File name: | Scan Document_doc.gz |
Full analysis: | https://app.any.run/tasks/2c564c8c-842a-4827-a644-3a46e98ea36b |
Verdict: | Malicious activity |
Threats: | Pony is a malware with two main functions — stealing information and dropping other viruses with different tasks on infected machines. It has been around since 2011, and it still actively attacks users in Europe and America. |
Analysis date: | December 06, 2018, 02:34:33 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/gzip |
File info: | gzip compressed data, was "Scan Document_doc.exe", last modified: Wed Dec 5 12:40:17 2018, max speed, from FAT filesystem (MS-DOS, OS/2, NT) |
MD5: | 757DCCE0A491504B54A9FD22E160B28C |
SHA1: | 0C98F20526B263AD3FF4D2F73A08976BE9FB1F84 |
SHA256: | EDD811F1C66894EBB9F1EE7106CD1404E6C9BD170BD4B6C25C6AD40E191E1CDE |
SSDEEP: | 3072:3Q0XJ8/JXdl0kYmJrC8yNCI1zM+7EZSotfKst9UeYIeDqITRPe9qPBi:AyJ8/JXdlKmBCTCAo+HoeemqITJ/Bi |
.z/gz/gzip | | | GZipped data (100) |
---|
ArchivedFileName: | Scan Document_doc.exe |
---|---|
OperatingSystem: | FAT filesystem (MS-DOS, OS/2, NT/Win32) |
ExtraFlags: | Fastest Algorithm |
ModifyDate: | 2018:12:05 13:40:17+01:00 |
Flags: | FileName |
Compression: | Deflated |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2956 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Scan Document_doc.gz.z" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 | ||||
1948 | "C:\Users\admin\Desktop\Scan Document_doc.exe" | C:\Users\admin\Desktop\Scan Document_doc.exe | — | explorer.exe |
User: admin Company: LEGALIST Integrity Level: MEDIUM Description: "Intestinally7"TOMY6 Exit code: 0 Version: 6.08.0008 | ||||
2712 | C:\Users\admin\Desktop\Scan Document_doc.exe" | C:\Users\admin\Desktop\Scan Document_doc.exe | Scan Document_doc.exe | |
User: admin Company: LEGALIST Integrity Level: MEDIUM Description: "Intestinally7"TOMY6 Exit code: 0 Version: 6.08.0008 | ||||
1904 | cmd /c ""C:\Users\admin\AppData\Local\Temp\1352515.bat" "C:\Users\admin\Desktop\Scan Document_doc.exe" " | C:\Windows\system32\cmd.exe | — | Scan Document_doc.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
(PID) Process: | (2956) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtBMP |
Value: | |||
(PID) Process: | (2956) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtIcon |
Value: | |||
(PID) Process: | (2956) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US | |||
(PID) Process: | (2956) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\Scan Document_doc.gz.z | |||
(PID) Process: | (2956) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | name |
Value: 120 | |||
(PID) Process: | (2956) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | size |
Value: 80 | |||
(PID) Process: | (2956) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | type |
Value: 120 | |||
(PID) Process: | (2956) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | mtime |
Value: 100 | |||
(PID) Process: | (2956) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\DialogEditHistory\ExtrPath |
Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop | |||
(PID) Process: | (2712) Scan Document_doc.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR |
Operation: | write | Name: | HWID |
Value: 7B36313032314235362D363143352D343331412D384242302D3937324639443230424639467D |
PID | Process | Filename | Type | |
---|---|---|---|---|
2712 | Scan Document_doc.exe | C:\Users\admin\AppData\Local\Temp\1352515.bat | — | |
MD5:— | SHA256:— | |||
2956 | WinRAR.exe | C:\Users\admin\Desktop\Scan Document_doc.exe | executable | |
MD5:A3FA4947F648D7C0C8079C7E54155450 | SHA256:03A357C8FAD6A1120080A3DD9D65C480EE89A4E928D79C423626ABA93D652BF0 | |||
1948 | Scan Document_doc.exe | C:\Users\admin\AppData\Local\Temp\~DF41829527720A0773.TMP | binary | |
MD5:5396A94CB274FD1B604900F50E55EE32 | SHA256:2A5BE419316A8F410354C92F5CE186FCA2769B5513136776341DF624EB6A6E80 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2712 | Scan Document_doc.exe | POST | 200 | 103.18.109.178:80 | http://aspirationgraphics.com.au/ss/panelnew/gate.php | AU | binary | 20 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2712 | Scan Document_doc.exe | 103.18.109.178:80 | aspirationgraphics.com.au | Net Virtue Pty Ltd | AU | unknown |
Domain | IP | Reputation |
---|---|---|
aspirationgraphics.com.au |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
2712 | Scan Document_doc.exe | Potential Corporate Privacy Violation | ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System |
2712 | Scan Document_doc.exe | A Network Trojan was detected | ET TROJAN Trojan Generic - POST To gate.php with no referer |
2712 | Scan Document_doc.exe | A Network Trojan was detected | ET TROJAN Fareit/Pony Downloader Checkin 2 |
2712 | Scan Document_doc.exe | A Network Trojan was detected | ET TROJAN Pony Downloader HTTP Library MSIE 5 Win98 |
2712 | Scan Document_doc.exe | A Network Trojan was detected | MALWARE [PTsecurity] Fareit/Pony Downloader Checkin |
2712 | Scan Document_doc.exe | A Network Trojan was detected | MALWARE [PTsecurity] Fareit/Pony CnC Server stdResponse |