Analysis

  • max time kernel
    210s
  • max time network
    31s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  • submitted
    23-11-2022 10:39

General

  • Target

    3d53b54d98e14f9de2a2316fe09ee6b9fe27f2dacdd4ad85f52dd1e16eebb006.doc

  • Size

    367KB

  • MD5

    7ad977e490ead6a113d88aa8091d3dfd

  • SHA1

    f5f3c7a449bc658dee88153fbc6cf21061eaa1df

  • SHA256

    3d53b54d98e14f9de2a2316fe09ee6b9fe27f2dacdd4ad85f52dd1e16eebb006

  • SHA512

    84de4a09c3533f94bf76bbaaf47ee67f5b1da809a40140d570ff7000f912e2f6217dc55f1c42895870c26682c7c4ca52803b5fc802fb039755563d3d20377b5c

  • SSDEEP

    6144:CEnfyZlEDVXmnIW2iDKPbIz7yStMvWqDJv7yC3dLPm+UidwOydGWm0CFJ:CEnfyAonINPbwCHDNeCk+UiWOyZwJ

Malware Config

Extracted

Family

pony

C2

http://krossfight.eu/trustmebaby/gate.php

Attributes
  • payload_url

    http://www.conteudosdigitais.org/calc.exe

    http://autohaus-gutmann.de/calc.exe

    http://firstdive.co.kr/calc.exe

Signatures

  • Pony, Fareit

    Pony is a Remote Access Trojan application that steals information.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\3d53b54d98e14f9de2a2316fe09ee6b9fe27f2dacdd4ad85f52dd1e16eebb006.doc"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1516
    • C:\Users\Admin\GssFip.exe
      GssFip.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1540

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\GssFip.exe

    Filesize

    60KB

    MD5

    21c9a9cfc109e50647eaed89996ddf9e

    SHA1

    3cfe31aaab6b7894b89f2ca5c3d2c147e865baea

    SHA256

    e0e61cee5afe885e2ef811f2ebd21f803f4d85b2c5b5ed3c2483578b7c00d710

    SHA512

    e6f6ddbc3589673f3ab5c4a91d15141bde268d2ca0d9b18375d461beb06158e9f9edc2e5de59d9566aab235c3f99f38f4478ce73089b2c4394fc8fca4de4496b

  • \Users\Admin\GssFip.exe

    Filesize

    60KB

    MD5

    21c9a9cfc109e50647eaed89996ddf9e

    SHA1

    3cfe31aaab6b7894b89f2ca5c3d2c147e865baea

    SHA256

    e0e61cee5afe885e2ef811f2ebd21f803f4d85b2c5b5ed3c2483578b7c00d710

    SHA512

    e6f6ddbc3589673f3ab5c4a91d15141bde268d2ca0d9b18375d461beb06158e9f9edc2e5de59d9566aab235c3f99f38f4478ce73089b2c4394fc8fca4de4496b

  • memory/1516-57-0x00000000757E1000-0x00000000757E3000-memory.dmp

    Filesize

    8KB

  • memory/1516-58-0x0000000070C5D000-0x0000000070C68000-memory.dmp

    Filesize

    44KB

  • memory/1516-59-0x0000000070C5D000-0x0000000070C68000-memory.dmp

    Filesize

    44KB

  • memory/1516-54-0x00000000721F1000-0x00000000721F4000-memory.dmp

    Filesize

    12KB

  • memory/1516-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

  • memory/1516-55-0x000000006FC71000-0x000000006FC73000-memory.dmp

    Filesize

    8KB

  • memory/1540-62-0x0000000000000000-mapping.dmp

  • memory/1540-66-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/1540-67-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/1540-68-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB