pony | 56122070a3bdb1f168cbae330d58b9c268700509420d2670ccafd01221b45751

Analysis

max time kernel
144s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220721-en
resource tags

arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
submitted
25-07-2022 05:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

files/4.exe
Size

13.3MB
MD5

3506d61924caf464f2504d3e330ba11e
SHA1

4472cc23b5e7860a8fd5d371152ab92c263273f4
SHA256

8810286390803f16cf848691b51bfc92b21ace6a537503a86bc3ed497d579f2c
SHA512

cf9009cf2a56b7d611f268c3931e85ac99b3a22e3461d1bb492e114cd198d108f9e269f4a12b2cb03985ebf6a7dbe404334176e1530e7282b653b82ca586634f

Score

10^/10

pony collection discovery persistence rat spyware stealer

Malware Config

Extracted

Family

pony

http://mepsb-com.me/solisoft/coreserver/gate.php

Attributes

payload_url
http://mepsb-com.me/solisoft/coreserver/shit.exe

Signatures

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Executes dropped EXE 2 IoCs

pid	Process
1588	filename.scr
396	filename.scr

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation	4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation	filename.scr

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	filename.scr

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	filename.scr

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\subfolder = "C:\\Users\\Admin\\AppData\\Local\\Temp\\subfolder\\filename.vbs"	WScript.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings	4.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeImpersonatePrivilege	396	filename.scr
Token: SeTcbPrivilege	396	filename.scr
Token: SeChangeNotifyPrivilege	396	filename.scr
Token: SeCreateTokenPrivilege	396	filename.scr
Token: SeBackupPrivilege	396	filename.scr
Token: SeRestorePrivilege	396	filename.scr
Token: SeIncreaseQuotaPrivilege	396	filename.scr
Token: SeAssignPrimaryTokenPrivilege	396	filename.scr
Token: SeImpersonatePrivilege	396	filename.scr
Token: SeTcbPrivilege	396	filename.scr
Token: SeChangeNotifyPrivilege	396	filename.scr
Token: SeCreateTokenPrivilege	396	filename.scr
Token: SeBackupPrivilege	396	filename.scr
Token: SeRestorePrivilege	396	filename.scr
Token: SeIncreaseQuotaPrivilege	396	filename.scr
Token: SeAssignPrimaryTokenPrivilege	396	filename.scr
Token: SeImpersonatePrivilege	396	filename.scr
Token: SeTcbPrivilege	396	filename.scr
Token: SeChangeNotifyPrivilege	396	filename.scr
Token: SeCreateTokenPrivilege	396	filename.scr
Token: SeBackupPrivilege	396	filename.scr
Token: SeRestorePrivilege	396	filename.scr
Token: SeIncreaseQuotaPrivilege	396	filename.scr
Token: SeAssignPrimaryTokenPrivilege	396	filename.scr
Token: SeImpersonatePrivilege	396	filename.scr
Token: SeTcbPrivilege	396	filename.scr
Token: SeChangeNotifyPrivilege	396	filename.scr
Token: SeCreateTokenPrivilege	396	filename.scr
Token: SeBackupPrivilege	396	filename.scr
Token: SeRestorePrivilege	396	filename.scr
Token: SeIncreaseQuotaPrivilege	396	filename.scr
Token: SeAssignPrimaryTokenPrivilege	396	filename.scr
Token: SeImpersonatePrivilege	396	filename.scr
Token: SeTcbPrivilege	396	filename.scr
Token: SeChangeNotifyPrivilege	396	filename.scr
Token: SeCreateTokenPrivilege	396	filename.scr
Token: SeBackupPrivilege	396	filename.scr
Token: SeRestorePrivilege	396	filename.scr
Token: SeIncreaseQuotaPrivilege	396	filename.scr
Token: SeAssignPrimaryTokenPrivilege	396	filename.scr
Token: SeImpersonatePrivilege	396	filename.scr
Token: SeTcbPrivilege	396	filename.scr
Token: SeChangeNotifyPrivilege	396	filename.scr
Token: SeCreateTokenPrivilege	396	filename.scr
Token: SeBackupPrivilege	396	filename.scr
Token: SeRestorePrivilege	396	filename.scr
Token: SeIncreaseQuotaPrivilege	396	filename.scr
Token: SeAssignPrimaryTokenPrivilege	396	filename.scr

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4228	4.exe
1588	filename.scr

