Analysis
-
max time kernel
137s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
26-03-2024 22:18
Static task
static1
Behavioral task
behavioral1
Sample
e03a5564f0eb5dfcb7066eb12f0975d2.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
e03a5564f0eb5dfcb7066eb12f0975d2.exe
Resource
win10v2004-20240226-en
General
-
Target
e03a5564f0eb5dfcb7066eb12f0975d2.exe
-
Size
107KB
-
MD5
e03a5564f0eb5dfcb7066eb12f0975d2
-
SHA1
2ceea46fdecc1bae5dc4b6dba575f7db2c37c92b
-
SHA256
6b006f27b16b51836ccda6abed3d9161d36d058f0a21f61b61f83b583558eb17
-
SHA512
c613f179406a657af797ff72b8bc3a2d49669d83d097359282a0cd5273aa4b98e229cb49ae1bfc5d734d9f35b93e61ea0f389b198cb4b81b3ead9608c2595d01
-
SSDEEP
3072:twZU77g7CHJYC+J+ld80KC7dDXOxYVBHtG2jYYnB1Ns1q:Y6ggT+J+Pl7p/HBdnb
Malware Config
Extracted
pony
http://91.121.84.204:8080/pony/gate.php
http://91.121.93.178:8080/pony/gate.php
-
payload_url
http://89.200.200.24/9KPYQZPZ/2i1Z.exe
Signatures
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes:
e03a5564f0eb5dfcb7066eb12f0975d2.exedescription pid process Token: SeImpersonatePrivilege 2492 e03a5564f0eb5dfcb7066eb12f0975d2.exe Token: SeTcbPrivilege 2492 e03a5564f0eb5dfcb7066eb12f0975d2.exe Token: SeChangeNotifyPrivilege 2492 e03a5564f0eb5dfcb7066eb12f0975d2.exe Token: SeCreateTokenPrivilege 2492 e03a5564f0eb5dfcb7066eb12f0975d2.exe Token: SeBackupPrivilege 2492 e03a5564f0eb5dfcb7066eb12f0975d2.exe Token: SeRestorePrivilege 2492 e03a5564f0eb5dfcb7066eb12f0975d2.exe Token: SeIncreaseQuotaPrivilege 2492 e03a5564f0eb5dfcb7066eb12f0975d2.exe Token: SeAssignPrimaryTokenPrivilege 2492 e03a5564f0eb5dfcb7066eb12f0975d2.exe -
Suspicious use of UnmapMainImage 1 IoCs
Processes:
e03a5564f0eb5dfcb7066eb12f0975d2.exepid process 2492 e03a5564f0eb5dfcb7066eb12f0975d2.exe
Processes
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2492-0-0x0000000000400000-0x000000000041E000-memory.dmpFilesize
120KB
-
memory/2492-1-0x0000000000270000-0x000000000028E000-memory.dmpFilesize
120KB
-
memory/2492-2-0x0000000000250000-0x0000000000267000-memory.dmpFilesize
92KB
-
memory/2492-3-0x0000000000400000-0x0000000000417000-memory.dmpFilesize
92KB
-
memory/2492-4-0x0000000000270000-0x000000000028E000-memory.dmpFilesize
120KB
-
memory/2492-5-0x0000000000400000-0x0000000000417000-memory.dmpFilesize
92KB