Analysis
-
max time kernel
136s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
27-03-2024 06:43
Static task
static1
Behavioral task
behavioral1
Sample
e10548492faa4a220cb1e9802d327bd6.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
e10548492faa4a220cb1e9802d327bd6.exe
Resource
win10v2004-20240226-en
General
-
Target
e10548492faa4a220cb1e9802d327bd6.exe
-
Size
107KB
-
MD5
e10548492faa4a220cb1e9802d327bd6
-
SHA1
82cace712bbec75ae62d4eff065060c8a78ea155
-
SHA256
7947227b2047ab2db3d15e48594571d3c0851b289bbf68c48f9863b4a9d681cc
-
SHA512
916b1bc75336d75d67a2e615ea1e110b154af5b4f34d164784bb6ee25e6524c258e4766ee779b77bea7d00fe365453b944812a867d1b7f6a37b7ae300b448492
-
SSDEEP
3072:6io1oui4jbYCP1bMCQ0KxvDlZH9qxYwD8X5CuUBI:Bui8TP1bzuvDZwDS5CPS
Malware Config
Extracted
pony
http://91.121.93.178:8080/ponychin/gate.php
http://aurianedamez.fr:8080/ponychin/gate.php
-
payload_url
http://erkekmekani.com/p6MfvWWs/oNrXj.exe
http://gdf.hoahuongduongvn.org/3PzW7Ldb/u1FHGv.exe
http://ilamer.org/aFkzrbsk/Tm1MDAjY.exe
Signatures
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes:
e10548492faa4a220cb1e9802d327bd6.exedescription pid process Token: SeImpersonatePrivilege 2764 e10548492faa4a220cb1e9802d327bd6.exe Token: SeTcbPrivilege 2764 e10548492faa4a220cb1e9802d327bd6.exe Token: SeChangeNotifyPrivilege 2764 e10548492faa4a220cb1e9802d327bd6.exe Token: SeCreateTokenPrivilege 2764 e10548492faa4a220cb1e9802d327bd6.exe Token: SeBackupPrivilege 2764 e10548492faa4a220cb1e9802d327bd6.exe Token: SeRestorePrivilege 2764 e10548492faa4a220cb1e9802d327bd6.exe Token: SeIncreaseQuotaPrivilege 2764 e10548492faa4a220cb1e9802d327bd6.exe Token: SeAssignPrimaryTokenPrivilege 2764 e10548492faa4a220cb1e9802d327bd6.exe -
Suspicious use of UnmapMainImage 1 IoCs
Processes:
e10548492faa4a220cb1e9802d327bd6.exepid process 2764 e10548492faa4a220cb1e9802d327bd6.exe
Processes
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2764-1-0x0000000000250000-0x000000000026E000-memory.dmpFilesize
120KB
-
memory/2764-2-0x0000000000230000-0x0000000000247000-memory.dmpFilesize
92KB
-
memory/2764-0-0x0000000000400000-0x000000000041E000-memory.dmpFilesize
120KB
-
memory/2764-3-0x0000000000400000-0x0000000000417000-memory.dmpFilesize
92KB
-
memory/2764-4-0x0000000000250000-0x000000000026E000-memory.dmpFilesize
120KB
-
memory/2764-5-0x0000000000400000-0x0000000000417000-memory.dmpFilesize
92KB