Analysis
-
max time kernel
150s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
-
submitted
21-03-2024 10:55
General
-
Target
db73f7ce2cfd35c4ce55cd2d8fde4560.exe
-
Size
496KB
-
MD5
db73f7ce2cfd35c4ce55cd2d8fde4560
-
SHA1
7c20d0c728d7b865163f0490dd48ae3821893e73
-
SHA256
a58debbcc04235408d8fa6d826990fb82c512f5a8f6b2abfc5a3c597c2b38319
-
SHA512
574c9758f59b0ea623eca105b0e3f3b3a567ff79362a8579c2abf004e092d20b57884fff18123eb1ecc2b5a9f315dca979ba121f25222438dac6d60c6464e4dc
-
SSDEEP
12288:2DCPENnBV5jaHBoFvZstQW012B04Ngjw5qu8jxTQlDrLOM:2EEZBV5jCoFvZsSWG2BdN+w2+O
Malware Config
Signatures
-
Modifies security service 2 TTPs 1 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
-
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
-
Disables taskbar notifications via registry modification
-
Modifies Installed Components in the registry 2 TTPs 1 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 12 IoCs
-
Loads dropped DLL 17 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 33 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 53 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext 5 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Enumerates processes with tasklist 1 TTPs 2 IoCs
-
Modifies registry class 5 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 17 IoCs
-
Suspicious use of FindShellTrayWindow 28 IoCs
-
Suspicious use of SendNotifyMessage 18 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\db73f7ce2cfd35c4ce55cd2d8fde4560.exe"C:\Users\Admin\AppData\Local\Temp\db73f7ce2cfd35c4ce55cd2d8fde4560.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\j29oAE.exeC:\Users\Admin\j29oAE.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\cuawua.exe"C:\Users\Admin\cuawua.exe"3⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c tasklist&&del j29oAE.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\2men.exeC:\Users\Admin\2men.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\2men.exe"C:\Users\Admin\2men.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\2men.exe"C:\Users\Admin\2men.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 884⤵
- Loads dropped DLL
- Program crash
-
C:\Users\Admin\2men.exe"C:\Users\Admin\2men.exe"3⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\2men.exe"C:\Users\Admin\2men.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\2men.exe"C:\Users\Admin\2men.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\3men.exeC:\Users\Admin\3men.exe2⤵
- Modifies security service
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- System policy modification
-
C:\Users\Admin\3men.exeC:\Users\Admin\3men.exe startC:\Users\Admin\AppData\Roaming\BE6D2\96DE4.exe%C:\Users\Admin\AppData\Roaming\BE6D23⤵
- Executes dropped EXE
-
C:\Users\Admin\3men.exeC:\Users\Admin\3men.exe startC:\Program Files (x86)\D208D\lvvm.exe%C:\Program Files (x86)\D208D3⤵
- Executes dropped EXE
-
C:\Program Files (x86)\LP\E45B\C3BC.tmp"C:\Program Files (x86)\LP\E45B\C3BC.tmp"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c tasklist&&del db73f7ce2cfd35c4ce55cd2d8fde4560.exe2⤵
- Deletes itself
-
C:\Windows\SysWOW64\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Privilege Escalation
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Defense Evasion
Modify Registry
5Hide Artifacts
1Hidden Files and Directories
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\2men.exeFilesize
132KB
MD5945a713b037b50442ec5d18d3dc0d55e
SHA12c8881b327a79fafcce27479b78f05487d93c802
SHA2562da470571a64bcdeb56f62c916ee2bffa87ccc6c028b7c8cb0132d09bceedd2f
SHA5120eab4bb5d04725cc20e463ae6959f71064674602f8ee7b3c9b2db75e928b9a0b1bdc94233dc261f6277d02e54a443b42a59b12aaebb8bbf243f0940344fbf385
-
C:\Users\Admin\AppData\Roaming\BE6D2\208D.E6DFilesize
600B
MD534967f26f92649c12add9cf006d9b8b3
SHA1456e5a035f56585ce93dd3d0592bfc433d42b092
SHA256f4dffa518638eb13c61c214f3d5c744ccd4d20927c0d9707e0b949f829c0ab84
SHA5121c25d645e3db481b1c4ba85cab4332a24fff20fa45c347044af8b9b14848984fa6e54432cc915a6040782c590c5f0121c60fb521471c87fca03b17fb122cf0e6
-
C:\Users\Admin\AppData\Roaming\BE6D2\208D.E6DFilesize
996B
MD58ca19d069940b7afba7e836412fe2113
SHA18e7e1ecce19d9dbf008cf084b540af29089a6a98
SHA25640106e42a5a106789e32b0c7f468f7565564f8f20a2252391fd0a13f805ba9e2
SHA51255423e022f7198d8d0ae1b14fbbee1395e82dbcaebca0f26478f16a52dd8b7b52ea04f9eb1c9bf27942de44743a8cd7fd85c32ae5ccc8d0795110855e996c821
-
C:\Users\Admin\AppData\Roaming\BE6D2\208D.E6DFilesize
1KB
MD5221f067ccbec426df2edc622f5219516
SHA1f681b98c5e7df94c5ecfbe584db7870233c2e169
SHA256781377fe7c22d856524fc702809a19d5e3f161eed6a1b8b124a77a4df16f774e
SHA5120a086292d23a17687d997b05df78655fc088b9d8d315c6a4ff8e58c70b204c8f1b59a528d17ed8be7d7f0d5aa661446b9c3d6cc345d72880369eab950850a0dd
-
C:\Users\Admin\AppData\Roaming\BE6D2\208D.E6DFilesize
1KB
MD5e6135278bce4a7f029a5ece9bd7d8233
SHA10b82b6f4fe6e63f234df24c43ee973602b06b17f
SHA25699452f3db3ce888d2ac2eda0b9b06bb0482dad25b29267afe97edebda84146a2
SHA51266b54971b035fc87eba4cf5660ced91574664f900d9b0203a265c08430e64d57a8bcd6bc9c1cc86e98ec2afdb994aac1fe7b575d7129c00837d64923d770548c
-
\Program Files (x86)\LP\E45B\C3BC.tmpFilesize
96KB
MD56b9ed8570a1857126c8bf99e0663926c
SHA194e08d8a0be09be35f37a9b17ec2130febfa2074
SHA256888e4e571a6f78ee81d94ab56bd033d413f9160f1089073176b03c91878aae2d
SHA51223211a1b71f1d05ad7f003231da826220ac4940e48071135cc3fba14708123fa0292e2e71c294a8086d8dc5f90dd32c4da3b41e6857c56f38cb325d78cb14880
-
\Users\Admin\3men.exeFilesize
271KB
MD50d668203e24463de2bf228f00443b7bc
SHA1eacff981d71f6648f6315e508bfd75e11683dba8
SHA256509d530e99839d7dbc8fccac163420d9dc455fb478fa57fdec1b7a2ef629d7bc
SHA5123251bb1341bd466e71468d72723bd5cf545dbd232327f343b44c51daae8755ed3caa02f74adbb0304912769346fa90dfa4c7036c211836e5650bdb06993ba803
-
\Users\Admin\cuawua.exeFilesize
176KB
MD5ba63196251a3b8fe5c0a6ec184b36beb
SHA1541e8ccf1142bb8f83027fd29dbbd47b93bfb879
SHA256eccf84d36006c27c1e422a976a7b410c80a439f3ecfc04bf34d4d9c36ef7664a
SHA51228108fbbf1c94530e4bf4eecd7739b51be78f9c854a02f43e6513daa26d2c7a9c07f32e944aace937124a90208bcfaeefc892fb66bc508883dfa971341301e82
-
\Users\Admin\j29oAE.exeFilesize
176KB
MD5c4a634088e095eab98183984bb7252d8
SHA1c205f2c1f8040c9205c6c06accd75c0396c59781
SHA256db345985313397a39cc2817134315c8db71ab4c48680e62c0358db406b0eff6a
SHA512b6a30f6d5cc30bee9b9d483629f16c80c5338360cec629f9ee2a3307b73b9743fd71396e408ac72008b84f4b8fded26002c910421853253b52b8b4d530df7a8e
-
memory/344-54-0x0000000000400000-0x0000000000407000-memory.dmpFilesize
28KB
-
memory/344-43-0x0000000000400000-0x0000000000407000-memory.dmpFilesize
28KB
-
memory/344-56-0x0000000000400000-0x0000000000407000-memory.dmpFilesize
28KB
-
memory/344-47-0x0000000000400000-0x0000000000407000-memory.dmpFilesize
28KB
-
memory/344-45-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/344-39-0x0000000000400000-0x0000000000407000-memory.dmpFilesize
28KB
-
memory/344-119-0x0000000000400000-0x0000000000407000-memory.dmpFilesize
28KB
-
memory/344-52-0x0000000000400000-0x0000000000407000-memory.dmpFilesize
28KB
-
memory/344-41-0x0000000000400000-0x0000000000407000-memory.dmpFilesize
28KB
-
memory/356-127-0x0000000000400000-0x000000000046A000-memory.dmpFilesize
424KB
-
memory/356-122-0x0000000000400000-0x000000000046A000-memory.dmpFilesize
424KB
-
memory/356-123-0x0000000000290000-0x0000000000390000-memory.dmpFilesize
1024KB
-
memory/356-300-0x0000000000400000-0x000000000046A000-memory.dmpFilesize
424KB
-
memory/356-301-0x0000000000290000-0x0000000000390000-memory.dmpFilesize
1024KB
-
memory/836-103-0x0000000000400000-0x0000000000407000-memory.dmpFilesize
28KB
-
memory/836-105-0x0000000000400000-0x0000000000407000-memory.dmpFilesize
28KB
-
memory/836-126-0x0000000000400000-0x0000000000407000-memory.dmpFilesize
28KB
-
memory/836-94-0x0000000000400000-0x0000000000407000-memory.dmpFilesize
28KB
-
memory/836-98-0x0000000000400000-0x0000000000407000-memory.dmpFilesize
28KB
-
memory/836-92-0x0000000000400000-0x0000000000407000-memory.dmpFilesize
28KB
-
memory/836-101-0x0000000000400000-0x0000000000407000-memory.dmpFilesize
28KB
-
memory/1632-307-0x0000000000540000-0x0000000000640000-memory.dmpFilesize
1024KB
-
memory/1632-306-0x0000000000400000-0x000000000046A000-memory.dmpFilesize
424KB
-
memory/1720-139-0x0000000000400000-0x000000000046A000-memory.dmpFilesize
424KB
-
memory/1720-140-0x0000000000556000-0x0000000000576000-memory.dmpFilesize
128KB
-
memory/1728-90-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/1728-80-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/1728-81-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/1728-76-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/1728-73-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/1728-69-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/1728-125-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/1728-91-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/1728-71-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/2088-26-0x0000000003FE0000-0x0000000004A9A000-memory.dmpFilesize
10.7MB
-
memory/2244-433-0x0000000000590000-0x0000000000690000-memory.dmpFilesize
1024KB
-
memory/2244-432-0x0000000000400000-0x000000000041C000-memory.dmpFilesize
112KB
-
memory/2244-436-0x0000000000400000-0x000000000041C000-memory.dmpFilesize
112KB
-
memory/2452-308-0x00000000043E0000-0x00000000043E1000-memory.dmpFilesize
4KB
-
memory/2452-441-0x00000000043E0000-0x00000000043E1000-memory.dmpFilesize
4KB
-
memory/2700-68-0x0000000000400000-0x000000000040E000-memory.dmpFilesize
56KB
-
memory/2700-62-0x0000000000400000-0x000000000040E000-memory.dmpFilesize
56KB
-
memory/2700-67-0x0000000000400000-0x000000000040E000-memory.dmpFilesize
56KB
-
memory/2700-65-0x0000000000400000-0x000000000040E000-memory.dmpFilesize
56KB
-
memory/2700-53-0x0000000000400000-0x000000000040E000-memory.dmpFilesize
56KB
-
memory/2700-57-0x0000000000400000-0x000000000040E000-memory.dmpFilesize
56KB
-
memory/2700-50-0x0000000000400000-0x000000000040E000-memory.dmpFilesize
56KB