Analysis

  • max time kernel
    42s
  • max time network
    47s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    26-11-2022 04:51

General

  • Target

    a0adc790907eb9deaa6eee79194386aeaa5b05917b38ea48e70148f6379d3465.exe

  • Size

    327KB

  • MD5

    4943388126d9d718ebde510c47c60642

  • SHA1

    3b94eda32cec5981cf4d2e5c6d924a3119f7075e

  • SHA256

    a0adc790907eb9deaa6eee79194386aeaa5b05917b38ea48e70148f6379d3465

  • SHA512

    33437912eef5d5b838b5664c76d8c014a5d58f1dfd8f8eeca9e1549c58ec53e34e645ce73903608d7e2823014931751bbf82e7d04ef4eaa63766a14f08f5b6b1

  • SSDEEP

    6144:dUrqA3AheuswyPnJ5ejM6bfx8/6AwUSj9:dUWA3AheuswysJ8/xwU29

Malware Config

Extracted

Family

pony

C2

http://uche.fh2web.com/secure/secure.php

Signatures

  • Pony, Fareit

    Pony is a Remote Access Trojan application that steals information.

  • Executes dropped EXE 2 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Loads dropped DLL 3 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 32 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a0adc790907eb9deaa6eee79194386aeaa5b05917b38ea48e70148f6379d3465.exe
    "C:\Users\Admin\AppData\Local\Temp\a0adc790907eb9deaa6eee79194386aeaa5b05917b38ea48e70148f6379d3465.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2008
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\fud.bat" "
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1296
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Server.sfx.exe
        Server.sfx.exe -plove1man -dC:\Users\Admin\AppData\Local\Temp
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1376
        • C:\Users\Admin\AppData\Local\Temp\RarSFX1\Server.exe
          "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Server.exe"
          4⤵
          • Executes dropped EXE
          • Accesses Microsoft Outlook accounts
          • Accesses Microsoft Outlook profiles
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • outlook_win_path
          PID:1452
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c ""C:\Users\Admin\AppData\Local\Temp\7081415.bat" "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Server.exe" "
            5⤵
            PID:1284

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\7081415.bat
      Filesize

      94B

      MD5

      3880eeb1c736d853eb13b44898b718ab

      SHA1

      4eec9d50360cd815211e3c4e6bdd08271b6ec8e6

      SHA256

      936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7

      SHA512

      3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Server.sfx.exe
      Filesize

      122KB

      MD5

      973140ccce28e4ddfa10dda7318b70cf

      SHA1

      6f7e74580d4b511b473dab8a9812c89b70b585f5

      SHA256

      35f427945cd471a08570e98b0e0e55e5c4c64cb49084b2c9df164af9c2fa7c93

      SHA512

      d9bddbc0da1ff820c15e303310a436058ae5fa56488ebcb106fc7ae0d79db081e05c9344ca577518decfa014ec79aff39fd37535b3830f05ede31a392dae24be

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\fud.bat
      Filesize

      50B

      MD5

      6b4314e21650404a968ecded1df08b4d

      SHA1

      c23b86ec637b5af3475579de5d637990d938927c

      SHA256

      02c65ff60ba11f9f9859705cf0e833e6cd950fff62366af946c4c18f87ca25d5

      SHA512

      b90dd81388b02079ef19a872931519e52907b15f1c56cf8e17c5a9322786b11e037bb88a10ce0e91c242df591001127e475b3f7af198b65eb7f6af7f04c06ef7

    • C:\Users\Admin\AppData\Local\Temp\RarSFX1\Server.exe
      Filesize

      34KB

      MD5

      da909d651c90018244db95fd1985c166

      SHA1

      0458ddc68f5ed2a925e7d5dea8f57876e6479fb5

      SHA256

      1fe4aa004615364dcdfdc73d44498d64498e3562f0b3cdef0d4237b78904f849

      SHA512

      9e338133718e511fa3a7cde6525ef4e66198de3fbe3c11cc0f822df3745e4ffcce4f9b7609191099fed055f76d76c26619fe832528bb0f00ce4303ce4a742083

    • \Users\Admin\AppData\Local\Temp\RarSFX0\Server.sfx.exe
      Filesize

      122KB

      MD5

      973140ccce28e4ddfa10dda7318b70cf

      SHA1

      6f7e74580d4b511b473dab8a9812c89b70b585f5

      SHA256

      35f427945cd471a08570e98b0e0e55e5c4c64cb49084b2c9df164af9c2fa7c93

      SHA512

      d9bddbc0da1ff820c15e303310a436058ae5fa56488ebcb106fc7ae0d79db081e05c9344ca577518decfa014ec79aff39fd37535b3830f05ede31a392dae24be

    • \Users\Admin\AppData\Local\Temp\RarSFX1\Server.exe
      Filesize

      34KB

      MD5

      da909d651c90018244db95fd1985c166

      SHA1

      0458ddc68f5ed2a925e7d5dea8f57876e6479fb5

      SHA256

      1fe4aa004615364dcdfdc73d44498d64498e3562f0b3cdef0d4237b78904f849

      SHA512

      9e338133718e511fa3a7cde6525ef4e66198de3fbe3c11cc0f822df3745e4ffcce4f9b7609191099fed055f76d76c26619fe832528bb0f00ce4303ce4a742083

    • memory/1284-71-0x0000000000000000-mapping.dmp
    • memory/1296-55-0x0000000000000000-mapping.dmp
    • memory/1376-68-0x0000000000510000-0x000000000052C000-memory.dmp
      Filesize

      112KB

    • memory/1376-69-0x0000000000510000-0x000000000052C000-memory.dmp
      Filesize

      112KB

    • memory/1376-60-0x0000000000000000-mapping.dmp
    • memory/1452-65-0x0000000000000000-mapping.dmp
    • memory/1452-70-0x0000000000400000-0x000000000041C000-memory.dmp
      Filesize

      112KB

    • memory/1452-72-0x0000000000400000-0x000000000041C000-memory.dmp
      Filesize

      112KB

    • memory/2008-54-0x00000000761F1000-0x00000000761F3000-memory.dmp
      Filesize

      8KB