pony | 6a321dac6eb773781972ed74aaaa680cfa3f006934098e3b66cd435c64adc266

Analysis

max time kernel
206s
max time network
208s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
26/11/2022, 01:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Dhl-Information.pdf.exe
Size

146KB
MD5

0596c354d3bc4a70f76e86ac44e5179e
SHA1

de5db12f41c299116aeaf27d1d6b66c1649d3890
SHA256

b152f74631608d6c84e7b406121c19d0b4e75993e11ee8e2bddbacfa7942f639
SHA512

424ce957cb7631d632ce5f1cb806f9a67a78f8e43f856b321c1f08270148fc92edf921f59fd58e6c3ee999619fef46c2612e8768ace0dbd422abc804fd15626d
SSDEEP

3072:Ws7dFzS0qcFuKAfCw7ntjPGy/gud9T7Pxgvk4C21sr7c85GKdMkvtFx0iuFRQWHK:Ws7dFzS0I9Kej+r69GvXCei7qTTiuaW

Score

10^/10

pony collection rat spyware stealer

Malware Config

Extracted

Family

pony

http://185.7.35.9/~peakedca/home/gate.php

Signatures

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	Dhl-Information.pdf.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	vbc.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4012 set thread context of 3552	4012	Dhl-Information.pdf.exe	85

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4012	Dhl-Information.pdf.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

description	pid	Process
Token: SeDebugPrivilege	4012	Dhl-Information.pdf.exe
Token: SeImpersonatePrivilege	3552	vbc.exe
Token: SeTcbPrivilege	3552	vbc.exe
Token: SeChangeNotifyPrivilege	3552	vbc.exe
Token: SeCreateTokenPrivilege	3552	vbc.exe
Token: SeBackupPrivilege	3552	vbc.exe
Token: SeRestorePrivilege	3552	vbc.exe
Token: SeIncreaseQuotaPrivilege	3552	vbc.exe
Token: SeAssignPrimaryTokenPrivilege	3552	vbc.exe
Token: SeImpersonatePrivilege	3552	vbc.exe
Token: SeTcbPrivilege	3552	vbc.exe
Token: SeChangeNotifyPrivilege	3552	vbc.exe
Token: SeCreateTokenPrivilege	3552	vbc.exe
Token: SeBackupPrivilege	3552	vbc.exe
Token: SeRestorePrivilege	3552	vbc.exe
Token: SeIncreaseQuotaPrivilege	3552	vbc.exe
Token: SeAssignPrimaryTokenPrivilege	3552	vbc.exe
Token: SeImpersonatePrivilege	3552	vbc.exe
Token: SeTcbPrivilege	3552	vbc.exe
Token: SeChangeNotifyPrivilege	3552	vbc.exe
Token: SeCreateTokenPrivilege	3552	vbc.exe
Token: SeBackupPrivilege	3552	vbc.exe
Token: SeRestorePrivilege	3552	vbc.exe
Token: SeIncreaseQuotaPrivilege	3552	vbc.exe
Token: SeAssignPrimaryTokenPrivilege	3552	vbc.exe
Token: SeImpersonatePrivilege	3552	vbc.exe
Token: SeTcbPrivilege	3552	vbc.exe
Token: SeChangeNotifyPrivilege	3552	vbc.exe
Token: SeCreateTokenPrivilege	3552	vbc.exe
Token: SeBackupPrivilege	3552	vbc.exe
Token: SeRestorePrivilege	3552	vbc.exe
Token: SeIncreaseQuotaPrivilege	3552	vbc.exe
Token: SeAssignPrimaryTokenPrivilege	3552	vbc.exe
Token: SeImpersonatePrivilege	3552	vbc.exe
Token: SeTcbPrivilege	3552	vbc.exe
Token: SeChangeNotifyPrivilege	3552	vbc.exe
Token: SeCreateTokenPrivilege	3552	vbc.exe
Token: SeBackupPrivilege	3552	vbc.exe
Token: SeRestorePrivilege	3552	vbc.exe
Token: SeIncreaseQuotaPrivilege	3552	vbc.exe
Token: SeAssignPrimaryTokenPrivilege	3552	vbc.exe
Token: SeImpersonatePrivilege	3552	vbc.exe
Token: SeTcbPrivilege	3552	vbc.exe
Token: SeChangeNotifyPrivilege	3552	vbc.exe
Token: SeCreateTokenPrivilege	3552	vbc.exe
Token: SeBackupPrivilege	3552	vbc.exe
Token: SeRestorePrivilege	3552	vbc.exe
Token: SeIncreaseQuotaPrivilege	3552	vbc.exe
Token: SeAssignPrimaryTokenPrivilege	3552	vbc.exe
Token: SeDebugPrivilege	2232	takshost.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4012 wrote to memory of 3552	4012	Dhl-Information.pdf.exe	85
PID 4012 wrote to memory of 3552	4012	Dhl-Information.pdf.exe	85
PID 4012 wrote to memory of 3552	4012	Dhl-Information.pdf.exe	85
PID 4012 wrote to memory of 3552	4012	Dhl-Information.pdf.exe	85
PID 4012 wrote to memory of 3552	4012	Dhl-Information.pdf.exe	85
PID 4012 wrote to memory of 3552	4012	Dhl-Information.pdf.exe	85
PID 4012 wrote to memory of 3552	4012	Dhl-Information.pdf.exe	85
PID 4012 wrote to memory of 3552	4012	Dhl-Information.pdf.exe	85
PID 4012 wrote to memory of 2232	4012	Dhl-Information.pdf.exe	86
PID 4012 wrote to memory of 2232	4012	Dhl-Information.pdf.exe	86
PID 4012 wrote to memory of 2232	4012	Dhl-Information.pdf.exe	86
PID 3552 wrote to memory of 1956	3552	vbc.exe	87
PID 3552 wrote to memory of 1956	3552	vbc.exe	87
PID 3552 wrote to memory of 1956	3552	vbc.exe	87

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	vbc.exe

C:\Users\Admin\AppData\Local\Temp\Dhl-Information.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Dhl-Information.pdf.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4012
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
  2⤵
  - Accesses Microsoft Outlook accounts
  - Accesses Microsoft Outlook profiles
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - outlook_win_path
  PID:3552
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240653328.bat" "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" "
    3⤵
    PID:1956
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2232

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\240653328.bat

Filesize
94B

MD5
3880eeb1c736d853eb13b44898b718ab

SHA1
4eec9d50360cd815211e3c4e6bdd08271b6ec8e6

SHA256
936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7

SHA512
3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

Download Submit
memory/2232-147-0x0000000074FC0000-0x0000000075571000-memory.dmp

Filesize
5.7MB

Download
memory/2232-146-0x0000000074FC0000-0x0000000075571000-memory.dmp

Filesize
5.7MB

Download
memory/2232-142-0x0000000074FC0000-0x0000000075571000-memory.dmp

Filesize
5.7MB

Download
memory/3552-136-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/3552-139-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/3552-143-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/3552-138-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/4012-141-0x0000000074FC0000-0x0000000075571000-memory.dmp

Filesize
5.7MB

Download
memory/4012-133-0x0000000074FC0000-0x0000000075571000-memory.dmp

Filesize
5.7MB

Download
memory/4012-134-0x0000000074FC0000-0x0000000075571000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads