Analysis
-
max time kernel
140s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
03-11-2024 22:08
Static task
static1
Behavioral task
behavioral1
Sample
4223b15bfd3c51809c6cb062bbcd111a54da5f653a491d0b8c1deacc1a56de9b.exe
Resource
win7-20240729-en
General
-
Target
4223b15bfd3c51809c6cb062bbcd111a54da5f653a491d0b8c1deacc1a56de9b.exe
-
Size
136KB
-
MD5
886aa3f3d629de1c4c8ac47d442d93d0
-
SHA1
42cabb8d69885ced540a828c8b1249bdb1025796
-
SHA256
4223b15bfd3c51809c6cb062bbcd111a54da5f653a491d0b8c1deacc1a56de9b
-
SHA512
fcd4b20e55863499aad55b3b3e7f165278423981007a0f3a0346d61f13ea0883fa57a5642ce0d2846bb20541a1c7e05571eb3420b4496ec6b774be936234d64d
-
SSDEEP
3072:L9Gd2o8XrfYReqvWTE38VeAQtPpgVWKZh/6:L62owrQbv+I6MPuVW8/
Malware Config
Extracted
pony
http://www.alberghi.com:8080/ponybb/gate.php
http://buyandsmile.atomclick.co:8080/ponybb/gate.php
-
payload_url
http://stereovale.fm/PKrmx7Wf/uRWTF.exe
http://periodicosemilladevida.com/QLsAUAjd/kgo.exe
Signatures
-
Pony family
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
4223b15bfd3c51809c6cb062bbcd111a54da5f653a491d0b8c1deacc1a56de9b.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4223b15bfd3c51809c6cb062bbcd111a54da5f653a491d0b8c1deacc1a56de9b.exe -
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes:
4223b15bfd3c51809c6cb062bbcd111a54da5f653a491d0b8c1deacc1a56de9b.exedescription pid Process Token: SeImpersonatePrivilege 1520 4223b15bfd3c51809c6cb062bbcd111a54da5f653a491d0b8c1deacc1a56de9b.exe Token: SeTcbPrivilege 1520 4223b15bfd3c51809c6cb062bbcd111a54da5f653a491d0b8c1deacc1a56de9b.exe Token: SeChangeNotifyPrivilege 1520 4223b15bfd3c51809c6cb062bbcd111a54da5f653a491d0b8c1deacc1a56de9b.exe Token: SeCreateTokenPrivilege 1520 4223b15bfd3c51809c6cb062bbcd111a54da5f653a491d0b8c1deacc1a56de9b.exe Token: SeBackupPrivilege 1520 4223b15bfd3c51809c6cb062bbcd111a54da5f653a491d0b8c1deacc1a56de9b.exe Token: SeRestorePrivilege 1520 4223b15bfd3c51809c6cb062bbcd111a54da5f653a491d0b8c1deacc1a56de9b.exe Token: SeIncreaseQuotaPrivilege 1520 4223b15bfd3c51809c6cb062bbcd111a54da5f653a491d0b8c1deacc1a56de9b.exe Token: SeAssignPrimaryTokenPrivilege 1520 4223b15bfd3c51809c6cb062bbcd111a54da5f653a491d0b8c1deacc1a56de9b.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\4223b15bfd3c51809c6cb062bbcd111a54da5f653a491d0b8c1deacc1a56de9b.exe"C:\Users\Admin\AppData\Local\Temp\4223b15bfd3c51809c6cb062bbcd111a54da5f653a491d0b8c1deacc1a56de9b.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1520