pony | 3632593f89fb388070390bd7010a8b450e9d1e9d1b496941466a0677f1abd344

General

Target

BL_PL_&_INVOICE_PDF.exe
Size

134KB
MD5

0e087a29f6694524e66020d9454ccdb9
SHA1

10e5050f1975938399827be5dab35e5d01cb0c89
SHA256

eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c
SHA512

9e9c8bb4c3c577a41d930356c8b2d0a9eba0f0692b7e654053b2af478471c1b36db78cd33d2d5b800e661d5a5752e53448fbd299bdc670da5091e704ec10a1af
SSDEEP

3072:LlMyoAdZDhDOdtgXwDEi5xZgrdkkeRQHadg/wb:pvomDhi8wgiXZgrulk/

Score

10^/10

pony collection persistence rat spyware stealer upx

Malware Config

Extracted

Family

pony

C2

http://d-mmoney.favcc1.com/gate.php

Attributes

payload_url
http://d-mmoney.favcc1.com/shit.exe

Signatures

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Executes dropped EXE 3 IoCs

Processes:

IpOverUsbSvrc.exeatiesrx.exeIpOverUsbSvrc.exe

pid process

1320 IpOverUsbSvrc.exe
860 atiesrx.exe
1360 IpOverUsbSvrc.exe

pid	process
1320	IpOverUsbSvrc.exe
860	atiesrx.exe
1360	IpOverUsbSvrc.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/588-58-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/588-60-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/588-61-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/588-65-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/588-66-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/588-67-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/588-81-0x0000000000400000-0x000000000041C000-memory.dmp	upx

Loads dropped DLL 2 IoCs

Processes:

BL_PL_&_INVOICE_PDF.exeIpOverUsbSvrc.exe

pid process

2008 BL_PL_&_INVOICE_PDF.exe
1320 IpOverUsbSvrc.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	vbc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

IpOverUsbSvrc.exeIpOverUsbSvrc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\Multimedia Class Scheduler = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\IpOverUsbSvrc.exe"	IpOverUsbSvrc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\Multimedia Class Scheduler = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\IpOverUsbSvrc.exe"	IpOverUsbSvrc.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

BL_PL_&_INVOICE_PDF.exe

description pid process target process

PID 2008 set thread context of 588 2008 BL_PL_&_INVOICE_PDF.exe vbc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 2008 set thread context of 588	2008	BL_PL_&_INVOICE_PDF.exe	vbc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

BL_PL_&_INVOICE_PDF.exeIpOverUsbSvrc.exeIpOverUsbSvrc.exe

pid	process
2008	BL_PL_&_INVOICE_PDF.exe
1320	IpOverUsbSvrc.exe
2008	BL_PL_&_INVOICE_PDF.exe
2008	BL_PL_&_INVOICE_PDF.exe
2008	BL_PL_&_INVOICE_PDF.exe
2008	BL_PL_&_INVOICE_PDF.exe
2008	BL_PL_&_INVOICE_PDF.exe
2008	BL_PL_&_INVOICE_PDF.exe
2008	BL_PL_&_INVOICE_PDF.exe
2008	BL_PL_&_INVOICE_PDF.exe
2008	BL_PL_&_INVOICE_PDF.exe
2008	BL_PL_&_INVOICE_PDF.exe
2008	BL_PL_&_INVOICE_PDF.exe
2008	BL_PL_&_INVOICE_PDF.exe
2008	BL_PL_&_INVOICE_PDF.exe
2008	BL_PL_&_INVOICE_PDF.exe
2008	BL_PL_&_INVOICE_PDF.exe
2008	BL_PL_&_INVOICE_PDF.exe
2008	BL_PL_&_INVOICE_PDF.exe
2008	BL_PL_&_INVOICE_PDF.exe
2008	BL_PL_&_INVOICE_PDF.exe
2008	BL_PL_&_INVOICE_PDF.exe
1320	IpOverUsbSvrc.exe
2008	BL_PL_&_INVOICE_PDF.exe
2008	BL_PL_&_INVOICE_PDF.exe
1320	IpOverUsbSvrc.exe
2008	BL_PL_&_INVOICE_PDF.exe
2008	BL_PL_&_INVOICE_PDF.exe
1320	IpOverUsbSvrc.exe
2008	BL_PL_&_INVOICE_PDF.exe
2008	BL_PL_&_INVOICE_PDF.exe
2008	BL_PL_&_INVOICE_PDF.exe
1320	IpOverUsbSvrc.exe
2008	BL_PL_&_INVOICE_PDF.exe
2008	BL_PL_&_INVOICE_PDF.exe
1320	IpOverUsbSvrc.exe
2008	BL_PL_&_INVOICE_PDF.exe
2008	BL_PL_&_INVOICE_PDF.exe
2008	BL_PL_&_INVOICE_PDF.exe
1360	IpOverUsbSvrc.exe
2008	BL_PL_&_INVOICE_PDF.exe
2008	BL_PL_&_INVOICE_PDF.exe
2008	BL_PL_&_INVOICE_PDF.exe
1360	IpOverUsbSvrc.exe
2008	BL_PL_&_INVOICE_PDF.exe
2008	BL_PL_&_INVOICE_PDF.exe
1360	IpOverUsbSvrc.exe
2008	BL_PL_&_INVOICE_PDF.exe
2008	BL_PL_&_INVOICE_PDF.exe
1360	IpOverUsbSvrc.exe
2008	BL_PL_&_INVOICE_PDF.exe
2008	BL_PL_&_INVOICE_PDF.exe
2008	BL_PL_&_INVOICE_PDF.exe
1360	IpOverUsbSvrc.exe
2008	BL_PL_&_INVOICE_PDF.exe
2008	BL_PL_&_INVOICE_PDF.exe
1360	IpOverUsbSvrc.exe
2008	BL_PL_&_INVOICE_PDF.exe
2008	BL_PL_&_INVOICE_PDF.exe
1360	IpOverUsbSvrc.exe
2008	BL_PL_&_INVOICE_PDF.exe
2008	BL_PL_&_INVOICE_PDF.exe
2008	BL_PL_&_INVOICE_PDF.exe
1360	IpOverUsbSvrc.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

Processes:

BL_PL_&_INVOICE_PDF.exevbc.exeIpOverUsbSvrc.exeatiesrx.exeIpOverUsbSvrc.exe

description	pid	process
Token: SeDebugPrivilege	2008	BL_PL_&_INVOICE_PDF.exe
Token: SeImpersonatePrivilege	588	vbc.exe
Token: SeTcbPrivilege	588	vbc.exe
Token: SeChangeNotifyPrivilege	588	vbc.exe
Token: SeCreateTokenPrivilege	588	vbc.exe
Token: SeBackupPrivilege	588	vbc.exe
Token: SeRestorePrivilege	588	vbc.exe
Token: SeIncreaseQuotaPrivilege	588	vbc.exe
Token: SeAssignPrimaryTokenPrivilege	588	vbc.exe
Token: SeDebugPrivilege	1320	IpOverUsbSvrc.exe
Token: SeImpersonatePrivilege	588	vbc.exe
Token: SeTcbPrivilege	588	vbc.exe
Token: SeChangeNotifyPrivilege	588	vbc.exe
Token: SeCreateTokenPrivilege	588	vbc.exe
Token: SeBackupPrivilege	588	vbc.exe
Token: SeRestorePrivilege	588	vbc.exe
Token: SeIncreaseQuotaPrivilege	588	vbc.exe
Token: SeAssignPrimaryTokenPrivilege	588	vbc.exe
Token: SeImpersonatePrivilege	588	vbc.exe
Token: SeTcbPrivilege	588	vbc.exe
Token: SeChangeNotifyPrivilege	588	vbc.exe
Token: SeCreateTokenPrivilege	588	vbc.exe
Token: SeBackupPrivilege	588	vbc.exe
Token: SeRestorePrivilege	588	vbc.exe
Token: SeIncreaseQuotaPrivilege	588	vbc.exe
Token: SeAssignPrimaryTokenPrivilege	588	vbc.exe
Token: SeImpersonatePrivilege	588	vbc.exe
Token: SeTcbPrivilege	588	vbc.exe
Token: SeChangeNotifyPrivilege	588	vbc.exe
Token: SeCreateTokenPrivilege	588	vbc.exe
Token: SeBackupPrivilege	588	vbc.exe
Token: SeRestorePrivilege	588	vbc.exe
Token: SeIncreaseQuotaPrivilege	588	vbc.exe
Token: SeAssignPrimaryTokenPrivilege	588	vbc.exe
Token: SeDebugPrivilege	860	atiesrx.exe
Token: SeDebugPrivilege	1360	IpOverUsbSvrc.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

BL_PL_&_INVOICE_PDF.exeIpOverUsbSvrc.exevbc.exe

description	pid	process	target process
PID 2008 wrote to memory of 588	2008	BL_PL_&_INVOICE_PDF.exe	vbc.exe
PID 2008 wrote to memory of 588	2008	BL_PL_&_INVOICE_PDF.exe	vbc.exe
PID 2008 wrote to memory of 588	2008	BL_PL_&_INVOICE_PDF.exe	vbc.exe
PID 2008 wrote to memory of 588	2008	BL_PL_&_INVOICE_PDF.exe	vbc.exe
PID 2008 wrote to memory of 588	2008	BL_PL_&_INVOICE_PDF.exe	vbc.exe
PID 2008 wrote to memory of 588	2008	BL_PL_&_INVOICE_PDF.exe	vbc.exe
PID 2008 wrote to memory of 588	2008	BL_PL_&_INVOICE_PDF.exe	vbc.exe
PID 2008 wrote to memory of 588	2008	BL_PL_&_INVOICE_PDF.exe	vbc.exe
PID 2008 wrote to memory of 1320	2008	BL_PL_&_INVOICE_PDF.exe	IpOverUsbSvrc.exe
PID 2008 wrote to memory of 1320	2008	BL_PL_&_INVOICE_PDF.exe	IpOverUsbSvrc.exe
PID 2008 wrote to memory of 1320	2008	BL_PL_&_INVOICE_PDF.exe	IpOverUsbSvrc.exe
PID 2008 wrote to memory of 1320	2008	BL_PL_&_INVOICE_PDF.exe	IpOverUsbSvrc.exe
PID 1320 wrote to memory of 860	1320	IpOverUsbSvrc.exe	atiesrx.exe
PID 1320 wrote to memory of 860	1320	IpOverUsbSvrc.exe	atiesrx.exe
PID 1320 wrote to memory of 860	1320	IpOverUsbSvrc.exe	atiesrx.exe
PID 1320 wrote to memory of 860	1320	IpOverUsbSvrc.exe	atiesrx.exe
PID 588 wrote to memory of 288	588	vbc.exe	cmd.exe
PID 588 wrote to memory of 288	588	vbc.exe	cmd.exe
PID 588 wrote to memory of 288	588	vbc.exe	cmd.exe
PID 588 wrote to memory of 288	588	vbc.exe	cmd.exe
PID 2008 wrote to memory of 1360	2008	BL_PL_&_INVOICE_PDF.exe	IpOverUsbSvrc.exe
PID 2008 wrote to memory of 1360	2008	BL_PL_&_INVOICE_PDF.exe	IpOverUsbSvrc.exe
PID 2008 wrote to memory of 1360	2008	BL_PL_&_INVOICE_PDF.exe	IpOverUsbSvrc.exe
PID 2008 wrote to memory of 1360	2008	BL_PL_&_INVOICE_PDF.exe	IpOverUsbSvrc.exe

outlook_win_path 1 IoCs

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	vbc.exe

C:\Users\Admin\AppData\Local\Temp\BL_PL_&_INVOICE_PDF.exe
"C:\Users\Admin\AppData\Local\Temp\BL_PL_&_INVOICE_PDF.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2008

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
2⤵
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_win_path
PID:588

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\7200366.bat" "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" "
3⤵
PID:288

C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1320

C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:860

C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1360

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Email Collection

2

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7200366.bat
Filesize
94B

MD5
3880eeb1c736d853eb13b44898b718ab

SHA1
4eec9d50360cd815211e3c4e6bdd08271b6ec8e6

SHA256
936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7

SHA512
3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe
Filesize
8KB

MD5
54fbde415453f5c9089b49e65bd5f8e7

SHA1
d77b86631f629b52bbebc6e08fbf60c78e8ceab0

SHA256
7d31b70e949833d9f78199848b14307e41da511ca4915c20a8ca61ee8eeeedbf

SHA512
90dbbb3986ab3f4dda4292b580bfac7c97bbf20f68d0be0af271b9bc5e22a4abc326baaf284be005c6460ecc2187b6ca5d015fab55be3b242122436fcf3ee5ed

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe
Filesize
8KB

MD5
54fbde415453f5c9089b49e65bd5f8e7

SHA1
d77b86631f629b52bbebc6e08fbf60c78e8ceab0

SHA256
7d31b70e949833d9f78199848b14307e41da511ca4915c20a8ca61ee8eeeedbf

SHA512
90dbbb3986ab3f4dda4292b580bfac7c97bbf20f68d0be0af271b9bc5e22a4abc326baaf284be005c6460ecc2187b6ca5d015fab55be3b242122436fcf3ee5ed

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe
Filesize
8KB

MD5
54fbde415453f5c9089b49e65bd5f8e7

SHA1
d77b86631f629b52bbebc6e08fbf60c78e8ceab0

SHA256
7d31b70e949833d9f78199848b14307e41da511ca4915c20a8ca61ee8eeeedbf

SHA512
90dbbb3986ab3f4dda4292b580bfac7c97bbf20f68d0be0af271b9bc5e22a4abc326baaf284be005c6460ecc2187b6ca5d015fab55be3b242122436fcf3ee5ed

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
Filesize
134KB

MD5
0e087a29f6694524e66020d9454ccdb9

SHA1
10e5050f1975938399827be5dab35e5d01cb0c89

SHA256
eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c

SHA512
9e9c8bb4c3c577a41d930356c8b2d0a9eba0f0692b7e654053b2af478471c1b36db78cd33d2d5b800e661d5a5752e53448fbd299bdc670da5091e704ec10a1af

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
Filesize
134KB

MD5
0e087a29f6694524e66020d9454ccdb9

SHA1
10e5050f1975938399827be5dab35e5d01cb0c89

SHA256
eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c

SHA512
9e9c8bb4c3c577a41d930356c8b2d0a9eba0f0692b7e654053b2af478471c1b36db78cd33d2d5b800e661d5a5752e53448fbd299bdc670da5091e704ec10a1af

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe
Filesize
8KB

MD5
54fbde415453f5c9089b49e65bd5f8e7

SHA1
d77b86631f629b52bbebc6e08fbf60c78e8ceab0

SHA256
7d31b70e949833d9f78199848b14307e41da511ca4915c20a8ca61ee8eeeedbf

SHA512
90dbbb3986ab3f4dda4292b580bfac7c97bbf20f68d0be0af271b9bc5e22a4abc326baaf284be005c6460ecc2187b6ca5d015fab55be3b242122436fcf3ee5ed

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
Filesize
134KB

MD5
0e087a29f6694524e66020d9454ccdb9

SHA1
10e5050f1975938399827be5dab35e5d01cb0c89

SHA256
eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c

SHA512
9e9c8bb4c3c577a41d930356c8b2d0a9eba0f0692b7e654053b2af478471c1b36db78cd33d2d5b800e661d5a5752e53448fbd299bdc670da5091e704ec10a1af

Download Submit
memory/288-80-0x0000000000000000-mapping.dmp

Download
memory/588-81-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/588-67-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/588-65-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/588-62-0x000000000041A1F0-mapping.dmp

Download
memory/588-61-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/588-60-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/588-58-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/588-57-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/588-66-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/860-84-0x0000000074DE0000-0x000000007538B000-memory.dmp

Filesize
5.7MB

Download
memory/860-75-0x0000000000000000-mapping.dmp

Download
memory/860-79-0x0000000074DE0000-0x000000007538B000-memory.dmp

Filesize
5.7MB

Download
memory/1320-78-0x0000000074DE0000-0x000000007538B000-memory.dmp

Filesize
5.7MB

Download
memory/1320-83-0x0000000074DE0000-0x000000007538B000-memory.dmp

Filesize
5.7MB

Download
memory/1320-69-0x0000000000000000-mapping.dmp

Download
memory/1320-85-0x0000000074DE0000-0x000000007538B000-memory.dmp

Filesize
5.7MB

Download
memory/1360-86-0x0000000000000000-mapping.dmp

Download
memory/1360-89-0x0000000074DE0000-0x000000007538B000-memory.dmp

Filesize
5.7MB

Download
memory/1360-90-0x0000000074DE0000-0x000000007538B000-memory.dmp

Filesize
5.7MB

Download
memory/2008-54-0x0000000076AE1000-0x0000000076AE3000-memory.dmp

Filesize
8KB

Download
memory/2008-56-0x0000000074DE0000-0x000000007538B000-memory.dmp

Filesize
5.7MB

Download
memory/2008-55-0x0000000074DE0000-0x000000007538B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads