Overview

overview

10

Static

static

29388fe3d1...f8.exe

windows7-x64

1

29388fe3d1...f8.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    205s
  • max time network
    239s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-11-2022 08:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    29388fe3d11fe7b03e5a52bfeae8a77558ab901149140c6e28a04f2c44bdfcf8.exe

  • Size

    204KB

  • MD5

    0f957a264a82ec6e275def7b38bd80f9

  • SHA1

    2073b738f80573f0796d5d591c00983e05ba0940

  • SHA256

    29388fe3d11fe7b03e5a52bfeae8a77558ab901149140c6e28a04f2c44bdfcf8

  • SHA512

    706834a86872259c43695f8445a063fe8b2a72e094c826ba5648ca5b26c40462bd0c756686a4746c8cf19268505a25bfb7f47a3ead00a69e08308a2aae5f2ec7

  • SSDEEP

    3072:66WgE6TQkriqLQq+DIZQbQysVGj+8yygsdrCy52VFwdL4KlpKRcgv:6p6rByZS5orwN

Score
10/10
ponycollectiondiscoveryratspywarestealer

Malware Config

Extracted

Family

pony

C2

http://ramzey.net/kilo/gate.php

Signatures

  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

    ratspywarestealerpony
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
    collection
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs net.exe
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\29388fe3d11fe7b03e5a52bfeae8a77558ab901149140c6e28a04f2c44bdfcf8.exe
    "C:\Users\Admin\AppData\Local\Temp\29388fe3d11fe7b03e5a52bfeae8a77558ab901149140c6e28a04f2c44bdfcf8.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3888
    • C:\Windows\SysWOW64\net.exe
      "C:\Windows\System32\net.exe" stop sharedaccess
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4276
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop sharedaccess
        3⤵
          PID:1800
      • C:\Users\Admin\AppData\Local\Temp\29388fe3d11fe7b03e5a52bfeae8a77558ab901149140c6e28a04f2c44bdfcf8.exe
        "C:\Users\Admin\AppData\Local\Temp\29388fe3d11fe7b03e5a52bfeae8a77558ab901149140c6e28a04f2c44bdfcf8.exe"
        2⤵
        • Accesses Microsoft Outlook accounts
        • Accesses Microsoft Outlook profiles
        • Suspicious use of AdjustPrivilegeToken
        • outlook_win_path
        PID:2672

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Credentials in Files

    2
    T1081

    Discovery

    Query Registry

    2
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Data from Local System

    2
    T1005

    Email Collection

    2
    T1114

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1800-175-0x0000000000000000-mapping.dmp
      Download
    • memory/2672-182-0x0000000000400000-0x0000000000419000-memory.dmp
      Filesize

      100KB

      Download
    • memory/2672-181-0x0000000000400000-0x0000000000419000-memory.dmp
      Filesize

      100KB

      Download
    • memory/2672-180-0x0000000000400000-0x0000000000419000-memory.dmp
      Filesize

      100KB

      Download
    • memory/2672-179-0x0000000000400000-0x0000000000419000-memory.dmp
      Filesize

      100KB

      Download
    • memory/2672-177-0x0000000000400000-0x0000000000419000-memory.dmp
      Filesize

      100KB

      Download
    • memory/2672-176-0x0000000000000000-mapping.dmp
      Download
    • memory/3888-157-0x0000000001101000-0x0000000001117000-memory.dmp
      Filesize

      88KB

      Download
    • memory/3888-160-0x0000000001101000-0x0000000001117000-memory.dmp
      Filesize

      88KB

      Download
    • memory/3888-143-0x0000000001101000-0x0000000001117000-memory.dmp
      Filesize

      88KB

      Download
    • memory/3888-144-0x0000000001101000-0x0000000001117000-memory.dmp
      Filesize

      88KB

      Download
    • memory/3888-145-0x0000000001101000-0x0000000001117000-memory.dmp
      Filesize

      88KB

      Download
    • memory/3888-146-0x0000000001101000-0x0000000001117000-memory.dmp
      Filesize

      88KB

      Download
    • memory/3888-148-0x0000000001101000-0x0000000001117000-memory.dmp
      Filesize

      88KB

      Download
    • memory/3888-149-0x0000000001101000-0x0000000001117000-memory.dmp
      Filesize

      88KB

      Download
    • memory/3888-150-0x0000000001101000-0x0000000001117000-memory.dmp
      Filesize

      88KB

      Download
    • memory/3888-151-0x0000000001101000-0x0000000001117000-memory.dmp
      Filesize

      88KB

      Download
    • memory/3888-152-0x0000000001101000-0x0000000001117000-memory.dmp
      Filesize

      88KB

      Download
    • memory/3888-153-0x0000000001101000-0x0000000001117000-memory.dmp
      Filesize

      88KB

      Download
    • memory/3888-154-0x0000000001101000-0x0000000001117000-memory.dmp
      Filesize

      88KB

      Download
    • memory/3888-155-0x0000000001101000-0x0000000001117000-memory.dmp
      Filesize

      88KB

      Download
    • memory/3888-156-0x0000000001101000-0x0000000001117000-memory.dmp
      Filesize

      88KB

      Download
    • memory/3888-132-0x0000000001100000-0x0000000001134000-memory.dmp
      Filesize

      208KB

      Download
    • memory/3888-158-0x0000000001101000-0x0000000001117000-memory.dmp
      Filesize

      88KB

      Download
    • memory/3888-159-0x0000000001101000-0x0000000001117000-memory.dmp
      Filesize

      88KB

      Download
    • memory/3888-162-0x0000000001101000-0x0000000001117000-memory.dmp
      Filesize

      88KB

      Download
    • memory/3888-142-0x0000000001101000-0x0000000001117000-memory.dmp
      Filesize

      88KB

      Download
    • memory/3888-161-0x0000000001101000-0x0000000001117000-memory.dmp
      Filesize

      88KB

      Download
    • memory/3888-163-0x0000000001101000-0x0000000001117000-memory.dmp
      Filesize

      88KB

      Download
    • memory/3888-164-0x0000000001101000-0x0000000001117000-memory.dmp
      Filesize

      88KB

      Download
    • memory/3888-165-0x0000000001101000-0x0000000001117000-memory.dmp
      Filesize

      88KB

      Download
    • memory/3888-166-0x0000000001101000-0x0000000001117000-memory.dmp
      Filesize

      88KB

      Download
    • memory/3888-167-0x0000000001101000-0x0000000001117000-memory.dmp
      Filesize

      88KB

      Download
    • memory/3888-168-0x0000000001101000-0x0000000001117000-memory.dmp
      Filesize

      88KB

      Download
    • memory/3888-169-0x0000000001101000-0x0000000001117000-memory.dmp
      Filesize

      88KB

      Download
    • memory/3888-170-0x0000000001101000-0x0000000001117000-memory.dmp
      Filesize

      88KB

      Download
    • memory/3888-172-0x0000000001101000-0x0000000001117000-memory.dmp
      Filesize

      88KB

      Download
    • memory/3888-171-0x0000000001101000-0x0000000001117000-memory.dmp
      Filesize

      88KB

      Download
    • memory/3888-173-0x0000000001101000-0x0000000001117000-memory.dmp
      Filesize

      88KB

      Download
    • memory/3888-135-0x0000000001101000-0x0000000001117000-memory.dmp
      Filesize

      88KB

      Download
    • memory/3888-141-0x0000000001101000-0x0000000001117000-memory.dmp
      Filesize

      88KB

      Download
    • memory/3888-140-0x0000000001101000-0x0000000001117000-memory.dmp
      Filesize

      88KB

      Download
    • memory/3888-139-0x0000000001101000-0x0000000001117000-memory.dmp
      Filesize

      88KB

      Download
    • memory/3888-137-0x0000000001101000-0x0000000001117000-memory.dmp
      Filesize

      88KB

      Download
    • memory/3888-138-0x0000000001101000-0x0000000001117000-memory.dmp
      Filesize

      88KB

      Download
    • memory/3888-136-0x0000000001101000-0x0000000001117000-memory.dmp
      Filesize

      88KB

      Download
    • memory/4276-174-0x0000000000000000-mapping.dmp
      Download