Analysis

  • max time kernel
    147s
  • max time network
    137s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    01/12/2022, 05:20 UTC

General

  • Target

    2f7cbaacf1abfa89a85b62f61710e23c9260c287935a9237254a1fd7b77fff91.exe

  • Size

    97KB

  • MD5

    b0254639b2067499a3e76ec51cc5bd83

  • SHA1

    876b944ef465af2b091aa18f49e1c3a6359079cc

  • SHA256

    2f7cbaacf1abfa89a85b62f61710e23c9260c287935a9237254a1fd7b77fff91

  • SHA512

    24dcb6d52ef1644e842dfa9ee80b883bbc60dbb0bf9c895442e0efe1b90d1f287d7eb00370d9712fbff26898b3a5c662d5b994fedc7864bb69438ed345f1469e

  • SSDEEP

    1536:zEjU7N5DIhDvb38/fIaDfQyrMHdJnlFNGnl6P7d8m/2f:QjU7N5DI9vUIaDfvMHdJslEd8m/

Malware Config

Extracted

Family

pony

C2

http://115.47.49.181/xSZ64Wiax/ojXVZBxRQVfp6gAUziCGnB8V7Aikbs0Z.php

Signatures

  • Pony, Fareit

    Pony is a Remote Access Trojan application that steals information.

  • Deletes itself 1 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 32 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2f7cbaacf1abfa89a85b62f61710e23c9260c287935a9237254a1fd7b77fff91.exe
    "C:\Users\Admin\AppData\Local\Temp\2f7cbaacf1abfa89a85b62f61710e23c9260c287935a9237254a1fd7b77fff91.exe"
    1⤵
    • Accesses Microsoft Outlook accounts
    • Accesses Microsoft Outlook profiles
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • outlook_win_path
    PID:1964
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\7220459.bat" "C:\Users\Admin\AppData\Local\Temp\2f7cbaacf1abfa89a85b62f61710e23c9260c287935a9237254a1fd7b77fff91.exe" "
      2⤵
      • Deletes itself
      PID:676

Network

  • 115.47.49.181:80
    2f7cbaacf1abfa89a85b62f61710e23c9260c287935a9237254a1fd7b77fff91.exe
    152 B
    3
  • 115.47.49.181:80
    2f7cbaacf1abfa89a85b62f61710e23c9260c287935a9237254a1fd7b77fff91.exe
    152 B
    3
  • 115.47.49.181:80
    2f7cbaacf1abfa89a85b62f61710e23c9260c287935a9237254a1fd7b77fff91.exe
    152 B
    3
  • 115.47.49.181:80
    2f7cbaacf1abfa89a85b62f61710e23c9260c287935a9237254a1fd7b77fff91.exe
    152 B
    3
  • 115.47.49.181:80
    2f7cbaacf1abfa89a85b62f61710e23c9260c287935a9237254a1fd7b77fff91.exe
    152 B
    3

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\7220459.bat

    Filesize

    94B

    MD5

    3880eeb1c736d853eb13b44898b718ab

    SHA1

    4eec9d50360cd815211e3c4e6bdd08271b6ec8e6

    SHA256

    936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7

    SHA512

    3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

  • memory/1964-54-0x0000000076411000-0x0000000076413000-memory.dmp

    Filesize

    8KB

  • memory/1964-55-0x0000000000220000-0x000000000022D000-memory.dmp

    Filesize

    52KB

  • memory/1964-56-0x0000000000230000-0x000000000023D000-memory.dmp

    Filesize

    52KB

  • memory/1964-57-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/1964-58-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/1964-60-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB
