Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

100.exe

windows7-x64

8

100.exe

windows10-2004-x64

10

101.exe

windows7-x64

1

101.exe

windows10-2004-x64

1

102.exe

windows7-x64

8

102.exe

windows10-2004-x64

5

103.exe

windows7-x64

8

103.exe

windows10-2004-x64

1

105.exe

windows7-x64

10

105.exe

windows10-2004-x64

10

106.exe

windows7-x64

8

106.exe

windows10-2004-x64

1

107.exe

windows7-x64

6

107.exe

windows10-2004-x64

6

108.exe

windows7-x64

10

108.exe

windows10-2004-x64

10

109.exe

windows7-x64

10

109.exe

windows10-2004-x64

5

110.exe

windows7-x64

10

110.exe

windows10-2004-x64

10

111.exe

windows7-x64

10

111.exe

windows10-2004-x64

10

112.exe

windows7-x64

8

112.exe

windows10-2004-x64

7

113.exe

windows7-x64

10

113.exe

windows10-2004-x64

10

114.exe

windows7-x64

10

114.exe

windows10-2004-x64

8

115.exe

windows7-x64

10

115.exe

windows10-2004-x64

10

116.exe

windows7-x64

8

116.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    156s
  • max time network
    177s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26/11/2022, 11:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    110.exe

  • Size

    242KB

  • MD5

    c0224c4d9628b324db1af4d9007fa46c

  • SHA1

    1d264386f3d36b28f78f3cba45c189e0c065ce16

  • SHA256

    673a680f2bad58c131f64dcf538e9e4539ea5b5319020ce27d05baffe9ea0984

  • SHA512

    339492a6de4aa920db03f8e4cff3e76052372096f068d4d5984ffc7fc93d15423ee4a35b24f583a2edb67658e7411d9789fe4024223c27015fe8f555407bbe03

  • SSDEEP

    3072:5hmeYAv6OUGsjtZfSPAnk2eFkf2zXm5XHxXQ41lfmLjCsyQQHX0LTvNaJS7X9hkg:JYAUGs/fSPAkDFKXJHQgENaU7X9h

Score
10/10
ponypersistenceratspywarestealer

Malware Config

Extracted

Family

pony

C2

http://exportservices.co.in/david/Panel/gate.php

Attributes
  • payload_url

    http://exportservices.co.in/david/Panel/shit.exe

Signatures

  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

    ratspywarestealerpony
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\110.exe
    "C:\Users\Admin\AppData\Local\Temp\110.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4392
    • C:\Users\Admin\AppData\Local\Temp\110.exe
      "C:\Users\Admin\AppData\Local\Temp\110.exe"
      2⤵
        PID:2132
      • C:\Users\Admin\AppData\Roaming\Microsoft\AeLookupSvi.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\AeLookupSvi.exe"
        2⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of AdjustPrivilegeToken
        PID:3420

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\AeLookupSvi.exe
      Filesize

      8KB

      MD5

      0ad079e611cf1a31bc5b01ee17fe607d

      SHA1

      d769361e8d0289cfc79adb2b0a5e6f3b9af33c15

      SHA256

      8a0d39c067024add12353126cd79c6ceb8f1680895a0f81737aae070568e38f5

      SHA512

      f78ebeda9e01b6deab338a800be8b267e594845ee258c3e83e12f8c216a11599fe63c15147c26fbab2b4090d30739893299b506cbc28025154ea4ec0726e1f05

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\AeLookupSvi.exe
      Filesize

      8KB

      MD5

      0ad079e611cf1a31bc5b01ee17fe607d

      SHA1

      d769361e8d0289cfc79adb2b0a5e6f3b9af33c15

      SHA256

      8a0d39c067024add12353126cd79c6ceb8f1680895a0f81737aae070568e38f5

      SHA512

      f78ebeda9e01b6deab338a800be8b267e594845ee258c3e83e12f8c216a11599fe63c15147c26fbab2b4090d30739893299b506cbc28025154ea4ec0726e1f05

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\ProfSvc.exe
      Filesize

      242KB

      MD5

      c0224c4d9628b324db1af4d9007fa46c

      SHA1

      1d264386f3d36b28f78f3cba45c189e0c065ce16

      SHA256

      673a680f2bad58c131f64dcf538e9e4539ea5b5319020ce27d05baffe9ea0984

      SHA512

      339492a6de4aa920db03f8e4cff3e76052372096f068d4d5984ffc7fc93d15423ee4a35b24f583a2edb67658e7411d9789fe4024223c27015fe8f555407bbe03

      Download Submit

    • memory/2132-136-0x0000000000700000-0x0000000000719000-memory.dmp

      Filesize

      100KB

      Download

    • memory/3420-141-0x0000000075180000-0x0000000075731000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/3420-142-0x0000000075180000-0x0000000075731000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/4392-132-0x0000000075180000-0x0000000075731000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/4392-133-0x0000000075180000-0x0000000075731000-memory.dmp

      Filesize

      5.7MB

      Download