Analysis
- max time kernel: 147s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21-03-2024 02:11
Static task: static1
Behavioral task: behavioral1
Sample: da6bdcdf5a1bd5411c082a237bad82e5.exe
Resource: win7-20240221-en
General
- Target: da6bdcdf5a1bd5411c082a237bad82e5.exe
- Size: 159KB
- MD5: da6bdcdf5a1bd5411c082a237bad82e5
- SHA1: dc6382c33c16cf0bae40195bc8dde8d99878ee22
- SHA256: 34fa7142574ee18130928d02970a6bff972e45e42b04c071da44e75708bc3c5b
- SHA512: 32586e5e72e89903d7a130066cd3e4007f30a7dbef000936bec4eec0525bb81b79fb28058c3e142779842bb6d5da60c11a63cdbddbdc39ae8d7f5a08d20ab67e
- SSDEEP: 1536:m+Jb1ltgkxFWzlVUfieYxjLfkrreR0EqLTySQINtcABzuh/Cz60jjCE7Zk5wuKsW:tlOkryleYJ50E+yS/u50H9juKsW
Malware Config
Extracted
- pony
  http://ks384721.kimsufi.com:81/pony/gate.php
  http://72.37.220.10:8080/pony/gate.php
- payload_url
  http://talentquest.com.mx/1MPj.exe
  http://eqsync.com/48QUMsb.exe
  http://apostagol1.web102.f1.k8.com.br/782V.exe
Signatures
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of AdjustPrivilegeToken (8 IoCs)
  Processes:
  description                          | pid  | process
  Token: SeImpersonatePrivilege        | 1028 | da6bdcdf5a1bd5411c082a237bad82e5.exe
  Token: SeTcbPrivilege                | 1028 | da6bdcdf5a1bd5411c082a237bad82e5.exe
  Token: SeChangeNotifyPrivilege       | 1028 | da6bdcdf5a1bd5411c082a237bad82e5.exe
  Token: SeCreateTokenPrivilege        | 1028 | da6bdcdf5a1bd5411c082a237bad82e5.exe
  Token: SeBackupPrivilege             | 1028 | da6bdcdf5a1bd5411c082a237bad82e5.exe
  Token: SeRestorePrivilege            | 1028 | da6bdcdf5a1bd5411c082a237bad82e5.exe
  Token: SeIncreaseQuotaPrivilege      | 1028 | da6bdcdf5a1bd5411c082a237bad82e5.exe
  Token: SeAssignPrimaryTokenPrivilege | 1028 | da6bdcdf5a1bd5411c082a237bad82e5.exe
Processes
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- memory/1028-0-0x00000000004C0000-0x00000000004D7000-memory.dmp (filesize: 92KB)
- memory/1028-1-0x00000000004F0000-0x0000000000521000-memory.dmp (filesize: 196KB)
- memory/1028-2-0x0000000000400000-0x0000000000417000-memory.dmp (filesize: 92KB)
- memory/1028-5-0x00000000004F0000-0x0000000000521000-memory.dmp (filesize: 196KB)
- memory/1028-6-0x0000000000400000-0x0000000000417000-memory.dmp (filesize: 92KB)