pony | 7a2883a3af9d9afd764a791b87b691eb382eea701eaf21b52c4852053a899de6

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
27-11-2022 06:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7a2883a3af9d9afd764a791b87b691eb382eea701eaf21b52c4852053a899de6.exe
Size

37KB
MD5

81edecb831332564dd1ac0967e9773ff
SHA1

71afe4e331f4b91cd7487ebcfb601be7ac3b7e47
SHA256

7a2883a3af9d9afd764a791b87b691eb382eea701eaf21b52c4852053a899de6
SHA512

451f5133e5db562604adaf24d308a10ce6d04f59b6e4f9c6d5db76b980a0e23878520919c473df33b2d5dba3b748db682346389facca802d1de3500b2c1786f4
SSDEEP

768:dlU0HJ25v/EuJ82l2G8B2KW8e9aZ4xccqaY6G1rQcsclnbcuyD7U:dlUFyuwoL8e9gYccHArQcdlnouy8

Score

10^/10

pony collection discovery rat spyware stealer upx

Malware Config

Extracted

Family

pony

http://ulster-online.com/smith/gate.php

Attributes

payload_url
http://ulster-online.com/smith/micro.exe

Signatures

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4344-132-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4344-134-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	7a2883a3af9d9afd764a791b87b691eb382eea701eaf21b52c4852053a899de6.exe

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	7a2883a3af9d9afd764a791b87b691eb382eea701eaf21b52c4852053a899de6.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeImpersonatePrivilege	4344	7a2883a3af9d9afd764a791b87b691eb382eea701eaf21b52c4852053a899de6.exe
Token: SeTcbPrivilege	4344	7a2883a3af9d9afd764a791b87b691eb382eea701eaf21b52c4852053a899de6.exe
Token: SeChangeNotifyPrivilege	4344	7a2883a3af9d9afd764a791b87b691eb382eea701eaf21b52c4852053a899de6.exe
Token: SeCreateTokenPrivilege	4344	7a2883a3af9d9afd764a791b87b691eb382eea701eaf21b52c4852053a899de6.exe
Token: SeBackupPrivilege	4344	7a2883a3af9d9afd764a791b87b691eb382eea701eaf21b52c4852053a899de6.exe
Token: SeRestorePrivilege	4344	7a2883a3af9d9afd764a791b87b691eb382eea701eaf21b52c4852053a899de6.exe
Token: SeIncreaseQuotaPrivilege	4344	7a2883a3af9d9afd764a791b87b691eb382eea701eaf21b52c4852053a899de6.exe
Token: SeAssignPrimaryTokenPrivilege	4344	7a2883a3af9d9afd764a791b87b691eb382eea701eaf21b52c4852053a899de6.exe
Token: SeImpersonatePrivilege	4344	7a2883a3af9d9afd764a791b87b691eb382eea701eaf21b52c4852053a899de6.exe
Token: SeTcbPrivilege	4344	7a2883a3af9d9afd764a791b87b691eb382eea701eaf21b52c4852053a899de6.exe
Token: SeChangeNotifyPrivilege	4344	7a2883a3af9d9afd764a791b87b691eb382eea701eaf21b52c4852053a899de6.exe
Token: SeCreateTokenPrivilege	4344	7a2883a3af9d9afd764a791b87b691eb382eea701eaf21b52c4852053a899de6.exe
Token: SeBackupPrivilege	4344	7a2883a3af9d9afd764a791b87b691eb382eea701eaf21b52c4852053a899de6.exe
Token: SeRestorePrivilege	4344	7a2883a3af9d9afd764a791b87b691eb382eea701eaf21b52c4852053a899de6.exe
Token: SeIncreaseQuotaPrivilege	4344	7a2883a3af9d9afd764a791b87b691eb382eea701eaf21b52c4852053a899de6.exe
Token: SeAssignPrimaryTokenPrivilege	4344	7a2883a3af9d9afd764a791b87b691eb382eea701eaf21b52c4852053a899de6.exe
Token: SeImpersonatePrivilege	4344	7a2883a3af9d9afd764a791b87b691eb382eea701eaf21b52c4852053a899de6.exe
Token: SeTcbPrivilege	4344	7a2883a3af9d9afd764a791b87b691eb382eea701eaf21b52c4852053a899de6.exe
Token: SeChangeNotifyPrivilege	4344	7a2883a3af9d9afd764a791b87b691eb382eea701eaf21b52c4852053a899de6.exe
Token: SeCreateTokenPrivilege	4344	7a2883a3af9d9afd764a791b87b691eb382eea701eaf21b52c4852053a899de6.exe
Token: SeBackupPrivilege	4344	7a2883a3af9d9afd764a791b87b691eb382eea701eaf21b52c4852053a899de6.exe
Token: SeRestorePrivilege	4344	7a2883a3af9d9afd764a791b87b691eb382eea701eaf21b52c4852053a899de6.exe
Token: SeIncreaseQuotaPrivilege	4344	7a2883a3af9d9afd764a791b87b691eb382eea701eaf21b52c4852053a899de6.exe
Token: SeAssignPrimaryTokenPrivilege	4344	7a2883a3af9d9afd764a791b87b691eb382eea701eaf21b52c4852053a899de6.exe
Token: SeImpersonatePrivilege	4344	7a2883a3af9d9afd764a791b87b691eb382eea701eaf21b52c4852053a899de6.exe
Token: SeTcbPrivilege	4344	7a2883a3af9d9afd764a791b87b691eb382eea701eaf21b52c4852053a899de6.exe
Token: SeChangeNotifyPrivilege	4344	7a2883a3af9d9afd764a791b87b691eb382eea701eaf21b52c4852053a899de6.exe
Token: SeCreateTokenPrivilege	4344	7a2883a3af9d9afd764a791b87b691eb382eea701eaf21b52c4852053a899de6.exe
Token: SeBackupPrivilege	4344	7a2883a3af9d9afd764a791b87b691eb382eea701eaf21b52c4852053a899de6.exe
Token: SeRestorePrivilege	4344	7a2883a3af9d9afd764a791b87b691eb382eea701eaf21b52c4852053a899de6.exe
Token: SeIncreaseQuotaPrivilege	4344	7a2883a3af9d9afd764a791b87b691eb382eea701eaf21b52c4852053a899de6.exe
Token: SeAssignPrimaryTokenPrivilege	4344	7a2883a3af9d9afd764a791b87b691eb382eea701eaf21b52c4852053a899de6.exe
Token: SeImpersonatePrivilege	4344	7a2883a3af9d9afd764a791b87b691eb382eea701eaf21b52c4852053a899de6.exe
Token: SeTcbPrivilege	4344	7a2883a3af9d9afd764a791b87b691eb382eea701eaf21b52c4852053a899de6.exe
Token: SeChangeNotifyPrivilege	4344	7a2883a3af9d9afd764a791b87b691eb382eea701eaf21b52c4852053a899de6.exe
Token: SeCreateTokenPrivilege	4344	7a2883a3af9d9afd764a791b87b691eb382eea701eaf21b52c4852053a899de6.exe
Token: SeBackupPrivilege	4344	7a2883a3af9d9afd764a791b87b691eb382eea701eaf21b52c4852053a899de6.exe
Token: SeRestorePrivilege	4344	7a2883a3af9d9afd764a791b87b691eb382eea701eaf21b52c4852053a899de6.exe
Token: SeIncreaseQuotaPrivilege	4344	7a2883a3af9d9afd764a791b87b691eb382eea701eaf21b52c4852053a899de6.exe
Token: SeAssignPrimaryTokenPrivilege	4344	7a2883a3af9d9afd764a791b87b691eb382eea701eaf21b52c4852053a899de6.exe
Token: SeImpersonatePrivilege	4344	7a2883a3af9d9afd764a791b87b691eb382eea701eaf21b52c4852053a899de6.exe
Token: SeTcbPrivilege	4344	7a2883a3af9d9afd764a791b87b691eb382eea701eaf21b52c4852053a899de6.exe
Token: SeChangeNotifyPrivilege	4344	7a2883a3af9d9afd764a791b87b691eb382eea701eaf21b52c4852053a899de6.exe
Token: SeCreateTokenPrivilege	4344	7a2883a3af9d9afd764a791b87b691eb382eea701eaf21b52c4852053a899de6.exe
Token: SeBackupPrivilege	4344	7a2883a3af9d9afd764a791b87b691eb382eea701eaf21b52c4852053a899de6.exe
Token: SeRestorePrivilege	4344	7a2883a3af9d9afd764a791b87b691eb382eea701eaf21b52c4852053a899de6.exe
Token: SeIncreaseQuotaPrivilege	4344	7a2883a3af9d9afd764a791b87b691eb382eea701eaf21b52c4852053a899de6.exe
Token: SeAssignPrimaryTokenPrivilege	4344	7a2883a3af9d9afd764a791b87b691eb382eea701eaf21b52c4852053a899de6.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4344 wrote to memory of 2012	4344	7a2883a3af9d9afd764a791b87b691eb382eea701eaf21b52c4852053a899de6.exe	79
PID 4344 wrote to memory of 2012	4344	7a2883a3af9d9afd764a791b87b691eb382eea701eaf21b52c4852053a899de6.exe	79
PID 4344 wrote to memory of 2012	4344	7a2883a3af9d9afd764a791b87b691eb382eea701eaf21b52c4852053a899de6.exe	79

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	7a2883a3af9d9afd764a791b87b691eb382eea701eaf21b52c4852053a899de6.exe

C:\Users\Admin\AppData\Local\Temp\7a2883a3af9d9afd764a791b87b691eb382eea701eaf21b52c4852053a899de6.exe
"C:\Users\Admin\AppData\Local\Temp\7a2883a3af9d9afd764a791b87b691eb382eea701eaf21b52c4852053a899de6.exe"
1⤵
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_win_path
PID:4344
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\7A2883~1.EXE" > NUL
  2⤵
  PID:2012

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2012-133-0x0000000000000000-mapping.dmp

Download
memory/4344-132-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4344-134-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads