Overview

overview

10

Static

static

bff27f8e21...ce.exe

windows7-x64

10

bff27f8e21...ce.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    87s
  • max time network
    92s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    26-11-2022 21:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bff27f8e21892803695b2b5fbcb7e21378244fbde4c44fa611c5e5fa98b549ce.exe

  • Size

    254KB

  • MD5

    8c89b6d5c462d5acf263595847ec4b73

  • SHA1

    4470bc92f00abc47253bdfa44bc31c7ae7caa45f

  • SHA256

    bff27f8e21892803695b2b5fbcb7e21378244fbde4c44fa611c5e5fa98b549ce

  • SHA512

    8b6e4406be7a7e22ca5029e74fe9c24ef9d6a384098ed047d847297f578ab8d5601708c403f168a0c990763b61ae945e44ef07419896f7fd6f2f4c5162fb37c1

  • SSDEEP

    3072:QQorU9oV62DZCVKxHvhNmQtsZv2Wbacl7U6TxnwXPq2vAlywrKft4ZZf3FPkAXvt:TorU9oV6oxHpLtS72cBfwC240mF

Score
10/10
ponycollectionpersistenceratspywarestealer

Malware Config

Extracted

Family

pony

C2

http://shoptoolgtav.craym.eu/gate.php

Signatures

  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

    ratspywarestealerpony
  • Accesses Microsoft Outlook accounts 1 TTPs 2 IoCs
    collection
  • Accesses Microsoft Outlook profiles 1 TTPs 2 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies system certificate store 2 TTPs 4 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bff27f8e21892803695b2b5fbcb7e21378244fbde4c44fa611c5e5fa98b549ce.exe
    "C:\Users\Admin\AppData\Local\Temp\bff27f8e21892803695b2b5fbcb7e21378244fbde4c44fa611c5e5fa98b549ce.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1784
    • C:\Windows\SysWOW64\CMD.exe
      "CMD"
      2⤵
        PID:1008
      • C:\Windows\SysWOW64\CMD.exe
        "CMD"
        2⤵
          PID:320
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\\AppLaunch.exe"
          2⤵
          • Accesses Microsoft Outlook accounts
          • Accesses Microsoft Outlook profiles
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:524
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c ""C:\Users\Admin\AppData\Local\Temp\7125127.bat" "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe" "
            3⤵
              PID:872
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\\AppLaunch.exe"
            2⤵
            • Accesses Microsoft Outlook accounts
            • Accesses Microsoft Outlook profiles
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            • outlook_win_path
            PID:1752
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c ""C:\Users\Admin\AppData\Local\Temp\7157388.bat" "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe" "
              3⤵
                PID:1244

          Network

          MITRE ATT&CK Matrix ATT&CK v6

          Initial Access

          Execution

          Persistence

          Registry Run Keys / Startup Folder

          1
          T1060

          Privilege Escalation

          Defense Evasion

          Modify Registry

          2
          T1112

          Install Root Certificate

          1
          T1130

          Credential Access

          Discovery

          System Information Discovery

          1
          T1082

          Lateral Movement

          Collection

          Email Collection

          2
          T1114

          Exfiltration

          Command and Control

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\7125127.bat
            Filesize

            94B

            MD5

            3880eeb1c736d853eb13b44898b718ab

            SHA1

            4eec9d50360cd815211e3c4e6bdd08271b6ec8e6

            SHA256

            936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7

            SHA512

            3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\7157388.bat
            Filesize

            94B

            MD5

            3880eeb1c736d853eb13b44898b718ab

            SHA1

            4eec9d50360cd815211e3c4e6bdd08271b6ec8e6

            SHA256

            936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7

            SHA512

            3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\out.bin
            Filesize

            199B

            MD5

            8ccdb2db9e967e668aff0d57f70fd689

            SHA1

            e487e779b99fc699ede39289b4cf9eaa39213ff5

            SHA256

            3973be8d663877721e7eada399898ddfbefe9f452a8ad2cc78aa8b2a209cc3fa

            SHA512

            c3d04daba30dfec28f50208d04a5d9d1db76a912cfd42f4debadc65a369b7024cc7b911440077ee12df5298fe729185058bf14cd6c3625a2955f2230a9c4d1ec

            Download Submit
          • memory/320-57-0x0000000000000000-mapping.dmp
            Download
          • memory/524-61-0x0000000000400000-0x0000000000419000-memory.dmp
            Filesize

            100KB

            Download
          • memory/524-58-0x0000000000400000-0x0000000000419000-memory.dmp
            Filesize

            100KB

            Download
          • memory/524-59-0x0000000000400000-0x0000000000419000-memory.dmp
            Filesize

            100KB

            Download
          • memory/524-62-0x0000000000400000-0x0000000000419000-memory.dmp
            Filesize

            100KB

            Download
          • memory/524-65-0x000000000041029F-mapping.dmp
            Download
          • memory/524-64-0x0000000000400000-0x0000000000419000-memory.dmp
            Filesize

            100KB

            Download
          • memory/524-67-0x0000000000400000-0x0000000000419000-memory.dmp
            Filesize

            100KB

            Download
          • memory/524-70-0x0000000000400000-0x0000000000419000-memory.dmp
            Filesize

            100KB

            Download
          • memory/524-73-0x0000000000400000-0x0000000000419000-memory.dmp
            Filesize

            100KB

            Download
          • memory/872-72-0x0000000000000000-mapping.dmp
            Download
          • memory/1008-56-0x0000000000000000-mapping.dmp
            Download
          • memory/1244-91-0x0000000000000000-mapping.dmp
            Download
          • memory/1752-83-0x000000000041029F-mapping.dmp
            Download
          • memory/1752-85-0x0000000000400000-0x0000000000419000-memory.dmp
            Filesize

            100KB

            Download
          • memory/1752-89-0x0000000000400000-0x0000000000419000-memory.dmp
            Filesize

            100KB

            Download
          • memory/1752-90-0x0000000000400000-0x0000000000419000-memory.dmp
            Filesize

            100KB

            Download
          • memory/1752-92-0x0000000000400000-0x0000000000419000-memory.dmp
            Filesize

            100KB

            Download
          • memory/1784-71-0x00000000742E0000-0x000000007488B000-memory.dmp
            Filesize

            5.7MB

            Download
          • memory/1784-54-0x00000000753C1000-0x00000000753C3000-memory.dmp
            Filesize

            8KB

            Download
          • memory/1784-55-0x00000000742E0000-0x000000007488B000-memory.dmp
            Filesize

            5.7MB

            Download
          • memory/1784-95-0x00000000742E0000-0x000000007488B000-memory.dmp
            Filesize

            5.7MB

            Download