General

  • Target

    9ed9ed487238d528d158d25f1a6189aa9fbe37f5bba5e40e033e0b0a786119d5.exe

  • Size

    298KB

  • Sample

    221223-rwallsbg3y

  • MD5

    40cb01660e4b45213c35e997b94238a0

  • SHA1

    8a1f0f62eede7cd183158567f9b78384074f5fed

  • SHA256

    9ed9ed487238d528d158d25f1a6189aa9fbe37f5bba5e40e033e0b0a786119d5

  • SHA512

    305cedfe911fc108c33310a9954c368d9f3583f275d8cc002473bbb47294d7171b10854e2f513c589c4d17197e39dadcfc11c19bf9cf5573747651fefe5fd4e4

  • SSDEEP

    6144:fMjokASLOMN9/wJP96/jdLnCd4C0+7s0Vlm2QV7wcNTLysyTXLI/dc46xPy3cYsF:nkAqOi94x96Rjw4C02silwNTLxyTX01a

Malware Config

Extracted

Family

pony

C2

http://gruzdom.ru/api/

Targets

    • Target

      9ed9ed487238d528d158d25f1a6189aa9fbe37f5bba5e40e033e0b0a786119d5.exe

    • Size

      298KB

    • MD5

      40cb01660e4b45213c35e997b94238a0

    • SHA1

      8a1f0f62eede7cd183158567f9b78384074f5fed

    • SHA256

      9ed9ed487238d528d158d25f1a6189aa9fbe37f5bba5e40e033e0b0a786119d5

    • SHA512

      305cedfe911fc108c33310a9954c368d9f3583f275d8cc002473bbb47294d7171b10854e2f513c589c4d17197e39dadcfc11c19bf9cf5573747651fefe5fd4e4

    • SSDEEP

      6144:fMjokASLOMN9/wJP96/jdLnCd4C0+7s0Vlm2QV7wcNTLysyTXLI/dc46xPy3cYsF:nkAqOi94x96Rjw4C02silwNTLxyTX01a

    • CrypVault

      Ransomware family which makes encrypted files look like they have been quarantined by AV.

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook accounts

    • Accesses Microsoft Outlook profiles

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

MITRE ATT&CK Enterprise v6

Tasks