pony | 1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324

General

Target

1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exe
Size

324KB
MD5

7d05eebdb0afe7c4c4d5231eaa271118
SHA1

ae2c8059389887f0028ae61c89fd65d878eea7b4
SHA256

1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324
SHA512

46a250708d573966313dd28e1b3db546634c58bb886fdda667208ae9608048521bd6a8a8d529c68cd447bc419f773952b559cd555c911aea940335768d3369e6
SSDEEP

6144:a4w/TEf3zR2c++Mr4sIJbWGQ4w/TEJpnss2XjXrHPWftnyBXMxoMKk:xqgvzMrrnIYSqgJZss0jX7uB6uoMb

Score

10^/10

pony rat spyware stealer

Malware Config

Extracted

Family

pony

C2

http://raslo1.bangex.com/regate/regate.php

http://dll1.dinos.al/regate/regate.php

http://dll1-b.dinos.al/regate/regate.php

http://dll1-c.dinos.al/regate/regate.php

Signatures

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Executes dropped EXE 3 IoCs

Processes:

tmp7562839.exetmp7562839.exelsass.exe

pid process

4204 tmp7562839.exe
4384 tmp7562839.exe
2352 lsass.exe

pid	process
4204	tmp7562839.exe
4384	tmp7562839.exe
2352	lsass.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exe

Drops startup file 1 IoCs

Processes:

tmp7562839.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe tmp7562839.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe	tmp7562839.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exetmp7562839.exe

description	pid	process	target process
PID 3504 set thread context of 3144	3504	1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exe	1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exe
PID 4204 set thread context of 4384	4204	tmp7562839.exe	tmp7562839.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

tmp7562839.exe

description pid process

Token: SeDebugPrivilege 4384 tmp7562839.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exetmp7562839.exe

pid process

3504 1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exe
4204 tmp7562839.exe

description	pid	process
Token: SeDebugPrivilege	4384	tmp7562839.exe

pid	process
3504	1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exe
4204	tmp7562839.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exetmp7562839.exetmp7562839.exe

description	pid	process	target process
PID 3504 wrote to memory of 4204	3504	1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exe	tmp7562839.exe
PID 3504 wrote to memory of 4204	3504	1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exe	tmp7562839.exe
PID 3504 wrote to memory of 4204	3504	1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exe	tmp7562839.exe
PID 4204 wrote to memory of 4384	4204	tmp7562839.exe	tmp7562839.exe
PID 4204 wrote to memory of 4384	4204	tmp7562839.exe	tmp7562839.exe
PID 4204 wrote to memory of 4384	4204	tmp7562839.exe	tmp7562839.exe
PID 4204 wrote to memory of 4384	4204	tmp7562839.exe	tmp7562839.exe
PID 4204 wrote to memory of 4384	4204	tmp7562839.exe	tmp7562839.exe
PID 3504 wrote to memory of 3144	3504	1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exe	1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exe
PID 3504 wrote to memory of 3144	3504	1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exe	1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exe
PID 3504 wrote to memory of 3144	3504	1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exe	1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exe
PID 3504 wrote to memory of 3144	3504	1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exe	1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exe
PID 3504 wrote to memory of 3144	3504	1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exe	1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exe
PID 3504 wrote to memory of 3144	3504	1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exe	1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exe
PID 3504 wrote to memory of 3144	3504	1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exe	1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exe
PID 3504 wrote to memory of 3144	3504	1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exe	1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exe
PID 4204 wrote to memory of 4384	4204	tmp7562839.exe	tmp7562839.exe
PID 4384 wrote to memory of 2352	4384	tmp7562839.exe	lsass.exe
PID 4384 wrote to memory of 2352	4384	tmp7562839.exe	lsass.exe
PID 4384 wrote to memory of 2352	4384	tmp7562839.exe	lsass.exe

C:\Users\Admin\AppData\Local\Temp\1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exe
"C:\Users\Admin\AppData\Local\Temp\1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3504

C:\Users\Admin\AppData\Local\Temp\tmp7562839.exe
"C:\Users\Admin\AppData\Local\Temp\tmp7562839.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4204

C:\Users\Admin\AppData\Local\Temp\tmp7562839.exe
"C:\Users\Admin\AppData\Local\Temp\tmp7562839.exe"
3⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4384

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe"
4⤵
- Executes dropped EXE
PID:2352

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe"
5⤵
PID:3924

C:\Windows\explorer.exe
C:\Windows\explorer.exe
6⤵
PID:2328

C:\Users\Admin\AppData\Local\Temp\1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exe
"C:\Users\Admin\AppData\Local\Temp\1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exe"
2⤵
PID:3144

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp7562839.exe
Filesize
164KB

MD5
ee86a6eb2f94db6c8caa0b95bc468174

SHA1
b07fef1c69176369a6f09da5a2359d062b2d0c65

SHA256
fd1d70cf0753ad0e290126caab6445f66940c242309fdcb7792354657948ac3e

SHA512
eb82b97602fae6dcb352b34f8dc24267b29584ff9ed86d7b6445a6b5316363d1ef8f66946852dba2eb5aae327271373ba60743b7998472bf9c9528a7eeb045a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7562839.exe
Filesize
164KB

MD5
ee86a6eb2f94db6c8caa0b95bc468174

SHA1
b07fef1c69176369a6f09da5a2359d062b2d0c65

SHA256
fd1d70cf0753ad0e290126caab6445f66940c242309fdcb7792354657948ac3e

SHA512
eb82b97602fae6dcb352b34f8dc24267b29584ff9ed86d7b6445a6b5316363d1ef8f66946852dba2eb5aae327271373ba60743b7998472bf9c9528a7eeb045a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7562839.exe
Filesize
164KB

MD5
ee86a6eb2f94db6c8caa0b95bc468174

SHA1
b07fef1c69176369a6f09da5a2359d062b2d0c65

SHA256
fd1d70cf0753ad0e290126caab6445f66940c242309fdcb7792354657948ac3e

SHA512
eb82b97602fae6dcb352b34f8dc24267b29584ff9ed86d7b6445a6b5316363d1ef8f66946852dba2eb5aae327271373ba60743b7998472bf9c9528a7eeb045a6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe
Filesize
164KB

MD5
ee86a6eb2f94db6c8caa0b95bc468174

SHA1
b07fef1c69176369a6f09da5a2359d062b2d0c65

SHA256
fd1d70cf0753ad0e290126caab6445f66940c242309fdcb7792354657948ac3e

SHA512
eb82b97602fae6dcb352b34f8dc24267b29584ff9ed86d7b6445a6b5316363d1ef8f66946852dba2eb5aae327271373ba60743b7998472bf9c9528a7eeb045a6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe
Filesize
164KB

MD5
ee86a6eb2f94db6c8caa0b95bc468174

SHA1
b07fef1c69176369a6f09da5a2359d062b2d0c65

SHA256
fd1d70cf0753ad0e290126caab6445f66940c242309fdcb7792354657948ac3e

SHA512
eb82b97602fae6dcb352b34f8dc24267b29584ff9ed86d7b6445a6b5316363d1ef8f66946852dba2eb5aae327271373ba60743b7998472bf9c9528a7eeb045a6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe
Filesize
164KB

MD5
ee86a6eb2f94db6c8caa0b95bc468174

SHA1
b07fef1c69176369a6f09da5a2359d062b2d0c65

SHA256
fd1d70cf0753ad0e290126caab6445f66940c242309fdcb7792354657948ac3e

SHA512
eb82b97602fae6dcb352b34f8dc24267b29584ff9ed86d7b6445a6b5316363d1ef8f66946852dba2eb5aae327271373ba60743b7998472bf9c9528a7eeb045a6

Download Submit
memory/2328-169-0x0000000000000000-mapping.dmp

Download
memory/2352-161-0x0000000000000000-mapping.dmp

Download
memory/3144-153-0x0000000000000000-mapping.dmp

Download
memory/3144-160-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/3144-155-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/3504-139-0x00000000004DB000-0x00000000004DF000-memory.dmp

Filesize
16KB

Download
memory/3504-140-0x00000000004D2000-0x00000000004D7000-memory.dmp

Filesize
20KB

Download
memory/3504-144-0x0000000000565000-0x00000000005A5000-memory.dmp

Filesize
256KB

Download
memory/3504-149-0x0000000000565000-0x00000000005A5000-memory.dmp

Filesize
256KB

Download
memory/3504-151-0x0000000000565000-0x00000000005A5000-memory.dmp

Filesize
256KB

Download
memory/3504-152-0x0000000000565000-0x00000000005A5000-memory.dmp

Filesize
256KB

Download
memory/3504-146-0x0000000000565000-0x00000000005A5000-memory.dmp

Filesize
256KB

Download
memory/3504-136-0x00000000004D2000-0x00000000004D7000-memory.dmp

Filesize
20KB

Download
memory/3504-135-0x00000000004D2000-0x00000000004D7000-memory.dmp

Filesize
20KB

Download
memory/3504-137-0x00000000004D2000-0x00000000004D7000-memory.dmp

Filesize
20KB

Download
memory/3504-134-0x00000000004D2000-0x00000000004D7000-memory.dmp

Filesize
20KB

Download
memory/3504-138-0x00000000004D2000-0x00000000004D7000-memory.dmp

Filesize
20KB

Download
memory/3504-141-0x00000000004D2000-0x00000000004D7000-memory.dmp

Filesize
20KB

Download
memory/3504-147-0x0000000000565000-0x00000000005A5000-memory.dmp

Filesize
256KB

Download
memory/3924-166-0x0000000000000000-mapping.dmp

Download
memory/4204-142-0x0000000000000000-mapping.dmp

Download
memory/4384-159-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/4384-156-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/4384-154-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads