pony | d31c1aa598252bced9b3fef25a20045d48b91e929e8d7353ffd30bdb3a1a3cf4

Analysis

max time kernel
69s
max time network
112s
platform
windows10_x64
resource
win10
submitted
09-07-2020 12:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

77448484848.scr
Size

892KB
MD5

70dba93e5db5b7b8fd48add53d608b3f
SHA1

e23615d9f5cae44259f4ab24b5c32a629a85f1e3
SHA256

d31c1aa598252bced9b3fef25a20045d48b91e929e8d7353ffd30bdb3a1a3cf4
SHA512

415d08b466f6064bbadcb840ac11809fa360b0218c69d7a4c95f98caae96deefe8cf8519ad41b93a994bd268772f91d5a8acb663c7b8e3469074c303f3f52ec0

Score

10^/10

spyware persistence discovery rat stealer pony

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3388	gqshuqmkvj.pif

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3388 set thread context of 644	3388	gqshuqmkvj.pif	70
PID 3388 set thread context of 628	3388	gqshuqmkvj.pif	69

Suspicious use of AdjustPrivilegeToken 80 IoCs

description	pid	Process
Token: SeImpersonatePrivilege	644	RegSvcs.exe
Token: SeTcbPrivilege	644	RegSvcs.exe
Token: SeChangeNotifyPrivilege	644	RegSvcs.exe
Token: SeCreateTokenPrivilege	644	RegSvcs.exe
Token: SeBackupPrivilege	644	RegSvcs.exe
Token: SeRestorePrivilege	644	RegSvcs.exe
Token: SeIncreaseQuotaPrivilege	644	RegSvcs.exe
Token: SeAssignPrimaryTokenPrivilege	644	RegSvcs.exe
Token: SeImpersonatePrivilege	628	RegSvcs.exe
Token: SeTcbPrivilege	628	RegSvcs.exe
Token: SeChangeNotifyPrivilege	628	RegSvcs.exe
Token: SeCreateTokenPrivilege	628	RegSvcs.exe
Token: SeBackupPrivilege	628	RegSvcs.exe
Token: SeRestorePrivilege	628	RegSvcs.exe
Token: SeIncreaseQuotaPrivilege	628	RegSvcs.exe
Token: SeAssignPrimaryTokenPrivilege	628	RegSvcs.exe
Token: SeImpersonatePrivilege	644	RegSvcs.exe
Token: SeTcbPrivilege	644	RegSvcs.exe
Token: SeChangeNotifyPrivilege	644	RegSvcs.exe
Token: SeCreateTokenPrivilege	644	RegSvcs.exe
Token: SeImpersonatePrivilege	628	RegSvcs.exe
Token: SeBackupPrivilege	644	RegSvcs.exe
Token: SeTcbPrivilege	628	RegSvcs.exe
Token: SeRestorePrivilege	644	RegSvcs.exe
Token: SeChangeNotifyPrivilege	628	RegSvcs.exe
Token: SeCreateTokenPrivilege	628	RegSvcs.exe
Token: SeIncreaseQuotaPrivilege	644	RegSvcs.exe
Token: SeBackupPrivilege	628	RegSvcs.exe
Token: SeRestorePrivilege	628	RegSvcs.exe
Token: SeAssignPrimaryTokenPrivilege	644	RegSvcs.exe
Token: SeIncreaseQuotaPrivilege	628	RegSvcs.exe
Token: SeAssignPrimaryTokenPrivilege	628	RegSvcs.exe
Token: SeImpersonatePrivilege	644	RegSvcs.exe
Token: SeTcbPrivilege	644	RegSvcs.exe
Token: SeChangeNotifyPrivilege	644	RegSvcs.exe
Token: SeCreateTokenPrivilege	644	RegSvcs.exe
Token: SeBackupPrivilege	644	RegSvcs.exe
Token: SeRestorePrivilege	644	RegSvcs.exe
Token: SeIncreaseQuotaPrivilege	644	RegSvcs.exe
Token: SeAssignPrimaryTokenPrivilege	644	RegSvcs.exe
Token: SeImpersonatePrivilege	628	RegSvcs.exe
Token: SeTcbPrivilege	628	RegSvcs.exe
Token: SeChangeNotifyPrivilege	628	RegSvcs.exe
Token: SeCreateTokenPrivilege	628	RegSvcs.exe
Token: SeBackupPrivilege	628	RegSvcs.exe
Token: SeRestorePrivilege	628	RegSvcs.exe
Token: SeIncreaseQuotaPrivilege	628	RegSvcs.exe
Token: SeAssignPrimaryTokenPrivilege	628	RegSvcs.exe
Token: SeImpersonatePrivilege	644	RegSvcs.exe
Token: SeTcbPrivilege	644	RegSvcs.exe
Token: SeChangeNotifyPrivilege	644	RegSvcs.exe
Token: SeCreateTokenPrivilege	644	RegSvcs.exe
Token: SeBackupPrivilege	644	RegSvcs.exe
Token: SeRestorePrivilege	644	RegSvcs.exe
Token: SeIncreaseQuotaPrivilege	644	RegSvcs.exe
Token: SeAssignPrimaryTokenPrivilege	644	RegSvcs.exe
Token: SeImpersonatePrivilege	628	RegSvcs.exe
Token: SeTcbPrivilege	628	RegSvcs.exe
Token: SeChangeNotifyPrivilege	628	RegSvcs.exe
Token: SeCreateTokenPrivilege	628	RegSvcs.exe
Token: SeBackupPrivilege	628	RegSvcs.exe
Token: SeRestorePrivilege	628	RegSvcs.exe
Token: SeIncreaseQuotaPrivilege	628	RegSvcs.exe
Token: SeAssignPrimaryTokenPrivilege	628	RegSvcs.exe
Token: SeImpersonatePrivilege	628	RegSvcs.exe
Token: SeTcbPrivilege	628	RegSvcs.exe
Token: SeChangeNotifyPrivilege	628	RegSvcs.exe
Token: SeCreateTokenPrivilege	628	RegSvcs.exe
Token: SeBackupPrivilege	628	RegSvcs.exe
Token: SeRestorePrivilege	628	RegSvcs.exe
Token: SeIncreaseQuotaPrivilege	628	RegSvcs.exe
Token: SeAssignPrimaryTokenPrivilege	628	RegSvcs.exe
Token: SeImpersonatePrivilege	644	RegSvcs.exe
Token: SeTcbPrivilege	644	RegSvcs.exe
Token: SeChangeNotifyPrivilege	644	RegSvcs.exe
Token: SeCreateTokenPrivilege	644	RegSvcs.exe
Token: SeBackupPrivilege	644	RegSvcs.exe
Token: SeRestorePrivilege	644	RegSvcs.exe
Token: SeIncreaseQuotaPrivilege	644	RegSvcs.exe
Token: SeAssignPrimaryTokenPrivilege	644	RegSvcs.exe

Adds Run entry to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AutoUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\01567419\\Update.vbs"	gqshuqmkvj.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	gqshuqmkvj.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\chrome = "C:\\Users\\Admin\\AppData\\Roaming\\01567419\\GQSHUQ~1.PIF C:\\Users\\Admin\\AppData\\Roaming\\01567419\\PJCGKP~1.BUM"	gqshuqmkvj.pif

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 3892 wrote to memory of 3388	3892	77448484848.scr	67
PID 3892 wrote to memory of 3388	3892	77448484848.scr	67
PID 3892 wrote to memory of 3388	3892	77448484848.scr	67
PID 3388 wrote to memory of 628	3388	gqshuqmkvj.pif	69
PID 3388 wrote to memory of 628	3388	gqshuqmkvj.pif	69
PID 3388 wrote to memory of 628	3388	gqshuqmkvj.pif	69
PID 3388 wrote to memory of 644	3388	gqshuqmkvj.pif	70
PID 3388 wrote to memory of 644	3388	gqshuqmkvj.pif	70
PID 3388 wrote to memory of 644	3388	gqshuqmkvj.pif	70
PID 3388 wrote to memory of 644	3388	gqshuqmkvj.pif	70
PID 3388 wrote to memory of 644	3388	gqshuqmkvj.pif	70
PID 3388 wrote to memory of 644	3388	gqshuqmkvj.pif	70
PID 3388 wrote to memory of 644	3388	gqshuqmkvj.pif	70
PID 3388 wrote to memory of 644	3388	gqshuqmkvj.pif	70
PID 3388 wrote to memory of 628	3388	gqshuqmkvj.pif	69
PID 3388 wrote to memory of 628	3388	gqshuqmkvj.pif	69
PID 644 wrote to memory of 1192	644	RegSvcs.exe	71
PID 644 wrote to memory of 1192	644	RegSvcs.exe	71
PID 644 wrote to memory of 1192	644	RegSvcs.exe	71
PID 628 wrote to memory of 1184	628	RegSvcs.exe	72
PID 628 wrote to memory of 1184	628	RegSvcs.exe	72
PID 628 wrote to memory of 1184	628	RegSvcs.exe	72

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Checks for installed software on the system 1 TTPs 14 IoCs

discovery

Query Registry

T1012

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\DisplayName	RegSvcs.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\DisplayName	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall	RegSvcs.exe
Key enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall	RegSvcs.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\DisplayName	RegSvcs.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\DisplayName	RegSvcs.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\DisplayName	RegSvcs.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\DisplayName	RegSvcs.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall	RegSvcs.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\DisplayName	RegSvcs.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\DisplayName	RegSvcs.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	RegSvcs.exe
Key enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall	RegSvcs.exe

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

C:\Users\Admin\AppData\Local\Temp\77448484848.scr
"C:\Users\Admin\AppData\Local\Temp\77448484848.scr" /S
1⤵
- Suspicious use of WriteProcessMemory
PID:3892
- C:\Users\Admin\AppData\Roaming\01567419\gqshuqmkvj.pif
  "C:\Users\Admin\AppData\Roaming\01567419\gqshuqmkvj.pif" pjcgkpblx.bum
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Adds Run entry to start application
  - Suspicious use of WriteProcessMemory
  PID:3388
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - Checks for installed software on the system
    PID:628
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\76859.bat" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" "
      4⤵
      PID:1184
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - Checks for installed software on the system
    PID:644
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\76875.bat" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" "
      4⤵
      PID:1192

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/628-9-0x0000000000400000-0x0000000000997F0E-memory.dmp

Filesize
5.6MB

Download
memory/628-12-0x0000000000400000-0x0000000000997F0E-memory.dmp

Filesize
5.6MB

Download
memory/644-10-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/644-7-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download