Overview

overview

10

Static

static

b7b86225de...88.exe

windows7_x64

10

b7b86225de...88.exe

windows10-2004_x64

10

Resubmissions

18-02-2022 12:16

220218-pftnfacec5 10

14-02-2022 02:51

220214-db6lnadhc3 10

Analysis

  • max time kernel
    155s
  • max time network
    160s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    14-02-2022 02:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b7b86225defaae424aa2e447fc784088.exe

  • Size

    579KB

  • MD5

    b7b86225defaae424aa2e447fc784088

  • SHA1

    4cb5d0afea368c7668fda827d5c8a0fea122520a

  • SHA256

    dab8893b6a8b67b41ad07bd0d01c6d9ba67bf3f80ff414ef7a85ec2a1f991c75

  • SHA512

    aedb708457385bcb8f6e5aed625d1926f276afb1d0b57c276d56a4c05c8dd3e207d17767d2d8887c795c688d87b773d281c520278a5eeccc2eb83d13f5dbfd5b

Score
10/10
ponycollectiondiscoveryratspywarestealer

Malware Config

Signatures

  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

    ratspywarestealerpony
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
    collection
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Windows directory 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b7b86225defaae424aa2e447fc784088.exe
    "C:\Users\Admin\AppData\Local\Temp\b7b86225defaae424aa2e447fc784088.exe"
    1⤵
    • Accesses Microsoft Outlook accounts
    • Accesses Microsoft Outlook profiles
    • Suspicious use of AdjustPrivilegeToken
    • outlook_win_path
    PID:2328
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:2132
  • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
    C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:3320

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2132-132-0x0000028051940000-0x0000028051950000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2132-133-0x00000280519A0000-0x00000280519B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2132-134-0x00000280546C0000-0x00000280546C4000-memory.dmp

    Filesize

    16KB

    Download

  • memory/2328-131-0x0000000000610000-0x0000000000611000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2328-135-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/2328-136-0x00000000005E0000-0x00000000005E1000-memory.dmp

    Filesize

    4KB

    Download