Analysis

  • max time kernel
    179s
  • max time network
    189s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27-11-2022 14:45

General

  • Target: 2adb07916f90ebe960d28568427815fda73b01a40a47b9e7bedb487b8301b96d.exe
  • Size: 1.3MB
  • MD5: c75f98e9bde735b1785b9f3e3d7b6ad6
  • SHA1: 8028222efcf71c343aa3ce45b2dde05403696a3d
  • SHA256: 2adb07916f90ebe960d28568427815fda73b01a40a47b9e7bedb487b8301b96d
  • SHA512: 59b8b5fefe4b72becf3eefbbb70480174f9b2ae588e99cb5cc3b623847f0018ce603f3c4a6dcf9dc328618e71a68442ff5f7a214d2cec000ded1bc53aad81499
  • SSDEEP: 24576:i2O/GlAIaOXAN/+rtH/GsMb7g6zwzRQegxP265:vPXAZetHo5k1tS

Malware Config

Extracted

  • Family: pony
  • C2: http://finalego.000a.de/1/gate.php

Signatures

  • Pony, Fareit

    Pony is a Remote Access Trojan application that steals information.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 49 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2adb07916f90ebe960d28568427815fda73b01a40a47b9e7bedb487b8301b96d.exe
    "C:\Users\Admin\AppData\Local\Temp\2adb07916f90ebe960d28568427815fda73b01a40a47b9e7bedb487b8301b96d.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1672
    • C:\Users\Admin\3llb9dt7w4t\Order.exe
      "C:\Users\Admin\3llb9dt7w4t\Order.exe" xhtiy
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1664
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        3⤵
        • Accesses Microsoft Outlook accounts
        • Accesses Microsoft Outlook profiles
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        • outlook_win_path
        PID:2236
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240686218.bat" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" "
          4⤵
            PID:4056

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Discovery
      • Query Registry (1) T1012
      • System Information Discovery (2) T1082

    Collection
      • Email Collection (2) T1114

    Downloads

    • C:\Users\Admin\3LLB9D~1\pwbf.NYP
      Filesize: 34KB
      MD5: f399b73ee327486c2a1141022b7bc6af
      SHA1: 6dd7c7ebfbbfad9e1ccdac2a33753103de44e940
      SHA256: 51e36dfa1b9bff164a486d1a0ea72afa5336526c11c2ef9a8dc1b810ae5686b8
      SHA512: 63fde7c94498b9f6f9b284d9b1f80309ddb4e8ac17389897d35bdd4e5f88a26b21d38d8473161789e267f5b8684eb136e51553d0ea08c268a658547c3be1e6be

    • C:\Users\Admin\3LLB9D~1\xaiuob.NPI
      Filesize: 32B
      MD5: 7bedf5d1e14c7254ef5d1bfa35e49d8a
      SHA1: 03fad752cfaaceb5a576b7ebe787e5dcd40d0776
      SHA256: f5a92af8b21c593f37ca0163a874ef0102dae8d9b79e8dbd330ca3d6dd312ec3
      SHA512: 0448c5b29f6c7aa69db75b7b34387d3ba60ed74ccb63b8de91ff148aaad851f335526445ff1e09ab6726a4f53599bfbdd64194beab48202dd32a6dffb2db0ec5

    • C:\Users\Admin\3llb9dt7w4t\Order.exe
      Filesize: 732KB
      MD5: 71d8f6d5dc35517275bc38ebcc815f9f
      SHA1: cae4e8c730de5a01d30aabeb3e5cb2136090ed8d
      SHA256: fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b
      SHA512: 4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

    • C:\Users\Admin\3llb9dt7w4t\xhtiy
      Filesize: 646.7MB
      MD5: b187219b690411c0fd06cd65e65f6769
      SHA1: 3edfde714b9558af20eae08e94c117a8932310aa
      SHA256: f76cc795d9a25863638ea815ce0e64f69b8a09eb76dbc81acef31b479b0dc7d6
      SHA512: 3750fca3f7fba3a2d007e6f2269a62647f65d91078fc9b6ce02225a086f93363d8eb2e86801586fe5e82ee2afad01f6216ec99e1eb5d6372e9b52c45ff381fbe

    • C:\Users\Admin\AppData\Local\Temp\240686218.bat
      Filesize: 94B
      MD5: 3880eeb1c736d853eb13b44898b718ab
      SHA1: 4eec9d50360cd815211e3c4e6bdd08271b6ec8e6
      SHA256: 936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7
      SHA512: 3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

    • memory/1664-132-0x0000000000000000-mapping.dmp
    • memory/2236-138-0x0000000000000000-mapping.dmp
    • memory/2236-139-0x0000000000400000-0x000000000041D000-memory.dmp (Filesize: 116KB)
    • memory/2236-140-0x0000000000400000-0x000000000041D000-memory.dmp (Filesize: 116KB)
    • memory/2236-141-0x0000000000400000-0x000000000041D000-memory.dmp (Filesize: 116KB)
    • memory/4056-142-0x0000000000000000-mapping.dmp