pony | f272777ee69921d167509fdf27ad55f4deb671a9063854d63bef679aaa31d1ba

General

Target

697B7BFC9F44A4E89FB38857312C198B.exe
Size

285KB
MD5

697b7bfc9f44a4e89fb38857312c198b
SHA1

2189356d911952211d15ccf1a21d587ff88e72b0
SHA256

f272777ee69921d167509fdf27ad55f4deb671a9063854d63bef679aaa31d1ba
SHA512

ae2ff5d11e8ecb9825c049a506cc9f5a28b0479cebda6bc466a49c56e913e453d5764a289ce686f92bb8faf84534c0c7fdd8db8759729237d4fb169023dec4f8

Score

10^/10

Malware Config

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral2/memory/4772-10-0x0000000008D10000-0x0000000008D2E000-memory.dmp	disable_win_def

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

ReZer0 packer 1 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

Processes:

resource	yara_rule
behavioral2/memory/4772-10-0x0000000008D10000-0x0000000008D2E000-memory.dmp	rezer0

Suspicious use of SetThreadContext 1 IoCs

Processes:

697B7BFC9F44A4E89FB38857312C198B.exe

description pid process target process

PID 4772 set thread context of 4216 4772 697B7BFC9F44A4E89FB38857312C198B.exe MSBuild.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3908 schtasks.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

697B7BFC9F44A4E89FB38857312C198B.exe

pid process

4772 697B7BFC9F44A4E89FB38857312C198B.exe

description	pid	process	target process
PID 4772 set thread context of 4216	4772	697B7BFC9F44A4E89FB38857312C198B.exe	MSBuild.exe

pid	process
3908	schtasks.exe

pid	process
4772	697B7BFC9F44A4E89FB38857312C198B.exe

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

697B7BFC9F44A4E89FB38857312C198B.exeMSBuild.exe

description	pid	process
Token: SeDebugPrivilege	4772	697B7BFC9F44A4E89FB38857312C198B.exe
Token: SeImpersonatePrivilege	4216	MSBuild.exe
Token: SeTcbPrivilege	4216	MSBuild.exe
Token: SeChangeNotifyPrivilege	4216	MSBuild.exe
Token: SeCreateTokenPrivilege	4216	MSBuild.exe
Token: SeBackupPrivilege	4216	MSBuild.exe
Token: SeRestorePrivilege	4216	MSBuild.exe
Token: SeIncreaseQuotaPrivilege	4216	MSBuild.exe
Token: SeAssignPrimaryTokenPrivilege	4216	MSBuild.exe
Token: SeImpersonatePrivilege	4216	MSBuild.exe
Token: SeTcbPrivilege	4216	MSBuild.exe
Token: SeChangeNotifyPrivilege	4216	MSBuild.exe
Token: SeCreateTokenPrivilege	4216	MSBuild.exe
Token: SeBackupPrivilege	4216	MSBuild.exe
Token: SeRestorePrivilege	4216	MSBuild.exe
Token: SeIncreaseQuotaPrivilege	4216	MSBuild.exe
Token: SeAssignPrimaryTokenPrivilege	4216	MSBuild.exe
Token: SeImpersonatePrivilege	4216	MSBuild.exe
Token: SeTcbPrivilege	4216	MSBuild.exe
Token: SeChangeNotifyPrivilege	4216	MSBuild.exe
Token: SeCreateTokenPrivilege	4216	MSBuild.exe
Token: SeBackupPrivilege	4216	MSBuild.exe
Token: SeRestorePrivilege	4216	MSBuild.exe
Token: SeIncreaseQuotaPrivilege	4216	MSBuild.exe
Token: SeAssignPrimaryTokenPrivilege	4216	MSBuild.exe
Token: SeImpersonatePrivilege	4216	MSBuild.exe
Token: SeTcbPrivilege	4216	MSBuild.exe
Token: SeChangeNotifyPrivilege	4216	MSBuild.exe
Token: SeCreateTokenPrivilege	4216	MSBuild.exe
Token: SeBackupPrivilege	4216	MSBuild.exe
Token: SeRestorePrivilege	4216	MSBuild.exe
Token: SeIncreaseQuotaPrivilege	4216	MSBuild.exe
Token: SeAssignPrimaryTokenPrivilege	4216	MSBuild.exe
Token: SeImpersonatePrivilege	4216	MSBuild.exe
Token: SeTcbPrivilege	4216	MSBuild.exe
Token: SeChangeNotifyPrivilege	4216	MSBuild.exe
Token: SeCreateTokenPrivilege	4216	MSBuild.exe
Token: SeBackupPrivilege	4216	MSBuild.exe
Token: SeRestorePrivilege	4216	MSBuild.exe
Token: SeIncreaseQuotaPrivilege	4216	MSBuild.exe
Token: SeAssignPrimaryTokenPrivilege	4216	MSBuild.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

697B7BFC9F44A4E89FB38857312C198B.exeMSBuild.exe

description	pid	process	target process
PID 4772 wrote to memory of 3908	4772	697B7BFC9F44A4E89FB38857312C198B.exe	schtasks.exe
PID 4772 wrote to memory of 3908	4772	697B7BFC9F44A4E89FB38857312C198B.exe	schtasks.exe
PID 4772 wrote to memory of 3908	4772	697B7BFC9F44A4E89FB38857312C198B.exe	schtasks.exe
PID 4772 wrote to memory of 4216	4772	697B7BFC9F44A4E89FB38857312C198B.exe	MSBuild.exe
PID 4772 wrote to memory of 4216	4772	697B7BFC9F44A4E89FB38857312C198B.exe	MSBuild.exe
PID 4772 wrote to memory of 4216	4772	697B7BFC9F44A4E89FB38857312C198B.exe	MSBuild.exe
PID 4772 wrote to memory of 4216	4772	697B7BFC9F44A4E89FB38857312C198B.exe	MSBuild.exe
PID 4772 wrote to memory of 4216	4772	697B7BFC9F44A4E89FB38857312C198B.exe	MSBuild.exe
PID 4772 wrote to memory of 4216	4772	697B7BFC9F44A4E89FB38857312C198B.exe	MSBuild.exe
PID 4772 wrote to memory of 4216	4772	697B7BFC9F44A4E89FB38857312C198B.exe	MSBuild.exe
PID 4772 wrote to memory of 4216	4772	697B7BFC9F44A4E89FB38857312C198B.exe	MSBuild.exe
PID 4216 wrote to memory of 840	4216	MSBuild.exe	cmd.exe
PID 4216 wrote to memory of 840	4216	MSBuild.exe	cmd.exe
PID 4216 wrote to memory of 840	4216	MSBuild.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\697B7BFC9F44A4E89FB38857312C198B.exe
"C:\Users\Admin\AppData\Local\Temp\697B7BFC9F44A4E89FB38857312C198B.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4772

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TYsahGzZfGPn" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6FD6.tmp"
2⤵
- Creates scheduled task(s)
PID:3908

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"{path}"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\259299890.bat" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" "
3⤵
PID:840

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\259299890.bat
MD5
3880eeb1c736d853eb13b44898b718ab

SHA1
4eec9d50360cd815211e3c4e6bdd08271b6ec8e6

SHA256
936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7

SHA512
3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6FD6.tmp
MD5
dd5687508def78058f9dd473f0a7b39b

SHA1
bfda703e5b6ac0f889461620c1493f2be3580ce6

SHA256
c1b8d0fbd3d6e6d636a48c9f26f5ff6069dab05e5a277340750c9979681e72d3

SHA512
547a1c9b45b92e07e856005240f9b6603120f5ea8a646049a2f65733293afd37aa68d1f887548dea17319237e6b9ef070a39d9c9b25750c517ca82006d7e1e9f

Download Submit
memory/840-16-0x0000000000000000-mapping.dmp

Download
memory/3908-11-0x0000000000000000-mapping.dmp

Download
memory/4216-15-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/4216-14-0x0000000000410621-mapping.dmp

Download
memory/4216-13-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/4772-6-0x0000000005620000-0x0000000005621000-memory.dmp

Filesize
4KB

Download
memory/4772-10-0x0000000008D10000-0x0000000008D2E000-memory.dmp

Filesize
120KB

Download
memory/4772-9-0x0000000008D80000-0x0000000008D81000-memory.dmp

Filesize
4KB

Download
memory/4772-8-0x0000000005870000-0x0000000005871000-memory.dmp

Filesize
4KB

Download
memory/4772-7-0x0000000005610000-0x0000000005611000-memory.dmp

Filesize
4KB

Download
memory/4772-2-0x0000000073150000-0x000000007383E000-memory.dmp

Filesize
6.9MB

Download
memory/4772-5-0x0000000005A80000-0x0000000005A81000-memory.dmp

Filesize
4KB

Download
memory/4772-3-0x0000000000D90000-0x0000000000D91000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads