Analysis
-
max time kernel
137s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240319-en -
resource tags
arch:x64arch:x86image:win7-20240319-enlocale:en-usos:windows7-x64system -
submitted
26-03-2024 16:49
Static task
static1
Behavioral task
behavioral1
Sample
dfa3325a73eefbcd94b66c1368fa216c.exe
Resource
win7-20240319-en
Behavioral task
behavioral2
Sample
dfa3325a73eefbcd94b66c1368fa216c.exe
Resource
win10v2004-20240226-en
General
-
Target
dfa3325a73eefbcd94b66c1368fa216c.exe
-
Size
170KB
-
MD5
dfa3325a73eefbcd94b66c1368fa216c
-
SHA1
5d6a4a9cb292b5ddcf6d8a511e0c70ff13be777f
-
SHA256
48f54b86f0d684f60dca91e4c51ac038a038edd8d1912fef0a9549e29f50cc0c
-
SHA512
2a03a05e6be669cf44a33b71f3e4fd71092b1c56fd70884344197b08a30d838601c06d6568ef48b3916857916b996c7c0c8dc428aff880c82828741e5d32179b
-
SSDEEP
3072:1XUVOo7pgZelfMbwn8ptxMsLB3GWk5OBKbceqsLB:Ro31gcl+wng91WWuqKl
Malware Config
Extracted
pony
http://108.166.65.182:8080/pony/gate.php
http://198.136.53.72/pony/gate.php
-
payload_url
http://www.manhattan.tur.br/CesRSc6x.exe
http://ftp.clickdanoiva.com.br/E18n.exe
http://ateneaconsultora.com.ar/yaRKc.exe
Signatures
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes:
dfa3325a73eefbcd94b66c1368fa216c.exedescription pid process Token: SeImpersonatePrivilege 2908 dfa3325a73eefbcd94b66c1368fa216c.exe Token: SeTcbPrivilege 2908 dfa3325a73eefbcd94b66c1368fa216c.exe Token: SeChangeNotifyPrivilege 2908 dfa3325a73eefbcd94b66c1368fa216c.exe Token: SeCreateTokenPrivilege 2908 dfa3325a73eefbcd94b66c1368fa216c.exe Token: SeBackupPrivilege 2908 dfa3325a73eefbcd94b66c1368fa216c.exe Token: SeRestorePrivilege 2908 dfa3325a73eefbcd94b66c1368fa216c.exe Token: SeIncreaseQuotaPrivilege 2908 dfa3325a73eefbcd94b66c1368fa216c.exe Token: SeAssignPrimaryTokenPrivilege 2908 dfa3325a73eefbcd94b66c1368fa216c.exe -
Suspicious use of UnmapMainImage 1 IoCs
Processes:
dfa3325a73eefbcd94b66c1368fa216c.exepid process 2908 dfa3325a73eefbcd94b66c1368fa216c.exe
Processes
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2908-1-0x00000000002F0000-0x0000000000320000-memory.dmpFilesize
192KB
-
memory/2908-2-0x0000000000400000-0x0000000000417000-memory.dmpFilesize
92KB
-
memory/2908-0-0x00000000002D0000-0x00000000002E7000-memory.dmpFilesize
92KB
-
memory/2908-3-0x0000000000400000-0x0000000000417000-memory.dmpFilesize
92KB