Overview

overview

10

Static

static

3

df6d4fb5b3...b6.exe

windows7-x64

10

df6d4fb5b3...b6.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    26-03-2024 14:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    df6d4fb5b398bc1051f5a5914d7e41b6.exe

  • Size

    279KB

  • MD5

    df6d4fb5b398bc1051f5a5914d7e41b6

  • SHA1

    8055da8133ae2398edafd675bac8f5315dabbeba

  • SHA256

    dee566569bb0f7ecb40d8148fe88e4643cfecd03fcf796866fe1cd582e023bc1

  • SHA512

    61d0ce8421eb620122790d3124e231954d88cb270c54369d5d77cc135c448f9d8ca3c409ed66d47e9aecd9c25af85e2526401ab1f11260f56f919426b7fac54c

  • SSDEEP

    6144:J7nr+l65RAHqjeEnozHOEKS64yoRHfmTj8UiUDTQv:J7XRGgdozHLDLRH+NXk

Score
10/10
ponydiscoveryevasionpersistenceratspywarestealerupx

Malware Config

Signatures

  • Modifies security service 2 TTPs 1 IoCs
    evasion
  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

    ratspywarestealerpony
  • Disables taskbar notifications via registry modification
    evasion
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 3 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of FindShellTrayWindow 28 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\df6d4fb5b398bc1051f5a5914d7e41b6.exe
    "C:\Users\Admin\AppData\Local\Temp\df6d4fb5b398bc1051f5a5914d7e41b6.exe"
    1⤵
    • Modifies security service
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1368
    • C:\Users\Admin\AppData\Local\Temp\df6d4fb5b398bc1051f5a5914d7e41b6.exe
      C:\Users\Admin\AppData\Local\Temp\df6d4fb5b398bc1051f5a5914d7e41b6.exe startC:\Users\Admin\AppData\Roaming\8EAA6\0A62F.exe%C:\Users\Admin\AppData\Roaming\8EAA6
      2⤵
        PID:2636
      • C:\Users\Admin\AppData\Local\Temp\df6d4fb5b398bc1051f5a5914d7e41b6.exe
        C:\Users\Admin\AppData\Local\Temp\df6d4fb5b398bc1051f5a5914d7e41b6.exe startC:\Program Files (x86)\A622A\lvvm.exe%C:\Program Files (x86)\A622A
        2⤵
          PID:1848
        • C:\Program Files (x86)\LP\2FD8\BE3.tmp
          "C:\Program Files (x86)\LP\2FD8\BE3.tmp"
          2⤵
          • Executes dropped EXE
          PID:1304
      • C:\Windows\system32\msiexec.exe
        C:\Windows\system32\msiexec.exe /V
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2608
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Modifies Installed Components in the registry
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:700

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Persistence

      Create or Modify System Process

      1
      T1543

      Windows Service

      1
      T1543.003

      Boot or Logon Autostart Execution

      2
      T1547

      Registry Run Keys / Startup Folder

      2
      T1547.001

      Privilege Escalation

      Create or Modify System Process

      1
      T1543

      Windows Service

      1
      T1543.003

      Boot or Logon Autostart Execution

      2
      T1547

      Registry Run Keys / Startup Folder

      2
      T1547.001

      Defense Evasion

      Modify Registry

      4
      T1112

      Credential Access

      Unsecured Credentials

      2
      T1552

      Credentials In Files

      2
      T1552.001

      Discovery

      Query Registry

      2
      T1012

      Lateral Movement

      Collection

      Data from Local System

      2
      T1005

      Exfiltration

      Command and Control

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\8EAA6\622A.EAA
        Filesize

        1KB

        MD5

        49fedc6117e0fb926dd5c4c6a1cffa02

        SHA1

        b4dc7384f3d5b0ac5a4b5c50965c12cdc24b0524

        SHA256

        11cc8616ca4c74df8dbeb401b032572cdd3f9a698dcab307886cbd33fc319d2b

        SHA512

        c7ebae8029acc32d83d98d2a4a9b18eea06f42938b3dfb9dd7d31a3c8584b1107ff0bf5ea24d0a0a33a85c7a82787cc94e0e5f54b500d085eb9e8fa48190e284

        Download Submit
      • C:\Users\Admin\AppData\Roaming\8EAA6\622A.EAA
        Filesize

