Analysis
-
max time kernel
136s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
26-03-2024 08:38
Static task
static1
Behavioral task
behavioral1
Sample
debdb525bf56212d7d951a22215367e0.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
debdb525bf56212d7d951a22215367e0.exe
Resource
win10v2004-20240226-en
General
-
Target
debdb525bf56212d7d951a22215367e0.exe
-
Size
127KB
-
MD5
debdb525bf56212d7d951a22215367e0
-
SHA1
fa64c64b5d833a284808bb9a31c886e13c0d0704
-
SHA256
95b59ef096e24e28534ab1788671a8c044539d4f5d28a3ed5d3d36e81b3d4415
-
SHA512
69a5e63f1456e4bd49b0bf5a2cab2c019279ba25c9921fbef6e1c0d123fd88c98af5da6ee18fd5209197cb598f7eaf50e36f4c0297d52daa8317552a9ec3dd55
-
SSDEEP
1536:X+xV0ht8Yzk0UyRIDJV3/1veMciKZ4m2sd99SIvlysxPgIbNKCzQaWSITr80y:phufGmDJxeZ449/9hjzYZn80y
Malware Config
Extracted
pony
http://37.59.66.237/pony/gate.php
-
payload_url
http://ftp.irpiniaoggi.it/iztD.exe
http://www.w3haus.com.br/28wio.exe
Signatures
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes:
debdb525bf56212d7d951a22215367e0.exedescription pid process Token: SeImpersonatePrivilege 2228 debdb525bf56212d7d951a22215367e0.exe Token: SeTcbPrivilege 2228 debdb525bf56212d7d951a22215367e0.exe Token: SeChangeNotifyPrivilege 2228 debdb525bf56212d7d951a22215367e0.exe Token: SeCreateTokenPrivilege 2228 debdb525bf56212d7d951a22215367e0.exe Token: SeBackupPrivilege 2228 debdb525bf56212d7d951a22215367e0.exe Token: SeRestorePrivilege 2228 debdb525bf56212d7d951a22215367e0.exe Token: SeIncreaseQuotaPrivilege 2228 debdb525bf56212d7d951a22215367e0.exe Token: SeAssignPrimaryTokenPrivilege 2228 debdb525bf56212d7d951a22215367e0.exe -
Suspicious use of UnmapMainImage 1 IoCs
Processes:
debdb525bf56212d7d951a22215367e0.exepid process 2228 debdb525bf56212d7d951a22215367e0.exe
Processes
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2228-1-0x0000000000270000-0x0000000000296000-memory.dmpFilesize
152KB
-
memory/2228-0-0x0000000000250000-0x0000000000267000-memory.dmpFilesize
92KB
-
memory/2228-2-0x0000000000400000-0x0000000000417000-memory.dmpFilesize
92KB
-
memory/2228-3-0x0000000000400000-0x0000000000417000-memory.dmpFilesize
92KB