pony | c4c21a36bd1f32a71dd00f0bd2fa78c9ab6cc9df30de77f4f99cb5d0da080cb3

General

Target

VWR CI 290421.xlsx.exe
Size

331KB
MD5

94c33eb1b3a778c5b38d55c5fd40f2ab
SHA1

10e1a14fc45346a5d4bccfff8d46bf90929fc66c
SHA256

c4c21a36bd1f32a71dd00f0bd2fa78c9ab6cc9df30de77f4f99cb5d0da080cb3
SHA512

92b5cbde3ed79d4b1a2fccf8fc29f8d2b5a18ed158bccdda2350b6802d774bd4e2c083b31a9fdb81b67b1712fa9fce175d2e28fded75e0ba0a3918d52c00ffb9

Score

10^/10

pony rat spyware stealer

Malware Config

Signatures

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Loads dropped DLL 1 IoCs

Processes:

VWR CI 290421.xlsx.exe

pid process

4008 VWR CI 290421.xlsx.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

VWR CI 290421.xlsx.exe

description pid process target process

PID 4008 set thread context of 2508 4008 VWR CI 290421.xlsx.exe svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

VWR CI 290421.xlsx.exe

pid process

4008 VWR CI 290421.xlsx.exe

pid	process
4008	VWR CI 290421.xlsx.exe

description	pid	process	target process
PID 4008 set thread context of 2508	4008	VWR CI 290421.xlsx.exe	svchost.exe

pid	process
4008	VWR CI 290421.xlsx.exe

Suspicious use of AdjustPrivilegeToken 40 IoCs

Processes:

svchost.exe

description	pid	process
Token: SeImpersonatePrivilege	2508	svchost.exe
Token: SeTcbPrivilege	2508	svchost.exe
Token: SeChangeNotifyPrivilege	2508	svchost.exe
Token: SeCreateTokenPrivilege	2508	svchost.exe
Token: SeBackupPrivilege	2508	svchost.exe
Token: SeRestorePrivilege	2508	svchost.exe
Token: SeIncreaseQuotaPrivilege	2508	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2508	svchost.exe
Token: SeImpersonatePrivilege	2508	svchost.exe
Token: SeTcbPrivilege	2508	svchost.exe
Token: SeChangeNotifyPrivilege	2508	svchost.exe
Token: SeCreateTokenPrivilege	2508	svchost.exe
Token: SeBackupPrivilege	2508	svchost.exe
Token: SeRestorePrivilege	2508	svchost.exe
Token: SeIncreaseQuotaPrivilege	2508	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2508	svchost.exe
Token: SeImpersonatePrivilege	2508	svchost.exe
Token: SeTcbPrivilege	2508	svchost.exe
Token: SeChangeNotifyPrivilege	2508	svchost.exe
Token: SeCreateTokenPrivilege	2508	svchost.exe
Token: SeBackupPrivilege	2508	svchost.exe
Token: SeRestorePrivilege	2508	svchost.exe
Token: SeIncreaseQuotaPrivilege	2508	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2508	svchost.exe
Token: SeImpersonatePrivilege	2508	svchost.exe
Token: SeTcbPrivilege	2508	svchost.exe
Token: SeChangeNotifyPrivilege	2508	svchost.exe
Token: SeCreateTokenPrivilege	2508	svchost.exe
Token: SeBackupPrivilege	2508	svchost.exe
Token: SeRestorePrivilege	2508	svchost.exe
Token: SeIncreaseQuotaPrivilege	2508	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2508	svchost.exe
Token: SeImpersonatePrivilege	2508	svchost.exe
Token: SeTcbPrivilege	2508	svchost.exe
Token: SeChangeNotifyPrivilege	2508	svchost.exe
Token: SeCreateTokenPrivilege	2508	svchost.exe
Token: SeBackupPrivilege	2508	svchost.exe
Token: SeRestorePrivilege	2508	svchost.exe
Token: SeIncreaseQuotaPrivilege	2508	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2508	svchost.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

VWR CI 290421.xlsx.exesvchost.exe

description	pid	process	target process
PID 4008 wrote to memory of 2508	4008	VWR CI 290421.xlsx.exe	svchost.exe
PID 4008 wrote to memory of 2508	4008	VWR CI 290421.xlsx.exe	svchost.exe
PID 4008 wrote to memory of 2508	4008	VWR CI 290421.xlsx.exe	svchost.exe
PID 4008 wrote to memory of 2508	4008	VWR CI 290421.xlsx.exe	svchost.exe
PID 2508 wrote to memory of 3916	2508	svchost.exe	cmd.exe
PID 2508 wrote to memory of 3916	2508	svchost.exe	cmd.exe
PID 2508 wrote to memory of 3916	2508	svchost.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\VWR CI 290421.xlsx.exe
"C:\Users\Admin\AppData\Local\Temp\VWR CI 290421.xlsx.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4008

C:\Windows\SysWOW64\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\VWR CI 290421.xlsx.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2508

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\259269218.bat" "C:\Windows\SysWOW64\svchost.exe" "
3⤵
PID:3916

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\259269218.bat

MD5
3880eeb1c736d853eb13b44898b718ab

SHA1
4eec9d50360cd815211e3c4e6bdd08271b6ec8e6

SHA256
936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7

SHA512
3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

Download Submit
\Users\Admin\AppData\Local\Temp\nsh1A17.tmp\xrlqvla0n.dll

MD5
587481ce209ff25391ce17827c464cf8

SHA1
0a20871ae621d6f75e74bf5c4f1ef80333201f89

SHA256
f5ffc43f62751866c978c1d5bd24eb7cc1863f58ca22cc12fc333bf9ad667140

SHA512
ff637dbdb1b11a8cbbe8a713ed9cd06728aa9d462986c0330712d879449540488b9ee06b24afbce18638fe839b9029e9ca1ab08215d32060608afe8746e2ce78

Download Submit
memory/2508-115-0x0000000000410621-mapping.dmp

Download
memory/2508-119-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/3916-120-0x0000000000000000-mapping.dmp

Download
memory/4008-118-0x0000000002390000-0x0000000002392000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing