Analysis Overview
SHA256
66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c
Threat Level: Known bad
The file 66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c was found to be: Known bad.
Malicious Activity Summary
Pony,Fareit
Reads user/profile data of web browsers
Checks computer location settings
Reads data files stored by FTP clients
Deletes itself
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of SetThreadContext
Drops file in Windows directory
Program crash
Enumerates physical storage devices
Runs ping.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-11-20 08:34
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-11-20 08:34
Reported
2022-11-20 08:36
Platform
win7-20221111-en
Max time kernel
103s
Max time network
77s
Command Line
Signatures
Pony,Fareit
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1724 set thread context of 1476 | N/A | C:\Users\Admin\AppData\Local\Temp\66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe | C:\Users\Admin\AppData\Local\Temp\66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\calc2.exe | C:\Users\Admin\AppData\Local\Temp\66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe | N/A |
Enumerates physical storage devices
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe
"C:\Users\Admin\AppData\Local\Temp\66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe"
C:\Users\Admin\AppData\Local\Temp\66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe
"C:\Users\Admin\AppData\Local\Temp\66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c at 09:38:00 /every:T,M,Th,F,W,S,Su wmic.exe nicconfig where "IPEnabled=true" call SetDNSServerSearchOrder ("37.10.116.203", "8.8.8.8")
C:\Windows\SysWOW64\at.exe
at 09:38:00 /every:T,M,Th,F,W,S,Su wmic.exe nicconfig where "IPEnabled=true" call SetDNSServerSearchOrder ("37.10.116.203", "8.8.8.8")
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping -n 10 localhost && erase "C:\Users\Admin\AppData\Local\Temp\66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe"
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | voladex.pw | udp |
| N/A | 8.8.8.8:53 | bolakes.pw | udp |
| N/A | 8.8.8.8:53 | camtest33.pw | udp |
| N/A | 8.8.8.8:53 | camtest3.pw | udp |
Files
memory/1476-54-0x0000000000400000-0x0000000000418000-memory.dmp
memory/1476-55-0x0000000000400000-0x0000000000418000-memory.dmp
memory/1476-56-0x0000000000400000-0x0000000000418000-memory.dmp
memory/1724-58-0x0000000000400000-0x0000000000417000-memory.dmp
memory/1476-60-0x0000000076161000-0x0000000076163000-memory.dmp
memory/1476-61-0x0000000000400000-0x0000000000418000-memory.dmp
memory/1476-62-0x0000000000400000-0x0000000000418000-memory.dmp
memory/328-63-0x0000000000000000-mapping.dmp
memory/1812-64-0x0000000000000000-mapping.dmp
memory/364-66-0x0000000000000000-mapping.dmp
memory/1476-67-0x0000000000400000-0x0000000000418000-memory.dmp
memory/924-68-0x0000000000000000-mapping.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-11-20 08:34
Reported
2022-11-20 08:36
Platform
win10v2004-20220812-en
Max time kernel
91s
Max time network
139s
Command Line
Signatures
Pony,Fareit
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 988 set thread context of 1872 | N/A | C:\Users\Admin\AppData\Local\Temp\66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe | C:\Users\Admin\AppData\Local\Temp\66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\calc2.exe | C:\Users\Admin\AppData\Local\Temp\66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe | N/A |
Enumerates physical storage devices
Program crash
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe
"C:\Users\Admin\AppData\Local\Temp\66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 988 -ip 988
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 988 -s 308
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 988 -ip 988
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 988 -s 328
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 988 -ip 988
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 988 -s 336
C:\Users\Admin\AppData\Local\Temp\66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe
"C:\Users\Admin\AppData\Local\Temp\66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 988 -ip 988
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 988 -s 320
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c at 09:37:00 /every:T,M,Th,F,W,S,Su wmic.exe nicconfig where "IPEnabled=true" call SetDNSServerSearchOrder ("37.10.116.203", "8.8.8.8")
C:\Windows\SysWOW64\at.exe
at 09:37:00 /every:T,M,Th,F,W,S,Su wmic.exe nicconfig where "IPEnabled=true" call SetDNSServerSearchOrder ("37.10.116.203", "8.8.8.8")
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping -n 10 localhost && erase "C:\Users\Admin\AppData\Local\Temp\66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c.exe"
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | voladex.pw | udp |
| N/A | 8.8.8.8:53 | voladex.pw | udp |
| N/A | 8.8.8.8:53 | voladex.pw | udp |
| N/A | 8.8.8.8:53 | bolakes.pw | udp |
| N/A | 8.8.8.8:53 | bolakes.pw | udp |
| N/A | 93.184.221.240:80 | tcp | |
| N/A | 93.184.221.240:80 | tcp | |
| N/A | 8.8.8.8:53 | bolakes.pw | udp |
| N/A | 8.8.8.8:53 | camtest33.pw | udp |
| N/A | 8.8.8.8:53 | camtest33.pw | udp |
| N/A | 8.8.8.8:53 | camtest33.pw | udp |
| N/A | 13.69.239.72:443 | tcp | |
| N/A | 8.8.8.8:53 | camtest3.pw | udp |
| N/A | 93.184.221.240:80 | tcp | |
| N/A | 93.184.221.240:80 | tcp |
Files
memory/988-132-0x0000000000400000-0x0000000000417000-memory.dmp
memory/1872-133-0x0000000000000000-mapping.dmp
memory/1872-134-0x0000000000400000-0x0000000000418000-memory.dmp
memory/1872-135-0x0000000000400000-0x0000000000418000-memory.dmp
memory/1872-136-0x0000000000400000-0x0000000000418000-memory.dmp
memory/1872-139-0x0000000000400000-0x0000000000418000-memory.dmp
memory/988-140-0x0000000000400000-0x0000000000417000-memory.dmp
memory/1872-141-0x0000000000400000-0x0000000000418000-memory.dmp
memory/4576-142-0x0000000000000000-mapping.dmp
memory/2288-143-0x0000000000000000-mapping.dmp
memory/3672-144-0x0000000000000000-mapping.dmp
memory/2284-145-0x0000000000000000-mapping.dmp
memory/1872-146-0x0000000000400000-0x0000000000418000-memory.dmp