Analysis
-
max time kernel
136s -
max time network
148s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
25-03-2024 06:23
Static task
static1
Behavioral task
behavioral1
Sample
dd72c081e53b2b8feb0726ed58dc1b3d.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
dd72c081e53b2b8feb0726ed58dc1b3d.exe
Resource
win10v2004-20240226-en
General
-
Target
dd72c081e53b2b8feb0726ed58dc1b3d.exe
-
Size
173KB
-
MD5
dd72c081e53b2b8feb0726ed58dc1b3d
-
SHA1
25d078e22e508bf5f80be5ec69d2b02134ec6a8b
-
SHA256
0e6db69bb537de62bf59d86f1c6b4b9f47ef74fc51bd5c5189d37a611119b5cc
-
SHA512
818a18c32e5dd8a47b7bb482edf44d1bc543f3494da537adffc88486419cf6891d2717475e6700b05592fb0132ffaad96cd1674a00c252050b33662b4fdb02e7
-
SSDEEP
1536:5+L7BtXISH0BVpMNijUJKvRBq2EqIiQmLdhkQOSIIolysxPgC5FKDl0LCK2z0DKc:oXISOCwjUJ+4zmL0QuIM10aLU0DK/et
Malware Config
Extracted
pony
http://108.166.65.182:8080/pony/gate.php
http://aloucakbileti.com:8080/pony/gate.php
-
payload_url
http://akradugunsalonlari.com/k0g2Cgr9/nn4hWpH.exe
Signatures
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes:
dd72c081e53b2b8feb0726ed58dc1b3d.exedescription pid process Token: SeImpersonatePrivilege 2220 dd72c081e53b2b8feb0726ed58dc1b3d.exe Token: SeTcbPrivilege 2220 dd72c081e53b2b8feb0726ed58dc1b3d.exe Token: SeChangeNotifyPrivilege 2220 dd72c081e53b2b8feb0726ed58dc1b3d.exe Token: SeCreateTokenPrivilege 2220 dd72c081e53b2b8feb0726ed58dc1b3d.exe Token: SeBackupPrivilege 2220 dd72c081e53b2b8feb0726ed58dc1b3d.exe Token: SeRestorePrivilege 2220 dd72c081e53b2b8feb0726ed58dc1b3d.exe Token: SeIncreaseQuotaPrivilege 2220 dd72c081e53b2b8feb0726ed58dc1b3d.exe Token: SeAssignPrimaryTokenPrivilege 2220 dd72c081e53b2b8feb0726ed58dc1b3d.exe -
Suspicious use of UnmapMainImage 1 IoCs
Processes:
dd72c081e53b2b8feb0726ed58dc1b3d.exepid process 2220 dd72c081e53b2b8feb0726ed58dc1b3d.exe
Processes
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2220-0-0x00000000002D0000-0x00000000002E7000-memory.dmpFilesize
92KB
-
memory/2220-1-0x00000000002F0000-0x0000000000321000-memory.dmpFilesize
196KB
-
memory/2220-2-0x0000000000400000-0x0000000000417000-memory.dmpFilesize
92KB
-
memory/2220-3-0x00000000002D0000-0x00000000002E7000-memory.dmpFilesize
92KB
-
memory/2220-4-0x00000000002F0000-0x0000000000321000-memory.dmpFilesize
196KB
-
memory/2220-5-0x0000000000400000-0x0000000000417000-memory.dmpFilesize
92KB