pony | 56122070a3bdb1f168cbae330d58b9c268700509420d2670ccafd01221b45751

Analysis

max time kernel
100s
max time network
113s
platform
windows7_x64
resource
win7-20220718-en
resource tags

arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
submitted
25-07-2022 05:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

files/4.exe
Size

13.3MB
MD5

3506d61924caf464f2504d3e330ba11e
SHA1

4472cc23b5e7860a8fd5d371152ab92c263273f4
SHA256

8810286390803f16cf848691b51bfc92b21ace6a537503a86bc3ed497d579f2c
SHA512

cf9009cf2a56b7d611f268c3931e85ac99b3a22e3461d1bb492e114cd198d108f9e269f4a12b2cb03985ebf6a7dbe404334176e1530e7282b653b82ca586634f

Score

10^/10

pony collection discovery persistence rat spyware stealer

Malware Config

Extracted

Family

pony

http://mepsb-com.me/solisoft/coreserver/gate.php

Attributes

payload_url
http://mepsb-com.me/solisoft/coreserver/shit.exe

Signatures

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Executes dropped EXE 2 IoCs

Processes:

filename.scrfilename.scr

pid process

1812 filename.scr
1472 filename.scr
Loads dropped DLL 3 IoCs

Processes:

WScript.exefilename.scr

pid process

1700 WScript.exe
1700 WScript.exe
1812 filename.scr
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1812	filename.scr
1472	filename.scr

pid	process
1700	WScript.exe
1700	WScript.exe
1812	filename.scr

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

filename.scr

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	filename.scr

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

filename.scr

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	filename.scr

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\subfolder = "C:\\Users\\Admin\\AppData\\Local\\Temp\\subfolder\\filename.vbs"	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	WScript.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 32 IoCs

Processes:

filename.scr

description	pid	process
Token: SeImpersonatePrivilege	1472	filename.scr
Token: SeTcbPrivilege	1472	filename.scr
Token: SeChangeNotifyPrivilege	1472	filename.scr
Token: SeCreateTokenPrivilege	1472	filename.scr
Token: SeBackupPrivilege	1472	filename.scr
Token: SeRestorePrivilege	1472	filename.scr
Token: SeIncreaseQuotaPrivilege	1472	filename.scr
Token: SeAssignPrimaryTokenPrivilege	1472	filename.scr
Token: SeImpersonatePrivilege	1472	filename.scr
Token: SeTcbPrivilege	1472	filename.scr
Token: SeChangeNotifyPrivilege	1472	filename.scr
Token: SeCreateTokenPrivilege	1472	filename.scr
Token: SeBackupPrivilege	1472	filename.scr
Token: SeRestorePrivilege	1472	filename.scr
Token: SeIncreaseQuotaPrivilege	1472	filename.scr
Token: SeAssignPrimaryTokenPrivilege	1472	filename.scr
Token: SeImpersonatePrivilege	1472	filename.scr
Token: SeTcbPrivilege	1472	filename.scr
Token: SeChangeNotifyPrivilege	1472	filename.scr
Token: SeCreateTokenPrivilege	1472	filename.scr
Token: SeBackupPrivilege	1472	filename.scr
Token: SeRestorePrivilege	1472	filename.scr
Token: SeIncreaseQuotaPrivilege	1472	filename.scr
Token: SeAssignPrimaryTokenPrivilege	1472	filename.scr
Token: SeImpersonatePrivilege	1472	filename.scr
Token: SeTcbPrivilege	1472	filename.scr
Token: SeChangeNotifyPrivilege	1472	filename.scr
Token: SeCreateTokenPrivilege	1472	filename.scr
Token: SeBackupPrivilege	1472	filename.scr
Token: SeRestorePrivilege	1472	filename.scr
Token: SeIncreaseQuotaPrivilege	1472	filename.scr
Token: SeAssignPrimaryTokenPrivilege	1472	filename.scr

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

4.exefilename.scr

pid process

1492 4.exe
1812 filename.scr

pid	process
1492	4.exe
1812	filename.scr

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

4.exeWScript.exefilename.scrfilename.scr

description	pid	process	target process
PID 1492 wrote to memory of 1700	1492	4.exe	WScript.exe
PID 1492 wrote to memory of 1700	1492	4.exe	WScript.exe
PID 1492 wrote to memory of 1700	1492	4.exe	WScript.exe
PID 1492 wrote to memory of 1700	1492	4.exe	WScript.exe
PID 1700 wrote to memory of 1812	1700	WScript.exe	filename.scr
PID 1700 wrote to memory of 1812	1700	WScript.exe	filename.scr
PID 1700 wrote to memory of 1812	1700	WScript.exe	filename.scr
PID 1700 wrote to memory of 1812	1700	WScript.exe	filename.scr
PID 1812 wrote to memory of 1472	1812	filename.scr	filename.scr
PID 1812 wrote to memory of 1472	1812	filename.scr	filename.scr
PID 1812 wrote to memory of 1472	1812	filename.scr	filename.scr
PID 1812 wrote to memory of 1472	1812	filename.scr	filename.scr
PID 1812 wrote to memory of 1472	1812	filename.scr	filename.scr
PID 1812 wrote to memory of 1472	1812	filename.scr	filename.scr
PID 1812 wrote to memory of 1472	1812	filename.scr	filename.scr
PID 1812 wrote to memory of 1472	1812	filename.scr	filename.scr
PID 1812 wrote to memory of 1472	1812	filename.scr	filename.scr
PID 1812 wrote to memory of 1472	1812	filename.scr	filename.scr
PID 1812 wrote to memory of 1472	1812	filename.scr	filename.scr
PID 1812 wrote to memory of 1472	1812	filename.scr	filename.scr
PID 1812 wrote to memory of 1472	1812	filename.scr	filename.scr
PID 1812 wrote to memory of 1472	1812	filename.scr	filename.scr
PID 1812 wrote to memory of 1472	1812	filename.scr	filename.scr
PID 1472 wrote to memory of 1568	1472	filename.scr	cmd.exe
PID 1472 wrote to memory of 1568	1472	filename.scr	cmd.exe
PID 1472 wrote to memory of 1568	1472	filename.scr	cmd.exe
PID 1472 wrote to memory of 1568	1472	filename.scr	cmd.exe

outlook_win_path 1 IoCs

Processes:

filename.scr

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	filename.scr

C:\Users\Admin\AppData\Local\Temp\files\4.exe
"C:\Users\Admin\AppData\Local\Temp\files\4.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1492

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\subfolder\filename.vbs"
2⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1700

C:\Users\Admin\AppData\Local\Temp\subfolder\filename.scr
"C:\Users\Admin\AppData\Local\Temp\subfolder\filename.scr" /S
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1812

C:\Users\Admin\AppData\Local\Temp\subfolder\filename.scr
"C:\Users\Admin\AppData\Local\Temp\subfolder\filename.scr" /S
4⤵
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_win_path
PID:1472

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\7186607.bat" "C:\Users\Admin\AppData\Local\Temp\subfolder\filename.scr" "
5⤵
PID:1568

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7186607.bat
Filesize
94B

MD5
3880eeb1c736d853eb13b44898b718ab

SHA1
4eec9d50360cd815211e3c4e6bdd08271b6ec8e6

SHA256
936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7

SHA512
3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\subfolder\filename.scr
Filesize
13.3MB

MD5
e615354d620941db592d304f53cbaddd

SHA1
a89cd49f4f00b10afea77f44f73071a931858ae6

SHA256
7445f20a8ab4450280b2baca433ccf6bd28763701686822f0595209850f1a94a

SHA512
554fd2161d85751e680ec02ff81718df22ff5ea41ea78a461a1d63497cab9701f8a27aeb3383b68a243832b55f699c44337dbfd8c8a025ff096779dd5347ce73

Download Submit
C:\Users\Admin\AppData\Local\Temp\subfolder\filename.scr
Filesize
13.3MB

MD5
e615354d620941db592d304f53cbaddd

SHA1
a89cd49f4f00b10afea77f44f73071a931858ae6

SHA256
7445f20a8ab4450280b2baca433ccf6bd28763701686822f0595209850f1a94a

SHA512
554fd2161d85751e680ec02ff81718df22ff5ea41ea78a461a1d63497cab9701f8a27aeb3383b68a243832b55f699c44337dbfd8c8a025ff096779dd5347ce73

Download Submit
C:\Users\Admin\AppData\Local\Temp\subfolder\filename.scr
Filesize
13.3MB

MD5
e615354d620941db592d304f53cbaddd

SHA1
a89cd49f4f00b10afea77f44f73071a931858ae6

SHA256
7445f20a8ab4450280b2baca433ccf6bd28763701686822f0595209850f1a94a

SHA512
554fd2161d85751e680ec02ff81718df22ff5ea41ea78a461a1d63497cab9701f8a27aeb3383b68a243832b55f699c44337dbfd8c8a025ff096779dd5347ce73

Download Submit
C:\Users\Admin\AppData\Local\Temp\subfolder\filename.vbs
Filesize
1024B

MD5
b4ecba56f82e31510cf0ee604183871d

SHA1
6de710ee461c3f81e45f6ee607499e45fcbe75e1

SHA256
0357e98a46cfd5620015b01278de1e4bb96d46f9878686da2c43ec93e6a0016a

SHA512
ae6af40e002af35fb112574c1d22eb24e253a8c4582a9776fae021d18d6a71173cdcfa2b2623dd1200b6d7908041329983ec9cb01a8596f401d9de313e4d9611

Download Submit
\Users\Admin\AppData\Local\Temp\subfolder\filename.scr
Filesize
13.3MB

MD5
e615354d620941db592d304f53cbaddd

SHA1
a89cd49f4f00b10afea77f44f73071a931858ae6

SHA256
7445f20a8ab4450280b2baca433ccf6bd28763701686822f0595209850f1a94a

SHA512
554fd2161d85751e680ec02ff81718df22ff5ea41ea78a461a1d63497cab9701f8a27aeb3383b68a243832b55f699c44337dbfd8c8a025ff096779dd5347ce73

Download Submit
\Users\Admin\AppData\Local\Temp\subfolder\filename.scr
Filesize
13.3MB

MD5
e615354d620941db592d304f53cbaddd

SHA1
a89cd49f4f00b10afea77f44f73071a931858ae6

SHA256
7445f20a8ab4450280b2baca433ccf6bd28763701686822f0595209850f1a94a

SHA512
554fd2161d85751e680ec02ff81718df22ff5ea41ea78a461a1d63497cab9701f8a27aeb3383b68a243832b55f699c44337dbfd8c8a025ff096779dd5347ce73

Download Submit
\Users\Admin\AppData\Local\Temp\subfolder\filename.scr
Filesize
13.3MB

MD5
e615354d620941db592d304f53cbaddd

SHA1
a89cd49f4f00b10afea77f44f73071a931858ae6

SHA256
7445f20a8ab4450280b2baca433ccf6bd28763701686822f0595209850f1a94a

SHA512
554fd2161d85751e680ec02ff81718df22ff5ea41ea78a461a1d63497cab9701f8a27aeb3383b68a243832b55f699c44337dbfd8c8a025ff096779dd5347ce73

Download Submit
memory/1472-70-0x0000000000000000-mapping.dmp

Download
memory/1472-73-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1472-75-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1472-76-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1472-77-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1472-79-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1492-56-0x00000000750B1000-0x00000000750B3000-memory.dmp

Filesize
8KB

Download
memory/1492-57-0x0000000001260000-0x0000000001266000-memory.dmp

Filesize
24KB

Download
memory/1568-78-0x0000000000000000-mapping.dmp

Download
memory/1700-58-0x0000000000000000-mapping.dmp

Download
memory/1812-64-0x0000000000000000-mapping.dmp

Download
memory/1812-71-0x00000000029C0000-0x00000000029C6000-memory.dmp

Filesize
24KB

Download