Overview

overview

10

Static

static

3

db66b36984...50.exe

windows7-x64

10

db66b36984...50.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    21-03-2024 10:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    db66b3698482c366c1de1189e75e2450.exe

  • Size

    496KB

  • MD5

    db66b3698482c366c1de1189e75e2450

  • SHA1

    4dcf416c4da2476a6340f8d48b75aae1af7552d4

  • SHA256

    5ee51a9806a81b2083b8530d9ec3a923103f1a3f50a8302fa399daa41789723e

  • SHA512

    05a0024e36cc8d1644355124a0a453c7f46d853fbf4df99541a55e862eda8e230ed873f9ed66b545044c0dc527ad98faf267ba753783d04ecbacbb45a21f7747

  • SSDEEP

    12288:LDCPENnBV5jaHBoFvZstQW012B04Ngjw5qu8jxTQlDrLOM:LEEZBV5jCoFvZsSWG2BdN+w2+O

Score
10/10
ponydiscoveryevasionpersistenceratspywarestealerupx

Malware Config

Signatures

  • Modifies security service 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

    ratspywarestealerpony
  • Disables taskbar notifications via registry modification
    evasion
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 17 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 35 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 53 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 5 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 17 IoCs
  • Suspicious use of FindShellTrayWindow 28 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\db66b3698482c366c1de1189e75e2450.exe
    "C:\Users\Admin\AppData\Local\Temp\db66b3698482c366c1de1189e75e2450.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2244
    • C:\Users\Admin\j29oAE.exe
      C:\Users\Admin\j29oAE.exe
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2720
      • C:\Users\Admin\nuuwuiw.exe
        "C:\Users\Admin\nuuwuiw.exe"
        3⤵
        • Modifies visiblity of hidden/system files in Explorer
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:2936
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c tasklist&&del j29oAE.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2712
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          4⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:2664
    • C:\Users\Admin\2men.exe
      C:\Users\Admin\2men.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2432
      • C:\Users\Admin\2men.exe
        "C:\Users\Admin\2men.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2596
      • C:\Users\Admin\2men.exe
        "C:\Users\Admin\2men.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:3016
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 88
          4⤵
          • Loads dropped DLL
          • Program crash
          PID:2988
      • C:\Users\Admin\2men.exe
        "C:\Users\Admin\2men.exe"
        3⤵
        • Executes dropped EXE
        • Maps connected drives based on registry
        • Suspicious behavior: EnumeratesProcesses
        PID:1148
      • C:\Users\Admin\2men.exe
        "C:\Users\Admin\2men.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2516
      • C:\Users\Admin\2men.exe
        "C:\Users\Admin\2men.exe"
        3⤵
        • Executes dropped EXE
        PID:2792
    • C:\Users\Admin\3men.exe
      C:\Users\Admin\3men.exe
      2⤵
      • Modifies security service
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • System policy modification
      PID:2840
      • C:\Users\Admin\3men.exe
        C:\Users\Admin\3men.exe startC:\Users\Admin\AppData\Roaming\2956A\2EB9B.exe%C:\Users\Admin\AppData\Roaming\2956A
        3⤵
        • Executes dropped EXE
        PID:1952
      • C:\Users\Admin\3men.exe
        C:\Users\Admin\3men.exe startC:\Program Files (x86)\6A908\lvvm.exe%C:\Program Files (x86)\6A908
        3⤵
        • Executes dropped EXE
        PID:800
      • C:\Program Files (x86)\LP\9B52\FBBD.tmp
        "C:\Program Files (x86)\LP\9B52\FBBD.tmp"
        3⤵
        • Executes dropped EXE
        PID:1744
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c tasklist&&del db66b3698482c366c1de1189e75e2450.exe
      2⤵
      • Deletes itself
      PID:2160
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:2384
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2292
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2884

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Privilege Escalation

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Defense Evasion

Modify Registry

5
T1112

Hide Artifacts

1
T1564

Hidden Files and Directories

1
T1564.001

Credential Access

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Query Registry

3
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

2
T1082

Process Discovery

1
T1057

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\2956A\A908.956
    Filesize

    600B

    MD5

    365b7df65ae6393c0a969e2718436966

    SHA1

    b60ed921ab110e4cec24644a55dcdc65880f5072

    SHA256

    2df58af688ded2c38827dc87456c04e584339442219a28e34233d0bab03cf2e0

    SHA512

    d26234e287088c1ea13bf28e2b5f1644d8308232a2dd66926849a5d4127ab0d9af6067d0f8221f56f007b6084e6cb12c157a531c98dc0ede7a927e32457ca283

    Download Submit
  • C:\Users\Admin\AppData\Roaming\2956A\A908.956
    Filesize

    996B

    MD5

    f462ace8180cd639c27510008e2ece7c

    SHA1

    c1b32f8629a603deaa5ac598bd2072652c92ef04

    SHA256

    b708c56be84fafb743b40c75f1f310772b92b47eed704f7521ea25b360f36a89

    SHA512

    0e7c0298e28c0c18cab86dea747c7f065af8891a6715e7e56994b31d372df239db6bd76e2d3f4c3129ee59d5d841f906723f59ea56de7fdb848cbd5ba032c9cb

    Download Submit
  • C:\Users\Admin\AppData\Roaming\2956A\A908.956
    Filesize

    1KB

    MD5

    2cf3e6a14f3726a0180b10d7a9ae36d9

    SHA1

    366709e1521851292628e2239a2b5007a83ef0a4

    SHA256

    77af91e4483919c398cf76f9e2e7412be474cb11a8f6d7cb8e94fbe4181f67fb

    SHA512

    320a575496f0a51b63d46d26c1b9b1a403a617ca17b8fe1152af408ababba73fb3154a74bc78afcf6871600031d5abc195becc5763665bf555b389c36648fb57

    Download Submit
  • \Program Files (x86)\LP\9B52\FBBD.tmp
    Filesize

    96KB

    MD5

    6b9ed8570a1857126c8bf99e0663926c

    SHA1

    94e08d8a0be09be35f37a9b17ec2130febfa2074

    SHA256

    888e4e571a6f78ee81d94ab56bd033d413f9160f1089073176b03c91878aae2d

    SHA512

    23211a1b71f1d05ad7f003231da826220ac4940e48071135cc3fba14708123fa0292e2e71c294a8086d8dc5f90dd32c4da3b41e6857c56f38cb325d78cb14880

    Download Submit
  • \Users\Admin\2men.exe
    Filesize

    132KB

    MD5

    945a713b037b50442ec5d18d3dc0d55e

    SHA1

    2c8881b327a79fafcce27479b78f05487d93c802

    SHA256

    2da470571a64bcdeb56f62c916ee2bffa87ccc6c028b7c8cb0132d09bceedd2f

    SHA512

    0eab4bb5d04725cc20e463ae6959f71064674602f8ee7b3c9b2db75e928b9a0b1bdc94233dc261f6277d02e54a443b42a59b12aaebb8bbf243f0940344fbf385

    Download Submit
  • \Users\Admin\3men.exe
    Filesize

    271KB

    MD5

    0d668203e24463de2bf228f00443b7bc

    SHA1

    eacff981d71f6648f6315e508bfd75e11683dba8

    SHA256

    509d530e99839d7dbc8fccac163420d9dc455fb478fa57fdec1b7a2ef629d7bc

    SHA512

    3251bb1341bd466e71468d72723bd5cf545dbd232327f343b44c51daae8755ed3caa02f74adbb0304912769346fa90dfa4c7036c211836e5650bdb06993ba803

    Download Submit
  • \Users\Admin\j29oAE.exe
    Filesize

    176KB

    MD5

    c4a634088e095eab98183984bb7252d8

    SHA1

    c205f2c1f8040c9205c6c06accd75c0396c59781

    SHA256

    db345985313397a39cc2817134315c8db71ab4c48680e62c0358db406b0eff6a

    SHA512

    b6a30f6d5cc30bee9b9d483629f16c80c5338360cec629f9ee2a3307b73b9743fd71396e408ac72008b84f4b8fded26002c910421853253b52b8b4d530df7a8e

    Download Submit
  • \Users\Admin\nuuwuiw.exe
    Filesize

    176KB

    MD5

    54b3c38f3863eea72ad3f1c182582055

    SHA1

    17753f8192b078b916534fa4290e572ba92a3271

    SHA256

    b107a4627f54f5650db47cec5e6e6a756712f7adde42ef88b1a0239adcee9822

    SHA512

    b82384f2a69fab93b33bc49b853149644bc9ba1c3997c3eaa23c335f409a8d2ef4003475c6bcb6d9d35ab3ccace671d7cdd8e14aa99290374d4eb74738a87b57

    Download Submit
  • memory/800-263-0x0000000000400000-0x000000000046A000-memory.dmp
    Filesize

    424KB

    Download
  • memory/800-442-0x0000000000400000-0x000000000046A000-memory.dmp
    Filesize

    424KB

    Download
  • memory/800-264-0x0000000000536000-0x0000000000556000-memory.dmp
    Filesize

    128KB

    Download
  • memory/1148-68-0x0000000000400000-0x0000000000426000-memory.dmp
    Filesize

    152KB

    Download
  • memory/1148-70-0x0000000000400000-0x0000000000426000-memory.dmp
    Filesize

    152KB

    Download
  • memory/1148-88-0x0000000000400000-0x0000000000426000-memory.dmp
    Filesize

    152KB

    Download
  • memory/1148-86-0x0000000000400000-0x0000000000426000-memory.dmp
    Filesize

    152KB

    Download
  • memory/1148-81-0x0000000000400000-0x0000000000426000-memory.dmp
    Filesize