        600B

        MD5

        d451b92d4d9e03b8567d5f9fa70562a8

        SHA1

        dff74192d3f88001729f5c0872930c5eb125ad3b

        SHA256

        3a5a9984d337870c887e357dd319d8355980c99253319d03e6319b78949f08b9

        SHA512

        bb620c219c0a5f50846fbfbd2391d29c38a9435e1127cbd796239aef573aa700f29da06016a30a9b2690da680eec1273df8843999f8c52b0e795f8aaf8d9df73

        Download Submit
      • C:\Users\Admin\AppData\Roaming\8EAA6\622A.EAA
        Filesize

        1KB

        MD5

        1a4c082d7600374075fda39ee1ed7be1

        SHA1

        415bbd163c9defdafe893c4450e5929e65de58a6

        SHA256

        6eeabdba9ae9fab6ee8f46e0e5280d14589724b407206a99da317ebab8ce62dc

        SHA512

        97dcfa35409e58bdd6ec4d8c31d9e3579e6d1fdaecd9810a7d58df5d5403a5dc4802254fd642b5461bdf56f3cbcaae5e28f4aee84f35e49d6eee09a449a3795f

        Download Submit
      • C:\Users\Admin\AppData\Roaming\8EAA6\622A.EAA
        Filesize

        996B

        MD5

        69b69cf414b3adb7f19876cea2111b4a

        SHA1

        72af30d00c1543b97b2f401b24725c9bde93f35d

        SHA256

        894b1d4c5cbdea86bfefe1ae37abf5cb991021fda748ad180746c65f3ac7120b

        SHA512

        7060094256a3a574ff5c03d8f1ee4b654cb015a583d1e4eb8a46a6a9b6b128a1a3b76f04ed0f0b2ce597aa5cb07c403b15a546aea7dc223542225693f3f06054

        Download Submit
      • \Program Files (x86)\LP\2FD8\BE3.tmp
        Filesize

        99KB

        MD5

        0d57642cffb4a4de227c0021ece3ec81

        SHA1

        ce9d649dbcaf9e418064118bc26cd26c5fa50034

        SHA256

        45fd7c3592c44074a862a22e362f2afbf4e718c0fcb13afbff95f4f7bdfe9c1d

        SHA512

        340a0548cfdb6ab092b082d187262dcaf36c00c0b1ef2b03e3b3588105a139a2e2d55021f2151d2042b807da0a6bd7e4790fa3fa590e599d2a90fe9a8748a3fd

        Download Submit
      • memory/700-111-0x00000000041A0000-0x00000000041A1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/700-204-0x00000000041A0000-0x00000000041A1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1304-202-0x0000000000400000-0x000000000041C000-memory.dmp
        Filesize

        112KB

        Download
      • memory/1304-200-0x0000000000400000-0x000000000041C000-memory.dmp
        Filesize

        112KB

        Download
      • memory/1304-201-0x0000000000570000-0x0000000000670000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1368-15-0x0000000000400000-0x000000000046B000-memory.dmp
        Filesize

        428KB

        Download
      • memory/1368-107-0x0000000000400000-0x000000000046B000-memory.dmp
        Filesize

        428KB

        Download
      • memory/1368-75-0x0000000001ED0000-0x0000000001FD0000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1368-1-0x0000000000400000-0x000000000046B000-memory.dmp
        Filesize

        428KB

        Download
      • memory/1368-199-0x0000000000400000-0x000000000046B000-memory.dmp
        Filesize

        428KB

        Download
      • memory/1368-7-0x0000000000400000-0x000000000046B000-memory.dmp
        Filesize

        428KB

        Download
      • memory/1368-2-0x0000000001ED0000-0x0000000001FD0000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1368-207-0x0000000000400000-0x000000000046B000-memory.dmp
        Filesize

        428KB

        Download
      • memory/1848-108-0x0000000000400000-0x000000000046B000-memory.dmp
        Filesize

        428KB

        Download
      • memory/1848-109-0x0000000000400000-0x000000000046B000-memory.dmp
        Filesize

        428KB

        Download
      • memory/1848-110-0x0000000001E70000-0x0000000001F70000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/2636-13-0x0000000000400000-0x000000000046B000-memory.dmp
        Filesize

        428KB

        Download
      • memory/2636-14-0x0000000001F80000-0x0000000002080000-memory.dmp
        Filesize

        1024KB

        Download