Analysis

  • max time kernel
    116s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/11/2022, 03:38

General

  • Target

    5d7131836dab826351fa724a97f3d1c73c6a891b55a7caa4127089fb83b551ea.exe

  • Size

    139KB

  • MD5

    1af6c84bb171f0d91cacfc9882967d10

  • SHA1

    7e42072c65d5fffdff4500f7aebc2916f33268d1

  • SHA256

    5d7131836dab826351fa724a97f3d1c73c6a891b55a7caa4127089fb83b551ea

  • SHA512

    ea7ff9772cb948284855737f0a4daae8583b663d425016af37f9e1675b2384a72748360602a6f545d5406b19a4f15364487d5e8129ef1fef01f070e8c1e5aade

  • SSDEEP

    3072:7TETqaBpCYfXOTTL08sAuuSsyvSZWk/7dPKgaa9+Inm6xmImvWwePWGAerHTnHWE:E9OTTL08sSSshWkxPTaqz

Malware Config

Extracted

Family

pony

C2

http://3z3muor0045.site11.com/Panel/gate.php

Attributes
  • payload_url

    http://3z3muor0045.site11.com/Panel/po.exe

Signatures

  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

  • Executes dropped EXE 2 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 49 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5d7131836dab826351fa724a97f3d1c73c6a891b55a7caa4127089fb83b551ea.exe
    "C:\Users\Admin\AppData\Local\Temp\5d7131836dab826351fa724a97f3d1c73c6a891b55a7caa4127089fb83b551ea.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Suspicious use of WriteProcessMemory
    PID:2252
    • C:\ProgramData\Sleep bottom\Length Tell.exe
      "C:\ProgramData\Sleep bottom\Length Tell.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4824
      • C:\ProgramData\Sleep bottom\Length Tell.exe
        "C:\ProgramData\Sleep bottom\Length Tell.exe"
        3⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Accesses Microsoft Outlook accounts
        • Accesses Microsoft Outlook profiles
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        • outlook_win_path
        PID:3064
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240648031.bat" "C:\ProgramData\Sleep bottom\Length Tell.exe" "
          4⤵
            PID:852

    Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\ProgramData\Sleep bottom\Length Tell.exe

            Filesize

            139KB

            MD5

            1af6c84bb171f0d91cacfc9882967d10

            SHA1

            7e42072c65d5fffdff4500f7aebc2916f33268d1

            SHA256

            5d7131836dab826351fa724a97f3d1c73c6a891b55a7caa4127089fb83b551ea

            SHA512

            ea7ff9772cb948284855737f0a4daae8583b663d425016af37f9e1675b2384a72748360602a6f545d5406b19a4f15364487d5e8129ef1fef01f070e8c1e5aade

          • C:\ProgramData\Sleep bottom\Length Tell.exe

            Filesize

            139KB

            MD5

            1af6c84bb171f0d91cacfc9882967d10

            SHA1

            7e42072c65d5fffdff4500f7aebc2916f33268d1

            SHA256

            5d7131836dab826351fa724a97f3d1c73c6a891b55a7caa4127089fb83b551ea

            SHA512

            ea7ff9772cb948284855737f0a4daae8583b663d425016af37f9e1675b2384a72748360602a6f545d5406b19a4f15364487d5e8129ef1fef01f070e8c1e5aade

          • C:\ProgramData\Sleep bottom\Length Tell.exe

            Filesize

            139KB

            MD5

            1af6c84bb171f0d91cacfc9882967d10

            SHA1

            7e42072c65d5fffdff4500f7aebc2916f33268d1

            SHA256

            5d7131836dab826351fa724a97f3d1c73c6a891b55a7caa4127089fb83b551ea

            SHA512

            ea7ff9772cb948284855737f0a4daae8583b663d425016af37f9e1675b2384a72748360602a6f545d5406b19a4f15364487d5e8129ef1fef01f070e8c1e5aade

          • C:\Users\Admin\AppData\Local\Temp\240648031.bat

            Filesize

            94B

            MD5

            3880eeb1c736d853eb13b44898b718ab

            SHA1

            4eec9d50360cd815211e3c4e6bdd08271b6ec8e6

            SHA256

            936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7

            SHA512

            3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Who early.lnk

            Filesize

            905B

            MD5

            fba1c6dcea2573ca97df19aabb41d754

            SHA1

            79e4def8c6e4ee035d7537d0ae4295d07199a8c1

            SHA256

            768b11b71d788ab52276c0996593004a1234865f7724cc814868dc4f4d88c746

            SHA512

            243b1fbb85434a0e5aeab2976b159b9ab57ca7c605a26a56e12fe260010f7d6a560cfbb9483e20f14bd618b2e63c050e5d7626fa8a6c8bcddadec7e6ffac8203

          • memory/2252-133-0x0000000074ED0000-0x0000000075481000-memory.dmp

            Filesize

            5.7MB

          • memory/2252-137-0x0000000074ED0000-0x0000000075481000-memory.dmp

            Filesize

            5.7MB

          • memory/2252-132-0x0000000074ED0000-0x0000000075481000-memory.dmp

            Filesize

            5.7MB

          • memory/3064-140-0x0000000000400000-0x000000000041C000-memory.dmp

            Filesize

            112KB

          • memory/3064-146-0x0000000000400000-0x000000000041C000-memory.dmp

            Filesize

            112KB

          • memory/3064-148-0x0000000000400000-0x000000000041C000-memory.dmp

            Filesize

            112KB

          • memory/3064-149-0x0000000000400000-0x000000000041C000-memory.dmp

            Filesize

            112KB

          • memory/3064-150-0x0000000000400000-0x000000000041C000-memory.dmp

            Filesize

            112KB

          • memory/3064-152-0x0000000000400000-0x000000000041C000-memory.dmp

            Filesize

            112KB

          • memory/4824-147-0x0000000074ED0000-0x0000000075481000-memory.dmp

            Filesize

            5.7MB

          • memory/4824-138-0x0000000074ED0000-0x0000000075481000-memory.dmp

            Filesize

            5.7MB