Overview

overview

10

Static

static

3

72f893d4e3...3b.exe

windows7-x64

10

72f893d4e3...3b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    3s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26/12/2023, 13:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    72f893d4e3aa3446a1e22cf6434f5c3b.exe

  • Size

    144KB

  • MD5

    72f893d4e3aa3446a1e22cf6434f5c3b

  • SHA1

    2490041ee937d432fed7b37a1ac6582fa8f62967

  • SHA256

    22d50f3824ca0f93cb50f610314202b52b1fa981fa2f5d86a829315875f34586

  • SHA512

    e99bbea6e4c1838a83b4b0e7254264e5c28dc927deeba2c2bfc198c4d943246898de39d877e29a8436e8363571ee5b6c1d228516307f6e571c02216fa08a9c8f

  • SSDEEP

    3072:oDZaZeFbvHbSnCZYoB1rLAxgutQb0HdUyY6CpaJFsZLoYHY:wgeRSn8YoLLVrbwzuaj2rH

Score
10/10
ponydiscoveryratspywarestealer

Malware Config

Extracted

Family

pony

C2

http://74.53.97.66:8080/forum/viewtopic.php

http://74.53.97.67:8080/forum/viewtopic.php
Attributes
  • payload_url

    http://orion.obidigital.net/d09ZhGf.exe

    http://ftp.lastraautosport.com.ar/xjH.exe

Signatures

  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

    ratspywarestealerpony
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\72f893d4e3aa3446a1e22cf6434f5c3b.exe
    "C:\Users\Admin\AppData\Local\Temp\72f893d4e3aa3446a1e22cf6434f5c3b.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4780
    • C:\Users\Admin\AppData\Local\Temp\72f893d4e3aa3446a1e22cf6434f5c3b.exe
      "C:\Users\Admin\AppData\Local\Temp\72f893d4e3aa3446a1e22cf6434f5c3b.exe"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2548

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2548-5-0x0000000000400000-0x0000000000419000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2548-4-0x0000000000EA0000-0x0000000000ECF000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2548-1-0x0000000000400000-0x0000000000419000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2548-6-0x0000000000400000-0x0000000000419000-memory.dmp

    Filesize

    100KB

    Download

  • memory/4780-0-0x0000000000EA0000-0x0000000000ECF000-memory.dmp

    Filesize

    188KB

    Download

  • memory/4780-2-0x0000000000EA0000-0x0000000000ECF000-memory.dmp

    Filesize

    188KB

    Download