Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    86s
  • max time network
    73s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    20/10/2022, 20:29

General

  • Target

    31f635559e79406a3abc023f9c29cc2c04a03bd75b866c5f6500ab09c29e6718.exe

  • Size

    226KB

  • MD5

    4505bb59758f0fa632e1b1d6e25c5450

  • SHA1

    2d55b6afc4b2495d014aca850bac334e6b363816

  • SHA256

    31f635559e79406a3abc023f9c29cc2c04a03bd75b866c5f6500ab09c29e6718

  • SHA512

    50ce9806c2fdc171dcf411a9564c3e08935f6a4c3e6729dfbca8327616bb8bfbeac9d6c0c9babe32f4de4876a0de089e9bacf05222be58149c1c6e517f4e510d

  • SSDEEP

    1536:zP7q7CW2p0cUi/PlDxbmpfhjekGbtK01mPHD6JURJM:zPwimfwHtKTHD6uLM

Malware Config

Extracted

Family

pony

C2

http://godekela.pw:571/fix/update.php

http://voekazik.pw:571/fix/update.php

Signatures

  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Deletes itself 1 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 32 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\31f635559e79406a3abc023f9c29cc2c04a03bd75b866c5f6500ab09c29e6718.exe
    "C:\Users\Admin\AppData\Local\Temp\31f635559e79406a3abc023f9c29cc2c04a03bd75b866c5f6500ab09c29e6718.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1088
    • C:\Users\Admin\AppData\Local\Temp\31f635559e79406a3abc023f9c29cc2c04a03bd75b866c5f6500ab09c29e6718.exe
      "C:\Users\Admin\AppData\Local\Temp\31f635559e79406a3abc023f9c29cc2c04a03bd75b866c5f6500ab09c29e6718.exe"
      2⤵
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2044
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c at 01:33:00 /every:T,M,Th,F,W,S,Su wmic.exe nicconfig where "IPEnabled=true" call SetDNSServerSearchOrder ("37.10.116.200", "8.8.8.8")
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:944
        • C:\Windows\SysWOW64\at.exe
          at 01:33:00 /every:T,M,Th,F,W,S,Su wmic.exe nicconfig where "IPEnabled=true" call SetDNSServerSearchOrder ("37.10.116.200", "8.8.8.8")
          4⤵
            PID:288
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c ping -n 10 localhost && erase "C:\Users\Admin\AppData\Local\Temp\31f635559e79406a3abc023f9c29cc2c04a03bd75b866c5f6500ab09c29e6718.exe"
          3⤵
          • Deletes itself
          • Suspicious use of WriteProcessMemory
          PID:460
          • C:\Windows\SysWOW64\PING.EXE
            ping -n 10 localhost
            4⤵
            • Runs ping.exe
            PID:1048

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1088-59-0x0000000000240000-0x000000000027D000-memory.dmp

      Filesize

      244KB

    • memory/1088-54-0x0000000000240000-0x000000000027D000-memory.dmp

      Filesize

      244KB

    • memory/2044-61-0x0000000076681000-0x0000000076683000-memory.dmp

      Filesize

      8KB

    • memory/2044-62-0x0000000000400000-0x000000000041C000-memory.dmp

      Filesize

      112KB

    • memory/2044-63-0x0000000000240000-0x000000000027D000-memory.dmp

      Filesize

      244KB

    • memory/2044-64-0x0000000000400000-0x000000000041C000-memory.dmp

      Filesize

      112KB

    • memory/2044-65-0x0000000000400000-0x000000000041C000-memory.dmp

      Filesize

      112KB

    • memory/2044-66-0x0000000000400000-0x000000000041C000-memory.dmp

      Filesize

      112KB

    • memory/2044-57-0x0000000000400000-0x000000000041C000-memory.dmp

      Filesize

      112KB

    • memory/2044-56-0x0000000000400000-0x000000000041C000-memory.dmp

      Filesize

      112KB

    • memory/2044-71-0x0000000000400000-0x000000000041C000-memory.dmp

      Filesize

      112KB

    • memory/2044-55-0x0000000000400000-0x000000000041C000-memory.dmp

      Filesize

      112KB