Analysis
-
max time kernel
150s -
max time network
131s -
platform
windows7_x64 -
resource
win7-20240319-en -
resource tags
-
submitted
21-03-2024 20:55
General
-
Target
dc97ae4dbd3d7610c97a1e8ea826b5c3.exe
-
Size
655KB
-
MD5
dc97ae4dbd3d7610c97a1e8ea826b5c3
-
SHA1
ac372a39625752355e982e814c7836720648ae52
-
SHA256
82b08b85e60227bcd7b95645a2cbfd6341e8de9c740865063fab712227df2799
-
SHA512
cb0547baa60fdc876d85431e6878fd88e368810d4884d384e6a9219d854be008ddcaaa8fb0f00df1277d70caa803cd4561ba6407f1876b3e0822b86ec6cce007
-
SSDEEP
12288:/ESqJwbBEE+tOi9c2xwlqXs4zUmvycM6xgNyJ6DsZuhEP60dIIFazZyun23:/EdYj+j9c21lz/VnxgAJxuOCciZzE
Malware Config
Signatures
-
Modifies security service 2 TTPs 1 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
-
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
-
Disables taskbar notifications via registry modification
-
Modifies Installed Components in the registry 2 TTPs 1 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 9 IoCs
-
Loads dropped DLL 14 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 15 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 52 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates processes with tasklist 1 TTPs 2 IoCs
-
Modifies registry class 8 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 18 IoCs
-
Suspicious use of FindShellTrayWindow 28 IoCs
-
Suspicious use of SendNotifyMessage 18 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\dc97ae4dbd3d7610c97a1e8ea826b5c3.exe"C:\Users\Admin\AppData\Local\Temp\dc97ae4dbd3d7610c97a1e8ea826b5c3.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\dc97ae4dbd3d7610c97a1e8ea826b5c3.exedc97ae4dbd3d7610c97a1e8ea826b5c3.exe2⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\R07924.exeC:\Users\Admin\R07924.exe3⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\zghoq.exe"C:\Users\Admin\zghoq.exe"4⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c tasklist&&del R07924.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\aehost.exeC:\Users\Admin\aehost.exe3⤵
- Executes dropped EXE
-
C:\Users\Admin\behost.exeC:\Users\Admin\behost.exe3⤵
- Modifies security service
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\behost.exeC:\Users\Admin\behost.exe startC:\Users\Admin\AppData\Roaming\401C3\5ED3A.exe%C:\Users\Admin\AppData\Roaming\401C34⤵
- Executes dropped EXE
-
C:\Users\Admin\behost.exeC:\Users\Admin\behost.exe startC:\Program Files (x86)\C3919\lvvm.exe%C:\Program Files (x86)\C39194⤵
- Executes dropped EXE
-
C:\Program Files (x86)\LP\3A04\8B20.tmp"C:\Program Files (x86)\LP\3A04\8B20.tmp"4⤵
- Executes dropped EXE
-
C:\Users\Admin\cehost.exeC:\Users\Admin\cehost.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\explorer.exe000000C0*4⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\dehost.exeC:\Users\Admin\dehost.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c tasklist&&del dc97ae4dbd3d7610c97a1e8ea826b5c3.exe3⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Privilege Escalation
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\401C3\3919.01CFilesize
600B
MD5a75ffe727f97a64e25c68e3ed541e02e
SHA1ad383fb4dc97a22e24891ca2c2c96aa962506741
SHA256c2192248fa7b58d5f8600c20de35d3661b0231afbba50b5e77619dc8823e84b0
SHA512ebd9c25fc8ce7f136cf9114254ea66ef8ff077599660ecd0bf41614d893a097ef6a87e00d6bdf3848778ccdc3c0240ebcfd363b123417b98e15bb779ee1caa12
-
C:\Users\Admin\AppData\Roaming\401C3\3919.01CFilesize
996B
MD5cb7b6cf6a53d9a30abeeb81dd80946ab
SHA17aa36aa8d9cfc6a0482b37f0d31a02e4adf9ad20
SHA256cbadda6d7b6210c854b1a153daa7aeafea5055c233834f0044559d4b7cc1eb85
SHA51249f85f98c3828c3b58a64ae27998c12b6522c3db7a6630685102e79a72d9a41af01469df43c6bf950698f56ade64714d0a488d8f63c8cbd65fddde5e1625c60f
-
