Analysis
-
max time kernel
135s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
21-03-2024 20:55
General
-
Target
dc97ae4dbd3d7610c97a1e8ea826b5c3.exe
-
Size
655KB
-
MD5
dc97ae4dbd3d7610c97a1e8ea826b5c3
-
SHA1
ac372a39625752355e982e814c7836720648ae52
-
SHA256
82b08b85e60227bcd7b95645a2cbfd6341e8de9c740865063fab712227df2799
-
SHA512
cb0547baa60fdc876d85431e6878fd88e368810d4884d384e6a9219d854be008ddcaaa8fb0f00df1277d70caa803cd4561ba6407f1876b3e0822b86ec6cce007
-
SSDEEP
12288:/ESqJwbBEE+tOi9c2xwlqXs4zUmvycM6xgNyJ6DsZuhEP60dIIFazZyun23:/EdYj+j9c21lz/VnxgAJxuOCciZzE
Malware Config
Signatures
-
Modifies security service 2 TTPs 1 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
-
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
-
Disables taskbar notifications via registry modification
-
Modifies Installed Components in the registry 2 TTPs 2 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 10 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 13 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 36 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Suspicious use of SetThreadContext 3 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 36 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Enumerates processes with tasklist 1 TTPs 2 IoCs
-
Modifies registry class 13 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 34 IoCs
-
Suspicious use of FindShellTrayWindow 28 IoCs
-
Suspicious use of SendNotifyMessage 21 IoCs
-
Suspicious use of SetWindowsHookEx 5 IoCs
-
Suspicious use of WriteProcessMemory 54 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\dc97ae4dbd3d7610c97a1e8ea826b5c3.exe"C:\Users\Admin\AppData\Local\Temp\dc97ae4dbd3d7610c97a1e8ea826b5c3.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\dc97ae4dbd3d7610c97a1e8ea826b5c3.exedc97ae4dbd3d7610c97a1e8ea826b5c3.exe2⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\R07924.exeC:\Users\Admin\R07924.exe3⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\xoooqag.exe"C:\Users\Admin\xoooqag.exe"4⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c tasklist&&del R07924.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\aehost.exeC:\Users\Admin\aehost.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\aehost.exeaehost.exe4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\behost.exeC:\Users\Admin\behost.exe3⤵
- Modifies security service
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\behost.exeC:\Users\Admin\behost.exe startC:\Users\Admin\AppData\Roaming\BE083\FBED3.exe%C:\Users\Admin\AppData\Roaming\BE0834⤵
- Executes dropped EXE
-
C:\Users\Admin\behost.exeC:\Users\Admin\behost.exe startC:\Program Files (x86)\836C8\lvvm.exe%C:\Program Files (x86)\836C84⤵
- Executes dropped EXE
-
C:\Program Files (x86)\LP\D3AB\5569.tmp"C:\Program Files (x86)\LP\D3AB\5569.tmp"4⤵
- Executes dropped EXE
-
C:\Users\Admin\cehost.exeC:\Users\Admin\cehost.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\explorer.exe00000208*4⤵
-
C:\Users\Admin\dehost.exeC:\Users\Admin\dehost.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c tasklist&&del dc97ae4dbd3d7610c97a1e8ea826b5c3.exe3⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3824 --field-trial-handle=3136,i,3192284747741020952,1225278682167953346,262144 --variations-seed-version /prefetch:81⤵
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Privilege Escalation
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Defense Evasion
Modify Registry
5Hide Artifacts
1Hidden Files and Directories
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\LP\D3AB\5569.tmpFilesize
104KB
MD50cb09d0443d2eda312058ae1a2fa83c2
SHA11888844fcab4269a5c08b5cf122b100e8abb3cb0
SHA25650a9af2fe05dd06d6ff825bcf2106b64385e7fdf9a06a0a18ac187c4a057503a
SHA51293bfdc4d14a7ba7cce25d0a83faa29e0efa7932f3024aa82fcc1d606cb9a65e0ebd91942ad9992ce787f639df1748fde9599cb9b676245a17a8198064df2e24c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53Filesize
471B
MD56475b19cdf10d6f0ccf27ebf0fe76309
SHA16c3ca7a137c2b3041cdb22c994bba356e33f93c4
SHA256635f833910db4e0915ecfe0d515341d4feec384dd83d6309f71f336c838a75d1
SHA5129f695eae05fd9bc6f775cd2e8ec1a235976d82bf8b206449b0595e97afd335b31e79706b281b920e08de6d90a05a7e8b777f6d15bdbf815e61bf96e19542f4ce
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53Filesize
412B
MD577269ac11ebcfab8745fe0adfdc5ab52
SHA19e34bd47b218c25b1885769f6c1f1b610743c795
SHA25642b59250104c68cbcf9a603369b204878fc406c981b90e1dcf50785429b51dee
SHA51277c19bd79e17018a4bf813edfedaf6cbdc18bfd0085463ec710da292bd1b2badb15bff8567e382a11f6573342c9050ed0951e4c84b05814d0751c0743b3d07da
-
C:\Users\Admin\AppData\Roaming\BE083\36C8.E08Filesize
600B
MD5ec59fec29375a165d92791ce529333ce
SHA19c1ff20da0149fc8ec03045d1bcc61054f2f3113
SHA256271c7185b93005f1175c69054f58fe3d486093d44025a2d9d7258f0c8039a31e
SHA512cf70dc1f4a139950cfcc5ec3a0bf243eb42477ed262dd4a5b22c1e30b887060f9eac256b25d67cbbff9072db2c0c74a3218b7bc8081152e74dca188f4e58dff1
-
C:\Users\Admin\AppData\Roaming\BE083\36C8.E08Filesize
1KB
MD5e3f4ab986e37c6c194e89e71b9d56533
SHA17dd3a478ab0517109562ef7e1f07f828373768a4
SHA256395cf818ce6a177f3dbaa70637c3c58bd639de3e63c7737209745e4f42d07276
SHA5129fd2a40ee29f85a21f420e744e03a28fe9a19b1ff1870aea3c61151304cdc1d8727fcd5b08b86d4dfd840f03422832891cb406a9ae740f9afc1a37e0e201794e
-
C:\Users\Admin\AppData\Roaming\BE083\36C8.E08Filesize
1KB
MD500b99699326195726d5328dc7ce1a26e
SHA1f20b88b6a29aae6d099daf9c40ed802a9a90fc4d
SHA2565e52648d59b40aaa1b0a62455a98aa3ea2147a7f4e7dbb0203c70d4588c506d5
SHA512e68af26110cad090fcf0f6890eb2295a1a5e27bf87b8a1ad53747cc7127cced994a223319197cb3e0d7f412f8013bef0e79acbe1f9a74234ed91e4ce28aa3203
-
C:\Users\Admin\R07924.exeFilesize
188KB
MD54f9c5823c5d1255ded151b01c0a58e15
SHA12f7018a9211472ddfa5d2f09629bf90adce4676c
SHA256e38564871dc5952e2d1d22d51e312e3064cf84df95c0420021153cb5c264adcf
SHA512b5518effbf476d9486a5ddaa65c937e97b10470d533f8e0c9af30956868c032f6bdb524d13a004e4a0d19e9a88b5f3f11ee82e5602b1175092fb36a9959d40ca
-
C:\Users\Admin\aehost.exeFilesize
129KB
MD5e2b1704acdf48221cd9be91bae3546c5
SHA1f53a59b62276f58cf8689768f747e16f53dbd341
SHA2568b1c13bb2e95f71ed75d8fca7aeefc556ecd377d5d4f6c544d77ac8f74255ca5
SHA5121b3d8baa981851a79c4f12f3ea2a4d197b3439e76ca723acd578acabd731310d6eeb3a4567a10d48f45192ae9c4cd732eca04c0a7fffa636e7bd364ed1357b53
-
C:\Users\Admin\behost.exeFilesize
279KB
MD52a583120a51178ee5f8bc2727faaa73e
SHA191296d42eeddb285aeea28f5139cadda10f21df7
SHA256b315e97fff3561563da4dcf7283636f42eef9ebaf422506e01f03716d4877b02
SHA512003e11b916256091486311881a06286d532a9940d75977a44afa3c116277a0f490505e9b4053f56846fb6d1d7584d7748f622bc9cae088af93820452027dac8b
-
C:\Users\Admin\cehost.exeFilesize
145KB
MD556be9270582de0986c72139ea218e121
SHA1d33b8a2127ccf6b6f42a0c0f266136a376def18c
SHA2568b40a882fde5ef3df2ec3112142b654c949adf7f559bc1912ad9d08ebb17c257
SHA512dcee7d3d16e19e5a36a386d097c171ed7761ad4fc626b5d523b9c33f952fa24da733c56fcb8ff440894c3672c468d04cecc001ae9a680a9607347a5f517e6023
-
C:\Users\Admin\dehost.exeFilesize
24KB
MD57cda5863b933988b7bd1d0c8035dafd9
SHA168c64d655d0df1c9974587d12b3b88f5ce1f4cac
SHA256400cb530f1489c46ada1dedc35b51cb53e8174f5cdda0d086ef593c135e0f216
