Analysis

  • max time kernel
    116s
  • max time network
    106s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    16/01/2025, 19:49 UTC

General

  • Target

    2bd2160f08f944e74eb8d504210d53d754966ef817b735b72f02bf6c6cbee35d.exe

  • Size

    179KB

  • MD5

    bd5e77cdeff10dab30aa283480cca89e

  • SHA1

    d836bf3beccd2e7da06f9a6ad7d5851e964f1bce

  • SHA256

    2bd2160f08f944e74eb8d504210d53d754966ef817b735b72f02bf6c6cbee35d

  • SHA512

    c650b7e944cb83352ea14654a525f913ff904d31be042bd77c1460eba035259c192498eb715418ba00584c591aca396e9189f466a272fef8a15933b72a0bc8a1

  • SSDEEP

    3072:7bnWMrGD5IAXEmLs++MqFz+AF/s+36haGkSzJT9WXO7tLXm1IUTDXzoXP5:PWMzA0mIJM6zzFU+3UmqE6CKUTLY

Malware Config

Extracted

Family

pony

C2

http://mg1lz2fzd.mdutmtm.in/p/image.php

http://mw1lz2fzd.mdutmtm.in/p/image.php

http://mm1lz2fzd.mdutmtm.in/p/image.php

http://m21lz2fzd.mdutmtm.in/p/image.php

http://ng1lz2fzd.mdutmtm.in/p/image.php

http://nw1lz2fzd.mdutmtm.in/p/image.php

http://nm1lz2fzd.mdutmtm.in/p/image.php

http://n21lz2fzd.mdutmtm.in/p/image.php

http://og1lz2fzd.mdutmtm.in/p/image.php

http://ow1lz2fzd.mdutmtm.in/p/image.php

http://mg1lz2fzd.mdutmti.in/p/contact.php

http://mw1lz2fzd.mdutmti.in/p/contact.php

http://mm1lz2fzd.mdutmti.in/p/contact.php

http://m21lz2fzd.mdutmti.in/p/contact.php

http://ng1lz2fzd.mdutmti.in/p/contact.php

http://nw1lz2fzd.mdutmti.in/p/contact.php

http://nm1lz2fzd.mdutmti.in/p/contact.php

http://n21lz2fzd.mdutmti.in/p/contact.php

http://og1lz2fzd.mdutmti.in/p/contact.php

http://ow1lz2fzd.mdutmti.in/p/contact.php
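The twenty C2 URLs above are not independent indicators: they are ten label variants ({m,n,o}{g,w,m,2}1lz2fzd) over two sibling registered domains, mdutmtm.in (serving /p/image.php) and mdutmti.in (serving /p/contact.php). A hunt that matches only the full URLs or hostnames will miss a sibling label the config enumerates but this run never queried. The following Python is an added example, not part of the tria.ge report or of any Pony tooling: it rebuilds the list, derives the registered domains, and scans constructed DNS log lines (format "timestamp client qname qtype", made up for the example) for exact hostname hits and for any query under the two domains. It assumes plain two-label registrable domains; a public-suffix list would be needed for suffixes such as co.uk.

```python
import re
from urllib.parse import urlparse

# Reproduces the 20 C2 URLs from the extracted Pony config on this page:
# ten label variants across two sibling domains, each with its own check-in path.
PONY_C2_URLS = [
    f"http://{label}.{domain}/p/{page}"
    for domain, page in (("mdutmtm.in", "image.php"), ("mdutmti.in", "contact.php"))
    for label in ("mg1lz2fzd", "mw1lz2fzd", "mm1lz2fzd", "m21lz2fzd", "ng1lz2fzd",
                  "nw1lz2fzd", "nm1lz2fzd", "n21lz2fzd", "og1lz2fzd", "ow1lz2fzd")
]


def c2_hostnames(urls):
    """Exact hostnames named in the config, lower-cased."""
    return {urlparse(u).hostname.lower() for u in urls}


def registered_domains(hostnames):
    """Last two labels of each hostname (assumption: two-label registrable
    domains like mdutmtm.in; use a public-suffix list for co.uk-style suffixes)."""
    return {".".join(h.split(".")[-2:]) for h in hostnames}


def classify_query(qname, hosts, domains):
    """Return why a DNS query is suspicious, or None if it is not."""
    q = qname.lower().rstrip(".")          # normalise case and trailing dot
    if q in hosts:
        return "config-hostname"
    for d in domains:
        # suffix match on a label boundary, so mdutmtm.in.example.com does not match
        if q == d or q.endswith("." + d):
            return "config-domain"
    return None


def scan_dns_log(lines, urls=PONY_C2_URLS):
    """Scan 'timestamp client qname qtype' lines; return (client, qname, reason) hits."""
    hosts = c2_hostnames(urls)
    domains = registered_domains(hosts)
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue                        # malformed line, skip rather than crash
        _ts, client, qname, _qtype = parts[:4]
        reason = classify_query(qname, hosts, domains)
        if reason:
            hits.append((client, qname.lower().rstrip("."), reason))
    return hits


# Constructed sample log for the example (not taken from the report).
SAMPLE_DNS_LOG = [
    "2025-01-16T19:50:01Z 10.0.0.5 mg1lz2fzd.mdutmtm.in A",      # exact config host
    "2025-01-16T19:50:02Z 10.0.0.5 www.microsoft.com A",         # benign
    "2025-01-16T19:50:03Z 10.0.0.5 ab9xyz.mdutmti.in A",         # sibling label, same domain
    "2025-01-16T19:50:04Z 10.0.0.7 mdutmtm.in.example.com A",    # lookalike, must not match
    "2025-01-16T19:50:05Z 10.0.0.5 NW1LZ2FZD.mdutmtm.in. A",     # case/trailing-dot variant
]

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG):
        print(*hit)
```

The same two-level matching applies to proxy logs: match the registered domain first, then treat a POST to /p/image.php or /p/contact.php on it as the check-in itself.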

Signatures

  • Pony family
  • Pony, Fareit

    Pony (also tracked as Fareit) is an information-stealing trojan: it harvests stored credentials from browsers, FTP and email clients and cryptocurrency wallet files, posts them to its C2, and can download and run further payloads.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2bd2160f08f944e74eb8d504210d53d754966ef817b735b72f02bf6c6cbee35d.exe
    "C:\Users\Admin\AppData\Local\Temp\2bd2160f08f944e74eb8d504210d53d754966ef817b735b72f02bf6c6cbee35d.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1464
    • C:\Users\Admin\AppData\Roaming\WinRAR\systlw.exe
      "C:\Users\Admin\AppData\Roaming\WinRAR\systlw.exe"
      2⤵
      • Executes dropped EXE
      • Accesses Microsoft Outlook accounts
      • Accesses Microsoft Outlook profiles
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • outlook_win_path
      PID:2960
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\2BD216~1.EXE" > NUL
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2980
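The process tree shows the classic Pony hand-off: the sample copies itself to %APPDATA%\WinRAR\systlw.exe, starts the copy, then spawns cmd.exe /c del against its own image and exits. The detail that breaks naive detection is that the deleted path is the 8.3 short name (2BD216~1.EXE), so a plain string comparison between the del target and the parent's image path never matches. The following Python is an added example, not part of the tria.ge report or of any product's detection logic: it reconstructs process-creation events from this tree (the ppid of the root process and the benign event with PID 3100 are constructed for contrast), parses the del target, and compares it to the parent image while allowing for 8.3 short names.

```python
import ntpath
import re

# Process-creation events reconstructed from this report's process tree.
# The root's ppid (1000) and the benign event (pid 3100) are constructed for the example.
EVENTS = [
    {"pid": 1464, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\2bd2160f08f944e74eb8d504210d53d754966ef817b735b72f02bf6c6cbee35d.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\2bd2160f08f944e74eb8d504210d53d754966ef817b735b72f02bf6c6cbee35d.exe"'},
    {"pid": 2960, "ppid": 1464,
     "image": r"C:\Users\Admin\AppData\Roaming\WinRAR\systlw.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Roaming\WinRAR\systlw.exe"'},
    {"pid": 2980, "ppid": 1464,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\2BD216~1.EXE" > NUL'},
    {"pid": 3100, "ppid": 900,                      # constructed benign cleanup, parent unknown
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\build.log"},
]

# "del <quoted path>" or "del <bare path>"; case-insensitive like cmd.exe itself.
DEL_TARGET = re.compile(r'\bdel\b\s+(?:"([^"]+)"|(\S+))', re.I)
# 8.3 short name: up to 6 stem characters, ~N, optional 1-3 character extension.
SHORT_NAME = re.compile(r"([A-Z0-9_]{1,6})~\d+(\.[A-Z0-9]{1,3})?", re.I)


def del_target(cmdline):
    """Path argument of a 'del' command, or None if the command line has none."""
    m = DEL_TARGET.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None


def same_file(target, image):
    """True if target names image, treating an 8.3 short name (2BD216~1.EXE)
    as matching the long name it abbreviates."""
    if target.lower() == image.lower():
        return True
    tdir, tbase = ntpath.split(target)          # ntpath: Windows separators on any host
    idir, ibase = ntpath.split(image)
    if tdir.lower() != idir.lower():
        return False
    m = SHORT_NAME.fullmatch(tbase)
    if not m:
        return False
    prefix, ext = m.group(1), m.group(2) or ""
    stem, iext = ntpath.splitext(ibase)
    # Windows derives the short stem from the long stem with spaces and dots
    # removed (approximation: other illegal characters are not rewritten here)
    # and keeps the first three characters of the extension.
    short_stem = re.sub(r"[ .]", "", stem).upper()
    return short_stem.startswith(prefix.upper()) and iext.upper()[:4] == ext.upper()


def find_self_deletion(events):
    """(cmd_pid, parent_pid, parent_image) for every cmd.exe 'del' whose target
    is the parent's own executable, the self-delete step seen in this report."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if ntpath.basename(e["image"]).lower() != "cmd.exe":
            continue
        target = del_target(e["cmdline"])
        parent = by_pid.get(e["ppid"])
        if target and parent and same_file(target, parent["image"]):
            hits.append((e["pid"], parent["pid"], parent["image"]))
    return hits


if __name__ == "__main__":
    for cmd_pid, parent_pid, parent_image in find_self_deletion(EVENTS):
        print(f"cmd.exe {cmd_pid} deleting its parent {parent_pid}: {parent_image}")
```

In real telemetry the parent image is usually already on the event (Sysmon event 1 carries ParentImage), which avoids the pid join and the pid-reuse ambiguity it introduces; the short-name handling is the part that transfers unchanged.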

Network

  DNS queries (resolver 8.8.8.8:53, all issued by systlw.exe, PID 2960). Only the first six of the twenty configured C2 hosts were queried before the 106 s network capture ended, and none of the responses carried an address record, so no HTTP check-in to /p/image.php or /p/contact.php was observed.

  • mg1lz2fzd.mdutmtm.in   IN A   response: no address
  • mw1lz2fzd.mdutmtm.in   IN A   response: no address
  • mm1lz2fzd.mdutmtm.in   IN A   response: no address
  • m21lz2fzd.mdutmtm.in   IN A   response: no address
  • ng1lz2fzd.mdutmtm.in   IN A   response: no address
  • nw1lz2fzd.mdutmtm.in   IN A   response: no address
  DNS flows (UDP to 8.8.8.8:53, process systlw.exe; per flow: bytes sent, bytes received, requests, responses)

  • mg1lz2fzd.mdutmtm.in   66 B sent   119 B received   1 request   1 response
  • mw1lz2fzd.mdutmtm.in   66 B sent   119 B received   1 request   1 response
  • mm1lz2fzd.mdutmtm.in   66 B sent   119 B received   1 request   1 response
  • m21lz2fzd.mdutmtm.in   66 B sent   119 B received   1 request   1 response
  • ng1lz2fzd.mdutmtm.in   66 B sent   119 B received   1 request   1 response
  • nw1lz2fzd.mdutmtm.in   66 B sent   119 B received   1 request   1 response

MITRE ATT&CK Enterprise v15


Downloads

  • \Users\Admin\AppData\Roaming\WinRAR\systlw.exe
    Filesize 179KB
    MD5 bd5e77cdeff10dab30aa283480cca89e
    SHA1 d836bf3beccd2e7da06f9a6ad7d5851e964f1bce
    SHA256 2bd2160f08f944e74eb8d504210d53d754966ef817b735b72f02bf6c6cbee35d
    SHA512 c650b7e944cb83352ea14654a525f913ff904d31be042bd77c1460eba035259c192498eb715418ba00584c591aca396e9189f466a272fef8a15933b72a0bc8a1

    Identical in size and every hash to the submitted sample: the dropped file is a straight copy of the original executable, so a hash-based IOC for the sample also covers the persisted copy.

  Memory dumps (dump name, address range, size). 0x00400000-0x00431000 is the default image base of a 32-bit executable, so the 196KB dumps are snapshots of each process's main image; the 4KB regions at 0x2B0000 / 0x2A0000 were dumped repeatedly as they changed.

  • memory/1464-0   0x0000000002140000-0x000000000233E000   2.0MB
  • memory/1464-1   0x00000000002B0000-0x00000000002B1000   4KB
  • memory/1464-2   0x00000000002B0000-0x00000000002B1000   4KB
  • memory/1464-3   0x00000000002B0000-0x00000000002B1000   4KB
  • memory/1464-4   0x00000000002B0000-0x00000000002B1000   4KB
  • memory/1464-5   0x00000000002B0000-0x00000000002B1000   4KB
  • memory/1464-6   0x00000000002B0000-0x00000000002B1000   4KB
  • memory/1464-7   0x00000000002B0000-0x00000000002B1000   4KB
  • memory/1464-8   0x00000000002B0000-0x00000000002B1000   4KB
  • memory/1464-9   0x00000000002B0000-0x00000000002B1000   4KB
  • memory/1464-10  0x0000000000400000-0x0000000000431000   196KB
  • memory/1464-21  0x0000000000400000-0x0000000000431000   196KB
  • memory/2960-22  0x0000000002060000-0x000000000225E000   2.0MB
  • memory/2960-23  0x00000000002A0000-0x00000000002A1000   4KB
  • memory/2960-24  0x00000000002A0000-0x00000000002A1000   4KB
  • memory/2960-25  0x00000000002A0000-0x00000000002A1000   4KB
  • memory/2960-26  0x0000000000400000-0x0000000000431000   196KB
  • memory/2960-28  0x0000000002060000-0x000000000225E000   2.0MB
  • memory/2960-29  0x0000000000400000-0x0000000000431000   196KB