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 4228 wrote to memory of 2276	4228	4.exe	81
PID 4228 wrote to memory of 2276	4228	4.exe	81
PID 4228 wrote to memory of 2276	4228	4.exe	81
PID 2276 wrote to memory of 1588	2276	WScript.exe	82
PID 2276 wrote to memory of 1588	2276	WScript.exe	82
PID 2276 wrote to memory of 1588	2276	WScript.exe	82
PID 1588 wrote to memory of 396	1588	filename.scr	83
PID 1588 wrote to memory of 396	1588	filename.scr	83
PID 1588 wrote to memory of 396	1588	filename.scr	83
PID 1588 wrote to memory of 396	1588	filename.scr	83
PID 1588 wrote to memory of 396	1588	filename.scr	83
PID 1588 wrote to memory of 396	1588	filename.scr	83
PID 1588 wrote to memory of 396	1588	filename.scr	83
PID 1588 wrote to memory of 396	1588	filename.scr	83
PID 1588 wrote to memory of 396	1588	filename.scr	83
PID 1588 wrote to memory of 396	1588	filename.scr	83
PID 1588 wrote to memory of 396	1588	filename.scr	83
PID 1588 wrote to memory of 396	1588	filename.scr	83
PID 1588 wrote to memory of 396	1588	filename.scr	83
PID 1588 wrote to memory of 396	1588	filename.scr	83
PID 396 wrote to memory of 4788	396	filename.scr	86
PID 396 wrote to memory of 4788	396	filename.scr	86
PID 396 wrote to memory of 4788	396	filename.scr	86

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	filename.scr

C:\Users\Admin\AppData\Local\Temp\files\4.exe
"C:\Users\Admin\AppData\Local\Temp\files\4.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4228
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\subfolder\filename.vbs"
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2276
- - C:\Users\Admin\AppData\Local\Temp\subfolder\filename.scr
    "C:\Users\Admin\AppData\Local\Temp\subfolder\filename.scr" /S
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1588
  - - C:\Users\Admin\AppData\Local\Temp\subfolder\filename.scr
      "C:\Users\Admin\AppData\Local\Temp\subfolder\filename.scr" /S
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Accesses Microsoft Outlook accounts
      Accesses Microsoft Outlook profiles
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      outlook_win_path
      PID:396
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240640640.bat" "C:\Users\Admin\AppData\Local\Temp\subfolder\filename.scr" "
        5⤵
        
        PID:4788

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\240640640.bat

Filesize
94B

MD5
3880eeb1c736d853eb13b44898b718ab

SHA1
4eec9d50360cd815211e3c4e6bdd08271b6ec8e6

SHA256
936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7

SHA512
3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\subfolder\filename.scr

Filesize
13.3MB

MD5
e615354d620941db592d304f53cbaddd

SHA1
a89cd49f4f00b10afea77f44f73071a931858ae6

SHA256
7445f20a8ab4450280b2baca433ccf6bd28763701686822f0595209850f1a94a

SHA512
554fd2161d85751e680ec02ff81718df22ff5ea41ea78a461a1d63497cab9701f8a27aeb3383b68a243832b55f699c44337dbfd8c8a025ff096779dd5347ce73

Download Submit
C:\Users\Admin\AppData\Local\Temp\subfolder\filename.scr

Filesize
13.3MB

MD5
e615354d620941db592d304f53cbaddd

SHA1
a89cd49f4f00b10afea77f44f73071a931858ae6

SHA256
7445f20a8ab4450280b2baca433ccf6bd28763701686822f0595209850f1a94a

SHA512
554fd2161d85751e680ec02ff81718df22ff5ea41ea78a461a1d63497cab9701f8a27aeb3383b68a243832b55f699c44337dbfd8c8a025ff096779dd5347ce73

Download Submit
C:\Users\Admin\AppData\Local\Temp\subfolder\filename.scr

Filesize
13.3MB

MD5
e615354d620941db592d304f53cbaddd

SHA1
a89cd49f4f00b10afea77f44f73071a931858ae6

SHA256
7445f20a8ab4450280b2baca433ccf6bd28763701686822f0595209850f1a94a

SHA512
554fd2161d85751e680ec02ff81718df22ff5ea41ea78a461a1d63497cab9701f8a27aeb3383b68a243832b55f699c44337dbfd8c8a025ff096779dd5347ce73

Download Submit
C:\Users\Admin\AppData\Local\Temp\subfolder\filename.vbs

Filesize
1024B

MD5
b4ecba56f82e31510cf0ee604183871d

SHA1
6de710ee461c3f81e45f6ee607499e45fcbe75e1

SHA256
0357e98a46cfd5620015b01278de1e4bb96d46f9878686da2c43ec93e6a0016a

SHA512
ae6af40e002af35fb112574c1d22eb24e253a8c4582a9776fae021d18d6a71173cdcfa2b2623dd1200b6d7908041329983ec9cb01a8596f401d9de313e4d9611

Download Submit
memory/396-146-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/396-143-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/396-144-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/396-145-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/396-148-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1588-142-0x0000000002FC0000-0x0000000002FC6000-memory.dmp

Filesize
24KB

Download
memory/4228-132-0x0000000003210000-0x0000000003216000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads