Analysis

  • max time kernel
    150s
  • max time network
    90s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    19/11/2022, 01:41

General

  • Target

    3bf8155bd051945bf2e017311392ce5a03f5deef4cd02ef1521907d3c1607444.exe

  • Size

    121KB

  • MD5

    35798c129c35ad80e44e8b206ccf3250

  • SHA1

    d27f5850cd5f497d9d67185c0b88c7ec28d40f39

  • SHA256

    3bf8155bd051945bf2e017311392ce5a03f5deef4cd02ef1521907d3c1607444

  • SHA512

    19dc093ed92d7e58c40e4c65c8437efbc013c912ce7fa79017f830f862372b48a10d710b9867101a089f03c1ee283f607e766a7e7fb461cf040e89f03c3391e0

  • SSDEEP

    3072:53K1Pot8QcrD1W6c+5s7d2a+e874/MHiswK:53K1BXs7ca+e5UCsZ

Malware Config

Extracted

Family

pony

C2

http://cleasexig.pw:65/in/pay.php

http://medalixe.pw:65/in/buy.php

Signatures

  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Deletes itself 1 IoCs
  • Unexpected DNS network traffic destination 1 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3bf8155bd051945bf2e017311392ce5a03f5deef4cd02ef1521907d3c1607444.exe
    "C:\Users\Admin\AppData\Local\Temp\3bf8155bd051945bf2e017311392ce5a03f5deef4cd02ef1521907d3c1607444.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1604
    • C:\Users\Admin\AppData\Local\Temp\3bf8155bd051945bf2e017311392ce5a03f5deef4cd02ef1521907d3c1607444.exe
      "C:\Users\Admin\AppData\Local\Temp\3bf8155bd051945bf2e017311392ce5a03f5deef4cd02ef1521907d3c1607444.exe"
      2⤵
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:688
      • C:\Windows\SysWOW64\svchost.exe
        svchost.exe
        3⤵
        • Deletes itself
        • Accesses Microsoft Outlook accounts
        • Accesses Microsoft Outlook profiles
        • Adds Run key to start application
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        • outlook_win_path
        PID:2028
        • C:\Windows\SysWOW64\wbem\WMIC.exe
          "C:\Windows\System32\wbem\WMIC.exe" nicconfig where IPEnabled=true call SetDNSServerSearchOrder (37.10.116.208,8.8.4.4)
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1988

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/688-67-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

        • memory/688-55-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

        • memory/688-58-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

        • memory/688-59-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

        • memory/688-60-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

        • memory/688-61-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

        • memory/688-63-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

        • memory/1604-54-0x0000000076DC1000-0x0000000076DC3000-memory.dmp

          Filesize

          8KB

        • memory/2028-69-0x0000000000C60000-0x0000000000C68000-memory.dmp

          Filesize

          32KB

        • memory/2028-70-0x00000000000C0000-0x00000000000CF000-memory.dmp

          Filesize

          60KB

        • memory/2028-72-0x00000000003B0000-0x00000000003D0000-memory.dmp

          Filesize

          128KB

        • memory/2028-73-0x00000000003B0000-0x00000000003D0000-memory.dmp

          Filesize

          128KB

        • memory/2028-74-0x00000000003B0000-0x00000000003D0000-memory.dmp

          Filesize

          128KB