pony | f272777ee69921d167509fdf27ad55f4deb671a9063854d63bef679aaa31d1ba

General

Target

697B7BFC9F44A4E89FB38857312C198B.exe
Size

285KB
MD5

697b7bfc9f44a4e89fb38857312c198b
SHA1

2189356d911952211d15ccf1a21d587ff88e72b0
SHA256

f272777ee69921d167509fdf27ad55f4deb671a9063854d63bef679aaa31d1ba
SHA512

ae2ff5d11e8ecb9825c049a506cc9f5a28b0479cebda6bc466a49c56e913e453d5764a289ce686f92bb8faf84534c0c7fdd8db8759729237d4fb169023dec4f8

Score

10^/10

Malware Config

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral1/memory/548-6-0x0000000000510000-0x000000000052E000-memory.dmp	disable_win_def

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

ReZer0 packer 1 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

Processes:

resource	yara_rule
behavioral1/memory/548-6-0x0000000000510000-0x000000000052E000-memory.dmp	rezer0

Suspicious use of SetThreadContext 1 IoCs

Processes:

697B7BFC9F44A4E89FB38857312C198B.exe

description pid process target process

PID 548 set thread context of 2032 548 697B7BFC9F44A4E89FB38857312C198B.exe MSBuild.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1908 schtasks.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

697B7BFC9F44A4E89FB38857312C198B.exe

pid process

548 697B7BFC9F44A4E89FB38857312C198B.exe

description	pid	process	target process
PID 548 set thread context of 2032	548	697B7BFC9F44A4E89FB38857312C198B.exe	MSBuild.exe

pid	process
1908	schtasks.exe

pid	process
548	697B7BFC9F44A4E89FB38857312C198B.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

Processes:

697B7BFC9F44A4E89FB38857312C198B.exeMSBuild.exe

description	pid	process
Token: SeDebugPrivilege	548	697B7BFC9F44A4E89FB38857312C198B.exe
Token: SeImpersonatePrivilege	2032	MSBuild.exe
Token: SeTcbPrivilege	2032	MSBuild.exe
Token: SeChangeNotifyPrivilege	2032	MSBuild.exe
Token: SeCreateTokenPrivilege	2032	MSBuild.exe
Token: SeBackupPrivilege	2032	MSBuild.exe
Token: SeRestorePrivilege	2032	MSBuild.exe
Token: SeIncreaseQuotaPrivilege	2032	MSBuild.exe
Token: SeAssignPrimaryTokenPrivilege	2032	MSBuild.exe
Token: SeImpersonatePrivilege	2032	MSBuild.exe
Token: SeTcbPrivilege	2032	MSBuild.exe
Token: SeChangeNotifyPrivilege	2032	MSBuild.exe
Token: SeCreateTokenPrivilege	2032	MSBuild.exe
Token: SeBackupPrivilege	2032	MSBuild.exe
Token: SeRestorePrivilege	2032	MSBuild.exe
Token: SeIncreaseQuotaPrivilege	2032	MSBuild.exe
Token: SeAssignPrimaryTokenPrivilege	2032	MSBuild.exe
Token: SeImpersonatePrivilege	2032	MSBuild.exe
Token: SeTcbPrivilege	2032	MSBuild.exe
Token: SeChangeNotifyPrivilege	2032	MSBuild.exe
Token: SeCreateTokenPrivilege	2032	MSBuild.exe
Token: SeBackupPrivilege	2032	MSBuild.exe
Token: SeRestorePrivilege	2032	MSBuild.exe
Token: SeIncreaseQuotaPrivilege	2032	MSBuild.exe
Token: SeAssignPrimaryTokenPrivilege	2032	MSBuild.exe
Token: SeImpersonatePrivilege	2032	MSBuild.exe
Token: SeTcbPrivilege	2032	MSBuild.exe
Token: SeChangeNotifyPrivilege	2032	MSBuild.exe
Token: SeCreateTokenPrivilege	2032	MSBuild.exe
Token: SeBackupPrivilege	2032	MSBuild.exe
Token: SeRestorePrivilege	2032	MSBuild.exe
Token: SeIncreaseQuotaPrivilege	2032	MSBuild.exe
Token: SeAssignPrimaryTokenPrivilege	2032	MSBuild.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

697B7BFC9F44A4E89FB38857312C198B.exeMSBuild.exe

description	pid	process	target process
PID 548 wrote to memory of 1908	548	697B7BFC9F44A4E89FB38857312C198B.exe	schtasks.exe
PID 548 wrote to memory of 1908	548	697B7BFC9F44A4E89FB38857312C198B.exe	schtasks.exe
PID 548 wrote to memory of 1908	548	697B7BFC9F44A4E89FB38857312C198B.exe	schtasks.exe
PID 548 wrote to memory of 1908	548	697B7BFC9F44A4E89FB38857312C198B.exe	schtasks.exe
PID 548 wrote to memory of 2032	548	697B7BFC9F44A4E89FB38857312C198B.exe	MSBuild.exe
PID 548 wrote to memory of 2032	548	697B7BFC9F44A4E89FB38857312C198B.exe	MSBuild.exe
PID 548 wrote to memory of 2032	548	697B7BFC9F44A4E89FB38857312C198B.exe	MSBuild.exe
PID 548 wrote to memory of 2032	548	697B7BFC9F44A4E89FB38857312C198B.exe	MSBuild.exe
PID 548 wrote to memory of 2032	548	697B7BFC9F44A4E89FB38857312C198B.exe	MSBuild.exe
PID 548 wrote to memory of 2032	548	697B7BFC9F44A4E89FB38857312C198B.exe	MSBuild.exe
PID 548 wrote to memory of 2032	548	697B7BFC9F44A4E89FB38857312C198B.exe	MSBuild.exe
PID 548 wrote to memory of 2032	548	697B7BFC9F44A4E89FB38857312C198B.exe	MSBuild.exe
PID 548 wrote to memory of 2032	548	697B7BFC9F44A4E89FB38857312C198B.exe	MSBuild.exe
PID 2032 wrote to memory of 1112	2032	MSBuild.exe	cmd.exe
PID 2032 wrote to memory of 1112	2032	MSBuild.exe	cmd.exe
PID 2032 wrote to memory of 1112	2032	MSBuild.exe	cmd.exe
PID 2032 wrote to memory of 1112	2032	MSBuild.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\697B7BFC9F44A4E89FB38857312C198B.exe
"C:\Users\Admin\AppData\Local\Temp\697B7BFC9F44A4E89FB38857312C198B.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:548

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TYsahGzZfGPn" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5744.tmp"
2⤵
- Creates scheduled task(s)
PID:1908

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"{path}"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\259301414.bat" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" "
3⤵
PID:1112

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\259301414.bat
MD5
3880eeb1c736d853eb13b44898b718ab

SHA1
4eec9d50360cd815211e3c4e6bdd08271b6ec8e6

SHA256
936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7

SHA512
3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5744.tmp
MD5
5b7cc84fd152d6da2899388600ebb832

SHA1
0c8b3c1b46287056ca6abb64c9690de128e669f1

SHA256
6a653efd04b6eb9f0659850a95806809680033c0a89ddcfd5fd1c0cecab275e3

SHA512
a6d9d0cd6a5281dce9047e3848e27124aa514c5d9cb942b4a668096fe6f9c128723f508f73ad2dde78b1988782e4b5330c77c0659c192861be2c8edee2ca36bc

Download Submit
memory/548-3-0x00000000009F0000-0x00000000009F1000-memory.dmp

Filesize
4KB

Download
memory/548-5-0x0000000004780000-0x0000000004781000-memory.dmp

Filesize
4KB

Download
memory/548-6-0x0000000000510000-0x000000000052E000-memory.dmp

Filesize
120KB

Download
memory/548-2-0x0000000074B50000-0x000000007523E000-memory.dmp

Filesize
6.9MB

Download
memory/840-13-0x000007FEF8800000-0x000007FEF8A7A000-memory.dmp

Filesize
2.5MB

Download
memory/1112-14-0x0000000000000000-mapping.dmp

Download
memory/1908-7-0x0000000000000000-mapping.dmp

Download
memory/2032-9-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2032-12-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2032-11-0x0000000076451000-0x0000000076453000-memory.dmp

Filesize
8KB

Download
memory/2032-10-0x0000000000410621-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads