Analysis

  • max time kernel
    36s
  • max time network
    50s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    20/11/2022, 08:09

General

  • Target

    8ece18d9b60d85a02aadadcaa170ad92457fcd735cd69059ef685c3de8c387d0.exe

  • Size

    129KB

  • MD5

    334bbeb43873d5464982389df3821094

  • SHA1

    61a8696cd2d12fe9f7e2eebb9726a168523fcf60

  • SHA256

    8ece18d9b60d85a02aadadcaa170ad92457fcd735cd69059ef685c3de8c387d0

  • SHA512

    fba22afcfc3cae551c883746ba7a507c909d4d4a3a99c0267470bb5ba9638b61bf40129944e6463bdb996d7e89d0868c692ac55820d3fe9c53aaadb9f8522d83

  • SSDEEP

    3072:Klgw177mTmSMyyhOYOfSh2wnebvS8wTyoaii:KdwknZq82+/hyH

Malware Config

Extracted

Family

pony

C2

http://62.173.139.212/forum/gate.php

Signatures

  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

  • Deletes itself 1 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 32 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8ece18d9b60d85a02aadadcaa170ad92457fcd735cd69059ef685c3de8c387d0.exe
    "C:\Users\Admin\AppData\Local\Temp\8ece18d9b60d85a02aadadcaa170ad92457fcd735cd69059ef685c3de8c387d0.exe"
    1⤵
    • Accesses Microsoft Outlook accounts
    • Accesses Microsoft Outlook profiles
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    • outlook_win_path
    PID:1632
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\abcd.bat" "C:\Users\Admin\AppData\Local\Temp\8ece18d9b60d85a02aadadcaa170ad92457fcd735cd69059ef685c3de8c387d0.exe" "
      2⤵
      • Deletes itself
      PID:1008

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\abcd.bat

          Filesize

          75B

          MD5

          0849cfe65b98ba5fcd9a9ec61a671d09

          SHA1

          9d0ccb383c32b1bc07fd9064b9324a18e1276902

          SHA256

          44f6a1e48081deccfb61075e585bcb36c6d8e8feeb6ebae50bab41677822c643

          SHA512

          afdeda8122b4cefcf7549018c40d3142985e88a6d8f13eb58e9a59aa312b73608123de5f9feebc2ce25b6ec215d23c324b9f3a9a0e97041d67d863a25e15e57a

        • memory/1632-54-0x0000000076091000-0x0000000076093000-memory.dmp

          Filesize

          8KB

        • memory/1632-56-0x0000000000400000-0x0000000000423000-memory.dmp

          Filesize

          140KB

        • memory/1632-55-0x0000000000270000-0x0000000000289000-memory.dmp

          Filesize

          100KB

        • memory/1632-58-0x0000000000400000-0x0000000000419000-memory.dmp

          Filesize

          100KB