C:\Users\Admin\AppData\Roaming\401C3\3919.01CFilesize
1KB
MD50e37809b6d9dc54cbd52d5bd7dee90d9
SHA14a756188485d3d03b6d31b16f98a12e5fac93c71
SHA256e4c50b0786391a2039734ce0c95d87256a1727651e2cecfaf3853ed0d2652ee3
SHA512426da3622ed3a484c845f74685f0e9f2410e6a56f14e1e51bcb44bb2d3db2ae104412f270358fad1490b6b4f8978211e7ac312aadcafaff0007bcd8e4d858755
-
C:\Users\Admin\AppData\Roaming\401C3\3919.01CFilesize
1KB
MD5ea6c4503b0a1fbfa0436584a5613caf4
SHA1de7232b83bc5ca80c6763c9cb1560d8ef5899acc
SHA256ddb4d17a58abae8cba522c9d4c105884fff3f1894e256635013ae5fee0505429
SHA512a415b5c8ee1eb433a83eb8b520f40e98edcf3eb5c14a022134b1e8501aeac9e0876b9cf1c1c1ed7941fca8bc7412f0f7df6a4bf8424b79d6974a1a3f23fff50f
-
C:\Users\Admin\aehost.exeFilesize
129KB
MD5e2b1704acdf48221cd9be91bae3546c5
SHA1f53a59b62276f58cf8689768f747e16f53dbd341
SHA2568b1c13bb2e95f71ed75d8fca7aeefc556ecd377d5d4f6c544d77ac8f74255ca5
SHA5121b3d8baa981851a79c4f12f3ea2a4d197b3439e76ca723acd578acabd731310d6eeb3a4567a10d48f45192ae9c4cd732eca04c0a7fffa636e7bd364ed1357b53
-
C:\Users\Admin\cehost.exeFilesize
145KB
MD556be9270582de0986c72139ea218e121
SHA1d33b8a2127ccf6b6f42a0c0f266136a376def18c
SHA2568b40a882fde5ef3df2ec3112142b654c949adf7f559bc1912ad9d08ebb17c257
SHA512dcee7d3d16e19e5a36a386d097c171ed7761ad4fc626b5d523b9c33f952fa24da733c56fcb8ff440894c3672c468d04cecc001ae9a680a9607347a5f517e6023
-
\Program Files (x86)\LP\3A04\8B20.tmpFilesize
104KB
MD50cb09d0443d2eda312058ae1a2fa83c2
SHA11888844fcab4269a5c08b5cf122b100e8abb3cb0
SHA25650a9af2fe05dd06d6ff825bcf2106b64385e7fdf9a06a0a18ac187c4a057503a
SHA51293bfdc4d14a7ba7cce25d0a83faa29e0efa7932f3024aa82fcc1d606cb9a65e0ebd91942ad9992ce787f639df1748fde9599cb9b676245a17a8198064df2e24c
-
\Users\Admin\R07924.exeFilesize
188KB
MD54f9c5823c5d1255ded151b01c0a58e15
SHA12f7018a9211472ddfa5d2f09629bf90adce4676c
SHA256e38564871dc5952e2d1d22d51e312e3064cf84df95c0420021153cb5c264adcf
SHA512b5518effbf476d9486a5ddaa65c937e97b10470d533f8e0c9af30956868c032f6bdb524d13a004e4a0d19e9a88b5f3f11ee82e5602b1175092fb36a9959d40ca
-
\Users\Admin\behost.exeFilesize
279KB
MD52a583120a51178ee5f8bc2727faaa73e
SHA191296d42eeddb285aeea28f5139cadda10f21df7
SHA256b315e97fff3561563da4dcf7283636f42eef9ebaf422506e01f03716d4877b02
SHA512003e11b916256091486311881a06286d532a9940d75977a44afa3c116277a0f490505e9b4053f56846fb6d1d7584d7748f622bc9cae088af93820452027dac8b
-
\Users\Admin\dehost.exeFilesize
24KB
MD57cda5863b933988b7bd1d0c8035dafd9
SHA168c64d655d0df1c9974587d12b3b88f5ce1f4cac
SHA256400cb530f1489c46ada1dedc35b51cb53e8174f5cdda0d086ef593c135e0f216
SHA512978440c09b70b695fdc171c6e2a7c064aa078d4a300db7f297afde5e3c1cfdf513da01dae967a9a8c524c185432ef87bf922a5cc97a9c8a6d1fd9cc3155e0aea
-
\Users\Admin\zghoq.exeFilesize
188KB
MD5df51393de519595064c630df87c3b51e
SHA112cf7ceb9f694b3b9e7e596cf3352e008b4f377e
SHA256e74dba12d9656505e2e6ec54a00db326a1c89b4cc7ca48c27f267ec2e950f0ce
SHA512cdef80790ce6110068ec7206bf7332c11daf97a2c036ddfca54dcb2cce7d1fd75b4ff7a4a2b50b8d9a9fe1fe810a7d0f601023eb504280bfcafa798a00b4787d
-
memory/836-119-0x0000000000400000-0x0000000000469000-memory.dmpFilesize
420KB
-
memory/836-120-0x00000000002D0000-0x0000000000317000-memory.dmpFilesize
284KB
-
memory/1276-316-0x0000000000400000-0x00000000004C9000-memory.dmpFilesize
804KB
-
memory/1276-14-0x0000000000400000-0x00000000004C9000-memory.dmpFilesize
804KB
-
memory/1276-0-0x0000000000400000-0x00000000004C9000-memory.dmpFilesize
804KB
-
memory/1276-2-0x0000000000400000-0x00000000004C9000-memory.dmpFilesize
804KB
-
memory/1276-15-0x0000000000400000-0x00000000004C9000-memory.dmpFilesize
804KB
-
memory/1276-4-0x0000000000400000-0x00000000004C9000-memory.dmpFilesize
804KB
-
memory/1276-6-0x0000000000400000-0x00000000004C9000-memory.dmpFilesize
804KB
-
memory/1276-52-0x0000000000400000-0x00000000004C9000-memory.dmpFilesize
804KB
-
memory/1276-77-0x0000000000390000-0x00000000003D2000-memory.dmpFilesize
264KB
-
memory/1276-78-0x0000000000390000-0x00000000003D2000-memory.dmpFilesize
264KB
-
memory/1276-12-0x0000000000400000-0x00000000004C9000-memory.dmpFilesize
804KB
-
memory/1276-7-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/1288-322-0x0000000000400000-0x000000000041D000-memory.dmpFilesize
116KB
-
memory/1288-283-0x0000000000860000-0x0000000000960000-memory.dmpFilesize
1024KB
-
memory/1288-282-0x0000000000400000-0x000000000041D000-memory.dmpFilesize
116KB
-
memory/1288-321-0x0000000000400000-0x000000000041D000-memory.dmpFilesize
116KB
-
memory/1516-55-0x0000000000400000-0x0000000000423000-memory.dmpFilesize
140KB
-
memory/1516-125-0x0000000000400000-0x0000000000423000-memory.dmpFilesize
140KB
-
memory/1516-337-0x0000000000400000-0x0000000000423000-memory.dmpFilesize
140KB
-
memory/1516-332-0x0000000000400000-0x0000000000423000-memory.dmpFilesize
140KB
-
memory/1516-330-0x0000000000400000-0x0000000000423000-memory.dmpFilesize
140KB
-
memory/1516-328-0x0000000000400000-0x0000000000423000-memory.dmpFilesize
140KB
-
memory/1516-53-0x0000000000400000-0x0000000000423000-memory.dmpFilesize
140KB
-
memory/1516-325-0x0000000000400000-0x0000000000423000-memory.dmpFilesize
140KB
-
memory/1516-323-0x0000000000400000-0x0000000000423000-memory.dmpFilesize
140KB
-
memory/1516-57-0x0000000000400000-0x0000000000423000-memory.dmpFilesize
140KB
-
memory/1516-194-0x0000000000400000-0x0000000000423000-memory.dmpFilesize
140KB
-
memory/1516-183-0x0000000000400000-0x0000000000423000-memory.dmpFilesize
140KB
-
memory/1516-319-0x0000000000400000-0x0000000000423000-memory.dmpFilesize
140KB
-
memory/1624-10-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/2056-44-0x0000000003330000-0x0000000003DEA000-memory.dmpFilesize
10.7MB
-
memory/2532-191-0x0000000000400000-0x0000000000469000-memory.dmpFilesize
420KB
-
memory/2532-192-0x0000000001C90000-0x0000000001D90000-memory.dmpFilesize
1024KB
-
memory/2612-318-0x0000000004440000-0x0000000004441000-memory.dmpFilesize
4KB
-
memory/2612-327-0x0000000004440000-0x0000000004441000-memory.dmpFilesize
4KB
-
memory/2628-320-0x0000000000400000-0x0000000000469000-memory.dmpFilesize
420KB
-
memory/2628-127-0x0000000001CA0000-0x0000000001DA0000-memory.dmpFilesize
1024KB
-
memory/2628-68-0x0000000001CA0000-0x0000000001DA0000-memory.dmpFilesize
1024KB
-
memory/2628-67-0x0000000000400000-0x0000000000469000-memory.dmpFilesize
420KB
-
memory/2628-329-0x0000000000400000-0x0000000000469000-memory.dmpFilesize
420KB
-
memory/2628-117-0x0000000000400000-0x0000000000469000-memory.dmpFilesize
420KB
-
memory/2628-184-0x0000000000400000-0x0000000000469000-memory.dmpFilesize
420KB
-
memory/2628-126-0x0000000000400000-0x0000000000469000-memory.dmpFilesize
420KB
-
memory/2760-81-0x0000000000400000-0x0000000000442000-memory.dmpFilesize
264KB
-
memory/2760-83-0x00000000005E0000-0x0000000000622000-memory.dmpFilesize
264KB
-
memory/2760-82-0x0000000000400000-0x0000000000442000-memory.dmpFilesize
264KB
-
memory/2760-85-0x00000000005E1000-0x00000000005E2000-memory.dmpFilesize
4KB
-
memory/2760-79-0x0000000000400000-0x0000000000442000-memory.dmpFilesize
264KB
-
memory/2760-88-0x0000000000400000-0x0000000000442000-memory.dmpFilesize
264KB
-
memory/2760-80-0x0000000000400000-0x0000000000442000-memory.dmpFilesize
264KB
-
memory/2844-87-0x0000000000060000-0x0000000000075000-memory.dmpFilesize
84KB
-
memory/2844-100-0x0000000000300000-0x0000000000319000-memory.dmpFilesize
100KB
-
memory/2844-95-0x0000000000300000-0x0000000000319000-memory.dmpFilesize
100KB
-
memory/2844-89-0x0000000000300000-0x0000000000319000-memory.dmpFilesize
100KB