Overview

overview

10

Static

static

3

dd6320b125...a4.exe

windows7-x64

10

dd6320b125...a4.exe

windows10-2004-x64

1

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    25-03-2024 05:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dd6320b125131dabd2a8215d5dae2fa4.exe

  • Size

    361KB

  • MD5

    dd6320b125131dabd2a8215d5dae2fa4

  • SHA1

    8ad8efc9d656d4525b9d00743774fbbed79bacda

  • SHA256

    c24c7641930fef4c547f3fe70a8a9adf1eb5318876f1dece044f640377b5c01a

  • SHA512

    abeb8162720d6f9d4fd112146a9b5b5f76463258740daedfa6e2b1d22d89cae5abe5e1a8f3931b6979a4714250883b3cac862ae33dd430cebd24538a888af1a7

  • SSDEEP

    6144:UFBBSls5rfh8Y9lt7Xon2u6hcjTSShc8KDdI1NXxNdWHJRbKnajjETh2gPoL:cBBSl+rfh8sLq2udjtnKu1HOJROajjEd

Score
10/10
ponydiscoveryevasionpersistenceratspywarestealerupx

Malware Config

Signatures

  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

    ratspywarestealerpony
  • Disables taskbar notifications via registry modification
    evasion
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Modifies system executable filetype association 2 TTPs 17 IoCs
    persistence
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Modifies registry class 41 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of FindShellTrayWindow 35 IoCs
  • Suspicious use of SendNotifyMessage 21 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\dd6320b125131dabd2a8215d5dae2fa4.exe
    "C:\Users\Admin\AppData\Local\Temp\dd6320b125131dabd2a8215d5dae2fa4.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:300
    • C:\Users\Admin\AppData\Local\jmu.exe
      "C:\Users\Admin\AppData\Local\jmu.exe" -gav C:\Users\Admin\AppData\Local\Temp\dd6320b125131dabd2a8215d5dae2fa4.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      PID:2644
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:524

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Defense Evasion

Modify Registry

3
T1112

Credential Access

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Query Registry

2
T1012

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\pki6589.tmp
    Filesize

    255B

    MD5

    851036f09f7c92f0504dbe76d4811257

    SHA1

    bc474cd19121b61daf8f832414dcf1aaf166122d

    SHA256

    01c50a506269ee8dd40b2b6461671267afec440f0d2f8133f4a444869141ed4f

    SHA512

    ec4e9a45a2bbe9950d336b498d0dbd7a59015bd04ab46b0d91914b7007dfc56f44e93dcd2749c9e2b921618d6c4e683955f69fcc0384d49fdb9e965e5378b8ce

    Download Submit
  • \Users\Admin\AppData\Local\jmu.exe
    Filesize

    361KB

    MD5

    dd6320b125131dabd2a8215d5dae2fa4

    SHA1

    8ad8efc9d656d4525b9d00743774fbbed79bacda

    SHA256

    c24c7641930fef4c547f3fe70a8a9adf1eb5318876f1dece044f640377b5c01a

    SHA512

    abeb8162720d6f9d4fd112146a9b5b5f76463258740daedfa6e2b1d22d89cae5abe5e1a8f3931b6979a4714250883b3cac862ae33dd430cebd24538a888af1a7

    Download Submit
  • memory/300-54-0x00000000003D0000-0x00000000003D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/300-55-0x00000000028E0000-0x0000000002A61000-memory.dmp
    Filesize

    1.5MB

    Download
  • memory/300-56-0x0000000000400000-0x00000000004C5A00-memory.dmp
    Filesize

    790KB

    Download
  • memory/300-109-0x0000000000510000-0x0000000000526000-memory.dmp
    Filesize

    88KB

    Download
  • memory/300-153-0x0000000000400000-0x00000000004C5A00-memory.dmp
    Filesize

    790KB

    Download
  • memory/524-159-0x00000000040D0000-0x00000000040D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/524-154-0x00000000040D0000-0x00000000040D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/524-173-0x0000000002750000-0x0000000002760000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2644-152-0x0000000000400000-0x00000000004C5A00-memory.dmp
    Filesize

    790KB

    Download
  • memory/2644-158-0x0000000000400000-0x00000000004C5A00-memory.dmp
    Filesize

    790KB

    Download
  • memory/2644-157-0x0000000000400000-0x00000000004C5A00-memory.dmp
    Filesize

    790KB

    Download
  • memory/2644-156-0x0000000000400000-0x00000000004C5A00-memory.dmp
    Filesize

    790KB

    Download