Overview

overview

10

Static

static

3

42b8503d47...26.exe

windows7-x64

10

42b8503d47...26.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-11-2024 21:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    42b8503d47b564a1366a12b67db662d27f209e6c785eb234e8788cdf65b55726.exe

  • Size

    513KB

  • MD5

    8a74c1af5c133e0b74afd23d1d16558c

  • SHA1

    ae685b826bd5f7c231f8d9ee7c94c48eac7fe30b

  • SHA256

    42b8503d47b564a1366a12b67db662d27f209e6c785eb234e8788cdf65b55726

  • SHA512

    2a94764784193586444dbd16fb7b8c81f8418d002538c0fb87080abd10188131ba6eff4798846f4b58172a9ce9f0c527dd6bb6fbaa445825e1e4708c0616917f

  • SSDEEP

    6144:WTfFDbRnOTrA24QS575Xvk6VBiHQLO8IUeErP+k9IMXgXNZ4iIFgRpctuD1MTRAr:U5O74T7RvkQit8jrgBZrMwyTRAZG4av6

Score
10/10
ponycollectioncredential_accessdiscoveryratspywarestealerupx

Malware Config

Extracted

Family

pony

C2

http://orangefornowsee.webatu.com/yt/gate.php

Signatures

  • Pony family
    pony
  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

    ratspywarestealerpony
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
    collection
  • Suspicious use of SetThreadContext 3 IoCs
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 32 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\42b8503d47b564a1366a12b67db662d27f209e6c785eb234e8788cdf65b55726.exe
    "C:\Users\Admin\AppData\Local\Temp\42b8503d47b564a1366a12b67db662d27f209e6c785eb234e8788cdf65b55726.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3200
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\novDof.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\novDof.exe" "BWniac"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4172
      • C:\Windows\SysWOW64\svchost.exe
        "C:\Windows\System32\svchost.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2108
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /delete /tn WindowsUpdatebwniac0x8429524
          4⤵
          • System Location Discovery: System Language Discovery
          PID:5108
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /sc minute /mo 1 /tn WindowsUpdatebwniac0x8429525 /tr "C:\ProgramData\bwniac\Project1.exe" /RL HIGHEST
          4⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:4828
        • C:\Windows\SysWOW64\svchost.exe
          "C:\Windows\SysWOW64\svchost.exe"
          4⤵
          • Accesses Microsoft Outlook accounts
          • Accesses Microsoft Outlook profiles
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • outlook_win_path
          PID:4620
        • C:\Windows\SysWOW64\svchost.exe
          "C:\Windows\SysWOW64\svchost.exe"
          4⤵
            PID:1960
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 84
              5⤵
              • Program crash
              PID:1784
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1960 -ip 1960
      1⤵
        PID:2900

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\BWniac
        Filesize

        6KB

        MD5

        a39356dc7d53aa9a8b37b0939d4ea5a8

        SHA1

        304e0f38b90adbfe697407ed060c9f0b193c9d82

        SHA256

        d1ffe8f52182ea1a9c2ea36d8086ed5bd8c423a379e55f1ad7bae61a55f04d98

        SHA512

        b63a0725de90a19b752aebf4136016b52fd491d17a51f0a3b1d3c9cd439fa030175f30d131a5ca1c7b0156449799a3099145562e465842880ed3a6fb3dfc7fc3

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\clYtxv.exe
        Filesize

        102KB

        MD5

        f87405eee448fca26cba20181bc9c523

        SHA1

        3fb4894309fd1b04dd430266fce782f7cd76c4a8

        SHA256

        590c1fc55cd045047bcc8710f7bd73d2c0f8034c5fa70837058f111a2079991d

        SHA512

        4b4164e25d8ab16e4dd84f217431ee3057a0a3b5581843eb1e7135b168f362ed31174bd1737ecf7ad58b829baa07dfa7a8310a030e08508903d134eddc0214ae

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\novDof.exe
        Filesize

        510KB

        MD5

        01d151ccd2a75bd713b8ce81d6509eb8

        SHA1

        c751680d504bece45dc84e363e9e976fe77a8eac

        SHA256

        a4d4dbf9e9124dbd055115706f2a2bfc8816b66cc5f52a148602f9fb0203b801

        SHA512

        8d49a4d97ef38fe5c6bb875d3bc387fade75f9a5d06a494b6a8c9d87840aa3d7cd87343e6aad268a27a9a33390bef7cd8e10d8ebe1df9f7d1ba6a68fe844107d

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\oEGOMy.txt
        Filesize

        231KB

        MD5

        3f1471b60d578c33686f3b0f21f44345

        SHA1

        85b1cc86e86092f47f70847fa780090bb1f7c352

        SHA256

        51a6dd04aebbd6a929419ae9ac1371f34255b8825a97d14a1a3208de6873b64f

        SHA512

        cfec7a78e5565b4cf6c869bda230a99c829921d1d8a56e7a2a2c53786360124dbd86162c6d76310550850cf9770f05ff6bc81c2640501940b30f91ce90f104e6

        Download Submit

      • memory/2108-30-0x0000000000400000-0x0000000000457000-memory.dmp

        Filesize

        348KB

        Download

      • memory/2108-29-0x0000000000400000-0x0000000000457000-memory.dmp

        Filesize

        348KB

        Download

      • memory/2108-26-0x0000000000400000-0x0000000000457000-memory.dmp

        Filesize

        348KB

        Download

      • memory/2108-33-0x0000000000400000-0x0000000000457000-memory.dmp

        Filesize

        348KB

        Download

      • memory/2108-54-0x0000000000400000-0x0000000000457000-memory.dmp

        Filesize

        348KB

        Download

      • memory/3200-52-0x0000000000400000-0x0000000000423000-memory.dmp

        Filesize

        140KB

        Download

      • memory/4620-46-0x0000000000400000-0x000000000041D000-memory.dmp

        Filesize

        116KB

        Download

      • memory/4620-48-0x0000000000400000-0x000000000041D000-memory.dmp

        Filesize

        116KB

        Download

      • memory/4620-50-0x0000000000400000-0x000000000041D000-memory.dmp

        Filesize

        116KB

        Download

      • memory/4620-53-0x0000000000400000-0x000000000041D000-memory.dmp

        Filesize

        116KB

        Download