0x0000000000469000-memory.dmp

              Filesize

              420KB

              Download

            • memory/2024-1-0x0000000000400000-0x0000000000469000-memory.dmp

              Filesize

              420KB

              Download

            • memory/2024-194-0x0000000000400000-0x0000000000469000-memory.dmp

              Filesize

              420KB

              Download

            • memory/2024-2-0x0000000000250000-0x0000000000350000-memory.dmp

              Filesize

              1024KB

              Download

            • memory/2324-99-0x00000000020D0000-0x00000000021D0000-memory.dmp

              Filesize

              1024KB

              Download

            • memory/2324-98-0x0000000000400000-0x0000000000469000-memory.dmp

              Filesize

              420KB

              Download