Analysis
-
max time kernel
125s -
max time network
135s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system -
submitted
26-03-2024 16:32
Static task
static1
Behavioral task
behavioral1
Sample
df9b700afe7baecd365281850ee52c93.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
df9b700afe7baecd365281850ee52c93.exe
Resource
win10v2004-20240226-en
General
-
Target
df9b700afe7baecd365281850ee52c93.exe
-
Size
170KB
-
MD5
df9b700afe7baecd365281850ee52c93
-
SHA1
72d6799ce5d431c93f47b598c500f2d4464f8d8c
-
SHA256
0c21816ea6ae53f0b813afbba69fe50848e518ee8072586ded9d739cdd99fd52
-
SHA512
45ccc8a7e37e33ee0553c04707d6d3969050362d29b6d084ab9f6f0f50693a15899da761ed4dafd83a2fa4c7f7c27afcd3468d480dbe1defe35135092618c137
-
SSDEEP
3072:kuLQst7pKKnjitmoKDOin8ofW3Ouk5AZEP/ZdKfYeU:Pk41KkGtpqFnNWeuugEPrKS
Malware Config
Extracted
pony
http://178.77.99.145:8080/pony/gate.php
http://49.156.20.209:8080/pony/gate.php
-
payload_url
http://connectinfo.com.br/hQMt02q.exe
http://www.shelfspace.co.za/bwBhYgJ.exe
http://alta-e.com/wEs.exe
Signatures
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes:
df9b700afe7baecd365281850ee52c93.exedescription pid process Token: SeImpersonatePrivilege 1664 df9b700afe7baecd365281850ee52c93.exe Token: SeTcbPrivilege 1664 df9b700afe7baecd365281850ee52c93.exe Token: SeChangeNotifyPrivilege 1664 df9b700afe7baecd365281850ee52c93.exe Token: SeCreateTokenPrivilege 1664 df9b700afe7baecd365281850ee52c93.exe Token: SeBackupPrivilege 1664 df9b700afe7baecd365281850ee52c93.exe Token: SeRestorePrivilege 1664 df9b700afe7baecd365281850ee52c93.exe Token: SeIncreaseQuotaPrivilege 1664 df9b700afe7baecd365281850ee52c93.exe Token: SeAssignPrimaryTokenPrivilege 1664 df9b700afe7baecd365281850ee52c93.exe -
Suspicious use of UnmapMainImage 1 IoCs
Processes:
df9b700afe7baecd365281850ee52c93.exepid process 1664 df9b700afe7baecd365281850ee52c93.exe
Processes
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1664-1-0x0000000000300000-0x0000000000330000-memory.dmpFilesize
192KB
-
memory/1664-0-0x0000000000250000-0x0000000000267000-memory.dmpFilesize
92KB
-
memory/1664-2-0x0000000000400000-0x0000000000417000-memory.dmpFilesize
92KB
-
memory/1664-3-0x0000000000400000-0x0000000000417000-memory.dmpFilesize
92KB