Analysis

max time kernel: 119s
max time network: 127s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 26-12-2023 15:14
Static task: static1
1 signatures

Behavioral task: behavioral1
Sample: 7845856e3f8f726a7fae095742bb14f9.exe
Resource: win7-20231215-en (windows7-x64)
2 signatures
150 seconds
General

Target: 7845856e3f8f726a7fae095742bb14f9.exe
Size: 153KB
MD5: 7845856e3f8f726a7fae095742bb14f9
SHA1: 1ddddc0f904c6f366cc48731a4dc4d5f6092a89d
SHA256: 5c1de7ab2e58cbbb1656fae3de8dc384930af80c2cfcc7e662c40f7416cd2fe2
SHA512: 8a85b166e34621a2bca48728e6aaf7c23eea6312682f4e5321154689c3563032a4bf8196ea658f22a27c934c582368c78d022fab73b09ef0e8a4bc75e34e3cfc
SSDEEP: 3072:d2jpmyvLmkNlzOAwa+PbeoB9yzu1oDtblbH/VoxKrUilzM9QR4J:Y5DD+P58u1oDHbfVox8qM
Malware Config

Extracted
Family: pony
C2:
  http://66.55.89.149:8080/forum/viewtopic.php
  http://66.55.89.150:8080/forum/viewtopic.php
Attributes
payload_url:
  http://www.admirals.ae/EF40.exe
  http://deltaset.com/4Vvsz.exe
  http://81.91.9.66/pVJH.exe
Signatures

Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
description                      pid   process                                  target process
PID 848 wrote to memory of 1596  848   7845856e3f8f726a7fae095742bb14f9.exe     7845856e3f8f726a7fae095742bb14f9.exe
PID 848 wrote to memory of 1596  848   7845856e3f8f726a7fae095742bb14f9.exe     7845856e3f8f726a7fae095742bb14f9.exe
PID 848 wrote to memory of 1596  848   7845856e3f8f726a7fae095742bb14f9.exe     7845856e3f8f726a7fae095742bb14f9.exe
PID 848 wrote to memory of 1596  848   7845856e3f8f726a7fae095742bb14f9.exe     7845856e3f8f726a7fae095742bb14f9.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\7845856e3f8f726a7fae095742bb14f9.exe
   "C:\Users\Admin\AppData\Local\Temp\7845856e3f8f726a7fae095742bb14f9.exe"
   PID: 848
   Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\7845856e3f8f726a7fae095742bb14f9.exe
      "C:\Users\Admin\AppData\Local\Temp\7845856e3f8f726a7fae095742bb14f9.exe"
      PID: 1596