Overview

overview

10

Static

static

3

e11b07de21...a7.exe

windows7-x64

10

e11b07de21...a7.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    27-03-2024 07:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e11b07de217fd3393260f882361ec1a7.exe

  • Size

    288KB

  • MD5

    e11b07de217fd3393260f882361ec1a7

  • SHA1

    b1ecd38e2e1911986a8b5ac3aaa627925161ac8d

  • SHA256

    7cd00e06d5562d0fe748c83413fc3374f7b6a4d10e1d32f9df8c7c6e4d7a71bc

  • SHA512

    cf29a20f2a1c8d4495b30d02144260c2ae80db824973b2140eb3efd30ea31fa217525edcea41ba4a560ac1fefebfc98dc8f8bf9fb975b11abcf35a6ed407e3c3

  • SSDEEP

    6144:xX8JXHMQUXu+9qjCTWeqKas8hiAHlkyvbhA5qLXtE8VZP6lnrlZdgpP:uBM7u+xWEAyeAGy8V168P

Score
10/10
ponydiscoveryevasionpersistenceratspywarestealerupx

Malware Config

Signatures

  • Modifies security service 2 TTPs 1 IoCs
    evasion
  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

    ratspywarestealerpony
  • Disables taskbar notifications via registry modification
    evasion
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 3 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of FindShellTrayWindow 28 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\e11b07de217fd3393260f882361ec1a7.exe
    "C:\Users\Admin\AppData\Local\Temp\e11b07de217fd3393260f882361ec1a7.exe"
    1⤵
    • Modifies security service
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1704
    • C:\Users\Admin\AppData\Local\Temp\e11b07de217fd3393260f882361ec1a7.exe
      C:\Users\Admin\AppData\Local\Temp\e11b07de217fd3393260f882361ec1a7.exe startC:\Users\Admin\AppData\Roaming\99CF6\6219D.exe%C:\Users\Admin\AppData\Roaming\99CF6
      2⤵
        PID:2144
      • C:\Users\Admin\AppData\Local\Temp\e11b07de217fd3393260f882361ec1a7.exe
        C:\Users\Admin\AppData\Local\Temp\e11b07de217fd3393260f882361ec1a7.exe startC:\Program Files (x86)\F678E\lvvm.exe%C:\Program Files (x86)\F678E
        2⤵
          PID:1440
        • C:\Program Files (x86)\LP\9DF9\14C8.tmp
          "C:\Program Files (x86)\LP\9DF9\14C8.tmp"
          2⤵
          • Executes dropped EXE
          PID:2344
      • C:\Windows\system32\msiexec.exe
        C:\Windows\system32\msiexec.exe /V
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2864
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Modifies Installed Components in the registry
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:976

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Persistence

      Create or Modify System Process

      1
      T1543

      Windows Service

      1
      T1543.003

      Boot or Logon Autostart Execution

      2
      T1547

      Registry Run Keys / Startup Folder

      2
      T1547.001

      Privilege Escalation

      Create or Modify System Process

      1
      T1543

      Windows Service

      1
      T1543.003

      Boot or Logon Autostart Execution

      2
      T1547

      Registry Run Keys / Startup Folder

      2
      T1547.001

      Defense Evasion

      Modify Registry

      4
      T1112

      Credential Access

      Unsecured Credentials

      2
      T1552

      Credentials In Files

      2
      T1552.001

      Discovery

      Query Registry

      2
      T1012

      Lateral Movement

      Collection

      Data from Local System

      2
      T1005

      Exfiltration

      Command and Control

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\99CF6\678E.9CF
        Filesize

        996B

        MD5

        758acdfc6049625615881f4bd47fb57e

        SHA1

        5a7d8a4d9cb1ec1a3fc91447bf1fff49edfb6d98

        SHA256

        835275314f219b00336bdf8981a44a56e2a48402117438a02e8be8052f60adc0

        SHA512

        c088a3bd3f512bedf5dec82b1c637489966eb6e2a6f9a3b0455aefebdd7fb2efc65f6f095cb6d3a13eaa26e7b95b6a93a044252f3403371a88367ea61b79e91f

        Download Submit
      • C:\Users\Admin\AppData\Roaming\99CF6\678E.9CF
        Filesize

        600B

        MD5

        6ef9ee8c092acb15786a35f4b4b1c8fc

        SHA1

        5b7a448a231c18074dfe54b191a3b3846156e446

        SHA256

        4b841d347104738974e834b39cb9473ed24c4a252c715b34552013a5dd9e3b33

        SHA512

        c7dcfef2a0db4048a92b44d8dd94189cb6a8c0babbd98530d5493877c326e2e4d5c926e8ec97f8ae2d5a379fbcee0bbb1da77830bee130b8d3eeee9162651577

        Download Submit
      • C:\Users\Admin\AppData\Roaming\99CF6\678E.9CF
        Filesize

        1KB

        MD5

        b33275b60e0ca22f06fe89e6be9a15be

        SHA1

        7f3f13554fbee9a616c3a3f8db8819e6f9762d6c

        SHA256

        91afd023a89d9eed879c31f3a9d2a793abed5e493e13f404179277e18be275c1

        SHA512

        2702f96f88d3e0db922f522d50a88f5cb483116510ea99eb3e48754dfc6eacd2a73562ff5686d80240fc49b29eec727d06692bdc7810200398c5f69a2dda2a76

        Download Submit
      • \Program Files (x86)\LP\9DF9\14C8.tmp
        Filesize

        102KB

        MD5

        3dd4e5cd0cb32f735268a740c647065a

        SHA1

        5e88431137152bf76f61d06b1c2086ecd5082a76

        SHA256

        a1cb303db454c3faa73fa6705c9a7ce126110615879047fbd579d2c813fba535

        SHA512

        37463297b6e127dc2689f2b998b14042189baa26727ab1770fc482035b09df2cd3f349fb11038fabde84d0b4a5a07bfc6b5c619001ddc70c9c37c0aa87b3fe04

        Download Submit
      • memory/976-306-0x0000000003D50000-0x0000000003D51000-memory.dmp
        Filesize

        4KB

        Download
      • memory/976-181-0x0000000003D50000-0x0000000003D51000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1440-179-0x0000000000400000-0x000000000046B000-memory.dmp
        Filesize

        428KB

        Download
      • memory/1440-178-0x0000000000610000-0x0000000000710000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1440-177-0x0000000000400000-0x000000000046B000-memory.dmp
        Filesize

        428KB

        Download
      • memory/1704-303-0x0000000000400000-0x000000000046B000-memory.dmp
        Filesize

        428KB

        Download
      • memory/1704-11-0x0000000000400000-0x000000000046B000-memory.dmp
        Filesize

        428KB

        Download
      • memory/1704-174-0x0000000000400000-0x000000000046B000-memory.dmp
        Filesize

        428KB

        Download
      • memory/1704-175-0x00000000005B0000-0x00000000006B0000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1704-180-0x0000000000400000-0x000000000046B000-memory.dmp
        Filesize

        428KB

        Download
      • memory/1704-309-0x0000000000400000-0x000000000046B000-memory.dmp
        Filesize

        428KB

        Download
      • memory/1704-2-0x00000000005B0000-0x00000000006B0000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1704-1-0x0000000000400000-0x000000000046B000-memory.dmp
        Filesize

        428KB

        Download
      • memory/2144-13-0x0000000000400000-0x000000000046B000-memory.dmp
        Filesize

        428KB

        Download
      • memory/2144-14-0x0000000000400000-0x000000000046B000-memory.dmp
        Filesize

        428KB

        Download
      • memory/2144-15-0x00000000005B0000-0x00000000006B0000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/2344-301-0x0000000000400000-0x000000000041D000-memory.dmp
        Filesize

        116KB

        Download
      • memory/2344-302-0x00000000004C0000-0x00000000005C0000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/2344-304-0x0000000000400000-0x000000000041D000-memory.dmp
        Filesize

        116KB

        Download