Analysis Overview
SHA256
d9b808e05b8c7825a2bac7ce669e621d4d003e028fa46ce92d0f8c8108a33c65
Threat Level: Known bad
The file d9b808e05b8c7825a2bac7ce669e621d4d003e028fa46ce92d0f8c8108a33c65 was found to be: Known bad.
Malicious Activity Summary
Pony,Fareit
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
Accesses Microsoft Outlook profiles
Checks installed software on the system
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
outlook_win_path
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-11-20 07:24
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-11-20 07:24
Reported
2022-11-20 07:27
Platform
win7-20221111-en
Max time kernel
142s
Max time network
154s
Command Line
Signatures
Pony,Fareit
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\d9b808e05b8c7825a2bac7ce669e621d4d003e028fa46ce92d0f8c8108a33c65.exe | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\d9b808e05b8c7825a2bac7ce669e621d4d003e028fa46ce92d0f8c8108a33c65.exe | N/A |
Checks installed software on the system
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d9b808e05b8c7825a2bac7ce669e621d4d003e028fa46ce92d0f8c8108a33c65.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\d9b808e05b8c7825a2bac7ce669e621d4d003e028fa46ce92d0f8c8108a33c65.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\d9b808e05b8c7825a2bac7ce669e621d4d003e028fa46ce92d0f8c8108a33c65.exe
"C:\Users\Admin\AppData\Local\Temp\d9b808e05b8c7825a2bac7ce669e621d4d003e028fa46ce92d0f8c8108a33c65.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 213.155.112.91:8080 | N/A | tcp |
| N/A | 213.155.112.91:8080 | N/A | tcp |
| N/A | 213.155.112.91:8080 | N/A | tcp |
| N/A | 213.155.112.91:8080 | N/A | tcp |
| N/A | 213.155.112.91:8080 | N/A | tcp |
Files
memory/1700-54-0x0000000076651000-0x0000000076653000-memory.dmp
memory/1700-56-0x00000000003B0000-0x00000000003E3000-memory.dmp
memory/1700-55-0x0000000000310000-0x0000000000329000-memory.dmp
memory/1700-57-0x0000000000400000-0x0000000000433000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-11-20 07:24
Reported
2022-11-20 07:27
Platform
win10v2004-20221111-en
Max time kernel
163s
Max time network
171s
Command Line
Signatures
Pony,Fareit
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\d9b808e05b8c7825a2bac7ce669e621d4d003e028fa46ce92d0f8c8108a33c65.exe | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\d9b808e05b8c7825a2bac7ce669e621d4d003e028fa46ce92d0f8c8108a33c65.exe | N/A |
Checks installed software on the system
Suspicious use of AdjustPrivilegeToken
outlook_win_path
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\d9b808e05b8c7825a2bac7ce669e621d4d003e028fa46ce92d0f8c8108a33c65.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\d9b808e05b8c7825a2bac7ce669e621d4d003e028fa46ce92d0f8c8108a33c65.exe
"C:\Users\Admin\AppData\Local\Temp\d9b808e05b8c7825a2bac7ce669e621d4d003e028fa46ce92d0f8c8108a33c65.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 213.155.112.91:8080 | N/A | tcp |
| N/A | 93.184.220.29:80 | N/A | tcp |
| N/A | 52.152.110.14:443 | N/A | tcp |
| N/A | 213.155.112.91:8080 | N/A | tcp |
| N/A | 104.80.225.205:443 | N/A | tcp |
| N/A | 52.152.110.14:443 | N/A | tcp |
| N/A | 93.184.221.240:80 | N/A | tcp |
| N/A | 93.184.221.240:80 | N/A | tcp |
| N/A | 93.184.221.240:80 | N/A | tcp |
| N/A | 213.155.112.91:8080 | N/A | tcp |
| N/A | 52.152.110.14:443 | N/A | tcp |
| N/A | 93.184.221.240:80 | N/A | tcp |
| N/A | 213.155.112.91:8080 | N/A | tcp |
| N/A | 213.155.112.91:8080 | N/A | tcp |
| N/A | 213.155.112.91:8080 | N/A | tcp |
| N/A | 8.8.8.8:53 | 176.122.125.40.in-addr.arpa | udp |
Files
memory/3508-132-0x0000000002080000-0x0000000002099000-memory.dmp
memory/3508-133-0x00000000020A0000-0x00000000020D3000-memory.dmp
memory/3508-134-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3508-135-0x0000000000400000-0x0000000000433000-memory.dmp