Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

63c4316232...97.exe

windows7-x64

10

63c4316232...97.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    134s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/01/2025, 01:31 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    63c431623221a61ef5e45043b30644804fca5e86105d8a8f81b460b3d097c797.exe

  • Size

    1024KB

  • MD5

    2c4ec5b63d31b02b208d9eb0f5a655d8

  • SHA1

    33a25e761128e4e554260d40b1b54707825060c7

  • SHA256

    63c431623221a61ef5e45043b30644804fca5e86105d8a8f81b460b3d097c797

  • SHA512

    820e5406c1f6d91c269ce68ad42537ff7520380abcc7b0c54f9b8c4e72d78b369d39659d56145b59de0cf30d176ed92026f14ebf7ab6d992403b9cd3e1f9c2f3

  • SSDEEP

    3072:J9Pk4IQY2jhkRarEdTVTeX347V6u+NZo/rk2q32Be417FkcV5ovR9lAFCvWLkr:HzP2o8TeX3a/Fq32Be41BfV5ovRkMv7

Score
10/10
ponycollectioncredential_accessdiscoveryratspywarestealer

Malware Config

Extracted

Family

pony

C2

http://209.59.219.1/forum/viewtopic.php

http://212.58.20.11/forum/viewtopic.php
Attributes
  • payload_url

    http://cumhuriyetciavukatlar.info/M5Mco.exe

    http://thebeautiq.com.au/736XymQx.exe

    http://207.204.20.213/Bd1.exe

Signatures

  • Pony family
    pony
  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

    ratspywarestealerpony
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
    collection
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\63c431623221a61ef5e45043b30644804fca5e86105d8a8f81b460b3d097c797.exe
    "C:\Users\Admin\AppData\Local\Temp\63c431623221a61ef5e45043b30644804fca5e86105d8a8f81b460b3d097c797.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:336
    • C:\Users\Admin\AppData\Local\Temp\63c431623221a61ef5e45043b30644804fca5e86105d8a8f81b460b3d097c797.exe
      "C:\Users\Admin\AppData\Local\Temp\63c431623221a61ef5e45043b30644804fca5e86105d8a8f81b460b3d097c797.exe"
      2⤵
      • Accesses Microsoft Outlook accounts
      • Accesses Microsoft Outlook profiles
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • outlook_win_path
      PID:4208

Network

  • flag-us
    DNS
    133.211.185.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    133.211.185.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    88.210.23.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    88.210.23.2.in-addr.arpa
    IN PTR
    Response
    88.210.23.2.in-addr.arpa
    IN PTR
    a2-23-210-88deploystaticakamaitechnologiescom
  • flag-us
    DNS
    71.31.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    71.31.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    217.106.137.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    217.106.137.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    50.23.12.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    50.23.12.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    15.164.165.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    15.164.165.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    75.117.19.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    75.117.19.2.in-addr.arpa
    IN PTR
    Response
    75.117.19.2.in-addr.arpa
    IN PTR
    a2-19-117-75deploystaticakamaitechnologiescom
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    19.229.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    19.229.111.52.in-addr.arpa
    IN PTR
    Response
  • 209.59.219.1:80
    63c431623221a61ef5e45043b30644804fca5e86105d8a8f81b460b3d097c797.exe
    260 B
     5
  • 209.59.219.1:80
    63c431623221a61ef5e45043b30644804fca5e86105d8a8f81b460b3d097c797.exe
    260 B
     5
  • 209.59.219.1:80
    63c431623221a61ef5e45043b30644804fca5e86105d8a8f81b460b3d097c797.exe
    260 B
     5
  • 209.59.219.1:80
    63c431623221a61ef5e45043b30644804fca5e86105d8a8f81b460b3d097c797.exe
    260 B
     5
  • 209.59.219.1:80
    63c431623221a61ef5e45043b30644804fca5e86105d8a8f81b460b3d097c797.exe
    260 B
     5
  • 209.59.219.1:80
    63c431623221a61ef5e45043b30644804fca5e86105d8a8f81b460b3d097c797.exe
    208 B
     4
  • 8.8.8.8:53
    133.211.185.52.in-addr.arpa
    dns
    73 B
     147 B
     1
    1

    DNS Request

    133.211.185.52.in-addr.arpa

  • 8.8.8.8:53
    88.210.23.2.in-addr.arpa
    dns
    70 B
     133 B
     1
    1

    DNS Request

    88.210.23.2.in-addr.arpa

  • 8.8.8.8:53
    71.31.126.40.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    71.31.126.40.in-addr.arpa

  • 8.8.8.8:53
    217.106.137.52.in-addr.arpa
    dns
    73 B
     147 B
     1
    1

    DNS Request

    217.106.137.52.in-addr.arpa

  • 8.8.8.8:53
    50.23.12.20.in-addr.arpa
    dns
    70 B
     156 B
     1
    1

    DNS Request

    50.23.12.20.in-addr.arpa

  • 8.8.8.8:53
    15.164.165.52.in-addr.arpa
    dns
    72 B
     146 B
     1
    1

    DNS Request

    15.164.165.52.in-addr.arpa

  • 8.8.8.8:53
    75.117.19.2.in-addr.arpa
    dns
    70 B
     133 B
     1
    1

    DNS Request

    75.117.19.2.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
     128 B
     1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    19.229.111.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    19.229.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/336-0-0x00000000005C0000-0x00000000005E7000-memory.dmp

    Filesize

    156KB

    Download

  • memory/336-2-0x00000000005C0000-0x00000000005E7000-memory.dmp

    Filesize

    156KB

    Download

  • memory/4208-1-0x0000000000400000-0x0000000000419000-memory.dmp

    Filesize

    100KB

    Download

  • memory/4208-4-0x0000000000400000-0x0000000000419000-memory.dmp

    Filesize

    100KB

    Download

  • memory/4208-5-0x0000000000400000-0x0000000000419000-memory.dmp

    Filesize

    100KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.