Overview

overview

10

Static

static

3

bce28a08a8...46.exe

windows7-x64

10

bce28a08a8...46.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    11/03/2024, 02:38

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    bce28a08a8618439499f76ccc330a446.exe

  • Size

    283KB

  • MD5

    bce28a08a8618439499f76ccc330a446

  • SHA1

    dd9b619e30214f571170b85c2341b93852ffd4a5

  • SHA256

    e14ad1076c0e76c3396592c01b3ba3e51f89a76743444aaf8d1efef13c61065a

  • SHA512

    2a843854711ac008c0d677027d68e282830cf571063c1aadb54bbb81e02067136170f3de4de72679cd036917285996aa096a37aeb6bf18078149eb3dbb5a29cb

  • SSDEEP

    6144:y/LIitjKYKKiYkuKcuuiRahdoZ1oiAcYS+U7MyXP2R0:yzIitGPuKcniYhdoZ1gRSL7dP2

Score
10/10
ponydiscoveryevasionpersistenceratspywarestealerupx

Malware Config

Signatures

  • Modifies security service 2 TTPs 1 IoCs
    evasion
  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

    ratspywarestealerpony
  • Disables taskbar notifications via registry modification
    evasion
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of FindShellTrayWindow 28 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\bce28a08a8618439499f76ccc330a446.exe
    "C:\Users\Admin\AppData\Local\Temp\bce28a08a8618439499f76ccc330a446.exe"
    1⤵
    • Modifies security service
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2128
    • C:\Users\Admin\AppData\Local\Temp\bce28a08a8618439499f76ccc330a446.exe
      C:\Users\Admin\AppData\Local\Temp\bce28a08a8618439499f76ccc330a446.exe startC:\Users\Admin\AppData\Roaming\35C3A\7EBCA.exe%C:\Users\Admin\AppData\Roaming\35C3A
      2⤵
        PID:1676
      • C:\Users\Admin\AppData\Local\Temp\bce28a08a8618439499f76ccc330a446.exe
        C:\Users\Admin\AppData\Local\Temp\bce28a08a8618439499f76ccc330a446.exe startC:\Program Files (x86)\3A08D\lvvm.exe%C:\Program Files (x86)\3A08D
        2⤵
          PID:2352
        • C:\Program Files (x86)\LP\CA63\CC25.tmp
          "C:\Program Files (x86)\LP\CA63\CC25.tmp"
          2⤵
          • Executes dropped EXE
          PID:1292
      • C:\Windows\system32\msiexec.exe
        C:\Windows\system32\msiexec.exe /V
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2668
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Modifies Installed Components in the registry
        • Drops file in Windows directory
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:804

      Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Roaming\35C3A\A08D.5C3
              Filesize

              1KB

              MD5

              09703bfc2a2caeec3f4cbbc448d4e0f0

              SHA1

              82956fbda030c7d249fd9e102c5c4fae19d11e86

              SHA256

              e2c5a379434fbbdf3edca19cbfb76af242ff5ae846917f155c3ea29514c988c0

              SHA512

              00cf17a967bdd74bb9054513cd91d4a0f6ce968bd36ee4334b70317aa396ffe3d9c7afeeb905380d01708c812e47a9ee684c29204071b6af016926c1cec2dfe7

              Download Submit

            • C:\Users\Admin\AppData\Roaming\35C3A\A08D.5C3
              Filesize

              600B

              MD5

              a23c5e36934f3b236ed8dd23633079e9

              SHA1

              914b8c2799494bee98931ab4e3bff4fb87c777a3

              SHA256

              5a95b426ef9e404349a585d36965d6e7677618ea07859ae255bd50d0e6448167

              SHA512

              c20d06b0543c2a2f6422ee37f95b0978daeb6fc782e9bef4b7759d811702507e4aa4977745414e6690c0c53eb31c604891c2256c06a357bc1e75a0f2a705a36b

              Download Submit

            • C:\Users\Admin\AppData\Roaming\35C3A\A08D.5C3
              Filesize

              300B

              MD5

              111583edba764998c3872ba02c1f936b

              SHA1

              d7357d0431862c1bdf30751217cd72453ddaed82

              SHA256

              153d103b2892cf979e1e4389fea0fcd1c77080f2ddf555ccd9fd837566a6d531

              SHA512

              55cc22b7e9cdf99ff3458dc9fbb316cf518b49fe5fb5c4ffa86cae9e17fcc30c1f86de9d020d98b4689e2d635679b38a70cd5ce865b0143eedc0b2b528d5acce

              Download Submit

            • C:\Users\Admin\AppData\Roaming\35C3A\A08D.5C3
              Filesize

              996B

              MD5

              7701e4519edb4be3128eefd9989cdb66

              SHA1

              2293a538dd8f2b40e283cbecbb58a5988c6297d8

              SHA256

              01f247d9525cd9241215772018d88f7150b3dc3b9c73c922ce9e45c4184151e2

              SHA512

              c19a69283212d706d08af8110008fc2a34636c5371809958acb3d923725391a67672c6f9f685ab5ee563c611ffe8357f9e5fc0efdaf8aba040963733a0bd0168

              Download Submit

            • \Program Files (x86)\LP\CA63\CC25.tmp
              Filesize

              99KB

              MD5

              9d83b6d4629b9d0e96bbdb171b0dc5db

              SHA1

              e9bed14c44fe554e0e8385096bbacca494da30b1

              SHA256

              d3a6060ff059a7724a483d82025a9231a61143839b633a6d3842a58ccb5a7d7d

              SHA512

              301187bdcab5ca9942b2c7b7114e37e53e58b5661eef50c389622950d7691993a29f5a825132cf499ca73cdb6637d3f58afdc024cb04fac2b8e01f752209572c

              Download Submit

            • memory/804-120-0x0000000003EF0000-0x0000000003EF1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/804-215-0x0000000003EF0000-0x0000000003EF1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1292-213-0x0000000000400000-0x000000000041C000-memory.dmp

              Filesize

              112KB

              Download

            • memory/1292-211-0x00000000005C0000-0x00000000006C0000-memory.dmp

              Filesize

              1024KB

              Download

            • memory/1292-210-0x0000000000400000-0x000000000041C000-memory.dmp

              Filesize

              112KB

              Download

            • memory/1676-29-0x0000000000400000-0x000000000046C000-memory.dmp

              Filesize

              432KB

              Download

            • memory/1676-30-0x0000000000300000-0x0000000000348000-memory.dmp

              Filesize

              288KB

              Download

            • memory/1676-28-0x0000000000400000-0x000000000046C000-memory.dmp

              Filesize

              432KB

              Download

            • memory/2128-1-0x0000000000400000-0x000000000046C000-memory.dmp

              Filesize

              432KB

              Download

            • memory/2128-117-0x0000000000400000-0x000000000046C000-memory.dmp

              Filesize

              432KB

              Download

            • memory/2128-121-0x0000000000400000-0x000000000046C000-memory.dmp

              Filesize

              432KB

              Download

            • memory/2128-31-0x0000000000400000-0x000000000046C000-memory.dmp

              Filesize

              432KB

              Download

            • memory/2128-119-0x00000000002A0000-0x00000000003A0000-memory.dmp

              Filesize

              1024KB

              Download

            • memory/2128-4-0x0000000000400000-0x000000000046C000-memory.dmp

              Filesize

              432KB

              Download

            • memory/2128-214-0x0000000000400000-0x000000000046C000-memory.dmp

              Filesize

              432KB

              Download

            • memory/2128-2-0x00000000002A0000-0x00000000003A0000-memory.dmp

              Filesize

              1024KB

              Download

            • memory/2128-219-0x0000000000400000-0x000000000046C000-memory.dmp

              Filesize

              432KB

              Download

            • memory/2352-116-0x0000000000400000-0x000000000046C000-memory.dmp

              Filesize

              432KB

              Download

            • memory/2352-118-0x0000000000470000-0x00000000004B8000-memory.dmp

              Filesize

              288KB

              Download