Overview

overview

10

Static

static

BL_PL_&_IN...DF.exe

windows7-x64

10

BL_PL_&_IN...DF.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    153s
  • max time network
    168s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-11-2022 04:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    BL_PL_&_INVOICE_PDF.exe

  • Size

    134KB

  • MD5

    0e087a29f6694524e66020d9454ccdb9

  • SHA1

    10e5050f1975938399827be5dab35e5d01cb0c89

  • SHA256

    eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c

  • SHA512

    9e9c8bb4c3c577a41d930356c8b2d0a9eba0f0692b7e654053b2af478471c1b36db78cd33d2d5b800e661d5a5752e53448fbd299bdc670da5091e704ec10a1af

  • SSDEEP

    3072:LlMyoAdZDhDOdtgXwDEi5xZgrdkkeRQHadg/wb:pvomDhi8wgiXZgrulk/

Score
10/10
ponycollectionpersistenceratspywarestealerupx

Malware Config

Extracted

Family

pony

C2

http://d-mmoney.favcc1.com/gate.php

Attributes
  • payload_url

    http://d-mmoney.favcc1.com/shit.exe

Signatures

  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

    ratspywarestealerpony
  • Executes dropped EXE 3 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Uses the VBS compiler for execution 1 TTPs
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
    collection
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 52 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\BL_PL_&_INVOICE_PDF.exe
    "C:\Users\Admin\AppData\Local\Temp\BL_PL_&_INVOICE_PDF.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2388
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      2⤵
      • Accesses Microsoft Outlook accounts
      • Accesses Microsoft Outlook profiles
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • outlook_win_path
      PID:4880
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240674000.bat" "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" "
        3⤵
          PID:3124
      • C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe"
        2⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3636
        • C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
          C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
          3⤵
          • Executes dropped EXE
          • Checks computer location settings
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2312
          • C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe
            "C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe"
            4⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of AdjustPrivilegeToken
            PID:4988

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scripting

    1
    T1064

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Scripting

    1
    T1064

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Email Collection

    2
    T1114

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\IpOverUsbSvrc.exe.log
      Filesize

      224B

      MD5

      c19eb8c8e7a40e6b987f9d2ee952996e

      SHA1

      6fc3049855bc9100643e162511673c6df0f28bfb

      SHA256

      677e9e30350df17e2bc20fa9f7d730e9f7cc6e870d6520a345f5f7dc5b31f58a

      SHA512

      860713b4a787c2189ed12a47d4b68b60ac00c7a253cae52dd4eb9276dacafeae3a81906b6d0742c8ecfdfaa255777c445beb7c2a532f3c677a9903237ac97596

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\240674000.bat
      Filesize

      94B

      MD5

      3880eeb1c736d853eb13b44898b718ab

      SHA1

      4eec9d50360cd815211e3c4e6bdd08271b6ec8e6

      SHA256

      936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7

      SHA512

      3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe
      Filesize

      8KB

      MD5

      54fbde415453f5c9089b49e65bd5f8e7

      SHA1

      d77b86631f629b52bbebc6e08fbf60c78e8ceab0

      SHA256

      7d31b70e949833d9f78199848b14307e41da511ca4915c20a8ca61ee8eeeedbf

      SHA512

      90dbbb3986ab3f4dda4292b580bfac7c97bbf20f68d0be0af271b9bc5e22a4abc326baaf284be005c6460ecc2187b6ca5d015fab55be3b242122436fcf3ee5ed

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe
      Filesize

      8KB

      MD5

      54fbde415453f5c9089b49e65bd5f8e7

      SHA1

      d77b86631f629b52bbebc6e08fbf60c78e8ceab0

      SHA256

      7d31b70e949833d9f78199848b14307e41da511ca4915c20a8ca61ee8eeeedbf

      SHA512

      90dbbb3986ab3f4dda4292b580bfac7c97bbf20f68d0be0af271b9bc5e22a4abc326baaf284be005c6460ecc2187b6ca5d015fab55be3b242122436fcf3ee5ed

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe
      Filesize

      8KB

      MD5

      54fbde415453f5c9089b49e65bd5f8e7

      SHA1

      d77b86631f629b52bbebc6e08fbf60c78e8ceab0

      SHA256

      7d31b70e949833d9f78199848b14307e41da511ca4915c20a8ca61ee8eeeedbf

      SHA512

      90dbbb3986ab3f4dda4292b580bfac7c97bbf20f68d0be0af271b9bc5e22a4abc326baaf284be005c6460ecc2187b6ca5d015fab55be3b242122436fcf3ee5ed

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      Filesize

      134KB

      MD5

      0e087a29f6694524e66020d9454ccdb9

      SHA1

      10e5050f1975938399827be5dab35e5d01cb0c89

      SHA256

      eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c

      SHA512

      9e9c8bb4c3c577a41d930356c8b2d0a9eba0f0692b7e654053b2af478471c1b36db78cd33d2d5b800e661d5a5752e53448fbd299bdc670da5091e704ec10a1af

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      Filesize

      134KB

      MD5

      0e087a29f6694524e66020d9454ccdb9

      SHA1

      10e5050f1975938399827be5dab35e5d01cb0c89

      SHA256

      eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c

      SHA512

      9e9c8bb4c3c577a41d930356c8b2d0a9eba0f0692b7e654053b2af478471c1b36db78cd33d2d5b800e661d5a5752e53448fbd299bdc670da5091e704ec10a1af

      Download Submit
    • memory/2312-152-0x0000000074D50000-0x0000000075301000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2312-147-0x0000000074D50000-0x0000000075301000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2312-143-0x0000000000000000-mapping.dmp
      Download
    • memory/2388-132-0x0000000074D50000-0x0000000075301000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2388-153-0x0000000074D50000-0x0000000075301000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2388-133-0x0000000074D50000-0x0000000075301000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/3124-148-0x0000000000000000-mapping.dmp
      Download
    • memory/3636-151-0x0000000074D50000-0x0000000075301000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/3636-146-0x0000000074D50000-0x0000000075301000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/3636-140-0x0000000000000000-mapping.dmp
      Download
    • memory/3636-154-0x0000000074D50000-0x0000000075301000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/4880-149-0x0000000000400000-0x000000000041C000-memory.dmp
      Filesize

      112KB

      Download
    • memory/4880-139-0x0000000000400000-0x000000000041C000-memory.dmp
      Filesize

      112KB

      Download
    • memory/4880-138-0x0000000000400000-0x000000000041C000-memory.dmp
      Filesize

      112KB

      Download
    • memory/4880-137-0x0000000000400000-0x000000000041C000-memory.dmp
      Filesize

      112KB

      Download
    • memory/4880-135-0x0000000000400000-0x000000000041C000-memory.dmp
      Filesize

      112KB

      Download
    • memory/4880-134-0x0000000000000000-mapping.dmp
      Download
    • memory/4988-155-0x0000000000000000-mapping.dmp
      Download
    • memory/4988-158-0x0000000074D50000-0x0000000075301000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/4988-159-0x0000000074D50000-0x0000000075301000-memory.dmp
      Filesize

      5.7MB

      Download