Analysis
-
max time kernel
124s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
-
submitted
26-07-2024 04:10
General
-
Target
82b08b85e60227bcd7b95645a2cbfd6341e8de9c740865063fab712227df2799.exe
-
Size
655KB
-
MD5
dc97ae4dbd3d7610c97a1e8ea826b5c3
-
SHA1
ac372a39625752355e982e814c7836720648ae52
-
SHA256
82b08b85e60227bcd7b95645a2cbfd6341e8de9c740865063fab712227df2799
-
SHA512
cb0547baa60fdc876d85431e6878fd88e368810d4884d384e6a9219d854be008ddcaaa8fb0f00df1277d70caa803cd4561ba6407f1876b3e0822b86ec6cce007
-
SSDEEP
12288:/ESqJwbBEE+tOi9c2xwlqXs4zUmvycM6xgNyJ6DsZuhEP60dIIFazZyun23:/EdYj+j9c21lz/VnxgAJxuOCciZzE
Malware Config
Signatures
-
Modifies security service 2 TTPs 1 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
-
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Disables taskbar notifications via registry modification
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 10 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 12 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Adds Run key to start application 2 TTPs 43 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 4 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Enumerates processes with tasklist 1 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 11 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Modifies registry class 21 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 34 IoCs
-
Suspicious use of FindShellTrayWindow 32 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of SetWindowsHookEx 5 IoCs
-
Suspicious use of WriteProcessMemory 54 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\82b08b85e60227bcd7b95645a2cbfd6341e8de9c740865063fab712227df2799.exe"C:\Users\Admin\AppData\Local\Temp\82b08b85e60227bcd7b95645a2cbfd6341e8de9c740865063fab712227df2799.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\82b08b85e60227bcd7b95645a2cbfd6341e8de9c740865063fab712227df2799.exe82b08b85e60227bcd7b95645a2cbfd6341e8de9c740865063fab712227df2799.exe2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\R07924.exeC:\Users\Admin\R07924.exe3⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\vwvuv.exe"C:\Users\Admin\vwvuv.exe"4⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c tasklist&&del R07924.exe4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\aehost.exeC:\Users\Admin\aehost.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\aehost.exeaehost.exe4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\behost.exeC:\Users\Admin\behost.exe3⤵
- Modifies security service
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\behost.exeC:\Users\Admin\behost.exe startC:\Users\Admin\AppData\Roaming\6430C\21ED3.exe%C:\Users\Admin\AppData\Roaming\6430C4⤵
- Executes dropped EXE
-
C:\Users\Admin\behost.exeC:\Users\Admin\behost.exe startC:\Program Files (x86)\0C7B2\lvvm.exe%C:\Program Files (x86)\0C7B24⤵
- Executes dropped EXE
-
C:\Program Files (x86)\LP\D3A6\8023.tmp"C:\Program Files (x86)\LP\D3A6\8023.tmp"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\cehost.exeC:\Users\Admin\cehost.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\explorer.exe00000208*4⤵
-
C:\Users\Admin\dehost.exeC:\Users\Admin\dehost.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c tasklist&&del 82b08b85e60227bcd7b95645a2cbfd6341e8de9c740865063fab712227df2799.exe3⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
5Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
104KB
MD50cb09d0443d2eda312058ae1a2fa83c2
SHA11888844fcab4269a5c08b5cf122b100e8abb3cb0
SHA25650a9af2fe05dd06d6ff825bcf2106b64385e7fdf9a06a0a18ac187c4a057503a
SHA51293bfdc4d14a7ba7cce25d0a83faa29e0efa7932f3024aa82fcc1d606cb9a65e0ebd91942ad9992ce787f639df1748fde9599cb9b676245a17a8198064df2e24c
-
Filesize
471B
MD54eb8bd2bc530eb9109ff66a5726bf5ad
SHA1e42dbc51ca9c30da7d905090a72b671427598b3c
SHA2561e8c0410131c5a732c88c64b21e530b5dd17683f07b6e80bb0bd2339b6b1a0f8
SHA512dbfdeddf8791878d371f7ad9e8b715326c120a8ec141ab87f6bc4386176d477b76c4c36604644ccea0e6b781014ed9b63113d385e0b5c6adf6e0808ad4f86765
-
Filesize
420B
MD536907078d478c73adc33a81d4d419f32
SHA109d20fd522b8cbaca4fb43cbb6115aef12f5ad79
SHA256f12f283a34b79c9aed91c3ea4a975861daceba1e39d7ecd17f1fe8cad61773cd
SHA512eed906f5c0cbe6759fbbbc0b2145c8167eb85f8391eb317ca10422575f8e755e63c794e8eb4fe21989dde139bf6251462d161b292340f7a92dd10e10f4e1378b
-
Filesize
2KB
MD5e5bf5d32f1420fbd7cc0ec7141ac9f79
SHA1b3d86b7165e8dacc801297a805ab5ca7cd971d65
SHA256bc1c20e6e7e28db8fd918c52122f9c95f795e8030d31b4d39a3e772d20c4afd8
SHA5122c1fd06c40c0393849c8c9413f25ddbc18927243acb3710bc3bad43cf3441171d892da04e01f2dd46ae2c83e643a620abf4039c446231a3953d1dea557ec91bf
-
Filesize
74KB
MD51d19274d0dbafdfafc70e439be92ba9d
SHA1305dc22cc99b45229a7a56a95ba534762240a1e5
SHA25648adca9867b4dba213d22c852bcec647a124ed28090370631561c060d8e06a1a
SHA5122d16f07d6a5172ff81beb9dd63de53d60cf8e675b6346d66cfee6605838645c5681d48293d44563fe502af10c15d7081c59b58bf1ff735e1f4af4396266555ea
-
Filesize
97B
MD54a191d9fedda995f5909efbcfcb7027f
SHA122c748a1c01c2d69a6c742b4aae9d41703a4c960
SHA256c7edba1e760f5de63d096bb30b059fe19b90fbbc65f677e0d2facf77271a79e7
SHA5121162b6872f60e051c569b0b6c8d41bb49be3130373c62ce39bc83c698f5f9a99f75810bccfd7137f831463cbfaf5cd6f13b59d384de334ae1ad58a4c426b162c
-
Filesize
600B
MD50526bc356f654719afb7c8ed86fac2d6
SHA1a97c43a33c9c7cd32267acac4a819402f43d7e13
SHA256273a167977fcb40e90045af9f4f6478ce077706a9f7f4132183a5814d0fc94fe
SHA5128063dd319e642cda1da17229eb3465839d5fb7073c60371dd58a61a25fa00112b1849f42d92dba4e781cf9b74acb6049ee2181b8feb6bb7ce109886c5e622379
-
Filesize
996B
MD5ecb9f58b63a802e97bd8d2ca0a548c67
SHA1dee6867bc569a24db5eddd6e0309853a756a3cb5
SHA256a9a7b7c42ac4c1176149dbb78ca15a904a40eb3c0976d49df87c0a1f574b6232
SHA5128072626d8a1d455d6ee1d8e42f9222ca09a9374c7817767deebb04d2cfa742cde30a8567742574b4cb3dfee78ce004ea983e0facb0056c56221798a121eacbe1
-
Filesize
1KB
MD5d222530b618031263563e49fc69859fe
SHA1dcd9f1e7a230d7f39703ef0520db5f8b90eec82f
SHA2560c6af0553f18339c92237398005b1a333ca3bd28822e354151eb38d6c02bc3f3
SHA5124fc0c0707926e79880c77cfdc2227075b5aee9a09999b838d53a4238d3f009fe0ccb66b015ea239024c1146e055f1a3ebd1ee05ac0a2b7c3c8e50c77dcc1beb3
-
Filesize
1KB
MD5e6a98c38edccde70a17e8f45c087878c
SHA102f1a60876cfe496502bd059df2d5b6626390416
SHA256858771d49bc9747a2eaf6cadb3489364a18e6a1b5526fa302930e68e0089d757
SHA5125c21ea729e2d2ad963b7c37a5dd705905107e01edb691afd0a791378e9e5517bfe2cfc09bf8e4ff32339f467df1112060231c85cd26cf8f14e6e6c1f545c1b79
-
Filesize
188KB
MD54f9c5823c5d1255ded151b01c0a58e15
SHA12f7018a9211472ddfa5d2f09629bf90adce4676c
SHA256e38564871dc5952e2d1d22d51e312e3064cf84df95c0420021153cb5c264adcf
SHA512b5518effbf476d9486a5ddaa65c937e97b10470d533f8e0c9af30956868c032f6bdb524d13a004e4a0d19e9a88b5f3f11ee82e5602b1175092fb36a9959d40ca
-
Filesize
129KB
MD5e2b1704acdf48221cd9be91bae3546c5
SHA1f53a59b62276f58cf8689768f747e16f53dbd341
SHA2568b1c13bb2e95f71ed75d8fca7aeefc556ecd377d5d4f6c544d77ac8f74255ca5
SHA5121b3d8baa981851a79c4f12f3ea2a4d197b3439e76ca723acd578acabd731310d6eeb3a4567a10d48f45192ae9c4cd732eca04c0a7fffa636e7bd364ed1357b53
-
Filesize
279KB
MD52a583120a51178ee5f8bc2727faaa73e
SHA191296d42eeddb285aeea28f5139cadda10f21df7
SHA256b315e97fff3561563da4dcf7283636f42eef9ebaf422506e01f03716d4877b02
SHA512003e11b916256091486311881a06286d532a9940d75977a44afa3c116277a0f490505e9b4053f56846fb6d1d7584d7748f622bc9cae088af93820452027dac8b
-
Filesize
145KB
MD556be9270582de0986c72139ea218e121
SHA1d33b8a2127ccf6b6f42a0c0f266136a376def18c
SHA2568b40a882fde5ef3df2ec3112142b654c949adf7f559bc1912ad9d08ebb17c257
SHA512dcee7d3d16e19e5a36a386d097c171ed7761ad4fc626b5d523b9c33f952fa24da733c56fcb8ff440894c3672c468d04cecc001ae9a680a9607347a5f517e6023
-
Filesize
24KB
MD57cda5863b933988b7bd1d0c8035dafd9
SHA168c64d655d0df1c9974587d12b3b88f5ce1f4cac
SHA256400cb530f1489c46ada1dedc35b51cb53e8174f5cdda0d086ef593c135e0f216
SHA512978440c09b70b695fdc171c6e2a7c064aa078d4a300db7f297afde5e3c1cfdf513da01dae967a9a8c524c185432ef87bf922a5cc97a9c8a6d1fd9cc3155e0aea
-
Filesize
188KB
MD53f3e6deca40539bbaf4c8cf1c0b3dc56
SHA1ac34fa46c804550e928cf91467c8c0a873d6d446
SHA256996b73fa150445882885df3d283d1379122ae3dd0934fcdd2fcf8d10d2d8f19f
SHA512b4a0a740efe0997d72b84fb6005bcba51d58f5668c148fdee1d3b570f34a952e858da0f4dbd89ab1d3e0a2c10b24dfc9fff48931741954050754e4681653b44b
-
Filesize
804KB
-
Filesize
804KB
-
Filesize
804KB
-
Filesize
804KB
-
Filesize
804KB
-
Filesize
804KB
-
Filesize
804KB
-
Filesize
420KB
-
Filesize
420KB
-
Filesize
420KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
116KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
420KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
84KB
-
Filesize
1024KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
140KB
-
Filesize
420KB