Analysis
-
max time kernel
150s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240319-en -
resource tags
-
submitted
26-03-2024 18:37
General
-
Target
dfd508ce328b9ec9a51ae057506df229.exe
-
Size
496KB
-
MD5
dfd508ce328b9ec9a51ae057506df229
-
SHA1
60b38c0fc9eae02dd7be4735f981852eb6d51689
-
SHA256
3d529a586c44bdeb8526cfac2dbdc2167e0f64b22d3adbb0036470648f855319
-
SHA512
385db0988f4d54893f93bf7be789df771cc3d318b6b1ac793998ff526553e04c6b6f721b6c2c806c03cdcee19249dc32811473c0b8dd30c61dedcdc5abb9178f
-
SSDEEP
12288:+DCPENnBV5jaHBoFvZstQW012B04Ngjw5qu8jxTQlDrLOM:+EEZBV5jCoFvZsSWG2BdN+w2+O
Malware Config
Signatures
-
Modifies security service 2 TTPs 1 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
-
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
-
Disables taskbar notifications via registry modification
-
Modifies Installed Components in the registry 2 TTPs 1 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 12 IoCs
-
Loads dropped DLL 17 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 30 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 50 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext 5 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Enumerates processes with tasklist 1 TTPs 2 IoCs
-
Modifies registry class 5 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 18 IoCs
-
Suspicious use of FindShellTrayWindow 29 IoCs
-
Suspicious use of SendNotifyMessage 19 IoCs
-
Suspicious use of SetWindowsHookEx 5 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\dfd508ce328b9ec9a51ae057506df229.exe"C:\Users\Admin\AppData\Local\Temp\dfd508ce328b9ec9a51ae057506df229.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\j29oAE.exeC:\Users\Admin\j29oAE.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\qntoq.exe"C:\Users\Admin\qntoq.exe"3⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c tasklist&&del j29oAE.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\2men.exeC:\Users\Admin\2men.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\2men.exe"C:\Users\Admin\2men.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\2men.exe"C:\Users\Admin\2men.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 884⤵
- Loads dropped DLL
- Program crash
-
C:\Users\Admin\2men.exe"C:\Users\Admin\2men.exe"3⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\2men.exe > nul4⤵
-
C:\Users\Admin\2men.exe"C:\Users\Admin\2men.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\2men.exe"C:\Users\Admin\2men.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\3men.exeC:\Users\Admin\3men.exe2⤵
- Modifies security service
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- System policy modification
-
C:\Users\Admin\3men.exeC:\Users\Admin\3men.exe startC:\Users\Admin\AppData\Roaming\84D46\376B3.exe%C:\Users\Admin\AppData\Roaming\84D463⤵
- Executes dropped EXE
-
C:\Users\Admin\3men.exeC:\Users\Admin\3men.exe startC:\Program Files (x86)\46A35\lvvm.exe%C:\Program Files (x86)\46A353⤵
- Executes dropped EXE
-
C:\Program Files (x86)\LP\B3D8\3478.tmp"C:\Program Files (x86)\LP\B3D8\3478.tmp"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c tasklist&&del dfd508ce328b9ec9a51ae057506df229.exe2⤵
- Deletes itself
-
C:\Windows\SysWOW64\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Privilege Escalation
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Defense Evasion
Modify Registry
5Hide Artifacts
1Hidden Files and Directories
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\84D46\6A35.4D4Filesize
600B
MD559de6b83e40418091aa8fdf0b01704ea
SHA1ac62153eb1e8fe1cbe5cb20362d81ff55e73261c
SHA2561d31526c9233f8c3ba798f081924aca3138b31d32865ed296cc08f18c3d673af
SHA51254800a773558ae4ce56a80ce0e2e0118774df1a72e7239687628c6188d760368ecdb18a5d8c252e3843fbd3e94165d75a2cb31ef48873e2aa76f3b7fe049c362
-
C:\Users\Admin\AppData\Roaming\84D46\6A35.4D4Filesize
996B
MD518fcb5eef5b93ffa8c94f0e822d71970
SHA163eee7d0ad28a8feb4422460edfa859e7f772ae4
SHA25667918b13a2b734e457e85ba0e03347abaa961abd93990e4f998343cbd8511c1a
SHA5127b7f1136ee364f8f7c4af6a862443655626e37138c093c841d222d71519d7f4253a8ef9feeb69f24d38b98971ce10d381b5ba73825c24c176e71f2594b64836f
-
C:\Users\Admin\AppData\Roaming\84D46\6A35.4D4Filesize
1KB
MD5da8cf4412aac6c8a285d30842e718970
SHA11ea648326e7170ba4611bcaa7db5539a902b4a72
SHA25648de4dabb3051cf247cc6f5a6752026782be874194132f25d8e372a5b4da8535
SHA512367aa5536fd2fde1576af107d4aa9acf661acd253cef02542b74e1728f6672a36fd03413d35c9df6a894a4c5e0e0a80186da83a7793816e7c80a5b54c618fc64
-
C:\Users\Admin\AppData\Roaming\84D46\6A35.4D4Filesize
1KB
MD573d6a882e6205967b887cb533bd5f95e
SHA169b49b235a80ce4e2617d865caf4820941b52688
SHA25615f5fd895c37878acfb6ab8bd3cb68f0b9e6dda07f63435de66570de67c7c25b
SHA512d4aa4142d9fce22d1591f40802072465c25fb8405bd203766abbae292b4aa325ad7683fafd6a5074096b07fad20d750d30a046dcb1378aa8db0c3a34dcc495bd
-
\Program Files (x86)\LP\B3D8\3478.tmpFilesize
96KB
MD56b9ed8570a1857126c8bf99e0663926c
SHA194e08d8a0be09be35f37a9b17ec2130febfa2074
SHA256888e4e571a6f78ee81d94ab56bd033d413f9160f1089073176b03c91878aae2d
SHA51223211a1b71f1d05ad7f003231da826220ac4940e48071135cc3fba14708123fa0292e2e71c294a8086d8dc5f90dd32c4da3b41e6857c56f38cb325d78cb14880
-
\Users\Admin\2men.exeFilesize
132KB
MD5945a713b037b50442ec5d18d3dc0d55e
SHA12c8881b327a79fafcce27479b78f05487d93c802
SHA2562da470571a64bcdeb56f62c916ee2bffa87ccc6c028b7c8cb0132d09bceedd2f
SHA5120eab4bb5d04725cc20e463ae6959f71064674602f8ee7b3c9b2db75e928b9a0b1bdc94233dc261f6277d02e54a443b42a59b12aaebb8bbf243f0940344fbf385
-
\Users\Admin\3men.exeFilesize
271KB
MD50d668203e24463de2bf228f00443b7bc
SHA1eacff981d71f6648f6315e508bfd75e11683dba8
SHA256509d530e99839d7dbc8fccac163420d9dc455fb478fa57fdec1b7a2ef629d7bc
SHA5123251bb1341bd466e71468d72723bd5cf545dbd232327f343b44c51daae8755ed3caa02f74adbb0304912769346fa90dfa4c7036c211836e5650bdb06993ba803
-
\Users\Admin\j29oAE.exeFilesize
176KB
MD5c4a634088e095eab98183984bb7252d8
SHA1c205f2c1f8040c9205c6c06accd75c0396c59781
SHA256db345985313397a39cc2817134315c8db71ab4c48680e62c0358db406b0eff6a
SHA512b6a30f6d5cc30bee9b9d483629f16c80c5338360cec629f9ee2a3307b73b9743fd71396e408ac72008b84f4b8fded26002c910421853253b52b8b4d530df7a8e
-
\Users\Admin\qntoq.exeFilesize
176KB
MD54edcca4c7ad764c91eb760b638b78774
SHA1999f60023ebb1a2b7fb1083d62f963c53334310e
SHA256bfc2b61090927ee0a726f788cdc1a38696c33b20264f569247c176e3a457d73b
SHA512ad1c273175550e7ee10136d27eea985e8401c54ce782b8d84edf62167fe0bd77cc4390db160b2cfdb7e8d6c23508218de895f735c3f25fdf2fe456ef3827c9e0
-
memory/756-96-0x0000000000400000-0x0000000000407000-memory.dmpFilesize
28KB
-
memory/756-81-0x0000000000400000-0x0000000000407000-memory.dmpFilesize
28KB
-
memory/756-92-0x0000000000400000-0x0000000000407000-memory.dmpFilesize
28KB
-
memory/756-102-0x0000000000400000-0x0000000000407000-memory.dmpFilesize
28KB
-
memory/756-104-0x0000000000400000-0x0000000000407000-memory.dmpFilesize
28KB
-
memory/876-330-0x0000000000400000-0x000000000046A000-memory.dmpFilesize
424KB
-
memory/876-331-0x0000000000630000-0x0000000000730000-memory.dmpFilesize
1024KB
-
memory/1604-125-0x0000000000400000-0x000000000046A000-memory.dmpFilesize
424KB
-
memory/1604-126-0x00000000005F0000-0x00000000006F0000-memory.dmpFilesize
1024KB
-
memory/1604-128-0x0000000000400000-0x000000000046A000-memory.dmpFilesize
424KB
-
memory/1604-200-0x0000000000400000-0x000000000046A000-memory.dmpFilesize
424KB
-
memory/1604-204-0x00000000005F0000-0x00000000006F0000-memory.dmpFilesize
1024KB
-
memory/1720-65-0x0000000000400000-0x000000000040E000-memory.dmpFilesize
56KB
-
memory/1720-67-0x0000000000400000-0x000000000040E000-memory.dmpFilesize
56KB
-
memory/1720-49-0x0000000000400000-0x000000000040E000-memory.dmpFilesize
56KB
-
memory/1720-51-0x0000000000400000-0x000000000040E000-memory.dmpFilesize
56KB
-
memory/1720-54-0x0000000000400000-0x000000000040E000-memory.dmpFilesize
56KB
-
memory/1720-66-0x0000000000400000-0x000000000040E000-memory.dmpFilesize
56KB
-
memory/1720-61-0x0000000000400000-0x000000000040E000-memory.dmpFilesize
56KB
-
memory/2380-105-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/2380-80-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/2380-68-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/2380-84-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/2380-70-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/2380-83-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/2380-75-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/2380-72-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/2488-333-0x0000000000400000-0x000000000041C000-memory.dmpFilesize
112KB
-
memory/2488-334-0x00000000002F0000-0x00000000003F0000-memory.dmpFilesize
1024KB
-
memory/2488-454-0x0000000000400000-0x000000000041C000-memory.dmpFilesize
112KB
-
memory/2560-456-0x0000000004230000-0x0000000004231000-memory.dmpFilesize
4KB
-
memory/2560-201-0x0000000004230000-0x0000000004231000-memory.dmpFilesize
4KB
-
memory/2664-197-0x00000000005E0000-0x00000000006E0000-memory.dmpFilesize
1024KB
-
memory/2664-198-0x0000000000400000-0x000000000046A000-memory.dmpFilesize
424KB
-
memory/2720-46-0x0000000000400000-0x0000000000407000-memory.dmpFilesize
28KB
-
memory/2720-40-0x0000000000400000-0x0000000000407000-memory.dmpFilesize
28KB
-
memory/2720-55-0x0000000000400000-0x0000000000407000-memory.dmpFilesize
28KB
-
memory/2720-44-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/2720-108-0x0000000000400000-0x0000000000407000-memory.dmpFilesize
28KB
-
memory/2720-120-0x0000000000400000-0x0000000000407000-memory.dmpFilesize
28KB
-
memory/2720-38-0x0000000000400000-0x0000000000407000-memory.dmpFilesize
28KB
-
memory/2720-42-0x0000000000400000-0x0000000000407000-memory.dmpFilesize
28KB
-
memory/2720-52-0x0000000000400000-0x0000000000407000-memory.dmpFilesize
28KB
-
memory/2720-57-0x0000000000400000-0x0000000000407000-memory.dmpFilesize
28KB