Analysis

  • max time kernel
    146s
  • max time network
    134s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
  • submitted
    30/10/2022, 16:52

General

  • Target

    81c13a9f00c3f44035f35af76ca5574db284c881adb1c15b362c5602aef725a6.exe

  • Size

    113KB

  • MD5

    822d18994728a28b7fe9fee8f5728c00

  • SHA1

    9a3f82751f5b693c3e17b5af44d7ab2e73355367

  • SHA256

    81c13a9f00c3f44035f35af76ca5574db284c881adb1c15b362c5602aef725a6

  • SHA512

    38056784323c73774d12e28752212d139f87c1f30f0e6329d070dfe7bbc6c6f618e9dc3a3f9eb84fec5d07258dda72a4fc7a1fd9788a39d02b64fd29cac69e99

  • SSDEEP

    3072:RHTE0OuIfuenAbCRdmrqJ6HDQrlIE6HjSgl6J/9WD:RzWLGeK20qoH2D6DtgJ/9

Malware Config

Extracted

Family

pony

C2

http://guttersupply.mobi/ponyb/gate.php

http://iguttersupply.com/ponyb/gate.php

http://micromeshleafguard.com/ponyb/gate.php

http://ornamentalgutters.com/ponyb/gate.php

Attributes
  • payload_url

    http://190.147.81.28/Msm.exe

    http://pje-llc.com/KtE.exe

    http://salsaconfuego.com/RCY.exe

    http://www.les-vins-du-monde.fr/ra7twEg.exe

Signatures

  • Pony, Fareit

    Pony is a Remote Access Trojan application that steals information.

  • Reads data files stored by FTP clients (2 TTPs)

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook accounts (1 TTP, 1 IoC)
  • Accesses Microsoft Outlook profiles (1 TTP, 1 IoC)
  • Checks installed software on the system (1 TTP)

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of AdjustPrivilegeToken (8 IoCs)
  • outlook_win_path (1 IoC)

Processes

  • C:\Users\Admin\AppData\Local\Temp\81c13a9f00c3f44035f35af76ca5574db284c881adb1c15b362c5602aef725a6.exe
    "C:\Users\Admin\AppData\Local\Temp\81c13a9f00c3f44035f35af76ca5574db284c881adb1c15b362c5602aef725a6.exe"
    • Accesses Microsoft Outlook accounts
    • Accesses Microsoft Outlook profiles
    • Suspicious use of AdjustPrivilegeToken
    • outlook_win_path
    PID:956

Downloads

  • memory/956-54-0x0000000076561000-0x0000000076563000-memory.dmp

    Filesize

    8KB

  • memory/956-56-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

  • memory/956-55-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB