Analysis Overview
SHA256
88415a4a3370cfb5351044cf69c1652ee196cfb31793eac350be3ce0fe7f4980
Threat Level: Known bad
The file 88415a4a3370cfb5351044cf69c1652ee196cfb31793eac350be3ce0fe7f4980 was found to be: Known bad.
Malicious Activity Summary
Pony,Fareit
UPX packed file
Reads data files stored by FTP clients
Deletes itself
Reads user/profile data of web browsers
Checks installed software on the system
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-11-20 08:13
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-11-20 08:13
Reported
2022-11-20 08:16
Platform
win7-20221111-en
Max time kernel
49s
Max time network
52s
Command Line
Signatures
Pony,Fareit
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1308 set thread context of 1336 | N/A | C:\Users\Admin\AppData\Local\Temp\88415a4a3370cfb5351044cf69c1652ee196cfb31793eac350be3ce0fe7f4980.exe | C:\Users\Admin\AppData\Local\Temp\88415a4a3370cfb5351044cf69c1652ee196cfb31793eac350be3ce0fe7f4980.exe |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\88415a4a3370cfb5351044cf69c1652ee196cfb31793eac350be3ce0fe7f4980.exe
"C:\Users\Admin\AppData\Local\Temp\88415a4a3370cfb5351044cf69c1652ee196cfb31793eac350be3ce0fe7f4980.exe"
C:\Users\Admin\AppData\Local\Temp\88415a4a3370cfb5351044cf69c1652ee196cfb31793eac350be3ce0fe7f4980.exe
"C:\Users\Admin\AppData\Local\Temp\88415a4a3370cfb5351044cf69c1652ee196cfb31793eac350be3ce0fe7f4980.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\7126141.bat" "C:\Users\Admin\AppData\Local\Temp\88415a4a3370cfb5351044cf69c1652ee196cfb31793eac350be3ce0fe7f4980.exe" "
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | www.abogadosiriarte.com | udp |
| N/A | 65.60.53.42:80 | www.abogadosiriarte.com | tcp |
| N/A | 65.60.53.42:80 | www.abogadosiriarte.com | tcp |
| N/A | 65.60.53.42:80 | www.abogadosiriarte.com | tcp |
| N/A | 65.60.53.42:80 | www.abogadosiriarte.com | tcp |
| N/A | 8.8.8.8:53 | www.azucarnatural.com | udp |
| N/A | 23.111.168.154:80 | www.azucarnatural.com | tcp |
| N/A | 23.111.168.154:80 | www.azucarnatural.com | tcp |
| N/A | 23.111.168.154:80 | www.azucarnatural.com | tcp |
| N/A | 23.111.168.154:80 | www.azucarnatural.com | tcp |
Files
memory/1336-54-0x0000000000400000-0x00000000004D5000-memory.dmp
memory/1336-55-0x0000000000400000-0x00000000004D5000-memory.dmp
memory/1336-58-0x0000000000400000-0x00000000004D5000-memory.dmp
memory/1336-57-0x0000000000400000-0x00000000004D5000-memory.dmp
memory/1336-59-0x00000000004D36F0-mapping.dmp
memory/1308-60-0x0000000000400000-0x0000000000422000-memory.dmp
memory/1336-62-0x0000000000400000-0x00000000004D5000-memory.dmp
memory/1336-63-0x0000000000400000-0x00000000004D5000-memory.dmp
memory/1336-64-0x0000000075931000-0x0000000075933000-memory.dmp
memory/1336-65-0x0000000000400000-0x00000000004D5000-memory.dmp
memory/1336-66-0x0000000000400000-0x00000000004D5000-memory.dmp
memory/896-67-0x0000000000000000-mapping.dmp
memory/1336-68-0x0000000000400000-0x00000000004D5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7126141.bat
| MD5 | 3880eeb1c736d853eb13b44898b718ab |
| SHA1 | 4eec9d50360cd815211e3c4e6bdd08271b6ec8e6 |
| SHA256 | 936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7 |
| SHA512 | 3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b |
Analysis: behavioral2
Detonation Overview
Submitted
2022-11-20 08:13
Reported
2022-11-20 08:16
Platform
win10v2004-20220901-en
Max time kernel
91s
Max time network
128s
Command Line
Signatures
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\88415a4a3370cfb5351044cf69c1652ee196cfb31793eac350be3ce0fe7f4980.exe
"C:\Users\Admin\AppData\Local\Temp\88415a4a3370cfb5351044cf69c1652ee196cfb31793eac350be3ce0fe7f4980.exe"
C:\Users\Admin\AppData\Local\Temp\88415a4a3370cfb5351044cf69c1652ee196cfb31793eac350be3ce0fe7f4980.exe
"C:\Users\Admin\AppData\Local\Temp\88415a4a3370cfb5351044cf69c1652ee196cfb31793eac350be3ce0fe7f4980.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 93.184.221.240:80 | tcp | |
| N/A | 104.80.225.205:443 | tcp | |
| N/A | 51.132.193.104:443 | tcp | |
| N/A | 93.184.221.240:80 | tcp | |
| N/A | 93.184.221.240:80 | tcp | |
| N/A | 93.184.221.240:80 | tcp |
Files
memory/1336-135-0x0000000000400000-0x0000000000422000-memory.dmp
memory/372-136-0x0000000000000000-mapping.dmp
memory/1336-137-0x0000000000400000-0x0000000000422000-memory.dmp