Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    114s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/12/2022, 18:01

General

  • Target

    c5f1dd526e09e635b8b7cbe7658358e042ddf092bdda814a3328a42f47e49cbe.exe

  • Size

    81KB

  • MD5

    ab1094bc750e9ee2604b4c69d4b27099

  • SHA1

    2093c3b4232929ee355cef027f02b8fa56475c17

  • SHA256

    c5f1dd526e09e635b8b7cbe7658358e042ddf092bdda814a3328a42f47e49cbe

  • SHA512

    4929580a82a8d6b3c11d9578788291953cc196b856c29f2069d33b9ab5bf96b4111701cfb41c3e2a7fdc5b32f847cfb84b0f23e5ba457f0cb1bb835ca0682481

  • SSDEEP

    1536:6aH1w5TZVN7ciGKTFmLq6d7b/PjuYgFIPV6KFTf3iimaHUavfvV:V1qrd3TFmGo/LuYGIdnfd2un

Malware Config

Extracted

Family

pony

C2

http://dreststat.info:2346/pony/mac.php

http://dertystat.info:2346/pony/mac.php

Attributes
  • payload_url

    http://dertystat.info:2346/pony/view/kos.exe

Signatures

  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

  • Drops file in Drivers directory 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c5f1dd526e09e635b8b7cbe7658358e042ddf092bdda814a3328a42f47e49cbe.exe
    "C:\Users\Admin\AppData\Local\Temp\c5f1dd526e09e635b8b7cbe7658358e042ddf092bdda814a3328a42f47e49cbe.exe"
    1⤵
    • Drops file in Drivers directory
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:520
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c at 01:38:00 cmd.exe /c copy %TEMP%\240651578FdOh %WINDIR%\system32\drivers\etc\hosts /Y && rename %WINDIR%\system32\drivers\etc\hosts hosts.sys
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2244
      • C:\Windows\SysWOW64\at.exe
        at 01:38:00 cmd.exe /c copy C:\Users\Admin\AppData\Local\Temp\240651578FdOh C:\Windows\system32\drivers\etc\hosts /Y
        3⤵
          PID:4184
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\windows\CurrentVersion\Run /v 240655031 /t REG_SZ /d "cmd.exe /c copy %TEMP%\240651578FdOh %WINDIR%\system32\drivers\etc\hosts /Y && attrib +H %WINDIR%\system32\drivers\etc\hosts /f
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2420
        • C:\Windows\SysWOW64\reg.exe
          reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\windows\CurrentVersion\Run /v 240655031 /t REG_SZ /d "cmd.exe /c copy C:\Users\Admin\AppData\Local\Temp\240651578FdOh C:\Windows\system32\drivers\etc\hosts /Y && attrib +H C:\Windows\system32\drivers\etc\hosts /f
          3⤵
          • Adds Run key to start application
          PID:636
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\abcd.bat" "C:\Users\Admin\AppData\Local\Temp\c5f1dd526e09e635b8b7cbe7658358e042ddf092bdda814a3328a42f47e49cbe.exe" "
        2⤵
          PID:1900

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\abcd.bat

        Filesize

        75B

        MD5

        0849cfe65b98ba5fcd9a9ec61a671d09

        SHA1

        9d0ccb383c32b1bc07fd9064b9324a18e1276902

        SHA256

        44f6a1e48081deccfb61075e585bcb36c6d8e8feeb6ebae50bab41677822c643

        SHA512

        afdeda8122b4cefcf7549018c40d3142985e88a6d8f13eb58e9a59aa312b73608123de5f9feebc2ce25b6ec215d23c324b9f3a9a0e97041d67d863a25e15e57a

      • memory/520-133-0x00000000005C0000-0x00000000005EE000-memory.dmp

        Filesize

        184KB

      • memory/520-132-0x0000000000400000-0x000000000042E000-memory.dmp

        Filesize

        184KB

      • memory/520-134-0x0000000000400000-0x000000000042E000-memory.dmp

        Filesize

        184KB

      • memory/520-135-0x0000000000400000-0x000000000042E000-memory.dmp

        Filesize

        184KB

      • memory/520-136-0x00000000005C0000-0x00000000005EE000-memory.dmp

        Filesize

        184KB

      • memory/520-143-0x0000000000400000-0x000000000042E000-memory.dmp

        Filesize

        184KB