Analysis

  • max time kernel
    140s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    21-01-2025 21:37

General

  • Target

    1ed7f06e7bbe466ee8827661103808235e8d86d115b39f9b802275de746638a9.exe

  • Size

    274KB

  • MD5

    be32492e6aecda45740e1e93489a30ad

  • SHA1

    524fab6a039db492c52ef9675900bc9369067cf2

  • SHA256

    1ed7f06e7bbe466ee8827661103808235e8d86d115b39f9b802275de746638a9

  • SHA512

    70e7444716b8baeea5bb8e4768d9e2371be07d9929f1490d0d8bb2ea5045a1db5d49f77887aec1ef21f295e47a8a15246b853a50a120d543915e31b182dbf108

  • SSDEEP

    6144:tmZS7byibR/cFje+5EQ1NgnrGO7+HVUuYW+:zPbk5FyZru5+

Malware Config

Signatures

  • Cycbot

    Cycbot is a backdoor and trojan written in C++.

  • Cycbot family
  • Detects Cycbot payload 6 IoCs

    Cycbot is a backdoor and trojan written in C++.

  • Modifies security service 2 TTPs 1 IoCs
  • Pony family
  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Disables taskbar notifications via registry modification
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of FindShellTrayWindow 28 IoCs
  • Suspicious use of SendNotifyMessage 20 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\1ed7f06e7bbe466ee8827661103808235e8d86d115b39f9b802275de746638a9.exe
    "C:\Users\Admin\AppData\Local\Temp\1ed7f06e7bbe466ee8827661103808235e8d86d115b39f9b802275de746638a9.exe"
    1⤵
    • Modifies security service
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2840
    • C:\Users\Admin\AppData\Local\Temp\1ed7f06e7bbe466ee8827661103808235e8d86d115b39f9b802275de746638a9.exe
      C:\Users\Admin\AppData\Local\Temp\1ed7f06e7bbe466ee8827661103808235e8d86d115b39f9b802275de746638a9.exe startC:\Users\Admin\AppData\Roaming\8D121\DC526.exe%C:\Users\Admin\AppData\Roaming\8D121
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2744
    • C:\Users\Admin\AppData\Local\Temp\1ed7f06e7bbe466ee8827661103808235e8d86d115b39f9b802275de746638a9.exe
      C:\Users\Admin\AppData\Local\Temp\1ed7f06e7bbe466ee8827661103808235e8d86d115b39f9b802275de746638a9.exe startC:\Program Files (x86)\21CB0\lvvm.exe%C:\Program Files (x86)\21CB0
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1304
    • C:\Program Files (x86)\LP\26F8\DEAC.tmp
      "C:\Program Files (x86)\LP\26F8\DEAC.tmp"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1816
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2824
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1508

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\8D121\1CB0.D12

    Filesize

    297B

    MD5

    f35de969e48aeafe599485c0bb8a77f8

    SHA1

    a13e667d2f138998fd8d84cd3b38584dfbe0f679

    SHA256

    0e022b233d7359815c17c203beb3395c10e7332f5d47ccc50b239a8df8da7390

    SHA512

    429d040fa55156fd62072d7d3c33b2126f2532e37e31502033206488a78a73ed6994f847791b8896f9d1d3a48d717d0ab3ec469c081bacac588e7c3dea93b044

  • C:\Users\Admin\AppData\Roaming\8D121\1CB0.D12

    Filesize

    993B

    MD5

    e51e8fb6837f80e4dbb9af6c13538f3f

    SHA1

    7188d57fed1549dc28f594da20cc249ef35c623d

    SHA256

    fac694579050ceac9f466fa17b75794e495a17d3fbc2d3419c1697ed432399b4

    SHA512

    d5da3ad82a87328f8184e8830860643c1a955537beedba353249dfead9079ad9f16a2f40b6404bd86cb06fdda0fac23860b47f0745eaecd9861a4dfe4b3eb499

  • C:\Users\Admin\AppData\Roaming\8D121\1CB0.D12

    Filesize

    1KB

    MD5

    cf1ddc394aa3bae5672b94b86baa45db

    SHA1

    46c5c629705ec8cf251baf93cabcd17eba13d504

    SHA256

    4000dbcf0a27124180f548b3a2c70f8a9c37dc1e48dc9673e71be0de4a3301ae

    SHA512

    39f2122f19328446936fe76954c78b95a0bca0825e09caa464efb4fc72eddf40b30d45f90f3e61f748bca7a90951479ef3ee244c259354370d8641d638c6f14f

  • C:\Users\Admin\AppData\Roaming\8D121\1CB0.D12

    Filesize

    597B

    MD5

    0c99e62b417e00ac621a23867ddf1c79

    SHA1

    3b1f5f2d3154b3822d82c07ab75e44a7c670efe7

    SHA256

    319953d39c93ccc41ef8141c478d2c79daba09dd1341e4205c6271bc3a557abd

    SHA512

    6a949448d6b4eb741e870c5fd9306c41978cfed45a660170cf2b19cae9ebc99351b00e3e84fb1f85828842586a77c4eeb73d8eb3d591087b9600938577f3bcf4

  • \Program Files (x86)\LP\26F8\DEAC.tmp

    Filesize

    97KB

    MD5

    9a18bd23f4487c251adf429fc5a9eb48

    SHA1

    42439c39140f1ab0df8d866191c07ca36f78085f

    SHA256

    81a27826df1f66fed1d492b5e8257a367ce535bbdb123b743493f788e2d5d39d

    SHA512

    210dcf04da40d11dccd81ca7f3f050bdc581e5ca79f4688b4ab93e255d33733000b0a7990ad1f9f4500b9f9e9620c263cc72bc4806cedcf8920b5fb830b540e4

  • memory/1304-188-0x0000000000400000-0x0000000000469000-memory.dmp

    Filesize

    420KB

  • memory/1816-368-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

  • memory/1816-369-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

  • memory/2744-73-0x0000000000400000-0x0000000000469000-memory.dmp

    Filesize

    420KB

  • memory/2840-0-0x0000000000400000-0x0000000000469000-memory.dmp

    Filesize

    420KB

  • memory/2840-186-0x0000000000400000-0x0000000000469000-memory.dmp

    Filesize

    420KB

  • memory/2840-71-0x0000000000400000-0x0000000000469000-memory.dmp

    Filesize

    420KB

  • memory/2840-367-0x0000000000400000-0x0000000000469000-memory.dmp

    Filesize

    420KB

  • memory/2840-372-0x0000000000400000-0x0000000000469000-memory.dmp

    Filesize

    420KB