Analysis

  • max time kernel
    150s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/11/2022, 07:14

General

  • Target

    e7af4fdafe5f10b873d62f4dda8e59897eed1c4aa7cd8e892a07263b497ebf00.exe

  • Size

    140KB

  • MD5

    23e665295ad093def96352d1588c685e

  • SHA1

    c3f5ff02d708279a535f5d3182fdd9955a416b4b

  • SHA256

    e7af4fdafe5f10b873d62f4dda8e59897eed1c4aa7cd8e892a07263b497ebf00

  • SHA512

    43f079dddd5302e5b4c8bb0b54cb84a973645825fbdbfb976d60d03576f166b8c96a822bba06452ec47dbcdfd6cfa93a69b5063475e50ef4ace693649c7ec823

  • SSDEEP

    3072:Amy36rmOiyMO+3hKRY2fbU2SEi/neBZBp4DaSd49hO:APKrmJywhKy2fb8EknFTO

Malware Config

Extracted

Family

pony

C2

http://thesavvyplayer.com/images/view.php

http://trueyogateacherblog.com/resp.php

Signatures

  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e7af4fdafe5f10b873d62f4dda8e59897eed1c4aa7cd8e892a07263b497ebf00.exe
    "C:\Users\Admin\AppData\Local\Temp\e7af4fdafe5f10b873d62f4dda8e59897eed1c4aa7cd8e892a07263b497ebf00.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4148
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\abcd.bat" "C:\Users\Admin\AppData\Local\Temp\e7af4fdafe5f10b873d62f4dda8e59897eed1c4aa7cd8e892a07263b497ebf00.exe" "
      2⤵
        PID:3328

    Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\abcd.bat

            Filesize

            75B

            MD5

            0849cfe65b98ba5fcd9a9ec61a671d09

            SHA1

            9d0ccb383c32b1bc07fd9064b9324a18e1276902

            SHA256

            44f6a1e48081deccfb61075e585bcb36c6d8e8feeb6ebae50bab41677822c643

            SHA512

            afdeda8122b4cefcf7549018c40d3142985e88a6d8f13eb58e9a59aa312b73608123de5f9feebc2ce25b6ec215d23c324b9f3a9a0e97041d67d863a25e15e57a

          • memory/4148-132-0x00000000021A0000-0x00000000021B7000-memory.dmp

            Filesize

            92KB

          • memory/4148-133-0x0000000000400000-0x0000000000436000-memory.dmp

            Filesize

            216KB

          • memory/4148-134-0x0000000000400000-0x0000000000436000-memory.dmp

            Filesize

            216KB

          • memory/4148-136-0x0000000000400000-0x0000000000417000-memory.dmp

            Filesize

            92KB