SHA512978440c09b70b695fdc171c6e2a7c064aa078d4a300db7f297afde5e3c1cfdf513da01dae967a9a8c524c185432ef87bf922a5cc97a9c8a6d1fd9cc3155e0aea
-
C:\Users\Admin\xoooqag.exeFilesize
188KB
MD50967208481a6727ef127b1cca1af7d82
SHA104cdf0caf1afa7ff1f25d46274103a6a58964fe5
SHA256e143ef95f3673857569123780dbe090c78153154be8bc2931ab9eecb11ab35eb
SHA512e2c132173edcad38790bad2a60574fa2d78a23c51939ba0b3b687cf00262acd25282c994360d5793f4833dfd8583970678a3ed143fb82bfb62fbe52c0249183b
-
memory/228-273-0x0000000000530000-0x0000000000630000-memory.dmpFilesize
1024KB
-
memory/228-283-0x0000000000400000-0x000000000041D000-memory.dmpFilesize
116KB
-
memory/228-222-0x0000000000400000-0x000000000041D000-memory.dmpFilesize
116KB
-
memory/436-203-0x0000000000400000-0x0000000000469000-memory.dmpFilesize
420KB
-
memory/436-202-0x0000000000400000-0x0000000000469000-memory.dmpFilesize
420KB
-
memory/436-204-0x0000000000670000-0x0000000000770000-memory.dmpFilesize
1024KB
-
memory/496-13-0x0000000000400000-0x00000000004C9000-memory.dmpFilesize
804KB
-
memory/496-15-0x0000000000400000-0x00000000004C9000-memory.dmpFilesize
804KB
-
memory/496-8-0x0000000000400000-0x00000000004C9000-memory.dmpFilesize
804KB
-
memory/496-9-0x0000000000400000-0x00000000004C9000-memory.dmpFilesize
804KB
-
memory/496-14-0x0000000000400000-0x00000000004C9000-memory.dmpFilesize
804KB
-
memory/496-320-0x0000000000400000-0x00000000004C9000-memory.dmpFilesize
804KB
-
memory/496-61-0x0000000000400000-0x00000000004C9000-memory.dmpFilesize
804KB
-
memory/1644-12-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/1644-0-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/1764-117-0x00000000004A0000-0x00000000005A0000-memory.dmpFilesize
1024KB
-
memory/1764-221-0x0000000000400000-0x0000000000469000-memory.dmpFilesize
420KB
-
memory/1764-78-0x00000000004A0000-0x00000000005A0000-memory.dmpFilesize
1024KB
-
memory/1764-77-0x0000000000400000-0x0000000000469000-memory.dmpFilesize
420KB
-
memory/1764-102-0x0000000000400000-0x0000000000469000-memory.dmpFilesize
420KB
-
memory/1764-123-0x0000000000400000-0x0000000000469000-memory.dmpFilesize
420KB
-
memory/2480-71-0x0000000000400000-0x0000000000423000-memory.dmpFilesize
140KB
-
memory/2840-87-0x0000000000400000-0x0000000000442000-memory.dmpFilesize
264KB
-
memory/2840-82-0x0000000000400000-0x0000000000442000-memory.dmpFilesize
264KB
-
memory/2840-85-0x0000000000400000-0x0000000000442000-memory.dmpFilesize
264KB
-
memory/2840-84-0x0000000000400000-0x0000000000442000-memory.dmpFilesize
264KB
-
memory/2840-91-0x0000000000400000-0x0000000000442000-memory.dmpFilesize
264KB
-
memory/2840-89-0x00000000005B1000-0x00000000005B2000-memory.dmpFilesize
4KB
-
memory/2840-88-0x00000000005B0000-0x00000000005F2000-memory.dmpFilesize
264KB
-
memory/3392-90-0x0000000000680000-0x0000000000695000-memory.dmpFilesize
84KB
-
memory/4712-115-0x0000000000400000-0x0000000000469000-memory.dmpFilesize
420KB
-
memory/4712-116-0x00000000004F0000-0x00000000005F0000-memory.dmpFilesize
1024KB
-
memory/4712-282-0x00000000004F0000-0x00000000005F0000-memory.dmpFilesize
1024KB
-
memory/4940-72-0x0000000000400000-0x000000000040B000-memory.dmpFilesize
44KB
-
memory/4940-69-0x0000000000400000-0x000000000040B000-memory.dmpFilesize
44KB
-
memory/4940-66-0x0000000000400000-0x000000000040B000-memory.dmpFilesize
44KB
-
memory/4940-65-0x0000000000400000-0x000000000040B000-memory.dmpFilesize
44KB
-
memory/4940-64-0x0000000000400000-0x000000000040B000-memory.dmpFilesize
44KB
-
memory/4940-63-0x0000000000400000-0x000000000040B000-memory.dmpFilesize
44KB
-
memory/4940-62-0x0000000000400000-0x000000000040B000-memory.dmpFilesize
44KB