    152KB

    Download
  • memory/1148-84-0x0000000000400000-0x0000000000426000-memory.dmp
    Filesize

    152KB

    Download
  • memory/1148-123-0x0000000000400000-0x0000000000426000-memory.dmp
    Filesize

    152KB

    Download
  • memory/1148-78-0x0000000000400000-0x0000000000426000-memory.dmp
    Filesize

    152KB

    Download
  • memory/1744-440-0x0000000000540000-0x0000000000640000-memory.dmp
    Filesize

    1024KB

    Download
  • memory/1744-439-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize

    112KB

    Download
  • memory/1744-444-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize

    112KB

    Download
  • memory/1952-419-0x00000000004E0000-0x00000000005E0000-memory.dmp
    Filesize

    1024KB

    Download
  • memory/1952-137-0x0000000000400000-0x000000000046A000-memory.dmp
    Filesize

    424KB

    Download
  • memory/1952-138-0x0000000000400000-0x000000000046A000-memory.dmp
    Filesize

    424KB

    Download
  • memory/1952-139-0x00000000004E0000-0x00000000005E0000-memory.dmp
    Filesize

    1024KB

    Download
  • memory/2516-99-0x0000000000400000-0x0000000000407000-memory.dmp
    Filesize

    28KB

    Download
  • memory/2516-124-0x0000000000400000-0x0000000000407000-memory.dmp
    Filesize

    28KB

    Download
  • memory/2516-92-0x0000000000400000-0x0000000000407000-memory.dmp
    Filesize

    28KB

    Download
  • memory/2516-103-0x0000000000400000-0x0000000000407000-memory.dmp
    Filesize

    28KB

    Download
  • memory/2516-102-0x0000000000400000-0x0000000000407000-memory.dmp
    Filesize

    28KB

    Download
  • memory/2516-107-0x0000000000400000-0x0000000000407000-memory.dmp
    Filesize

    28KB

    Download
  • memory/2516-90-0x0000000000400000-0x0000000000407000-memory.dmp
    Filesize

    28KB

    Download
  • memory/2516-96-0x0000000000400000-0x0000000000407000-memory.dmp
    Filesize

    28KB

    Download
  • memory/2596-40-0x0000000000400000-0x0000000000407000-memory.dmp
    Filesize

    28KB

    Download
  • memory/2596-46-0x0000000000400000-0x0000000000407000-memory.dmp
    Filesize

    28KB

    Download
  • memory/2596-38-0x0000000000400000-0x0000000000407000-memory.dmp
    Filesize

    28KB

    Download
  • memory/2596-117-0x0000000000400000-0x0000000000407000-memory.dmp
    Filesize

    28KB

    Download
  • memory/2596-44-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2596-42-0x0000000000400000-0x0000000000407000-memory.dmp
    Filesize

    28KB

    Download
  • memory/2596-53-0x0000000000400000-0x0000000000407000-memory.dmp
    Filesize

    28KB

    Download
  • memory/2596-51-0x0000000000400000-0x0000000000407000-memory.dmp
    Filesize

    28KB

    Download
  • memory/2596-55-0x0000000000400000-0x0000000000407000-memory.dmp
    Filesize

    28KB

    Download
  • memory/2840-135-0x0000000000400000-0x000000000046A000-memory.dmp
    Filesize

    424KB

    Download
  • memory/2840-259-0x0000000000400000-0x000000000046A000-memory.dmp
    Filesize

    424KB

    Download
  • memory/2840-262-0x0000000000290000-0x0000000000390000-memory.dmp
    Filesize

    1024KB

    Download
  • memory/2840-120-0x0000000000400000-0x000000000046A000-memory.dmp
    Filesize

    424KB

    Download
  • memory/2840-121-0x0000000000290000-0x0000000000390000-memory.dmp
    Filesize

    1024KB

    Download
  • memory/2884-319-0x0000000003FA0000-0x0000000003FA1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2884-449-0x0000000003FA0000-0x0000000003FA1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3016-52-0x0000000000400000-0x000000000040E000-memory.dmp
    Filesize

    56KB

    Download
  • memory/3016-49-0x0000000000400000-0x000000000040E000-memory.dmp
    Filesize

    56KB

    Download
  • memory/3016-56-0x0000000000400000-0x000000000040E000-memory.dmp
    Filesize

    56KB

    Download
  • memory/3016-62-0x0000000000400000-0x000000000040E000-memory.dmp
    Filesize

    56KB

    Download
  • memory/3016-65-0x0000000000400000-0x000000000040E000-memory.dmp
    Filesize

    56KB

    Download
  • memory/3016-66-0x0000000000400000-0x000000000040E000-memory.dmp
    Filesize

    56KB

    Download
  • memory/3016-67-0x0000000000400000-0x000000000040E000-memory.dmp
    Filesize

    56KB

    Download