Overview

overview

10

Static

static

3

dc864750ce...48.exe

windows7-x64

10

dc864750ce...48.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    21-03-2024 20:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dc864750ce373f5b116f0b2e57720c48.exe

  • Size

    287KB

  • MD5

    dc864750ce373f5b116f0b2e57720c48

  • SHA1

    35572efd585b1de5737c81554bc8342a896aaf0c

  • SHA256

    4ed2308b10226f5dece77a9d581d19f52040d7108eb54106bc3beb8b1f23b954

  • SHA512

    504b1edddba1cfd97cbe160ad08948b0e781edc0d0b249acca0afcaabefdf2463b9c031a6fc298cb7544490883e5101db8c4296aef452eb92b30a9e90e7c7977

  • SSDEEP

    6144:wwYDnroY0Sszp1V8qipl5e7zqz7YFNJfbHz1zgCHyZ388bsXO7Y:8DnroGsNX8qi1e7zqHEPbhzgCHyqiCb

Score
10/10
ponydiscoveryevasionpersistenceratspywarestealerupx

Malware Config

Signatures

  • Modifies security service 2 TTPs 1 IoCs
    evasion
  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

    ratspywarestealerpony
  • Disables taskbar notifications via registry modification
    evasion
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 11 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 3 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of FindShellTrayWindow 28 IoCs
  • Suspicious use of SendNotifyMessage 22 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\dc864750ce373f5b116f0b2e57720c48.exe
    "C:\Users\Admin\AppData\Local\Temp\dc864750ce373f5b116f0b2e57720c48.exe"
    1⤵
    • Modifies security service
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2168
    • C:\Users\Admin\AppData\Local\Temp\dc864750ce373f5b116f0b2e57720c48.exe
      C:\Users\Admin\AppData\Local\Temp\dc864750ce373f5b116f0b2e57720c48.exe startC:\Users\Admin\AppData\Roaming\D63B5\1DE77.exe%C:\Users\Admin\AppData\Roaming\D63B5
      2⤵
        PID:1568
      • C:\Users\Admin\AppData\Local\Temp\dc864750ce373f5b116f0b2e57720c48.exe
        C:\Users\Admin\AppData\Local\Temp\dc864750ce373f5b116f0b2e57720c48.exe startC:\Program Files (x86)\B5709\lvvm.exe%C:\Program Files (x86)\B5709
        2⤵
          PID:2084
        • C:\Program Files (x86)\LP\775D\B00D.tmp
          "C:\Program Files (x86)\LP\775D\B00D.tmp"
          2⤵
          • Executes dropped EXE
          PID:2084
      • C:\Windows\system32\msiexec.exe
        C:\Windows\system32\msiexec.exe /V
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2712
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Modifies Installed Components in the registry
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1336

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Persistence

      Create or Modify System Process

      1
      T1543

      Windows Service

      1
      T1543.003

      Boot or Logon Autostart Execution

      2
      T1547

      Registry Run Keys / Startup Folder

      2
      T1547.001

      Privilege Escalation

      Create or Modify System Process

      1
      T1543

      Windows Service

      1
      T1543.003

      Boot or Logon Autostart Execution

      2
      T1547

      Registry Run Keys / Startup Folder

      2
      T1547.001

      Defense Evasion

      Modify Registry

      4
      T1112

      Credential Access

      Unsecured Credentials

      2
      T1552

      Credentials In Files

      2
      T1552.001

      Discovery

      Query Registry

      2
      T1012

      Lateral Movement

      Collection

      Data from Local System

      2
      T1005

      Exfiltration

      Command and Control

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\D63B5\5709.63B
        Filesize

        996B

        MD5

        83654dabca53723bc11792f4d5811fa4

        SHA1

        28f9f59c760041570ca6f95c52c1df8f92b9c125

        SHA256

        97b2ba73b4c4b475797035e0a7d365ee9e82b3840088f88038b2eb43df11b10f

        SHA512

        40463f77d14fecdc14fd9f0cea233275dd88df8b3c2d6ac8b5f4788b94865a4bbdda4b19dbcd5de092df45b16002d19e91ba56abfd5bfc4a5b03915bfe0e9938

        Download Submit
      • C:\Users\Admin\AppData\Roaming\D63B5\5709.63B
        Filesize

        600B

        MD5

        be85904764edab26a6021161b081e6f2

        SHA1

        01913652a2668771c81886c1365ff92a005cd7c6

        SHA256

        6516617355bdd82faf2e06b2b3576ceddf09ea251bfb4e031e8ec23cbf5c6f25

        SHA512

        c285dc7fff813aa2715b9cd8f054e3caa7be760434a5f31211d43d8e8bff7aacd83c899c04bb5136e2236ddc5be99687b37a88c6b70110adfabe0fefda19eda6

        Download Submit
      • C:\Users\Admin\AppData\Roaming\D63B5\5709.63B
        Filesize

        1KB

        MD5

        4c67bfb7ae007cac774a8164f16e4839

        SHA1

        9cbca3d8331d40b376001745cf7625a20191dfea

        SHA256

        3a989ce516f4f7911bd3b471ce3e50542ccb03d823694809276be9ce5e1d1c4b

        SHA512

        9ba762888669e3afa1c6e435b56d090f977dbf968b8d3aa9a57663feeac6b6da990c3410c75b233aa7a228a26b4e461dd71a309601255c24f3f68f8df7373044

        Download Submit
      • \Program Files (x86)\LP\775D\B00D.tmp
        Filesize

        101KB

        MD5

        6248ebe8239384b253fa1f9e37180941

        SHA1

        7021d2fe53bca6fff06db05fb22b673b7432c72e

        SHA256

        dc9a3655ca8fd9aaa8be1e58d0399e8a8170c0616ecb279bdf18da7869ad343a

        SHA512

        6ff610e050892f6f583233a72f699bb2ec2ebbc575fe240f7f44624e6ea7e588d4980e9a4e47435a0f643e5fbd1d9a20c93af6bc5ab3b12f2b3e16614970cafd

        Download Submit
      • memory/1336-338-0x0000000003E50000-0x0000000003E51000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1336-314-0x0000000003E50000-0x0000000003E51000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1568-15-0x00000000005B0000-0x00000000006B0000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1568-14-0x0000000000400000-0x000000000046C000-memory.dmp
        Filesize

        432KB

        Download
      • memory/1568-316-0x00000000005B0000-0x00000000006B0000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1568-13-0x0000000000400000-0x000000000046C000-memory.dmp
        Filesize

        432KB

        Download
      • memory/2084-135-0x0000000000676000-0x00000000006BE000-memory.dmp
        Filesize

        288KB

        Download
      • memory/2084-333-0x0000000000400000-0x000000000041D000-memory.dmp
        Filesize

        116KB

        Download
      • memory/2084-336-0x0000000000400000-0x000000000041D000-memory.dmp
        Filesize

        116KB

        Download
      • memory/2084-334-0x00000000004E0000-0x00000000005E0000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/2084-133-0x0000000000400000-0x000000000046C000-memory.dmp
        Filesize

        432KB

        Download
      • memory/2084-134-0x0000000000400000-0x000000000046C000-memory.dmp
        Filesize

        432KB

        Download
      • memory/2168-1-0x0000000000400000-0x000000000046C000-memory.dmp
        Filesize

        432KB

        Download
      • memory/2168-341-0x0000000000400000-0x000000000046C000-memory.dmp
        Filesize

        432KB

        Download
      • memory/2168-131-0x0000000000400000-0x000000000046C000-memory.dmp
        Filesize

        432KB

        Download
      • memory/2168-315-0x0000000000400000-0x000000000046C000-memory.dmp
        Filesize

        432KB

        Download
      • memory/2168-335-0x0000000000400000-0x000000000046C000-memory.dmp
        Filesize

        432KB

        Download
      • memory/2168-11-0x0000000000400000-0x000000000046C000-memory.dmp
        Filesize

        432KB

        Download
      • memory/2168-2-0x00000000005F0000-0x00000000006F0000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/2168-340-0x0000000000400000-0x000000000046C000-memory.dmp
        Filesize

        432KB

        Download
      • memory/2168-136-0x00000000005F0000-0x00000000006F0000-memory.dmp
        Filesize

        1024KB

        Download